69 comments

[ 628 ms ] story [ 189 ms ] thread
Customer Proprietary Network Information (CPNI)
the data collected by telecommunications companies about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and certain other information that appears on the consumer's telephone bill

https://en.wikipedia.org/wiki/Customer_proprietary_network_i...

Note, they also provide a one click link in the email to opt out, super easy

Still enjoying my sub $30 bills and bloatware free device

It's not one-click, or at least it wasn't for me. I clicked the link in the sentence "If you prefer to opt out of letting Fi use and share your CPNI with Alphabet and Google services, you can do so by replying here", and it took me to the Google Fi homepage. I had to then click on Settings, "Privacy & Security", and finally on "Allow CPNI Sharing". Four clicks total.
I clicked it from my Fi device

4 is still far less effort than having to call Amazon to cancel your account (among the many providers that make opt out / cancel incredibly difficult)

You said one click. Now you've moved the goalposts to "less bad than [other company]."
It is one click if you are a normal Fi user
No it isn't. And I don't know what a "normal Fi user" is. This doesn't apply to non-Fi users.
Normal as in regular, not I pay for this but only use it every few months, like GGP
I clicked it from my Fi device too - and it automatically opened the Fi app, which doesn't have this setting.

It took a lot more than 4 clicks to figure out I needed to switch chrome to desktop mode AND needed to open the link in a new tab to make it stop opening the app.

Side rant - Wasn't HTML5 supposed to do away with the need for dedicated apps? Interaction with any corp is now split between web, app, and phone, all with different capabilities.

Huh, I did it yesterday and I clicked the 'here' link in the email and it took me to a page that said I was now opted out. I didn't have to do anything additional.
Interesting, I clicked on the link (from mac) and got a thank you for opting out page, nothing else.
I have a dedicated Google account for Fi, and it took me about 10 minutes to get past the identity verification challenge it threw at me when I tried to log in (for the first time in months) to opt out. I'm opted out now but it was a lot more than one click.
well, if you aren't using it, then it would be expected that you probably have more steps to login in after some time away
It's a carrier, it connects you to the internet. Why isn't "I haven't connected to my account in months" the expected state?
I am curious why people are using dedicated accounts for this? Are they afraid of bannination and losing mobile access? Is this a security measure?
I use a dedicated account for Fi because when Fi first came out I signed up with my main account they removed my access to Google Voice which I use heavily. They have since allowed both Fi and Voice on the same account but I am not bothering with switching my Fi account to my main at this point.
I also had a terrible experience with the link. Not only that, it's still me having to remove myself from an automated opt in! This makes zero sense!
Made me jump through 6 different pages on a phone where I was already signed in to Google, so ymmv.

Or perhaps there's an A-B testing going on to see how they might be able to tire people out by making the "one-click" opt out harder.

Not sure why you're getting downvoted. It was also a single click for me, in a browser.
Only if you're already signed in to your Google account in your browser. They are initiating communication in one channel and not accepting a response in that same channel.
The submitted support article doesn't really provide any details about the change. This is the email they sent users today:

--

Notice about your CPNI settings

Google Fi Wireless takes your privacy seriously. The updated Google Fi Privacy Notice provides information about how we collect and use personal information. This includes your Customer Proprietary Network Information (CPNI).

CPNI includes the destination, technical configuration, and location of your calls and information about the type and amount of services that you purchase and use. Your CPNI does not include your name, address, or phone number.

Google Fi uses your CPNI to:

• Provide your Fi service and related features

• Provide Internet access and voicemail

• Provide protection from fraudulent, abusive, or unlawful use

• Bill you for your Fi service

• Provide customer support and troubleshooting when you need it

From time to time, Fi may wish to provide you with additional information about products, services, and offers from our Alphabet affiliates, including Google LLC, that aren’t among the category of services you’re already purchasing from us, such as offers from Google Store on new Pixel devices. Starting today, we will opt you into the sharing with and use of your CPNI by Alphabet affiliates to receive this information. Your opt in will go into effect 30 days from the date you receive this email.

You’re not required to stay opted in. It’s your right and our duty under federal law to protect the confidentiality of your CPNI. If you prefer to opt out of letting Fi use and share your CPNI with Alphabet and Google services, you can do so by replying here or via Fi’s privacy and security settings at any time (instructions here). Opting out of CPNI sharing won’t affect your account or your ability to use any of Google Fi Wireless’ services. If you do not choose to opt-out within 30 days of receiving this notice, Fi will assume your approval to share your CPNI with other Google services and our affiliates.

We have also updated our Fi Terms of Service. These changes will go into effect on 9/28/23. You can review the updated Terms of Service in full here.

Thanks,

Google Fi Wireless team

> Starting today, we will opt you into the sharing with and use of your CPNI by Alphabet affiliates to receive this information. Your opt in will go into effect 30 days from the date you receive this email.

What a weird, disingenuous use of the term "opt in".

iirc, it's cpni compliant.
It's not. Federal regulations require "affirmative, express consent" for CPNI release approval to count as "opt-in". https://www.govinfo.gov/content/pkg/CFR-2018-title47-vol3/xm...
well, i guess this email constitutes "affirmative, express consent" unless user clicks on opt-out. at least this is conclusion of google legal department.
It's not as there's no guarantee the subscriber ever actually received the email much less made it past their spam filter or that they opened it and read it.

I can't see any way this is "opt-in".

there is no guarantee to make sure that subscriber actually delivered notification outside of personal delivery with ID verification.

i guess google legal decided that this is about "reasonable" effort and given that this email sent from google it's above reasonable that it's past spam filter and sufficiently reasonable effort in general.

You can be pretty sure they recieved the email and opted-in if the default is opt-out.
(comment deleted)
The parallel on a website would require a clickwrap, I think they're just being bold and hoping nobody notices and/or they want the suit.
>this email constitutes "affirmative, express consent" unless user clicks on opt-out.

No. That would be (by definition) negative, implicit consent.

Federal law specifically demands "affirmative, express" consent.

Affirmative means the user has to take an action to consent. Not doing something for 30 days isn't an affirmative action - it's known as "implicit consent" which is the opposite of "affirmative consent"[1]

Express means they have to specifically consent and can't be implied to consent or consent passively somehow.[2]

This is neither affirmative nor express consent. Also notice that literally nothing that Google (or any company) can do gives affirmative, express consent from the user. The user themselves has to do something for Google to obtain that consent - that's literally the whole point of the wording of "affirmative, express".

I'd be very surprised if google's legal thinks this is actually consent or ok. I think most likely they said it probably wouldn't stand up to challenge and the McKinsey types who run google decided they probably wouldn't be challenged and it was worth the risk.

[1] https://iapp.org/resources/article/consent-2/

[2] https://www.wilsonlaw.com/blog/difference-between-express-an...

>I'd be very surprised if google's legal thinks this is actually consent or ok. I think most likely they said it probably wouldn't stand up to challenge and the McKinsey types who run google decided they probably wouldn't be challenged and it was worth the risk.

many of (ex)googler posts mention that legal needs to sign off on everything and looped into everything and they find it frustrating and slowing things down

change of such proportions can't be executed without involvement of multiple legal departments that both approved this decision and scrutinized every letter of this letter.

edit: from cpni itself " Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services. A telecommunications carrier may also permit such persons or entities to obtain access to such CPNI for such purposes."

or in general 64.2007 and 64.2008 describe that it's ok

Can we talk about the dark-pattern in that email body?

- Mention that this doesn't include name/address/phone number, while glossing over that this allows near-GPS level tracking (the "address" part is particularly offensive).

- Talks about what "Google Fi" uses CPNI for, including a bullet list, which is completely irrelevant and not why they're sending this email. It is literally so that you'll skim it, and not read the next paragraph.

- Imply that this is authorizing "Googling LLC" (and other Alphabet companies). But what this is actually doing is authorizing Alphabet's affiliates meaning up to every company in the world.

- They updated the ToS but didn't mention what changed.

Someone needs to tell Google what "Opt-in" and "Opt-out" means.

No, if you automatically enroll me into sharing my data with 3rd-parties, that is NOT opt-in. That's completely disingenuous.

This should really be illegal.

It is illegal. Google is attempting to bend definitions and skirt the law.

https://www.govinfo.gov/content/pkg/CFR-2018-title47-vol3/xm...

Title 47 - Telecommunication. CHAPTER I - FEDERAL COMMUNICATIONS COMMISSION (CONTINUED). SUBCHAPTER B - COMMON CARRIER SERVICES (CONTINUED). PART 64 - MISCELLANEOUS RULES RELATING TO COMMON CARRIERS.

§ 64.2003 Definitions

(k) Opt-in approval. The term “opt-in approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart.

(l) Opt-out approval. The term “opt-out approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in § 64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.

§ 64.2007 Approval required for use of customer proprietary network information.

(b) Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. [...] a telecommunications carrier may only use, disclose, or permit access to its customer's individually identifiable CPNI subject to opt-in approval.

No it is not. They clearly provide precise steps to grant or deny access.

(3) The notification must advise the customer of the precise steps the customer must take in order to grant or deny access to CPNI, and must clearly state that a denial of approval will not affect the provision of any services to which the customer subscribes. However, carriers may provide a brief statement, in clear and neutral language, describing consequences directly resulting from the lack of access to CPNI.

You just quoted a random, unrelated part of the regulation. Nobody is claiming that the notice is inadequate because it lacks a description of precise steps. The notice is inadequate because it alleges that Google will use opt-out approval for purposes that are only allowed with explicit opt-in approval.
> Opt-in approval. The term “opt-in approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart.

IANAL, but doesn't the "disclosure, or access after the customer is provided appropriate notification" make this entire "opt-in" definition completely legal?

I mean, it was easy for me to opt-out, but I really hate the fact that I had to do so in the first place.

No "affirmative, express consent allowing the requested CPNI usage, disclosure, or access" was obtained by the carrier after "the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart", so opt-in approval is not present. I don't see a way to parse this that equates notification to express consent.
You use more than one services from Google. You have to have a Google account before you sign up with Fi. Google is allowed to use opt-out.

§ 64.2005 Use of customer proprietary network information without customer approval.

(1) If a telecommunications carrier provides different categories of service, and a customer subscribes to more than one category of service offered by the carrier, the carrier is permitted to share CPNI among the carrier's affiliated entities that provide a service offering to the customer.

(1) I use a dedicated Google account for Fi, which does not subscribe to other services.

(2) Notwithstanding (1), this is not what the regulation contemplates a "category of service" to be. It is contemplating categories of telephony services, as indicated by "(i.e., local, interexchange, and CMRS)"

I wonder whether Google will lose their meager remaining motivation to keep running Fi if they're told to stop doing this.
Considering that Fi is on my "Killed by Google" watch list for about two years now especially after the Sprint/T-Mobile merger (Google sees the writing on the wall) and T-Mobile likely buying Mint Mobile (continuing the death spiral of MVNOs in the process). Maybe this is the excuse they needed to shut Fi down entirely who knows.
(comment deleted)
I forwarded the email to oig@ftc.gov. They say it's the wrong way to complain about consumer issues, but I don't care.
Shouldn't you contact the FCC not the FTC?
> If you do not choose to opt-out within 30 days of receiving this notice, Fi will assume your approval to share your CPNI with other Google services and our affiliates.

I assume this is legally questionable?

Seems like this violates a few of the notice requirements most clearly:

(ii) Carriers must allow customers to reply directly to emails containing CPNI notices in order to opt-out;

As it came from a no reply address.

They have "If you prefer to opt out of letting Fi use and share your CPNI with Alphabet and Google services, you can do so by replying here" text in the email with "here" being a hyperlink that takes me to my main google fi profile page but doesn't even turn off the opt-in.

Looking forward to absolutely nothing happening! Is there even a private right of action?

Clicking the link in my email last night immediately forwarded me to a "You have been opted out" page.

I was using Chrome on a Chromebook I was logged into with the account I use for Fi, and the Fi app was installed, though.

Interesting - yeah does work for me now but last night just redirected to the home page and was still enabled when I checked privacy settings.

I'd argue a hyperlink 4 paragraphs deep in the middle of a sentence doesn't meet the standard of "reply directly" but I'm sure Google's lawyers feel different.

Link to Google Fi settings where you can opt out: https://fi.google.com/account?pli=1#settings/privacy
Thank you for the link!

Surprising how the e-mail message differs from the setting language:

Allow CPNI sharing (toggle on/off)

Let Google Fi Wireless use and share your Customer Proprietary Network Information with Alphabet affiliates, including Google LLC, to offer you additional products, personalized offers, and services.

E-mail reads like CPNI is essential for service:

Google Fi uses your CPNI to:

Provide your Fi service and related features Provide Internet access and voicemail Provide protection from fraudulent, abusive, or unlawful use Bill you for your Fi service Provide customer support and troubleshooting when you need it

Yeah I can’t tell if opting out would compromise service. Will I lose those features (internet access especially) if I opt out?

I’m assuming “no” but appreciate some consensus here.

I don't understand why everyone is saying this is illegal unless they are just not reading past §64.2003(k) as (l) provides for a the opt-out method, and §64.2007(b) is clear the providers can use either:

>§64.2003(l) Opt-out approval. The term “opt-out approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in § 64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.

>§64.2007(b)(b) Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services.

Don't get me wrong, I think this is pretty shitty, and I already opted out, but everyone in this thread saying it's illegal needs to brush up on how to read the law.

https://www.govinfo.gov/content/pkg/CFR-2018-title47-vol3/xm...

Carriers can only use opt-out consent for a limited subset of the actions that they can use opt-in consent for. The actions that they say they plan to take do not fall under this subset. See § 64.2005.
What part of 64.2005 excludes the opt-out consent? I read the whole thing. Please quote exactly.
§ 64.2007 (b): Except for use and disclosure of CPNI that is permitted without customer approval under § 64.2005, or that is described in this paragraph, or as otherwise provided in section 222 of the Communications Act of 1934, as amended, a telecommunications carrier may only use, disclose, or permit access to its customer's individually identifiable CPNI subject to opt-in approval.

§ 64.2005 (a): Any telecommunications carrier may use, disclose, or permit access to CPNI for the purpose of providing or marketing service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes from the same carrier, without customer approval.

Today's email: Fi may wish to provide you with additional information about products, services, and offers from our Alphabet affiliates, including Google LLC, that aren’t among the category of services you’re already purchasing from us

Google plans to advertise outside of the user's existing service category. § 64.2005 says that with opt-out consent, they can only do this within the existing service category. Since it doesn't fall under a § 64.2005 exemption, § 64.2007 (b) says that this requires opt-in approval.

You need to read further to § 64.2005(2) which covers other categories of services:

>(2) If a telecommunications carrier provides different categories of service, but a customer does not subscribe to more than one offering by the carrier, the carrier is not permitted to share CPNI with its affiliates, except as provided in § 64.2007(b).

And 64.2007(b) as we've already covered says that carriers can use opt-in or opt-out

Anyone with legal knowledge in this area care to chime in and break the impass?

Interesting argument. This relies on the circular backreference to § 64.2007(b) from § 64.2005(a)(2), and wouldn't seem to apply for the § 64.2005(a)(1) case. Google's messaging uses "opt in", which seems to be at odds with an intent to rely on an opt-out characterization.

I'd also welcome review from a lawyer with experience here.

Google customer communication could say 'unless you take action you will be shanghaied'.

Then it's easier to understand if their approach is allowed by the law -- seems yes.

Their consumer-facing terminology isn't what the law required. The law required one of two approaches, and they implemented the 'they default you in' one.

I really don't feel Apple is a good company, but compared to Google, wow. What happened to don't be evil?
FFS... Maybe it's time to switch to a regular carrier and pay the Apple tax. This is unscrupulous.