The FCC on Monday fined four major US telcos almost $200 million for “illegally” selling subscribers’ location information to data brokers.

AT&T, Verizon, Sprint, and T-Mobile US – the last two of which merged in 2020 – were ordered to pay $57 million, $47 million, $12 million, and $80 million respectively.

“Our communications providers have access to some of the most sensitive information about us,” said FCC boss Jessica Rosenworcel in a statement.

“These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: Customers’ real-time location information, revealing where they go and who they are.”

Concerns about telecoms giants providing customer location data surfaced in 2018 when US Senator Ron Wyden (D-OR) asked Ajit Pai, then head of the FCC, to investigate claims that Securus Technologies bought real-time location data from major wireless carriers.

The FCC under Pai concluded in 2020 that the telcos had likely broken the law, but it wasn’t clear what the consequences might be. Now it seems the bill has come due.

“No one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card,” Senator Wyden said in a statement today. “I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk.”

Another American watchdog, the FTC, recently started going after location data brokers. Privacy-oriented legislators in the House of Representatives have done so, too, proposing a bill to ban the US government from purchasing citizens’ info from data brokers.

Nonetheless, other government agencies have allegedly been bypassing the Fourth Amendment’s warrant requirement by buying phone records from the likes of AT&T.

Easy access to Americans’ personal information, such as their location data, is not just a privacy concern – one that’s more acute in the post-Dobbs era – but also a matter of national security. This was demonstrated by a recent Duke University study that found information on US military personnel and their families was available from data brokers for as little as $0.12 per record.

According to the FCC Enforcement Bureau, each of the four named carriers sold customer location data to data aggregators that subsequently resold the data to third-party location service companies. The bureau believes each of the four telcos “attempted to offload its obligations to obtain customer consent” to the downstream buyers of the data, a process that often meant valid consent was not obtained.

The FCC in its various forfeiture orders notes that the law “makes clear that carriers cannot disclaim their statutory obligations to protect their customers’ CPNI [customer proprietary network information] by delegating such obligations to third parties.”

Carriers blame brokers

AT&T told The Register it should not be blamed for the failure of those buying its data to obtain proper consent, and said it will fight the fine.

“The FCC order lacks both legal and factual merit,” an AT&T spokesperson wrote in a statement sent to The Register. “It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged.

“We expect to appeal the order after conducting a legal review.”

AT&T added the program at issue was terminated in 2019.

Verizon also said the FCC had erred in its determination and that its location data program, also shut down five years ago, required affirmative, opt-in customer consent and was intended to support services like roadside assistance and medical alerts.

“Verizon is deeply committed to protecting customer privacy,” Verizon spokesperson Rich Young told The Register. “In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn’t happen again. Unfortunately, the FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision.”

T-Mobile US also said it planned to fight the fine.

“This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted,” a T-Mo spokesperson told The Register.

“We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it.”

In this case, “excessive” means the $92 million combined fine T-Mobile US has been ordered to pay would amount to about 1.1 percent of its 2023 net income of $8.3 billion.

  • coffeeClean@infosec.pub
    7 months ago

    Yet a vast majority of people have no problem when people are forced to subscribe to mobile phone service:

    https://infosec.pub/post/11658371

    This kind of information should be startling enough to at least see the merit in not having a mobile phone subscription. But no, people will just say “that sucks” and continue being the sucker while also expecting others to be equally naive or cavalier too.

    from the article:

    AT&T told The Register it should not be blamed for the failure of those buying its data to obtain proper consent, and said it will fight the fine.

    Private investigators are treated as legitimate consumers of that location data. An angry ex-boyfriend or ex-husband hired a PI to find out where his ex was, who then simply bought the location data from a mobile carrier. The guy used the info to find her and shoot her dead on the spot (headshot while she was driving a car). The data sharing was “legit” in that case, in the US where privacy laws are generally non-existent.

    It’s strange how that murder case gets omitted in these articles about mobile carriers selling location data.