THE United States Federal Communications Commission (FCC) today imposed fines totaling nearly $200 million on the four major carriers, including AT&T, Sprint, T Mobile And Verizon — for illegally sharing access to customers’ location information without their consent.
The fines mark the culmination of a more than four-year investigation into the actions of major carriers. In February 2020, the FCC warned the four wireless carriers that their practices of sharing access to customer location data likely violated the law.
The FCC said it found that the carriers each sold access to their customers’ location information to “aggregators,” who then resold access to the information to third-party location service providers.
“In doing so, each operator attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many cases meant that no valid customer consent was obtained” , says an FCC statement on the action. “This initial failure was compounded when, after realizing the ineffectiveness of their safeguards, operators continued to sell access to location information without taking reasonable steps to protect it against unauthorized access .”
The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found that Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Sprint customers’ location data was transmitted to 86 third-party entities and 75 third parties in the case of T-Mobile customers.
The commission said it took action after Senator Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Secure Technologies sold location data on customers of virtually every major cell phone provider to law enforcement.
The same month, KrebsOnSecurity announced that LocationSmart – a data aggregation company working with major mobile carriers – offered a free, insecure online demo of its service that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.
Operators have promised to “end” location data sharing agreements with third-party companies. But in 2019, a report from Vice.com showed that little had changed, detailing how journalists were able to locate a test phone after paying $300 to a bounty hunter who simply purchased the data through a low-cost third-party service. known.
Senator Wyden said no one who signed up for a cell phone plan thought about giving their phone company permission to sell a detailed record of their movements to anyone with a credit card.
“I commend the FCC for following through on my investigation and holding these companies accountable for endangering the lives and privacy of their customers,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million, respectively. AT&T was fined more than $57 million, while Verizon was fined $47 million. Yet these fines represent only a tiny fraction of each carrier’s annual revenue. For example, $47 million is less than 1% of Verizon’s total 2023 wireless revenue of nearly $77 billion.
The fine amounts vary because they were calculated in part based on the number of days carriers continued to share customer location data after being told it was illegal (the agency also took into account the number of active location data sharing agreements with third parties). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times article to end their data-sharing agreements; T-Mobile took 275 days; Sprint continued to share customer location data for 386 days.
Updated, 6:25 p.m. ET: He said the FCC launched its investigation at the request of Senator Wyden.
