FCC chair Ajit Pai Friday confirmed that the FCC commissioners have now voted to propose fining AT&T, Verizon, Sprint and T-Mobile over $200 million collectively for "apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information."
The vote was 4 to 1, with Commissioner Jessica Rosenworcel dissenting and Commissioner Geoffrey Starks dissenting in part.
Pai said T-Mobile drew the biggest fine at more than $91 million, with AT&T next at $57 million, Verizon at $48 million and over $12 million for Sprint.
The commission also admonished all four, which would be a permanent black mark in their record.
Pai said the items would be released later Friday and called it decisive action to protect American consumers.
The FCC has been investigating carriers' alleged selling/sharing of geographic location information with third party data aggregators, information that reportedly made its way to bounty hunters and others, data their subs can't opt out of because it is used to provide the underlying service.
The Enforcement Bureau said it launched the investigation "following public reports that a Missouri Sheriff, Cory Hutcheson, used a 'location-finding service' operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017."
Pai signaled last month he would be circulating one or more NALS for Forfeiture (essentially a fine) related to its finding.
“This FCC will not tolerate phone companies putting Americans’ privacy at risk," the chairman said in a release issued only minutes after he spoke about the fines at a post-public meeting press conference.
In a release the FCC outlined the relevant law and rules and the results of its investigation.
"The Communications Act requires telecommunications carriers to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information. The FCC’s rules make clear that carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to this data. The rules also require that carriers or those acting on their behalf generally must obtain affirmative, express consent from a customer before using, disclosing, or allowing access to this data. And carriers are liable for the actions of those acting on their behalf.
"All four carriers mentioned above sold access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers (like Securus). Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.
"Hutcheson’s unauthorized access of hundreds of wireless customers’ location information made clear that the carriers’ existing measures to safeguard this data were inadequate. Yet all four carriers apparently continued to sell access to their customers’ location information without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent. Although the carriers had several commonsense options to impose reasonable safeguards (such as verifying consent directly with customers via text message or app), the carriers apparently failed to take the reasonable steps needed to protect customers from unreasonable risk of unauthorized disclosure. The size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.
"The proposed actions, formally called Notices of Apparent Liability for Forfeiture and Admonishment, or NALs, contain allegations that advise the parties on how they have apparently violated the law and set forth a proposed monetary penalty. Neither the allegations nor the proposed sanctions in the NALs are final Commission actions. The parties will be given an opportunity to respond and the Commission will consider the parties’ evidence and legal arguments before taking further action to resolve these matters. The Commission may not impose a greater monetary penalty in its final resolution of whether the parties have violated the law than the amount proposed in the NAL."
Democratic Commissioner Jessica Rosenworcel, who had pushed for the investigation, was underwhelmed with the result and could not support it.
“The FCC’s investigation is a day late and a dollar short," she said. "The FCC kept consumers in the dark for nearly two years after we learned that wireless carriers were selling our location information to shady middlemen. There are more than 270 million smartphones in service in the United States and this practice put everyone using them at a safety risk. The agency proposes a $40,000 fine for the violation of our rules—but only on the first day. For every day after that, it reduces to $2,500 per violation. The FCC heavily discounts the fines the carriers potentially owe under the law and disregards the scope of the problem. On top of that, the agency gives each carrier a thirty-day pass from this calculation. This thirty day “get-out-of-jail-free” card is plucked from thin air."
Democratic Commissioner Geoffrey Starks' dissent in part still counts as a "yes" vote, but with major caveats.
"I am pleased that the Notices of Apparent Liability we vote[d] on today confirm that misuse of customer location data by AT&T, Verizon, Sprint, and T-Mobile violate the Commission’s rules," he wrote in a statement. "These serious violations damaged Americans’ faith in our telephone system, and I am pleased that we have reached bipartisan agreement that enforcement is appropriate here. I cannot fully approve these Notices, however, because in conducting these investigations and determining the appropriate penalty, we lost track of the most important part of our case—the very consumers we are charged with protecting. Because I strongly believe we should have determined the number of customers impacted by the abuses and based our forfeiture calculations on that data—calculations that would have been possible if we had investigated more aggressively—I must dissent in all remaining parts of the item.
One prominent senator was on the same page as Rosenworcel.
“The Trump FCC wants you to think it’s protecting your privacy – don’t be fooled,” said Senator Ed Markey (D-Mass.), who had pushed for an investigation. “For almost two years, the FCC has known that companies were selling real-time location information that could reveal where you live and work. This compromise of our trust and personal information isn’t just a creepy, abstract privacy risk, it is a direct threat to consumers’ physical safety and well-being. Instead of meetings its obligation to come down hard on the wireless carriers that are guilty in this case, the FCC dragged its feet and issued penalties that let these companies off easy. If you own a smart phone, information about where you were at any given moment may have been bought and sold. You deserve better than this decision from the FCC.”
It was at the prodding of House Energy & Commerce Committee Chairman Frank Pallone (D-N.J.) at an FCC oversight hearing that prompted Chairman Ajit Pai to signal fines were coming. The congressman was glad the fines were being proposed, he was not happy with the amounts.
“Today’s notice by the FCC confirms what I have said from the beginning — carriers have a duty to protect consumers’ real-time location data and the FCC must enforce the law in order to protect the personal safety of consumers across the country," he said. "While I am glad the FCC is finally proposing fines for this egregious behavior, it represents little more than the cost of doing business for these carriers. Further, the Commission is still a long way from collecting these fines and holding the companies fully accountable. I will continue to closely monitor this important issue.”