The Federal Communications Commission (FCC) has proposed substantial fines on the nation’s largest wireless carriers, claiming that there was not an adequate effort to secure real-time location data that was sold to third parties. If the fines hold up, the four largest carriers would pay amounts ranging from $12 million to $91 million. While fines of this sort are unprecedented, they may not mean much to companies that collectively bring in almost $400 billion per year.
The fines also do not address the relatively free sale of location data by the wireless carriers to third parties; they are simply a response to sales made to middleman brokers who gave access to just about anyone who could afford to pay.
Location data available to anyone
The stories of middlemen selling location data irresponsibly, and sometimes in violation of the law, date back to 2018. The New York Times reported that a company called Securus was selling location data to law enforcement agencies without verifying that those agencies had a warrant. More stories followed, including a broker selling data freely to corporate clients that allowed prospective customers to “try before they buy” by looking up the current location of any cell phone number through their website.
These companies are generally required to obtain customer consent or see documentation of a lawful law enforcement investigation before granting access to location data. Investigative reporting found that some of these companies were doing neither. And even if they were, for a few hundred dollars more one could enter through a back door by contracting the services of a licensed private investigator or bounty hunter.
This series of investigative reports pressured all of the major carriers into promising not to sell customer location information to these sorts of brokers, but a 2019 Wired report found that they only partially kept this promise. Sales of location data to questionable brokers were scaled back, but not entirely eliminated.
Are the wireless carriers really in trouble?
The four major wireless carriers are being fined a collective $200 million, with the individual amounts based on how long they were found to be selling customer location data. T-Mobile is looking at a fine of $91 million, AT&T would pay $57 million, Verizon would pay $48 million and Sprint would pay $12 million.
With annual revenue of about $33 billion, Sprint is the “poorest” of the major wireless carriers. AT&T and Verizon bring in well over $100 billion per year. None of these fines would make a significant dent in any of the companies’ operating income, except perhaps T-Mobile’s.
The companies would be fined on the basis of FCC regulations that require “reasonable precautions” to safeguard sensitive user data when selling access to it. The wireless carriers cannot delegate full responsibility for protection of this type of information to the parties they sell it to.
However, the wireless carriers have the ability to contest the fine amounts. T-Mobile has already committed to doing so; the other companies have yet to comment.
Critics in Congress contend that FCC chairman Ajit Pai dragged his feet on the investigation, failing to respond until significant public pressure was generated by the news reports. The carriers evaded harsher punishment thanks to the Pai-led elimination of rules proposed by predecessor Tom Wheeler. The rules would have put additional protections in place such as consumer notification requirements and required opt-in consent for sharing of sensitive information.
The investigation that led to the fines went on for well over a year and was conducted with very little transparency. One of the central complaints from critics was that the fine total was based on the number of customer contracts, rather than an actual count of data breaches. One customer was counted as one breach, regardless of how many times their personal information might have been accessed without consent or legal justification.
T-Mobile has indicated that it will challenge the proposed fines on the basis of a belief that the requirements only apply to mobile phone calls and not to data transfers, a contention that would indicate the company feels it has no legal responsibility to protect location data. One of the Republican commissioners said they found the argument “compelling” in spite of voting to levy the fines.
Under Pai, who was appointed by the Trump administration, the FCC has demonstrated a marked trend toward deregulation of the phone companies. Given that, it seems quite possible that these already minimal fines will be reduced even further and will do little to promote significant change in the way the wireless carriers handle user location data. While there may be further restrictions on sale to the most egregious of the data brokers, any cell phone user in the United States should continue to assume they can be tracked for a nominal fee.