The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.
The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.
The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.
The commission said it took action after Sen. Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.
That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.
The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.
Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.
“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.
The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.
Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.
A quick calculation shows that this cost the violators in aggregate about 62¢ per customer. That really sends a message, but not a good one. $100 per customer would be a good starting point. It has to be more than the profit of selling location data.
Excellent observation.
If the fine is less than the profits made, then the fine is nothing more than a cost of doing business.
At the very least, it ought to be some low multiple of the prices charged.
Thefines ought to be on top of disgorgement of all profits made from the sale of that data.
That’s it thar a. Bunch of crap
Huh?
Wow. Their wrists mus smart something awful.
That’s not a fine, that’s a cost of doing business. A fine must be prohibitively expensive.
When will companies actually be fined a huge amount for illegal sharing of customer data and individual sys admins be held accountable on a personal level for breaches for for lack of cyber due diligence. Tired of a 1 year credit monitoring and pittance for class action monetary compensation. I want real change.
What about the companies that resell/piggyback on the major carriers, e.g., TimeWarner/Spectrum Mobile that uses Verizon?
Have they been selling location data too? Or was that done by Verizon since it was their cell towers/system carrying the calls?
To further add salt to customers’ wound, there will be a new fee. Something like “Regulatory Compliance fee”. So the customers end up paying the fine.
I also have to wonder if anybody convicted with the aid of location data purchased by police will seek to have their conviction thrown out. They may not be successful, but they will try. After all that evidence must have been obtained illegally.
And these organizations are trusted to secure our online accounts due to the pervasive use of SMS to deliver MFA security codes. May as well use a postcard.
I have a feeling that this slap on the wrist was done because some other agency wants access to that data without a warrant. So they have to make political theater of this case, without completely invalidating the business model. Section 702 mumble mumble…
I wonder if this includes data specific to company or government accounts.
What about cell network “resellers” that use the major networks?
This seems like some lawyers wanting a big payday to reach out to everyone for 4 class action lawsuits. FCC is not working on the people’s interest as it’s a payday for them and not given to the people violated.
Please remember my fine friends that every $1 they pay in fines comes from the very users who were harmed! So once more big corporate bosses escaped felony charges while the dumb ass user pays through the nose. You’ll probably claim their gouging you when the prices go up to cover the cost. Phillip Morris was fined $350+ million but smokers paid a tax on the smokes not the crooks who lied about what they were selling.
Nothing will change until CEOs and other senior executives do prison time. There is no disincentive to act ethically.
This will not stop until CEOs and other senior executives receive jail time. As other comments state, fines are a cost of business, and it is paid by the end users. Lock ‘em up!
The FCC should have quadrupled the fine and sent most of the funds to the 200 million of us who were tracked without permission
Fines won’t fix it. There was more money made selling user info than what the fines work out to be per user impacted. Who pays the fine in the end? Customers. Like another tax. The CEO’s should be held accountable and face jail time for breaking the law. Just like the managers at VW who approved Dieselgate. Things would change a lot more quickly if they made it a crime, not a fine.
Yep.
Correct me if I’m wrong, but aren’t police able to get cell phone records with a warrant?
Yes, police can get cell phone records with a warrant. They can also get them without a warrant if they say it is an emergency (e.g., missing person), and this loophole is widely abused.
I’m a victim of this- someone has been living in a different state using my information to the point they have debt and a serious amount to the IRS I had to go through so many different things just to prove who I am and still have no resolve. I lost my job due to the IRS issues. And they have been doing it since 2018 apparently. Today though I was able to have my bank account unfroze so that was a win.
I hear the teeth of sharks starting to grind when the smell of blood is in the water. To whom precisely did you sell my location information to, carrier? Sadly, the reality in 2024 is that if you don’t want to be geolocated in 2024 you have to go back to the stone age and carry not a smidgen of electronics. At root, that is what we have consented to as a society…
I find Wyden’s high praise of the FCC for issuing a limp slap on the wrist to these carriers for “putting customers’ *lives* and privacy at risk” pretty suspect in itself.
$200 million in fines for criminal reckless endangerment of – well, we don’t know how many people’s lives and privacy were endangered, do we – let’s just call it “countless”. And continuing to do it for many months after being told (like they needed to be told) that this is “probably” illegal?!? And Wyden thinks $200M is even meaningful, let alone adequate, let alone anything approaching real tough punishment?
I’m also curious as to why, or if, this is only a carriers vs the people thing. Any app with location permissions can do this exact same thing on a smaller scale, can they not? And these “aggregators” who do the actual dirty deed, selling us out – where’s the fines and jail time for them? Meta, Alphabet, Apple, Amazon – squeaky clean here, are they?
Oddly enough, on my first attempt posting this, my phone crashed, then took a long time to reboot itself, then “optimized” my apps like it had just restarted after installing a monthly security or Play Store patch – but no patches were downloaded, or necessary. I already installed both the April system/security and April Play Store updates a week ago. And then I got re-notified of texts I’d already been notified of, and read, half a day ago.
I’ve had this phone for 6 months and it’s never crashed before, but ok, phones do odd stuff once in a while. But, that’s some uncanny timing, huh?
Nothing stops cellphone users from turning off the Location setting. If an app wants to use it, a message will appear. If the user wants to allow that, the setting can be returned to Off as soon as that use is done. It won’t stop tracking based on cell-tower analysis, but it will inhibit aggregator uses. For more-detailed insight on how computer and cellphone users are abused by aggregators, including the digital giants like Facebook/Meta, Amazon, Apple, Microsoft and Google, read Prof. Shoshana Zuboff’s book The Age of Surveillance Capitalism, and The Hidden History of Big Brother In America, by Thom Hartmann.
Any idea what is happening north of the border, in Canada, where I live?
Do Bell, Telus, Rogers and others sell location data too?
Bart
These CEO’s should be charged with the murders, robberies and the stalking that are committed behind these tracking methods. The FCC did this a few years ago and it’s still going on. Nothing is happing or stopping it. Fines are nothing when will it end?
Criminal penalties to the C-level is the most effective attention getter.
-The illegal sale of data, should include a return/wipe of the illegal information (w/carrier proof of purge) Monthly fines until compliances should be coupled to this action.
-Since ‘breached’ data keeps on giving, incident of re-use should trigger new fines. Vendors need to wake up.
– the downstream should see the same treatment
Details should be released to customers, and lets kick-in the legal piranha, just like asbestos.
Side note: the strawman rationalization of ‘we signed up for this by using tek’ NO WE DIDNT, predators decided to take advantage of ungoverned areas…thats over
They were mad about the movie 2000 Mules… and someone had to pay!
There is no more privacy or anonymity in the USA anymore if you’re using phones or the internet. It’s pretty sad we live in this authoritarian police state. It’s become even worse under Joe Biden thanks to Democrats
@Jduhjff,
Not that I’m a fan of Biden, but this case started in Feb 2020, Biden had been in office a month. The wireless carriers had been doing this for a long time, it’s hard to blame Biden for that.
so its illegal and they do it anyways…. why not jail time for those involved?
Fining big corporations does little to stop them from behaving badly if it makes money for shareholders and executives. If we really want to stop such behavior, its time to start giving the decision makers (ATT, Sprint and Verion executives) jail time or take away their yachts and second homes. Make them send their kids to public schools. Hurt them!