On Friday, 11 democratic members of a congressional committee focused on telecoms urged FCC Chairman Ajit Pai to update them on the Commission's investigation into how phone carriers sold the real-time location data of their customers. The members noted they have "growing concern" the FCC is failing to enforce laws designed to protect consumer privacy. As Motherboard revealed, those data sales included to bounty hunters and others without phone users' consent.
The news highlights how the FCC is seemingly dragging its feet or not being forthcoming about its investigation, while the period of time to investigate the issue quickly runs out.
"Despite announcing that it began an investigation into the wireless carriers after being made aware of the allegations in 2018, the FCC has failed, to date, to take any action. And now time is running out since the statute of limitations gives the FCC one year to act," a letter the democratic members of the Committee on Energy and Commerce, Subcommittee on Communications and Technology sent to the FCC on Friday reads. Motherboard obtained a copy of the letter before its publication.
"We write regarding our growing concern that the Federal Communications Commission (FCC) is failing in its duty to enforce the laws Congress passed to protect consumers’ privacy. This Committee has repeatedly urged you to act quickly to protect consumers’ privacy interests, and unfortunately you have failed to do so," the letter adds.
Do you work at the FCC? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The issue centers around several recent revelations of the location data industry. In 2018, the New York Times and Senator Ron Wyden found that major carriers were selling real-time location data through a middleman company to a firm called Securus, which then sold it to low level enforcement who used it without a court order. A few months later, Motherboard found this trade expanded to private individuals and businesses, and paid a bounty hunter $300 to track a mobile phone's location. Then in February Motherboard revealed one company had sold AT&T, T-Mobile, and Sprint location data to hundreds of bounty hunters for years, including highly precise A-GPS data. The carriers said they stopped selling the data earlier this year.
After Motherboard's initial report, 15 senators called on the FCC and FTC to investigate the sale of data to bounty hunters. The FCC said it would.
The FCC has stonewalled that investigation at various points though. In May Motherboard reported the FCC was withholding key information about the investigation from its Commissioners. Gizmodo then reported how other Congress members protested the FCC's inaction. Pai also refused a request for an emergency briefing on the issue from the Committee that penned this most recent letter.
The Subcommittee letter gives the FCC until November 29 to provide an update on the investigation.
An FCC spokesperson wrote in an email, "We’ve received the letter and are reviewing it. I don’t have a further comment."
Update: This piece has been updated to include comment from the FCC.
Subscribe to our new cybersecurity podcast, CYBER.