It’s possible that hundreds of applicants in the filing window for new LPFMs had their filing information viewed by outside parties due to an alleged security flaw with the FCC’s Licensing and Management System, according to LPFM advocates.
In light of that security vulnerability, the groups asked the FCC to extend the filing deadline. The commission has not confirmed the vulnerability but it acknowledged the request and has announced a short extension. The window will now close at 12 p.m. noon EST on Dec. 15.
The FCC also extended the existing freeze on LPFM and FM translator minor modification applications until 12:01 a.m. on Dec. 18.
The vulnerability was discovered and reported to the FCC after the filing window for LPFM licenses opened last week.
Several advocates, including Common Frequency and Prometheus Radio Project, said early filers could have had their information viewed, even though the LMS system presumably was designed to prevent outsiders from viewing applications until after the window closes. They say the FCC was notified of the vulnerability on Thursday, Dec. 6. The next day, the FCC held an unscheduled outage of the LMS system the next day for several hours to address the issue, according to those familiar with these developments.
The filing window was originally scheduled to begin Nov. 1 but had been pushed back earlier this fall to Dec. 6–13 after community radio supporters asked for more time to help applicants prepare. This is the first LPFM filing window for new CPs since 2013.
Those familiar with the LMS system say LPFM applications are only supposed to be available for public view once a filing window closes.
REC Networks, which analyzed the online database vulnerability, says the problem involved the Facility ID and LMS functionality that the FCC uses. REC estimates that approximately 600 filed LPFM applications were vulnerable to unauthorized viewing.
“Someone knowing the Facility ID of one of the new LPFM facilities would have been able to view a screen which would have linked them to the application, even though the application is supposed to be suppressed until after the close of the filing window,” REC stated in a posted analysis of the situation.
REC and other community radio supporters are concerned someone purposely seeking an applicant’s information could use it to strategically place other applications that could “torpedo” the previously filed LPFM application.
“In the same way, (the information) could also be used to avoid mutual exclusivity. Either way, there is an expectation of applicant privacy during the window, and this vulnerability breached that expectation,” REC wrote in its analysis.
REC also commented that overall, despite functionality quirks, LMS is by far a superior filing system to its CDBS predecessor. LMS was introduced for television in the mid-2010s but wasn’t used for FM broadcast engineering until 2019.
The request for an extension was made by Austin Airwaves; Common Frequency Inc.; Community Media Assistance Project; CTone Media; Media Alliance; National Federation of Community Broadcasters; Pacifica Foundation; Prometheus Radio Project; and REC Networks.
They said valuable time had been lost between confirming the breaches, notifying the applicants, counsel and consultants, and deliberating contingency options, including an immediate moratorium on filing further applications until the LMS breach was fixed.
More time was lost when the LMS filing portal was taken down to fix the issue, which prevented filing applications, according to the groups. They say applicants then had to “test and confirm the integrity and security of the system, which is necessary to restore confidence before they proceed with filing.”
They’d hoped for a longer, five-day extension.
Not all LPFM advocates were in favor of an extension at all. John Broomall, president of Christian Community Broadcasters, says an extension was not warranted.
“While I would like more time to help procrastinators and make more money as a LPFM application filer, I oppose delaying or extending the window again. The FCC and its deadlines would lose all credibility. You know the children’s stories about Chicken Little and Little Red Riding Hood,” he wrote in an email.
“Unlike warfare where torpedoes kill people, FCC filings are like a video game. If, after the window, an applicant has been hurt, torpedoed, the FCC can cancel the actions of bad actors and grant relief and CPs to legitimate filers.”
The FCC published the following contact information for those with questions: For additional information on the filing window, contact James Bradshaw, [email protected]; Alexander Sanjenis, [email protected]; Lisa Scanlan, [email protected]; or Amy Van de Kerckhove, [email protected]; of the Media Bureau, Audio Division, (202) 418-2700.
