Congress to FCC: Where’s the damn report on mobile companies selling location data?

It’s been 18 months since it emerged that US mobile companies were selling the location data to their tens of millions of users with little or no oversight, and Congress wants to know what the hell the FCC is doing about it.

In a letter sent on Friday, all Democratic members of the House of Representatives’ Energy and Commerce Committee signed a furious letter to the head of the federal regulator, Ajit Pai, demanding his organization produce an update on what it is doing.

“The Federal Communications Commission (FCC) is failing in its duty to enforce the laws Congress passed to protect consumers ' privacy,” the letter [PDF] bellows. “This Committee has repeatedly urged you to act quickly to protect consumers' privacy interests, and unfortunately you have failed to do so.”

The details behind the sale of location data are extraordinary: all four main carriers have been selling the real-time location of their users to third parties with seemingly no checks or accountability.

The situation blew up in May 2018 when it was revealed that a company called Securus Tehnologies was buying real-time location data on American phone users and selling it to the police with no oversight through an online portal. The situation sparked a letter to the FCC from multiple Congressmen demanding it look into the situation.

It got worse: it turned out that Securus was buying its data from another party, LocationSmart and a security researcher found that LocationSmart was continuing to make that same data available through its own online portal.

And again

In response all the main mobile companies promised to clampdown on the practice - something we and others, including Senator Ron Wyden (D-OR) were extremely skeptical of at the time. And we were right to be, because six months later, in January this year, a journalist was able to pay a bounty hunter $300 to have someone’s phone tracked and located, through yet another third party, Microbilt.

In the ensuing outcry, the mobile phone companies promised for a second time to prevent it from happening. And then just a month later, it emerged that the mobile phone companies has been selling specially protected user location data intended only for emergency services.

Congressmen again sent letters to the FCC demanding that it carry out an investigation, something that the regulator conspicuously failed to do. Incredibly, at the same time that lawmakers were demanding an investigation, the FCC put forward a proposal for even greater and more accurate location data to be stored by mobile phone companies.

And then in May - a year since the original report into the sale of US consumers’ private location data - yet another case emerged where a bounty hunter was able to routinely gain access to targets’ location data by simply calling up the mobile phone companies and asking for it.

And again

Even though the bounty hunter in that case, Matthew Marre, had some inside knowledge about how mobile companies work - rather than access the information through a web portal - the fact remained that he was given real-time location data by simply implying he was law enforcement. Marre successfully persuaded T-Mobile USA to hand over location data for six phone numbers - and caught three bail-jumpers as a result.

In response mobile companies promised for a fourth time that they will stop the sale and unauthorized provision of location data. At which point, lawsuits started flying and mobile operators argued that legal claims over location data has to be resolved through arbitration rather than the courts.

Through all of this, despite numerous demands from lawmakers that the FCC carry out an investigation, nothing has been heard from the federal regulator, and congresscritters are not happy about the situation.

“Despite announcing that it began an investigation into the wireless carriers after being made aware of the allegations in 2018, the FCC has failed, to date, to take any action,” the letter sent today complains.

“And now time is running out since the statute of limitations gives the FCC one year to act. This Committee has repeatedly urged you to act quickly to protect consumers’ privacy interests, and unfortunately you have failed to do so.”

It goes on: “We are concerned that the Commission is shirking its obligation to enforce the Communications Act and the rules it has issued to protect consumers’ privacy.” And it demands “an update on the FCC's investigation into the carriers' disclosure of consumers' real-time location data by November 29, 2019.”

The situation is a remarkable sign of quite how dysfunctional Washington and its supposedly independent federal regulators have become. The FCC, under Pai, has made a long series of decisions that directly benefit mobile companies at the expense of ordinary US citizens: the complete opposite of what it is supposed to do.

As a former executive for the second largest mobile operator, Verizon, observers are furious that Pai continues to be so brazen in favor of his former - and possibly future - employer. The failure of the FCC to do or say anything in favor of consumers when the sale of location data without consent to random third parties is a seemingly obvious abuse of data have only added fuel to that fire.

But it is notable that all signatories to the letter demanding action are Democrats and not a single Republican signed it. The overwhelming partisanship of Washington DC has led to the situation where not even the misuse of highly personal data of American citizens is sufficient to cause politicians to break ranks.

And FCC chair Pai has long since decided that he can rely on those dividing lines to drive forward with his agenda while ignoring anything he doesn’t wish to tackle. ®