The Federal Communications Commission (FCC) will propose fines for the nation's largest telecom companies for selling the location data of their customers without consent. In all, the FCC says the carriers should pay around $200 million, according to a person familiar with the matter. The Wall Street Journal first reported the fines, and said the action includes AT&T, T-Mobile, Sprint, and Verizon.
The news comes after Motherboard revealed that carriers sold phone location to companies which then provided it to hundreds of bounty hunters and other third-parties.
But some believe that the fines are too low.
"Based on today’s news reports, it seems clear Chairman Pai has failed to protect American consumers at every stage of the game—this issue only came to light after my office and dedicated journalists discovered how wireless companies shared Americans’ locations willy nilly," Senator Ron Wyden said in a statement. "He only investigated after public pressure mounted. And now his response is a set of comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck."
Do you work at the FCC or know anything else about this investigation? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
The FCC found, after an investigation some inside the agency feared would not materialise, that the carriers broke the law by selling the data. The Department of Justice will need to enforce collection of the fines itself, and the telecom companies can appeal the decision.
In 2018 The New York Times and Senator Ron Wyden's office found the carriers sold location information through a string of middlemen companies to government contractor Securus. A former sheriff abused the tool to spy on judges and law enforcement officials. Securus did not properly verify whether users had legal authority to locate phones.
Motherboard then reported a similar company called Captira obtained cell phone location data from all the major carriers and sold it to bail bondsman. In January 2019, Motherboard found a firm called Microbilt sold AT&T, T-Mobile, and Sprint data to bounty hunters, and also offered it to property managers and used car salesmen. Motherboard also bought T-Mobile phone location data on the black market for $300, and reported on leaked documents which showed that hundreds of bounty hunters had access to T-Mobile, Sprint, and AT&T data for years.
In the wake of Motherboard’s reporting all three of those telcos said they were stopping the sale of location data to third-parties. 15 senators called for the FCC and Federal Trade Commission (FTC) to investigate the issue.
In May two commissioners of the FCC said the agency was not being forthcoming with its investigation. Then in November, members of a congressional committee focused on telecoms urged FCC Chairman Ajit Pai to update them on the investigation, as they had "growing concern" that the FCC was failing to enforce laws made to protect consumers' privacy.
Update: This piece has been updated to include more information from a person familiar with the matter.
Subscribe to our cybersecurity podcast, CYBER.