IPVM Urges FCC Modernize Equipment Authorization Database

IPVM urged the US Federal Communications Commission (FCC) to modernize databases containing valuable information for supply chain researchers such as photos and documentation on most electronic products sold in the US. Though officially public, such information is challenging to access due to antiquated user interfaces.

As our letter explains, this is in the best interests of the FCC as well as the public. The agency's increasing national security responsibilities can benefit from third party contributions to new enforcement areas; for instance, IPVM could help the FCC identify relabeled devices banned from equipment authorization. But third parties can only contribute if the FCC's information is reasonably accessible.

It was sent to all five of the FCC Commissioners, as well as the FCC's Enforcement Bureau, Office of Engineering and Technology, and Office of Managing Director:

Our letter identifies various specific problems, which broadly result from the databases having a decades-old design that is not consistent with increasing public interest in supply chains.

The full body of the letter is below.

Modernizing FCC Databases Can Put Valuable Information in Public Hands While Assisting the FCC in Protecting National Security.

We write to urge that the FCC modernize its public-facing equipment authorization databases. There is likely no comparable repository of images, specifications, and other documentation on electronic products in the world. This information could be of enormous value to supply chain security investigations. While officially public, dilapidated user interfaces make access impractical for research, journalism, or other public interest purposes.

This is a lost opportunity for everyone. Modernization with public access in mind would serve both the public and the FCC, including national security initiatives. The FCC already has the data, the backend infrastructure, and the authority. With relatively little effort, you have the opportunity to build one of the most important resources in the country.

Easier Public Access Enhances FCC National Security Initiatives

As you are aware, this is an ambitious moment for the FCC. With impactful initiatives like the “Bad Labs” NPRM, and the prohibition on authorization of covered equipment, the FCC is in some ways the tip of the spear in the federal government when it comes to protecting US networks and national security.

Consequently, FCC staff are often in uncharted waters. Our experience is that FCC staff are exceptionally capable and dedicated, but developing new enforcement programs and competencies takes time. Third parties can make important contributions, just as they do throughout the cyber and supply chain security worlds, and the FCC’s transparency makes it particularly well-positioned to benefit.

Problems With FCC Equipment Authorization Databases

However, the FCC’s equipment authorization databases severely limit the full potential of public engagement. Based on design features, we estimate construction two to three decades ago, and simply visiting them will make clear that redesign is long overdue. IPVM would be pleased to assist with a full accounting of potential improvements and changes. Nonetheless, we provide a few examples below.

The information necessary to match white labeled products to a suspected manufacturer is present, but doing so is impractical.

Even after familiarizing oneself with Equipment Authorization Search’s esoteric construction, to access a single public document tied to an authorization requires several time-consuming steps, most of which can be eliminated. That is when the site works at reasonable speed, which typically it does not.

This is often fruitless, in any case, because the database provides no information indicating the actual product associated with each listed authorization, as demonstrated in this example search by grantee name:

This might be less of an issue if one could open the pages of several authorizations simultaneously in separate tabs, but a popup legal disclosure (which could instead appear on the page itself) prevents this.

Information about documents is inexplicably contained on a “Summary” page that is separate from the “Detail” page, where one actually accesses those documents, as shown below for the same authorization:

Other databases have their own problems, but all are comparably antiquated and equally slow. We are also not sure why these are separate databases at all.

For instance, the pending equipment authorization database allows lookup only by FCC ID and Form 731 Confirmation number, neither of which are readily accessible. This may be intended to intentionally limit access. At a minimum, it is opaque and confusing:

It is understandable that these databases have aged. Until recently, we presume they have served organizations with reason to be professionally competent in using them, such as those submitting or managing authorizations, or FCC staff. With the FCC engaged in such ambitious policies centered on its equipment authorization program - and given the rising importance of supply chain security research generally - the databases are now highly relevant to the public. They should be redesigned accordingly.

Indeed, as we wrote to you previously regarding covered entities, “third-party researchers and the media who are empowered by open information - including about US government activities - are responsible for much of what federal agencies and the public have learned about the covered entities in recent years.” We urge the FCC to support such efforts by prioritizing redesign of its equipment authorization databases, and we stand ready to assist.