The Federal Communications Commission today said it fined T-Mobile, AT&T, and Verizon $196 million "for illegally sharing access to customers' location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure."
The fines relate to sharing of real-time location data that was revealed in 2018. The FCC proposed the fines in 2020, when the commission had a Republican majority, and finalized them today.
All three major carriers vowed to appeal the fines after they were announced today. The three carriers also said they discontinued the data-sharing programs that the fines relate to.
The fines are $80.1 million for T-Mobile, $57.3 million for AT&T, and $46.9 million for Verizon. T-Mobile is also on the hook for a $12.2 million fine issued to Sprint, which was bought by T-Mobile shortly after the penalties were proposed over four years ago.
Today, the FCC summarized its findings as follows:
The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers' location information to "aggregators," who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained. This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.
“Shady actors” got hold of data
The problem first came to light with reports of customer location data "being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a 'location-finding service' operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals," the FCC said.
AdvertisementChairwoman Jessica Rosenworcel said that news reports in 2018 "revealed that the largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors. This ugly practice violates the law—specifically Section 222 of the Communications Act, which protects the privacy of consumer data."
For a time after the 2018 reports, "all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that the dozens of location-based service providers with access to their customers' location information were actually obtaining customer consent," the FCC said.
The three carriers are ready to challenge the fines in court. "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted," T-Mobile said in a statement provided to Ars. "We take our responsibility to keep customer data secure very seriously and have always supported the FCC's commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it."
AT&T and Verizon also plan appeal
AT&T issued a statement saying the FCC order "unfairly holds us responsible for another company's violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company's failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review."
Verizon said today that "when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn't happen again." Verizon said the now-shuttered program "required affirmative, opt-in customer consent and was intended to support services like roadside assistance and medical alerts."
The fines were proposed in 2020 in Notices of Apparent Liability issued to each carrier. The companies provided responses to the FCC, which took the carriers' comments into consideration in the forfeiture orders released today. The T-Mobile fine was lowered from $91.6 million to $80.1 million, and the Verizon fine was lowered from $48.3 million to $46.9 million, but the AT&T and Sprint fines remained the same.
Republicans dissent
The fines may have been delayed by the 2-2 partisan deadlock the commission operated under until September 2023. Although the fines were originally proposed when the FCC was controlled by Republicans, the vote to finalize the penalties was 3-2 with dissents from Republicans Brendan Carr and Nathan Simington.
AdvertisementSimington argued that the FCC is "sending a strong market signal that any alleged violation... can and will result in an outsize fine," which "effectively choke[s] off one of the only ways that valid and legal users of consent-based location data services had to access location data for which legal safeguards and oversight actually exist."
Carr said he supported the 2020 notices "so we could investigate the facts and determine whether or not the carriers had violated any provisions of the Communications Act," but doesn't support the final orders.
The fines are unfair, Carr said, because the commission "has never held that location information other than 'call location information' constitutes CPNI [Customer Proprietary Network Information]. Nor has the FCC stated that a carrier might be liable under our CPNI rules for location information unrelated to a Title II service and collected outside the Title II relationship. So, even if we could proscribe the conduct at issue here through a rulemaking (and I am dubious that we could), it would be inappropriate and unlawful to impose the retroactive liability that these Orders do."
The FCC forfeiture orders note that the Communications Act defines CPNI as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship." Phone location data falls within this definition, the FCC said.
Rosenworcel's statement pointed out that the fines "were first proposed by the last Administration. By following through with this order, we once again make clear that wireless carriers have a duty to keep our geolocation information private and secure."
