On Monday, April 29th, the United States Federal Communications Commission (FCC) fined some of the most popular wireless data carriers for “illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure” (FCC).
What Happened?
Back in 2018, “U.S. Senator Ron Wyden first highlighted the use case which launched the agency’s investigation” (FCC). Throughout the course of the investigation, the FCC discovered that “each carrier sold access to its customers’ location information to ‘aggregators,’ who then resold access to such information to third-party location-based service providers” (FCC). The FCC asserts that “each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained” (FCC). Essentially, the wireless data carriers would sell customer data to these aggregate companies, who would then freely resell this information. Thus, while the wireless carriers were not directly selling customer information to just anyone who wished to buy it, they were selling it to other companies that would.
Under the law, including section 222 of the Communications Act, carriers are required to take reasonable measures to protect certain customer information, including location information. Carriers are also required to maintain the confidentiality of such customer information and to obtain affirmative, express customer consent before using, disclosing, or allowing access to such information. These obligations apply equally when carriers share customer information with third parties.
FCC
The carriers were previously made aware of this breach of confidentiality, however, “even after being made aware of this unauthorized access, all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that the dozens of location-based service providers with access to their customers’ location information were actually obtaining customer consent” (FCC).
What is the Penalty?
Each of the companies received a different monetary fine as a result of their actions. Specifically, “Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million” (FCC).
Considerations and Dissent
This sale of data can be considered a breach of confidentiality as well as data and personal security. FCC Chairwoman Jessica Rosenworcel mentioned the following in her statement:
Our smartphones are always with us, and as a result these devices know where we are at any given moment. This geolocation data is especially sensitive. It is a reflection of who we are and where we go. In the wrong hands, it can provide those who wish to do us harm the ability to locate us with pinpoint accuracy.
Rosenworcel
However, some members of the FCC disagree with these fines. Commissioner Brendan Carr states that he “cannot support… [the] Orders. This is not to say that the carriers’ past conduct should escape scrutiny by a federal agency. Rather, given the nature of the services at issue, the Federal Trade Commission, not the FCC, would have been the right entity to take a final enforcement action, to the extent the FTC determined that one was warranted” (Carr). Carr also notes that “for more than a decade, location-based service (LBS) providers have offered valuable services to consumers, like emergency medical response and roadside assistance” and that “LBS providers did so by obtaining access to certain location information from mobile wireless carriers like AT&T, Verizon, and T-Mobile” (Carr). He argues that, while some of these LBS providers may have misused their data, penalties should not be applied as a whole to the wireless carriers for these misuses, especially since the data being shared could potentially save lives.
Nathan Simington, another commissioner of the FCC, also expressed his dissent. He states that “it cannot credibly be argued that any of the mobile network operators, in operating an LBS/aggregator program, committed more than one act relevant for the purposes of forfeiture calculation” (Simington). Essentially, Simington argues that attempting to apply a uniform punishment to all of these carriers is improper, given that the case of each individual carrier is different. Thus, a more nuanced and case-by-case basis approach should instead be taken. Furthermore, he argues that “at every moment, any of thousands of unregulated apps may pull GPS location information, Wi-Fi and Bluetooth signal strength, and other fragments of data indicating location from customer handsets at every moment the device is on” all without consumer permission (Simington). This is, unfortunately, true, as there are many applications or software that purposefully collect more data that necessary in order to sell it for additional profit. Finally, he states that the FCC has chosen “to appear ‘tough on crime’ in a way that actually reduces consumer data privacy by pushing legitimate users of location data toward unregulated data brokerage”.
Resources & Further Reading
Carr, Brendan. “Federal Communications Commission FCC 24-40 Dissenting Statement of Commissioner Brendan Carr.” United States Federal Communications Commission, 17 Apr. 2024.
FCC. “FCC Fines AT&T, Sprint, T-Mobile, and Verizon Nearly $200 Million for Illegally Sharing Access to Customers’ Location Data.” United States Federal Communications Commission, 29 Apr. 2024.
Rosenworcel, Jessica. “Federal Communications Commission FCC 24-40 Statement Of Chairwoman Jessica Rosenworcel.” United States Federal Communications Commission, 17 Apr. 2024.
Simington, Nathan. “Federal Communications Commission FCC 24-40 Dissenting Statement of Commissioner Nathan Simington.” United States Federal Communications Commission, 17 Apr. 2024.
The H.A.C.K.E.R. Project 
Leave a comment