America's communications watchdog on Friday suggested it may fine the nation's four major wireless carriers for selling subscribers location data without adequate safeguards to prevent misuse.
AT&T, Sprint, T-Mobile US, and Verizon now have the opportunity to respond to the FCC's proposal, in case they have other ideas on the matter.
The regulator's commissioners will consider the carriers' arguments and evidence before reaching a final determination on the findings in its Notices of Apparent Liability for Forfeiture and Admonishment (NALs).
Back in May 2018, Securus Technologies was found to be buying data about telecom customers' whereabouts and sharing the details with law enforcement agencies. It turned out the firm had obtained the data from another company, LocationSmart, and both outfits were offering the data through online portals.
Senator Ron Wyden (D-OR) asked the FCC to investigate, and while the cellular giants that provided the location records subsequently said they had taken steps to prevent abuse, reports suggested bounty hunters were still able to obtain this sensitive personal data from systems supposedly restricted to authorized law enforcement personnel.
Now, after ongoing pressure from lawmakers, the FCC has finally come up with a plan to penalize America's Big Wireless.
“This FCC will not tolerate phone companies putting Americans’ privacy at risk," said FCC chairman Ajit Pai in a statement.
Your mobile network broke the law by selling location data and may be fined millions... or maybe not, shrugs FCCREAD MORE
Jessica Rosenworcel, one of the five FCC commissioners, suggested the regulator tolerated just that for quite some time and continues to go easy on the phone companies. Pai is an ex-cellular industry executive: he was associate general counsel at Verizon.
"The FCC proposes fining carriers who sold your real-time location data for years," she said in a statement on Twitter. "But this is a day late and a dollar short. Our fines are discounted. It took too long to get here. Americans’ privacy and security deserves the highest level of protection. That didn't happen here."
Under the law, the FCC could have levied far more substantial fines, but the agency has chosen to dial down the penalties it has proposed.
The agency found that all four networks sold customer location data to aggregators who then resold the information to third-party location-based service providers like Securus. The telcos, the agency said, relied on contractual assurances that these third-parties would get permission from wireless carrier customers before accessing their location data.
But the carriers did so "without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent," the FCC said.
AT&T faces a potential fine of $57m – about twice the $29m paid to its CEO Randall Stephenson in 2019; Sprint could be on the hook for $12m; T-Mobile US might have to shed $91m; and Verizon's future bill could come to $48m.
However, after hearing from the companies, the FCC could adjust these amounts – already trivial to these billion-dollar businesses – downward.
T-Mobile US, right now in the process of merging with Sprint, has said it intends to fight the charges.
"We take the privacy and security of our customers’ data very seriously," a T-Mobile US spokesperson said in a statement provided to The Register. "When we learned that our location aggregator program was being abused by bad actor third parties, we took quick action. We were the first wireless provider to commit to ending the program and terminated it in February 2019 after first ensuring that valid and important services were not adversely impacted. While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this NAL and the associated fine."
AT&T, Sprint, and Verizon did not immediately respond to requests for comment. ®