The U.S. Federal Communications Commission said on Monday that it is fining the four U.S. major wireless carriers around $200 million in total for “illegally” sharing and selling customers’ real-time location data without their consent.
AT&T’s fine is more than $57 million, Verizon’s is almost $47 million, T-Mobile’s is more than $80 million, and Sprint’s is more than $12 million, according to the FCC’s announcement.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” FCC Chairwoman, Jessica Rosenworcel, said in the announcement.
The FCC said its investigative arm, the Enforcement Bureau, concluded that the four companies sold access to its customers’ location data to third party companies, which the FCC called “aggregators,” which in turn resold the location data to other companies. These series of sales and resales effectively created a whole gray market for cell phone subscribers’ historical and real-time location data. Most customers had no idea such a market for their data even existed, let alone consented to the sale of their data.
Cell phone carriers are required by law to “maintain the confidentiality of such customer information and to obtain affirmative, express customer consent before using, disclosing, or allowing access to such information,” the FCC wrote.
The fines come years after investigations by news organizations revealed that the four carriers were sharing this type of data with law enforcement and bounty hunters, among other organizations.
In 2018, The New York Times reported that law enforcement and correction officials across the U.S. used a company called Securus Technologies to track people’s locations. Securus’ solution relied on “a system typically used by marketers and other companies to get location data from major cell phone carriers,” the NYT wrote.
The following year, a Motherboard investigation revealed that bounty hunters could geo-locate any cell phone customer’s location for as little as $300. “These surveillance capabilities are sometimes sold through word-of-mouth networks,” Motherboard’s Joseph Cox, who is now at 404 Media, wrote at the time.
The FCC wrote that despite these public reports, the four carriers failed to put safeguards in place “to ensure that the dozens of location-based service providers with access to their customers’ location information were actually obtaining customer consent,” and kept selling the data.
All four carriers criticized the decision and said they intend to appeal it.
T-Mobile spokesperson Tara Darrow said in a statement that “this industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted.”
Darrow said that T-Mobile, which was merged with Sprint in 2020, will appeal the decision.
“We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it,” the statement read.
AT&T spokesperson Alex Byers also said the company will appeal, and said that the FCC decision “lacks both legal and factual merit.”
“It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review,” Byers said in a statement sent to TechCrunch.
Verizon spokesperson Rich Young said that the “FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision.”
“In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn’t happen again,” the statement read. “Keep in mind, the FCC’s order concerns an old program that Verizon shut down more than half a decade ago. That program required affirmative, opt-in customer consent and was intended to support services like roadside assistance and medical alerts.”
