FCC issues wrist-slap fines to carriers that sold your phone-location data, Ars Technica

Getting off easy –

Pai’s FCC fines carriers “less than one one-thousandth” of annual revenue.

Getty Images | Nakhorn Yuangkratoke / EyeEm The big four mobile carriers face fines of between $ 18 million and $ million each for selling their customers’ real-time location data to third-party data brokers without customer consent, Federal Communications Commission Chairman Ajit Pai’s office announced today .

These are “proposed” fines, meaning the carriers can dispute them and try to get them reduced or eliminated. The proposed fines are $ million for T-Mobile, $ million for AT&T, $ 91 million for Verizon, and $ 18 million for Sprint. That’s a total of $ million.

The FCC announcement said the carriers’ punishments are for ‘apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information. ” The FCC said it also “admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.”

Pai said that the FCC has taken “strong enforcement action” with today’s proposed fines. But the two Democrats on the Republican-majority commission said the fines are too low and criticized the Pai-led FCC for secrecy during the investigation.

“The FCC’s investigation is a late day and a dollar short,” Democratic Commissioner Jessica Rosenworcel said in a statement. “The FCC kept consumers in the dark for nearly two years after we learned that wireless carriers were selling our location information to shady middlemen.”

Commissioner Geoffrey Starks, the FCC’s other Democrat, said the FCC’s investigation was extensive enough:

I am concerned that the penalties proposed today are not properly proportioned to the consumer harms suffered because we did not conduct an adequate investigation of those harms. The Notices make clear that, after all these months of investigation, the Commission still has no idea how many consumers’ data was mishandled by each of the carriers. I recognize that uncovering this data would have required gathering information from the third parties on which the carriers’ relied. But we should have done that via subpoenas if necessary.

Fines are tiny portion of revenue

Relative to the carriers’ collective revenue, the fines are “a slap on the wrist amounting to less than one one-thousandth of their annual take, “consumer-advocacy group Free Press said . Revenue in calendar year (was ($) . 2 billion for AT&T; $ 200. 9 billion for Verizon; $ billion for T-Mobile; and $ . 5 billion for (Sprint) . “The carriers have shown an egregious contempt for the law. The Communications Act plainly lists location data as the kind of private information that carriers have a duty to protect and are forbidden to sell without their customers’ permission, “Free Press Senior Policy Counselor Gaurav Laroia said. “Yet the companies showed complete disregard for the law and for our safety in pursuit of a few extra dollars.”

The $ million ( represents little more than the cost of doing business for these carriers, “House Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) said today.

The FCC said the size of each fine was based on how long each carrier sold access to customer-location data without appropriate safeguards and on the number of entities each carrier sold data to. according to Rosenworcel, the FCC is proposing “a $ , 05 fine for the violation of our rules — but only on the first day. For every day after that, it reduces to $ 2, 800 per violation. The FCC heavily discounts the fines the carriers potentially owe under the law and disregards the scope of the problem. ” Rosenworcel also said each carrier was given a ” – day pass, ” eliminating (days worth of fines.) “This 32 – day ‘get-out-of-jail-free’ card is plucked from thin air, “Rosenworcel said.

Location data leaked in

The controversy over location-data sales ramped up in when a security problem (leaked the real-time locations) of US cell phone customers on all four major carriers. Verizon, AT&T, T-Mobile, and Sprint in June pledged to stop selling their mobile customers’ location information to third-party data brokers, but carriers continued the sales until (several months into .

Starks said today’s FCC action “has been too long delayed.”

“From the beginning, it has been difficult to get the facts straight,” Starks said. “The carriers repeatedly told the public that they were stopping their location-sharing program while hiding behind evasive language and contractual terms. For example, on June 21, , Verizon told Senator Ron Wyden, ‘[w] e are initiating a process to terminate our existing agreements for the location aggregator program. ‘ But Verizon didn’t terminate its aggregator agreements until November , and did not end all of its location data sharing programs until April . ”

The FCC said it began its investigation “following public reports that a Missouri Sheriff, Cory Hutcheson, used a ‘location-finding service ‘operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between and . “

Carriers violated opt-in consent rule

The Communications Act requires carriers “to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information , “and” take reasonable measures to discover and protect against attempts to gain unauthorized access to this data, “the FCC said. “The rules also require that carriers or those acting on their behalf generally must obtain affirmative, express consent from a customer before using , disclosing, or allowing access to this data, “the FCC continued. “And carriers are liable for the actions of those acting on their behalf.”

T-Mobile, AT&T, Verizon, and Sprint all “sold access to their customers’ location information to ‘aggregators,’ who then resold access to such information to third-party location-based service providers (like Securus), “the FCC said. “Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ on behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.”

Hutcheson’s access to customer-location information makes it clear that the carriers did not make adequate efforts to safeguard the data, the FCC said. “Yet all four carriers apparently continued to sell access to their customers’ location information without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent,” the FCC said.

The fines were proposed in Notices of Apparent Liability for Forfeiture and Admonishment. They contain allegations that the carriers will be given an opportunity to respond to. The proposed fines set a ceiling — carriers could end up paying less, but the FCC “may not impose a greater monetary penalty in its final resolution,” the announcement said.

The FCC has a poor track record on collecting proposed fines. In March , a Wall Street Journal report found that the FCC had issued $ . 4 million in fines against robocallers since , but collected only $ 6, of that amount.