February 28, 2020

The U.S. Federal Communications Commission (FCC) today proposed fines of more than $200 million against the nation’s four largest wireless carriers for selling access to their customers’ location information without taking adequate precautions to prevent unauthorized access to that data. While the fines would be among the largest the FCC has ever levied, critics say the penalties don’t go far enough to deter wireless carriers from continuing to sell customer location data.

The FCC proposed fining T-Mobile $91 million; AT&T faces more than $57 million in fines; Verizon is looking at more than $48 million in penalties; and the FCC said Sprint should pay more than $12 million.

An FCC statement (PDF) said “the size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.”

The fines are only “proposed” at this point because the carriers still have an opportunity to respond to the commission and contest the figures. The Wall Street Journal first reported earlier this week that the FCC was considering the fines.

The commission said it took action in response to a May 2018 story broken by The New York Times, which exposed how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.

That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

In response, the carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, Joseph Cox at Vice.com showed that little had changed, detailing how he was able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.

Gigi Sohn is a fellow at the Georgetown Law Institute for Technology Law and Policy and a former senior adviser to former FCC Chair Tom Wheeler in 2015. Sohn said this debacle underscores the importance of having strong consumer privacy protections.

“The importance of having rules that protect consumers before they are harmed cannot be overstated,” Sohn said. “In 2016, the Wheeler FCC adopted rules that would have prevented most mobile phone users from suffering this gross violation of privacy and security. But [FCC] Chairman Pai and his friends in Congress eliminated those rules, because allegedly the burden on mobile wireless providers and their fixed broadband brethren would be too great. Clearly, they did not think for one minute about the harm that could befall consumers in the absence of strong privacy protections.”

Sen. Ron Wyden (D-Ore.), a longtime critic of the FCC’s inaction on wireless location data sharing, likewise called for more stringent consumer privacy laws, calling the proposed punishment “comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck.”

“Time and again, from Facebook to Equifax, massive companies take reckless disregard for Americans’ personal information, knowing they can write off comparatively tiny fines as the cost of doing business,” Wyden said in a written statement. “The only way to truly protect Americans’ personal information is to pass strong privacy legislation like my Mind Your Own Business Act [PDF] to put teeth into privacy laws and hold CEOs personally responsible for lying about protecting Americans’ privacy.”


29 thoughts on “FCC Proposes to Fine Wireless Carriers $200M for Selling Customer Location Data”

  1. Phil

    The quote from the FCC sounds more like the fines are because the sales were being conducted without proper safeguards, and not because the location data was being sold

  2. The Sunshine State

    I don’t think the big cell telecoms have to sell data, the NSA has been scooping up phone business record data for years now under Section 215 of the USA Patriot Act and that’s coming from Ed Snowden

    1. PHP

      Sure the NSA has the data.
      Telecoms are likely using the API they developed for NSA to sell the same data to anybody who wants to pay, thus recovering the development cost.

      I do not understand why US citizens can not see that the US is NOT a true democracy. All decisions are made by corporations, and their right of more profits comes above the rights of any citizen.

  3. Larry

    Meh. I’m such a pessimist, I don’t see anything changing.
    On a different topic, I finished reading Snowden’s book “Permanent Record” & am now reading Glenn Greenwald’s “Nowhere to Hide”.
    Both are Interesting!!

  4. bill

    I’m still angry that companies like Equifax leaked data, and then turned it into a profit center to protect us from their actions.

    Accountability of the Board of Directors would make this change in a heartbeat.

  5. Gromit45

    The carriers will raise rates to annually cover the fines so to maintain business as usual.

  6. Chris

    And the starlink will launch and we can give the finger to the carriers who think that they can pass on that price.

  7. Mikey Doesn't Like It

    $200-million?

    Given those companies’ annual revenues and balance sheets, that’s about the equivalent of a ticket for jaywalking.

    And from what I’ve heard, most jaywalkers are repeat offenders. (I know I am.)

    Plus, given that most Boards of Directors are figureheads who are typically asleep at the switch, I wouldn’t expect them to change one iota.

    1. Winston

      In addition, who actually pays the fine? Their customers through increased cost for services!

      Since corporations are artificial persons, we need something like a three strikes and you’re out system. X number of strikes and your corporate charter is withdrawn making each CEO/CFO/etc. personally liable. Then, it’s JAIL TIME for their company’s next violation rather than being let go with a golden parachute.

    2. JimV

      This $200M is at least an order of magnitude too low to be an effective sanction and deterrent.

    3. KoSReader600000

      “U.S. Federal Communications Commission (FCC) today proposed fines of more than $200 million against the nation’s four largest wireless carriers (AT&T, Verizon, T-Mobile, Sprint – see Brian’s link to the FCC’s pdf)”-Brian Krebs

      I have to agree with “Mikey Doesn’t Like It.” That is too small of a sanction given the revenues of all four Telecom companies. But, it is a starting point.

      “…critics say the penalties don’t go far enough to deter wireless carriers from continuing to sell customer location data….”- Krebs on Security

      Again, I agree with the critics. See my reasons below. The FCC’s fine is too small to cause the Big Four Telco’s, AT&T, T-Mobile, Verizon, and Sprint to change their abusive monopolistic tactics.

      Back of the envelope numbers:

      AT&T, Revenue US $181.756 billion (2019) – Wikipedia (see: ht ts://en.wikipedia[.]org/wiki/AT%26T )

      T-Mobile, Revenue US $40.6 Billion (2017) – Wikipedia

      Verizon, Revenue US $130.86 billion (2018) – Wikipedia

      Sprint, Revenue US $33.60 billion (2019)

      Total revenue of the Big four is about $386.816 billion or about 387,000,000,000 dollars US. The FCC’s fines are in the single digit percent range of the big four Telco’s revenue (AT&T, T-Mobile, Verizon, and Sprint).

      That is of little to no help to poor families whose car was re-possessed by a bounty hunter or a guy who lost millions of dollars on a port-out scam basically facilitated by Big Telcos selling location data via front companies.

      Here is an example of AT&T claiming to Never sell their customers real time location – yet doing the opposite.

      AT&T:

      “Our Privacy Commitments…We Will not sell your personal information to anyone, for any purpose Period. ” – AT&T

      Page 58 of EFF lawsuit.
      https://www.documentcloud[.]org/documents/6200226-EFF-and-Pierce-Bainbridge-AT-T-Class-Action.html

      [Or]

      https://assets.documentcloud[.]org/documents/6200226/EFF-and-Pierce-Bainbridge-AT-T-Class-Action.pdf

      see comments on AT&T Telco’s real-time location data sales and resulting lawsuit that follow:

      https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/comment-page-1/#comment-494377

      and/or

      https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/comment-page-1/

      See: Brian’s good post entitled “Who Owns Your Wireless Service? Crooks Do.-Brian Krebs”

      https://krebsonsecurity[.]com/2019/08/who-owns-your-wireless-service-crooks-do

      See all of Brian’s posts related to Securus:

      Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials. Just follow Brian’s story.

      Most importantly, are Basic legal rights in the US Constitution and basic moral obligations:

      “…for many of us location privacy is priceless because, without it, almost everything else we’re doing to safeguard our privacy goes out the window… It won’t be enough until lawmakers in this Congress step up and do their jobs — to prevent the mobile providers from selling our last remaining bastion of privacy in the free world to third party…” -Brian Krebs

      I agree with Brian Krebs and I agree with other posters. Further, make the 200 million dollar fine 5 times or ten times higher. The Telco’s and share holders will get the message. Just my 2 cents.

      Links broken for safety.

  8. Scott

    Where do these fines end up? FCC fines carriers $200m to ‘protect’ consumers. FCC pockets money. Carriers raise rates to cover near inconsequential fines. Seems like a two-party protection racket to me.

    1. JimV

      The fines will be deposited into the General Treasury and distributed accordingly into all the various programmatic categories authorized by Congress, unless there is some specific action for these specific funds which Congress (and not the FCC) deems appropriate.

      So rather than being devoted to something like improving broadband access to rural areas or enhancing network and Internet user security, those funds will basically go to (slightly) defray the country’s annual operating deficit and (slightly) retard the increasing growth in accrued outstanding debt.

    2. Mahhn

      always has been, and isn’t going to change :/

  9. MattK

    The ex-Verizon lawyer goes easy on Verizon. Who could have guessed.

  10. Red Hat

    The FCC is a law enforcement joke. Pai face is a trump stooge and doesn’t show he actually cares about the public. The DO NOT CALL enforcement is DO NOTHING. The robocalling scams continue and nobody is punished. You can make all the laws in the world but they are a joke without enforcement. I support local law enforcement using cell phone location information. I do not support selling it. Often local police are trying to locate somebody in danger or wanted for serious crimes.
    They should be supported in their investigations.

    1. Justin

      In the past, LEO’s needed to get a warrant and follow due process to get the locations.

      Now, they could just purchase it, usually based on a monthly subscription.

  11. sue jones 345 davis st waco

    The fact that law enforcement and FBI/CIA have access to data is one thing.
    But offering it for sale to anyone is quite different and worse.
    That means a domestic violence criminal can find his victim.
    That means the mafia can find you.
    That means the KGB can find you.
    That means your employer or potential employer can find you.

    I might not like the CIA having my data…. but I’m much more fearful about them selling it to all the criminals in the world.

  12. Rene

    For anyone in developed countries the US is a joke when it comes to privacy of any sorts.

    $200m fine for actively selling sensitive customer data…
    Meanwhile the EU is fining Google and Facebook billions in fines for, compared to this, minor infractions.

    In relation to “I am ok with CIA / FBI / NSA having my data” – why? Innocent until proven guilty implies that the data would need to be asked for upon proven suspicion, not just because they can!

    However, when talking to US citizens they have always, so far, given me the “if you have nothing to hide, then what’s the problem” answer. Brain washing completed is all I am saying.

  13. Bob

    Way too low! A minimum of $1B per provider. For a second offense, the firms lose their wireless spectrum license with them unable to bid to get it back.

  14. private c

    When Sen. Wyden speaks about protecting personal data, everyone in Washington should listen and follow his lead.

  15. Mahhn

    Fines are taxes that companies don’t mind paying.
    The only way to enforce these laws is to give jail time.
    Otherwise, it’s just the cost of doing business and business practices will continue under that model.
    A couple billionaires land in the average jail and the abuse would end – and that ain’t gonna happen.

  16. Bob G

    FCC: So, AT&T what you are doing is bad. How much money did you make off selling the data?

    AT&T: Not a penny over $70 million

    FCC: Very good, your fine is…well…how does $57 million sound?

    AT&T: Ouch! You’re killing us, but we’ll take it. 😉

    FCC: 😉

  17. Rebecca Roberts

    Hey, how about instead making them pay the 200 million to those victimized by their data being sold.

    1. sue jones 345 davis st waco

      How about paying back the Domestic Violence victim who was murdered.
