30 April 2024

Headline: FCC Fines T-Mobile, AT&T, and Verizon $196 million "for illegally sharing access to customers' location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure."

Six years later - FCC finalizes $196M penalties for location-data sales revealed in 2018.

The FCC fined T-Mobile and other major carriers a total of $200 million for illegally sharing users' location data


The Federal Communications Commission (FCC) has fined major telecommunications carriers AT&T, Sprint, T-Mobile, and Verizon a total of approximately $200 million (approximately 31.34 billion yen) for sharing customer location information with third parties without permission.

FCC FINES AT&T, SPRINT, T-MOBILE, AND VERIZON NEARLY $200 MILLION FOR ILLEGAL SHARING ACCESS TO CUSTOMERS' LOCATION DATA
(PDF file)

https://docs.fcc.gov/public/attachments/DOC-402213A1.pdf

FCC fines AT&T, Sprint, T-Mobile, and Verizon nearly $200 million for illegally sharing location data - The Verge
https://www.theverge.com/2024/4/29/24144599/fcc-fine-att-sprint-verizon-t-mobile-location-data

FCC fines big three carriers $196M for selling users' real-time location data | Ars Technica
https://arstechnica.com/tech-policy/2024/04/fcc-fines-big-three-carriers-196m-for-selling-users-real-time-location-data/

AT&T, Verizon, Sprint, T-Mobile US fined for privacy woe • The Register
https://www.theregister.com/2024/04/29/fcc_telecom_fines/

According to the FCC, the carriers fined this time shared their customers' location data, without the customers' consent, with aggregators, who then resold the data to other location-related businesses.
The fines vary by carrier, with 
  • T-Mobile paying $80 million, 
  • AT&T paying $57 million, 
  • Verizon paying $47 million, and 
  • Sprint paying $12 million.

According to the FCC's investigation, AT&T shared data with 88 third-party carriers, Sprint with 86, T-Mobile with 75, and Verizon with 67. 

The FCC strongly criticized the carriers, saying, 'The fact that they sold information to aggregators, who then resold it to third-party carriers, represents an attempt by the carriers to shift liability downstream.'


The issue first came to light in 2018, when it was discovered that Securus, a service that helps connect people incarcerated in correctional and criminal facilities, had disclosed customer location information it received from telecommunications carriers to state sheriffs.

'Our findings show that the nation's largest telecommunications carriers are selling our real-time location data to aggregators, making it available to bail bondsmen, bounty hunters, and other shady actors. This egregious practice violates the law, particularly Section 222 of the Communications Act, which protects the privacy of consumer data,' FCC Chairman Jessica Rosenworcel said in 2018, and called on the carriers to do just that.

However, all four of the fined carriers continued their location-sharing programs without putting in place safeguards to ensure that operators with access to the data had customer consent.


In response to this decision, AT&T argued that the program in question ended in 2019 and that the FCC's decision was incorrect. Verizon and T-Mobile also disagreed with the decision and indicated they would appeal. Sprint merged with T-Mobile after the FCC's investigation began.

'The information sharing was intended to support services like vehicle accident compensation and medical reporting,' said Verizon spokesman Rich Young.
'In this case, we discovered that a single bad actor had gained unauthorized access to that information, and we have taken steps to end the program and ensure that this never happens again. 
The FCC's decision is contrary to the facts and the law, and we plan to fight it in court.'

__________________________________________________________________



The Federal Communications Commission today said it fined T-Mobile, AT&T, and Verizon $196 million "for illegally sharing access to customers' location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure."

The fines relate to sharing of real-time location data that was revealed in 2018. The FCC proposed the fines in 2020, when the commission had a Republican majority, and finalized them today.

All three major carriers vowed to appeal the fines after they were announced today. The three carriers also said they discontinued the data-sharing programs that the fines relate to.

The fines are $80.1 million for T-Mobile, $57.3 million for AT&T, and $46.9 million for Verizon. T-Mobile is also on the hook for a $12.2 million fine issued to Sprint, which was bought by T-Mobile shortly after the penalties were proposed over four years ago.

Today, the FCC summarized its findings as follows:

The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers' location information to "aggregators," who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained. This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.

“Shady actors” got hold of data

The problem first came to light with reports of customer location data "being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a 'location-finding service' operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals," the FCC said.

Chairwoman Jessica Rosenworcel said that news reports in 2018 "revealed that the largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors. This ugly practice violates the law—specifically Section 222 of the Communications Act, which protects the privacy of consumer data."

For a time after the 2018 reports, "all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that the dozens of location-based service providers with access to their customers' location information were actually obtaining customer consent," the FCC said.

The three carriers are ready to challenge the fines in court. "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted," T-Mobile said in a statement provided to Ars. "We take our responsibility to keep customer data secure very seriously and have always supported the FCC's commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it."

AT&T and Verizon also plan to appeal

AT&T issued a statement saying the FCC order "unfairly holds us responsible for another company's violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company's failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review."

Verizon said today that "when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn't happen again." Verizon said the now-shuttered program "required affirmative, opt-in customer consent and was intended to support services like roadside assistance and medical alerts."

The fines were proposed in 2020 in Notices of Apparent Liability issued to each carrier. The companies provided responses to the FCC, which took the carriers' comments into consideration in the forfeiture orders released today. The T-Mobile fine was lowered from $91.6 million to $80.1 million, and the Verizon fine was lowered from $48.3 million to $46.9 million, but the AT&T and Sprint fines remained the same.


Republicans dissent

The fines may have been delayed by the 2-2 partisan deadlock the commission operated under until September 2023. Although the fines were originally proposed when the FCC was controlled by Republicans, the vote to finalize the penalties was 3-2 with dissents from Republicans Brendan Carr and Nathan Simington.
  • Simington argued that the FCC is "sending a strong market signal that any alleged violation... can and will result in an outsize fine," which "effectively choke[s] off one of the only ways that valid and legal users of consent-based location data services had to access location data for which legal safeguards and oversight actually exist."
  • Carr said he supported the 2020 notices "so we could investigate the facts and determine whether or not the carriers had violated any provisions of the Communications Act," but doesn't support the final orders.

The fines are unfair, Carr said, because the commission "has never held that location information other than 'call location information' constitutes CPNI [Customer Proprietary Network Information]. Nor has the FCC stated that a carrier might be liable under our CPNI rules for location information unrelated to a Title II service and collected outside the Title II relationship. So, even if we could proscribe the conduct at issue here through a rulemaking (and I am dubious that we could), it would be inappropriate and unlawful to impose the retroactive liability that these Orders do."

The FCC forfeiture orders note that the Communications Act defines CPNI as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship." Phone location data falls within this definition, the FCC said.

Rosenworcel's statement pointed out that the fines "were first proposed by the last Administration. By following through with this order, we once again make clear that wireless carriers have a duty to keep our geolocation information private and secure."

JON BRODKIN
Jon has been a reporter for Ars Technica since 2011 and covers a wide array of telecom and tech policy topics. Jon graduated from Boston University with a degree in journalism and has been a full-time journalist for over 20 years.
