T-Mobile to fight $91M FCC fine over location data sales

T-Mobile said it intends to fight a $91.6 million fine proposed by the FCC against the carrier related to unauthorized sales of customers’ real-time location data to third parties.

The FCC announced (PDF) last week that it was issuing Notices of Apparent Liability for Forfeiture and Admonishment (NALs) to T-Mobile, AT&T, Sprint and Verizon, with the collective penalties totaling about $209 million.

The agency’s investigation found the carriers violated the law and failed to put adequate safeguards in place, even after learning that sensitive customer data was being resold to third parties (without customer consent) by companies known as data “aggregators” that had agreements with the operators.

“While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this NAL and the associated fine,” said a T-Mobile spokesperson in an emailed statement to FierceWireless.

“We take the privacy and security of our customers’ data very seriously. When we learned that our location aggregator program was being abused by bad actor third parties, we took quick action. We were the first wireless provider to commit to ending the program and terminated it in February 2019 after first ensuring that valid and important services were not adversely impacted,” the spokesperson continued.

Investigative reports over the last couple of years, including by the New York Times and Vice Motherboard among others, revealed that carriers were selling customer location data that then could make its way into unauthorized hands. In Motherboard’s report in early 2019, the outlet was able to buy the real-time location of a T-Mobile device from a bounty hunter for $300, after the information trickled down from carriers to data aggregators and their relationships with third parties.

It should be noted that carriers sometimes share location data for legitimate services like emergency roadside assistance and fraud prevention.

T-Mobile faces the stiffest fine of the four carriers, followed by AT&T ($57.3 million), Verizon ($48.3 million), and Sprint ($12.2 million).

The amount of each proposed penalty relates to the length of time the carrier continued to sell unauthorized access after becoming aware of the problem and the number of companies it gave the information to. Interestingly, the FCC investigation did not delve into how many consumers’ data was affected or misused by each carrier.

All four carriers had pledged as early as 2018 to stop providing location data to third-party brokers.

In its NAL to T-Mobile, the FCC said the operator continued to provide unauthorized access until early February 2019, for “the better part of a year” after learning its safeguards in place weren’t doing enough. T-Mobile had arrangements with two data aggregators, LocationSmart and Zumigo, which in turn had several relationships with location-based services entities. T-Mobile directly or indirectly sold customer location information to 83 third parties, according to the NAL (PDF).

Verizon, meanwhile, continued to sell access to location data until the end of March 2019 and Sprint until May 31. AT&T’s date was redacted from its NAL (PDF), which noted the practice continued “for nearly a year” after the carrier became aware.

FCC Commissioner Geoffrey Starks called out T-Mobile specifically, objecting to the penalty amount as too low.

“It should be higher,” Starks said of T-Mobile’s proposed fine, in prepared remarks (PDF). “I believe that T-Mobile was on notice about the problems with its location data protections back in July 2017 and that the proposed forfeiture amount should reflect that fact – the punishment should fit the crime.”

Carriers still have the opportunity to respond to the NAL, as T-Mobile intends to do, so the penalty and conclusions are not yet final. A Sprint spokesperson said yesterday that the carrier was in the process of reviewing the NAL and reiterated that it takes “the privacy and security of our customers very seriously.”

AT&T and Verizon have not responded to FierceWireless inquiries.