Just about a year ago, it came to light how easy it was to buy the real-time location data of US wireless customers via lax carrier standards, shady third parties, and bounty hunters. Now, after an “extensive investigation,” the FCC has declared that “one or more wireless carriers apparently violated federal law.”
Update 2/28: The FCC has shared its proposal to fine the four major US wireless carriers a total of $200 million (via TechCrunch). The breakdown is based on the “amount of time that the carriers sold access to customer location information ‘without reasonable safeguards’ and the number of outside companies to which they sold it.”
Under the proposal, T-Mobile would owe $91 million, AT&T $57 million, Verizon $48 million, and Sprint $12 million. The FCC statement notes that the carriers will have a chance to respond to the proposal before it is finalized.
Neither the allegations nor the proposed sanctions in the NALs are final Commission actions. The parties will be given an opportunity to respond and the Commission will consider the parties’ evidence and legal arguments before taking further action to resolve these matters. The Commission may not impose a greater monetary penalty in its final resolution of whether the parties have violated the law than the amount proposed in the NAL.
TechCrunch highlighted how weak the FCC’s investigation into this serious security and privacy issue has been.
The scale of the fines, they say, has little to do with the scale of the offenses — and that’s because the investigation did not adequately investigate or attempt to investigate the scale of those offenses. Essentially, the FCC didn’t even look at the number or nature of actual instances of harm — it just asked the carriers to provide the number of contracts entered into.
And why not go after the individual companies? They’re not being fined at all. Even if the FCC lacked the authority to do so, it could have handed off the case to Justice or local authorities that could determine whether these companies violated other laws.
The unsurprising finding was detailed in a letter sent from FCC Chairman Ajit Pai to the US House Energy and Commerce Committee (via The Verge).
While the letter doesn’t specify which carriers were “apparently” violating federal law, Pai went on to say that he is “committed to ensuring that all entities subject to our jurisdiction comply with the Communications Act and the FCC’s rules,” with a fine and/or other consequence(s) expected to be announced in the near future.
Notably, after the initial exposé by Motherboard in January last year, T-Mobile and Sprint agreed to stop selling users’ location data, while AT&T claimed innocence. However, it was later reported in May that they didn’t follow through on those promises, or at least not in the timeframe they said they would.
Here’s the FCC Chairman’s letter in full:
I am writing to follow up on my letter of December 3, 2019 regarding the status of the FCC’s investigation into the disclosure of consumers’ real-time location data. Fulfilling the commitment I made in that letter, I wish to inform you that the FCC’s Enforcement Bureau has completed its extensive investigation and that it has concluded that one or more wireless carriers apparently violated federal law.
I am committed to ensuring that all entities subject to our jurisdiction comply with the Communications Act and the FCC’s rules, including those that protect consumers’ sensitive information, such as real-time location data. Accordingly, in the coming days, I intend to circulate to my fellow Commissioners for their consideration one or more Notice(s) of Apparent Liability for Forfeiture in connection with the apparent violation(s).