The four largest U.S. carriers face combined FCC fines totaling about $209 million for selling access to customers’ real-time location data to unauthorized third parties without customers’ consent, even after the operators were made aware of the issue.
An FCC investigation found that even after several highly public press reports, including reports from the New York Times and Motherboard, revealed customer data was getting into unauthorized hands, AT&T, T-Mobile, Sprint and Verizon all continued to sell access to the sensitive information to so-called “aggregators” without putting adequate safeguards in place, in some cases for more than a year.
In Motherboard’s early 2019 investigative report, bounty hunters were able to get their hands on real-time location data as it trickled down from aggregators for just a few hundred dollars.
The FCC first announced last month that it would issue Notices of Apparent Liability for Forfeiture and Admonishment (NALs) to at least one wireless carrier for violating federal law and at its meeting last week disclosed all four had engaged in the practice.
The agency has proposed the following fines: T-Mobile, $91.6 million; AT&T, $57.3 million; Verizon, $48.3 million; and Sprint, $12.2 million.
The varied amounts for proposed penalties relate to the length of time each carrier continued to sell unauthorized access without reasonable protections in place after becoming aware of the problem, and to the number of entities to which each continued to sell access.
According to the FCC, although exact methods varied, all four carriers appeared to sell customers’ location data to aggregators who then resold it to third-party location-based service providers.
Under FCC rules, carriers are required to get customers' express consent before disclosing information including location data, and carriers are liable for those acting on their behalf. The carriers seem to have left it up to the third parties to obtain consent from customers, relying heavily on “contract-based assurances” that the companies would do so.
T-Mobile had the largest fine and apparently continued to sell the location information for “the better part of a year,” until early February 2019. It had arrangements with two aggregators, LocationSmart and Zumigo, which each had relationships with numerous location-based service providers. In total T-Mobile sold information directly or indirectly to 83 third parties, according to the NAL (PDF).
Information about exactly when AT&T stopped selling access to the data was redacted from its NAL (PDF) (other than it continued to sell information for “nearly a year” after it became aware), as was the number of third-party relationships. Like T-Mobile the NAL noted AT&T’s data aggregator relationships included LocationSmart and Zumigo, as did Sprint’s and Verizon’s.
According to the Notice (PDF), Sprint continued disclosing the data more than a year after having learned of the issue, until May 31, 2019. Sprint sold information directly or indirectly to 86 third parties.
Verizon continued to sell access to location information for “many months” after it was put on notice, until the end of March 2019. The number of its third-party relationships was redacted from its NAL (PDF).
The carriers, which all had pledged to end agreements with location aggregators after public reports surfaced, still have a chance to respond and the penalties aren’t final yet. In some cases, carriers had previously said they would make exceptions for legitimate applications, like location data needed for emergency services and to prevent fraud.
A Sprint spokesperson in emailed comments to FierceWireless said the carrier has received the NAL from the FCC and is in the process of reviewing it.
“We take the privacy and security of our customers very seriously, and are committed to protecting it,” the Sprint spokesperson added.
Representatives for AT&T, T-Mobile and Verizon could not be immediately reached for comment on this story.
“American consumers take their wireless phones with them wherever they go. And information about a wireless customer’s location is highly personal and sensitive. The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information,” said FCC Chairman Ajit Pai in a statement (PDF). “This FCC will not tolerate phone companies putting Americans’ privacy at risk.”
Some commissioners dissent
Not all FCC commissioners, however, were on board with the process or proposed penalty amounts.
FCC Commissioner Jessica Rosenworcel, in her dissenting statement, slammed the agency for moving too slowly in its investigation and said the fines were not nearly enough, pointing to the more than 270 million smartphones in service, noting “this practice put everyone using them at a safety risk.”
“All told, taking nearly two years to address these troubling revelations is a stain on this agency’s public safety record,” Rosenworcel said in her prepared remarks. “It’s a testament to how little it makes privacy a priority.”
Rosenworcel last year called on carriers to provide proof that they had stopped selling customers’ location data and publicized their responses.
She took issue with the amount of the fines, saying the agency engaged in “some seriously bureaucratic math” to discount fines, which disregards the scope of the problem.
The FCC said it would fine carriers every day the practice was ongoing, but Rosenworcel noted each carrier gets a 30-day pass from the calculation, which she asserts was “plucked from thin air.” She also noted that a proposed $40,000 fine is only imposed on the first day, after which it’s only a $2,500 fine for the same violation.
“In sum, it took too long to get here and we impose fines that are too small relative to the law and the population put at risk,” she said.
Commissioner Geoffrey Starks dissented in part, saying that while he was pleased that the agency agreed to take enforcement action, he disagreed with the amount of the fines. He felt that the FCC should have determined the number of customers impacted by the violations and based penalties on that data, stressing that each carrier has tens of millions of customers “that likely had their personal data abused.”
He pointed to evasive language from carriers that they had stopped location sharing programs.
“Despite these statements, each of these carriers continued to sell their customers’ location data for months afterwards,” said Starks in his prepared remarks (PDF).
In particular he called out the amount of T-Mobile’s fine as inadequate, saying it should be higher. The NAL shows T-Mobile was made aware in July 2017 that its contract assurances weren’t working to prevent location aggregators from misusing customer information and the carrier knew that at least one provider was selling customer data to bounty hunters, Starks noted.
“Despite T-Mobile’s knowledge of the problem, it took two months for the carrier to contact the aggregator company about this issue, and even then, T-Mobile only inquired of the aggregator and reminded it of its contractual obligations,” he said, adding that T-Mobile’s proposed penalty amount should reflect its lack of action.