The U.S. Federal Communications Commission announced Monday that it is fining the four major U.S. wireless carriers about $200 million in total for “unlawfully” sharing and selling customers’ real-time location data without their consent.
AT&T’s fine is more than $57 million, Verizon’s is almost $47 million, T-Mobile’s is more than $80 million, and Sprint’s is more than $12 million. according to the FCC announcement.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we’re talking about some of the most sensitive data in their possession: real-time location information about customers, revealing where they go and who they are,” FCC Chair Jessica Rosenworcel said in the release.
The FCC said its investigative arm, the Enforcement Bureau, concluded that the four companies sold access to its customers’ location data to third-party companies, which the FCC called “aggregators,” which in turn resold the data location to other companies. These series of sales and resales essentially created an entire gray market for the historical and real-time location data of mobile phone subscribers. Most customers had no idea there was such a market for their data, let alone consented to the sale of their data.
Carriers are required by law to “maintain the confidentiality of this customer information and obtain the customer’s affirmative, express consent before using, disclosing or allowing access to this information,” the FCC wrote.
The fines come years after investigations by news organizations revealed that the four carriers shared this type of data with law enforcement and bounty hunters, among other organizations.
In 2018, the New York Times reported that law enforcement and corrections officials across the US used a company called Securus Technologies to track people’s locations. Securus’ solution was based on “a system commonly used by merchants and other companies to obtain location data from major mobile carriers,” the NYT wrote.
Next year, motherboard research revealed that bounty hunters could geo-locate any cell phone customer for as little as $300. “These surveillance capabilities are sometimes sold through word-of-mouth networks,” said Motherboard’s Joseph Cox, who is now at 404 Mediahe wrote then.
The FCC wrote that despite these public reports, the four carriers failed to implement safeguards “to ensure that the dozens of location service providers with access to their customers’ location information actually obtained customer consent” and continued to sell the data.
All four carriers criticized the decision and said they plan to appeal.
T-Mobile spokeswoman Tara Darrow said in a statement that “this program of third-party location-based services across the industry was discontinued more than five years ago after we took steps to ensure that critical services such as roadside assistance, fraud protection and emergency response would not be disrupted.”
Darrow said T-Mobile, which merged with Sprint in 2020, will appeal the decision.
“We take our responsibility to keep customer data safe very seriously and always support the FCC’s commitment to consumer protection, but this decision is wrong and the fine is excessive. We intend to challenge it,” the statement said.
AT&T spokesman Alex Byers also said the company would appeal and said the FCC’s decision “lacks legal and factual merit.”
“It unfairly holds us responsible for another company’s breach of our contractual consent requirements, ignores the immediate steps we took to address that company’s failures, and penalizes us for supporting life-saving location services such as emergency medical alerts and roadside assistance that The FCC itself previously encouraged. We expect to appeal the order after conducting a legal review,” Byers said in a statement sent to TechCrunch.
Verizon spokesman Rich Young said “the FCC’s order is wrong on both the facts and the law, and we plan to appeal this decision.”
“In this case, when a bad actor gained unauthorized access to information related to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this could not happen again,” the statement read. “Please note that the FCC’s order concerns an old program that Verizon shut down more than half a decade ago. This program required affirmative customer consent and was intended to support services such as roadside assistance and medical alerts.”