The US Federal Communications Commission (FCC) today imposed fines totaling nearly $200 million on four major carriers, AT&T, Sprint, T-Mobile and Verizon, for illegally sharing access to customers’ location information without consent.
The fines represent the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC served notice to all four wireless providers that their practices of sharing access to customer location data were potentially violating the law.
The FCC said it found that each carrier sold access to its customers’ location information to ‘aggregators,’ who then sold access to the information to third-party location-based service providers.
A statement from the FCC on the action said, “In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many cases meant that no legitimate customer consent was obtained.” “This initial failure was compounded when, after it became known that their security measures were ineffective, carriers continued to sell access to location information without taking appropriate measures to protect against unauthorized access.”
For example, the FCC’s findings against AT&T show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found that Verizon sold (indirectly or directly) access to customer location data to 67 third-party entities. The location data found its way to 86 third-party entities for Sprint customers, and to 75 third parties in the case of T-Mobile customers.
The Commission said it took action after Senator Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies was selling location data on customers of virtually any major mobile provider to law enforcement officials.
That same month, KrebsOnSecurity reported that LocationSmart — a data aggregation firm that works with major wireless carriers — had a free, unsecured demo of its service online that anyone could misuse to trace the exact location of almost any mobile phone in North America.
The carriers promised to “stop” location data sharing agreements with third-party companies. But in 2019, reporting on Vice.com revealed that little had changed, detailing how journalists were able to locate a test phone after paying $300 to a bounty hunter, who purchased the data through a little-known third-party service.
Sen. Wyden said no one who signed up for a cell plan thought they were giving their phone company permission to sell detailed records of their activities to anyone with a credit card.
“I applaud the FCC for stepping up its investigation and holding these companies accountable for putting consumers’ lives and privacy at risk,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million, respectively. AT&T was fined more than $57 million, while Verizon was fined $47 million. Still, these fines represent a small portion of each carrier’s annual revenue. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was approximately $77 billion.
The amounts of the fines vary because they are calculated partly based on the number of days that carriers continued to share customer location data after being informed that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to terminate their data sharing agreements; T-Mobile took 275 days; Sprint continued to share customer location data for 386 days.
Update, 6:25pm ET: Clarified that the FCC initiated its investigation at the request of Senator Wyden.