FCC to Fine US Carriers Over Location Data SalesAgency Proposes Fines Against AT&T, Verizon, Sprint and T-Mobile
(This story has been updated.)
The Federal Communications Commission Friday proposed fines against the nation’s four largest wireless carriers for selling real-time mobile phone location data without taking reasonable measures to protect against unauthorized access to that information. T-Mobile faces a proposed fine of more than $91 million; AT&T - $57 million; Verizon - more than $48 million; and Sprint - more than $12 million.
The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party. The commission will take a final vote on the fines later.
The development comes after FCC Chairman Ajit Pai informed lawmakers on Jan. 31 that the agency’s Enforcement Bureau had concluded “one or more wireless carriers apparently violated federal law” (see: FCC: Wireless Carriers Violated Law by Sharing Location Data).
In Friday statement, Paj said: "The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t. Today, we do just that. This FCC will not tolerate phone companies putting Americans’ privacy at risk.”
Sen. Ron Wyden, D-Ore., who is active in data privacy and security issues, alleges that Pai “has failed to protect American consumers at every stage of the game.”
Pai "has only investigated after public pressure mounted,” Wyden says. “And now his response is a set of comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck.”
Leaky Location Data
Reporting by Motherboard and The New York Times found that U.S. carriers sold location data to a variety of companies, who then sold it to bail bondsmen and law enforcement, where it appeared to be improperly used to track people.
Mobile carriers have sold location data to middlemen that then supply access to the data for purposes such as roadside assistance. But the investigations showed it wasn’t difficult for others to get access to such sensitive data, and also it was unclear whether the mobile customers were aware their data was being shared.
Motherboard paid $300 to locate a mobile phone on T-Mobile’s network, first contacting a bail bondsman who then obtained the accurate location data through a middleman.
There also was an astounding data leak. Krebs on Security reported in May 2018 on a vulnerability in the website of LocationSmart, which could be used to track a mobile device on AT&T, Sprint, T-Mobile or Verizon networks.
As a result of the reports, Verizon said in June 2018 that it would stop selling location data. Sprint, T-Mobile and AT&T followed in January 2019.
Federal Privacy Legislation
Wyden says that the location data situation underscores the need for new federal privacy legislation that addresses how the internet age has impacted consumer privacy.
In October 2019, he introduced the Mind Your Own Business Act of 2019. The legislation has been referred to the Senate Finance Committee.
Pai's response is laughable, and won’t stop companies from abusing Americans’ privacy the next time they can make a profit. From Facebook to Equifax, companies have shown nothing but contempt for consumer data, knowing they can write off fines as the cost of doing business.— Ron Wyden (@RonWyden) February 27, 2020
The act would give the Federal Trade Commission authority to establish minimum privacy and cybersecurity standards. It would also allow the FTC to fine companies up to 4 percent of global revenue for violations, similar to the General Data Protection Regulation. Also, company executives could face criminal charges and 10 to 20 years in prison for knowingly lying to the FTC.
The FTC often takes action against technology companies for privacy missteps by alleging deceptive conduct. That’s because there is no overarching federal privacy law for regulating private companies, although states often have their own.