Your mobile network broke the law by selling location data and may be fined millions... or maybe not, shrugs FCC

US watchdog struggles to do its job over illegal sale of folks' whereabouts


It’s been nearly two years since it was first revealed that US cellular networks were selling real-time location data with inadequate safeguards. Late last week, after months of political pressure, the regulator in charge, the FCC, finally revealed the results of an investigation.

“I wish to inform you that the FCC’s Enforcement Bureau has completed its extensive investigation,” FCC chairman Ajit Pai informed lawmakers who demanded to know where the report was three months earlier. “It has concluded that one or more wireless carriers apparently violated federal law.”

Pai’s statement went on: “Accordingly, in the coming days, I intend to circulate to my fellow Commissioners for their consideration one or more Notice(s) of Apparent Liability for Forfeiture in connection with the apparent violation(s). We are unable to provide additional information about any pending enforcement action(s) beyond what is stated in the letter.”

If that seems unusual vague: that “one or more” mobile operators “apparently violated” the law by selling location data, you’re not the only one.

The sale of location data would, in any other era, have provoked outrage and determined federal action. But the FCC’s response to revelations that bounty hunters were buying the real-time location of people for $100 through third-parties, contracted through third-parties with little or no oversight, has been almost complete silence.

That inaction has only added to fears that FCC boss, and former Verizon executive, Pai is not only hesitant to take on the powerful companies that his office is supposed to oversee, but actively defends and supports the industry from behind the scenes.

Third time lucky

The mobile operators were caught not once, not twice, but three times over the course of eight months selling location data without adequate privacy safeguards, despite promising each time to take corrective action.

When caught for the third time, all four operators – AT&T, Sprint, T-Mobile US and Verizon – promised to stop the provision of location data to third parties altogether. But, notably, the promise is not binding and can be lifted at any time.

The issue and the failure by both the mobile companies and the FCC to take it seriously is one factor behind a broader push for federal privacy legislation.

But concerted pressure from lawmakers – who have sent repeated letters to the mobile operators and demanded answers in a series of Congressional hearings, has finally brought a promise of action from the federal regulator. It’s still not clear what that response will be however and those pushing the FCC to investigate remain frustrated.

The chair of the House Energy and Commerce Committee – which oversees the FCC – Frank Pallone (D-NJ) issued a statement: “Following our longstanding calls to take action, the FCC finally informed the Committee today that one or more wireless carriers apparently violated federal privacy protections by turning a blind eye to the widespread disclosure of consumers’ real-time location data. This is certainly a step in the right direction, but I’ll be watching to make sure the FCC doesn’t just let these lawbreakers off the hook with a slap on the wrist.”

For her part, Commissioner Rosenworcel put out a statement saying: “For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data."

"It’s chilling to consider what a black market could do with this data. It puts the safety and privacy of every American with a wireless phone at risk. Today this agency finally announced that this was a violation of the law. Millions and millions of Americans use a wireless device every day and didn’t sign up for or consent to this surveillance. It’s a shame that it took so long for the FCC to reach a conclusion that was so obvious.”

In the dark

It’s still not clear what the FCC will do. We spoke to both Pallone and Rosenworcel’s offices and they both told The Register they have no details beyond the statement made on Friday. As for the FCC itself, it has continued with its entirely unhelpful approach.

We asked the FCC:

  • Why it feels unable to say the number of mobile operators that have broken the law
  • What steps remain for the sale of location data to be deemed an actual violation – as opposed to an “apparent violation” – and who makes that determination
  • Whether the FCC investigation has been completed or if it waiting on feedback from the mobile operators
  • What the precedents are for similar violations
  • Whether there will be a fine and how it will be calculated
  • Whether other measures will be considered against the mobile operators

And in response the FCC gave us… nothing. “We are unable to provide additional information about any pending enforcement action(s) beyond what is stated in the letter,” it told us in a statement.

ostrich

FCC's answer to scandal of AT&T, Sprint, T-Mobile US selling people's location data: Burying its head in the ground

READ MORE

In truth, the FCC letter was likely only sent – on the last day of January – because FCC chair Pai had promised Congress to send some kind of response by January at the latest.

The FCC sometimes keeps the names of those it is placing enforcement actions against private until the action is formally voted on by the five commissioners; though not always. It’s not clear why it has refused to say how many of the main four carriers (soon to be three thanks to another controversial decision by the FCC) are affected.

It’s also not clear why the FCC won’t outline what measures it expected to take, or what precedent it will be using to access any fines, or what process it will be following from this point, or whether the mobile operators still have a say in the process.

In short, the FCC has been dragged to the point where it has been obliged to enforce its own rules and protect the privacy rights of users over the profit incentive of the mobile industry. And it isn’t happy about it, so it’ll be damned if it’s going to tell anyone what it has been forced into doing.

Yes, this is a federal regulator. And yes things really have got this petty. ®

Similar topics


Other stories you might like

  • UK science suffers as lawmakers continue to dither over Brexit negotiations

    Horizons Europe carrot dangled amid protocol wrangling

    A report from the UK House of Commons' European Scrutiny Committee has blamed delays in Brussels for choking off revenue streams to British institutions and businesses.

    The UK departed the European Union following a 2016 referendum. One of the results was that UK businesses were no longer able to tender for lucrative contracts within the bloc.

    The Brexit Divorce Bill uncomfortably laid out the facts back in 2018. The satellite navigation system Galileo was one victim despite substantial involvement from the UK in its development. Another was the Copernicus Earth monitoring programme; the UK was infamously snubbed when the European Space Agency (ESA) handed out six juicy contracts to institutions from the Continent.

    Continue reading
  • Warehouse belonging to Chinese payment terminal manufacturer raided by FBI

    PAX Technology devices allegedly infected with malware

    US feds were spotted raiding a warehouse belonging to Chinese payment terminal manufacturer PAX Technology in Jacksonville, Florida, on Tuesday, with speculation abounding that the machines contained preinstalled malware.

    PAX Technology is headquartered in Shenzhen, China, and is one of the largest electronic payment providers in the world. It operates around 60 million point-of-sale (PoS) payment terminals in more than 120 countries.

    Local Jacksonville news anchor Courtney Cole tweeted photos of the scene.

    Continue reading
  • Everything you wanted to know about modern network congestion control but were perhaps too afraid to ask

    In which a little unfairness can be quite beneficial

    Systems Approach It’s hard not to be amazed by the amount of active research on congestion control over the past 30-plus years. From theory to practice, and with more than its fair share of flame wars, the question of how to manage congestion in the network is a technical challenge that resists an optimal solution while offering countless options for incremental improvement.

    This seems like a good time to take stock of where we are, and ask ourselves what might happen next.

    Congestion control is fundamentally an issue of resource allocation — trying to meet the competing demands that applications have for resources (in a network, these are primarily link bandwidth and router buffers), which ultimately reduces to deciding when to say no and to whom. The best framing of the problem I know traces back to a paper [PDF] by Frank Kelly in 1997, when he characterized congestion control as “a distributed algorithm to share network resources among competing sources, where the goal is to choose source rate so as to maximize aggregate source utility subject to capacity constraints.”

    Continue reading
  • How business makes streaming faster and cheaper with CDN and HESP support

    Ensure a high video streaming transmission rate

    Paid Post Here is everything about how the HESP integration helps CDN and the streaming platform by G-Core Labs ensure a high video streaming transmission rate for e-sports and gaming, efficient scalability for e-learning and telemedicine and high quality and minimum latencies for online streams, media and TV broadcasters.

    HESP (High Efficiency Stream Protocol) is a brand new adaptive video streaming protocol. It allows delivery of content with latencies of up to 2 seconds without compromising video quality and broadcasting stability. Unlike comparable solutions, this protocol requires less bandwidth for streaming, which allows businesses to save a lot of money on delivery of content to a large audience.

    Since HESP is based on HTTP, it is suitable for video transmission over CDNs. G-Core Labs was among the world’s first companies to have embedded this protocol in its CDN. With 120 points of presence across 5 continents and over 6,000 peer-to-peer partners, this allows a service provider to deliver videos to millions of viewers, to any devices, anywhere in the world without compromising even 8K video quality. And all this comes at a minimum streaming cost.

    Continue reading
  • Cisco deprecates Microsoft management integrations for UCS servers

    Working on Azure integration – but not there yet

    Cisco has deprecated support for some third-party management integrations for its UCS servers, and emerged unable to play nice with Microsoft's most recent offerings.

    Late last week the server contender slipped out an end-of-life notice [PDF] for integrations with Microsoft System Center's Configuration Manager, Operations Manager, and Virtual Machine Manager. Support for plugins to VMware vCenter Orchestrator and vRealize Orchestrator have also been taken out behind an empty rack with a shotgun.

    The Register inquired about the deprecations, and has good news and bad news.

    Continue reading
  • Protonmail celebrates Swiss court victory exempting it from telco data retention laws

    Doesn't stop local courts' surveillance orders, though

    Encrypted email provider Protonmail has hailed a recent Swiss legal ruling as a "victory for privacy," after winning a lawsuit that sees it exempted from data retention laws in the mountainous realm.

    Referring to a previous ruling that exempted instant messaging services from data capture and storage laws, the Protonmail team said this week: "Together, these two rulings are a victory for privacy in Switzerland as many Swiss companies are now exempted from handing over certain user information in response to Swiss legal orders."

    Switzerland's Federal Administrative Court ruled on October 22 that email providers in Switzerland are not considered telecommunications providers under Swiss law, thereby removing them from the scope of data retention requirements imposed on telcos.

    Continue reading
  • Japan picks AWS and Google for first gov cloud push

    Local players passed over for Digital Agency’s first project

    Japan's Digital Agency has picked Amazon Web Services and Google Cloud for its first big reform push.

    The Agency started operations in September 2021, years after efforts like the UK's Government Digital Service (GDS) or Australia's Digital Transformation Agency (DTA). The body was a signature reform initiated by Prime Minister Yoshihide Suga, who spent his year-long stint in the top job trying to curb Japan's reliance on paper documents, manual processes, and faxes. Japan's many government agencies also operated their websites independently of each other, most with their own design and interface.

    The new Agency therefore has a remit to "cut across all ministries" and "provide services that are driven not toward ministries, agency, laws, or systems, but toward users and to improve user-experience".

    Continue reading
  • Singaporean minister touts internet 'kill switch' that finds kids reading net nasties and cuts 'em off ASAP

    Fancies a real-time crowdsourced content rating scheme too

    A Minister in the Singapore government has suggested the creation of an internet kill switch that would prevent minors from reading questionable material online – perhaps using ratings of content created in real time by crowdsourced contributors.

    "The post-COVID world will bring new challenges globally, including to us in the security arena," said Minister for Defence Dr Ng Eng Hen at a Tuesday ceremony to award the city-state's 2021 Defense Technology Prize.

    "For operations, the SAF (Singapore Armed Force) has to expand its capabilities in the digital domain. Whether for administrative or operational purposes, I think that we will need to leverage technology to the maximum," he declared.

    Continue reading

Biting the hand that feeds IT © 1998–2021