The U.S. Federal Communications Commission said Monday it is fining the four major U.S. wireless carriers a total of about $200 million for “illegally” sharing and selling customers’ real-time location data without their consent have.
The penalty for AT&T is more than $57 million, for Verizon nearly $47 million, for T-Mobile more than $80 million and for Sprint more than $12 million, the statement said FCC.
“Our communications providers have access to some of the most sensitive information about us. These operators have failed to protect the information entrusted to them. This is about some of the most sensitive data in their possession: real-time customer location information that shows where they are going and who they are,” FCC Chairwoman Jessica Rosenworcel said in the announcement.
The FCC said its investigative arm, the Enforcement Bureau, concluded that the four companies sold access to their customers’ location data to third-party companies, which the FCC described as “aggregators,” which in turn resold the location data to other companies . This series of sales and resales effectively created an entire gray market for mobile subscribers’ historical and real-time location data. Most customers had no idea such a market for their data even existed, let alone agreed to sell their data.
Wireless carriers are required by law to “maintain the confidentiality of such customer information and to obtain the customer’s express consent before using, disclosing or providing access to such information,” the FCC wrote.
The fines come years after investigations by news organizations revealed that the four airlines shared this type of data with law enforcement and bounty hunters, among others.
In 2018, The New York Times reported that law enforcement and corrections officials across the U.S. were using a company called Securus Technologies to track people’s locations. Securus’ solution was based on “a system typically used by marketers and other companies to obtain location data from major wireless carriers,” the NYT wrote.
The following year, an investigation by Motherboard found that bounty hunters could geolocate the location of any cell phone customer for as little as $300. “These surveillance capabilities are sometimes sold through word-of-mouth networks,” wrote Motherboard’s Joseph Cox, now at 404 Media, at the time.
The FCC wrote that despite these public reports, the four carriers failed to implement safeguards “to ensure that the dozens of location-based service providers with access to their customers’ location information were actually obtaining consent from customers” and continued to sell the data.
All four airlines criticized the decision and said they planned to appeal.
T-Mobile spokeswoman Tara Darrow said in a statement: “This industry-wide third-party location-based aggregator program was discontinued more than five years ago after we took steps to ensure critical services such as roadside assistance, fraud protection and emergency response were provided. “Wouldn’t be disturbed.”
Darrow said T-Mobile, which merged with Sprint in 2020, would appeal the decision.
“We take our responsibility for the security of customer data very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong and the fine is excessive. We intend to appeal it,” the statement said.
AT&T spokesman Alex Byers also said the company would appeal, saying the FCC’s decision “lacks both legal and factual merit.”
“It unfairly blames us for another company’s violation of our contractual consent obligations, ignores the immediate steps we took to address that company’s failures, and perversely penalizes us for providing life-saving location services such as emergency medical alerts and Support roadside assistance provided by the company.” The FCC itself has previously encouraged this. We expect to appeal the order after conducting a legal review,” Byers said in a statement sent to TechCrunch.
Verizon spokesman Rich Young said that “the FCC’s order is incorrect both factually and legally, and we plan to appeal this decision.”
“In this case, when a criminal gained unauthorized access to information from a very small number of customers, we quickly and proactively took down the fraudster, shut down the program and ensured that something like this could not happen again,” the statement read . “Keep in mind that the FCC’s order affects a legacy program that Verizon discontinued more than half a decade ago. This program required positive customer consent and was intended to support services such as roadside assistance and medical alerts.”