All four national carriers face fines over selling unauthorized access to customer location data
The Federal Communications Commission is planning to fine the four national carriers up to $200 million over the unauthorized release and sale of wireless customers’ location data, around two years after the violations first came to light.
The largest single proposed fine would be to T-Mobile US, at $91.3 million, followed by AT&T at $57.3 million, Verizon at $48.3 million and Sprint with a proposed fine of $12.2 million.
Each of the carriers is accused of disclosing their customers’ location information, without their content, to a third party who wasn’t authorized to receive it — and dragging their feet on shutting down that access once the problem became clear. The FCC outlined a system in which there were layers of shifted responsibility and indirect relationships that allowed carriers to sell their customers’ location-based information to aggregators while also shifting the responsibility for getting consent from those customers for access to their location information—first to the aggregators, then the aggregators further shifted that responsibility to get consent to location-based services providers, some of whom didn’t have direct relationships with the carrier(s).
Security researchers found in the spring of 2018 that third-party companies such as LocationSmart were sourcing real-time location data from mobile network operators and selling it to non-law-enforcement agencies or individuals, and that related website hacks meant such information could be accessed for free. After a 2018 New York Times investigation and subsequent investigations by outlets including Wired and Motherboard (which found that individual phones could be tracked for as little as $300), the carriers began attempting to shut down the aggregators’ access to their customers information and tracking down just how that access had come about, including acknowledging that audits and other processes that were meant to safeguard access to customer location information did not pick up on the fact that such information was being regularly accessed without customers’ consent.
“All four carriers mentioned … sold access to their customers’ location information to ‘aggregators,’ who then resold access to such information to third-party location-based service providers,” the FCC said in a statement on the proposed fines. “Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information,” the FCC went on, but even when it became clear that those measures were inadequate, the carriers “apparently continued to sell access to their customers’ location information without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent.”
The size of the fines, the FCC added, it based on the length of time that each carrier continued to sell access to customer location information after the problem became obvious, and the number of entities to which it continued to sell access.
“Information about a wireless customer’s location is highly personal and sensitive. The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information,” said FCC Chairman Ajit Pai in a statement, going on to add that “This FCC will not tolerate phone companies putting Americans’ privacy at risk.”
On each of the proposed fines, the three Republican FCC commissioners voted in support. Democratic Commissioner Jessica Rosenworcel dissented, and Democratic Commissioner Geoffrey Starks supported them in part and dissented in part.
Rosenworcel called the investigation “a day late and a dollar short,” and criticized the amount of time that the investigation took, as well as steep discounts to the fines that the FCC could have applied under the law.
“Taking nearly two years to address these troubling revelations is a stain on this agency’s public safety record. It’s a testament to how little it makes privacy a priority,” Rosenworcel said, going on to add, “Given the facts here—the sheer volume of those who could have had their privacy violated—I don’t think this discount is warranted.”