The Federal Communications Commission (FCC) has accused the nation's largest wireless carriers of illegally sharing access to customers' location information without their consent and without taking reasonable steps to protect that information from unauthorized disclosure, and has imposed fines on the carriers.
Shared access to customer location data by wireless carriers
Sprint and T-Mobile, which have merged since the investigation began, face fines of more than $12 million and $80 million, respectively. AT&T will be fined more than $57 million, and Verizon will be fined about $47 million.
“Our communications providers have access to some of the most sensitive information about us. These carriers have failed to protect the information entrusted to them. We're talking about some of the highest data in the world. It's the real-time location of customers, revealing where they go and who they are,” said FCC Chairwoman Jessica Rosenworcel. “In resolving these cases, which were first proposed by the previous administration, the Commission continues to hold all carriers accountable and ensure that they fulfill their obligations to their customers as custodians of this most sensitive data. I will do my best to make it happen.”
An FCC Office of Enforcement investigation into four carriers found that each carrier sold access to its customers' location information to “aggregators,” which then resold access to that information to third-party location service providers. In doing so, carriers attempted to shift the burden of obtaining customer consent to downstream recipients of location information, but in many cases valid customer consent was not obtained.
This initial failure was made even worse when, after realizing that their own security measures were ineffective, carriers continued to sell access to location information without taking reasonable steps to protect it from unauthorized access.
Under the law, including Section 222 of the Communications Act, carriers are required to take reasonable steps to protect certain customer information, including location information. Carriers are also required to maintain the confidentiality of such customer information and obtain affirmative, explicit customer consent before using, disclosing, or allowing access to such information. These obligations also apply when carriers share customer information with third parties.
“The protection and use of sensitive personal data, such as location information, is sacrosanct,” said Royan A. Egal, FCC Director of Enforcement and Chair of the Privacy and Data Protection Task Force. “If it falls into the wrong hands or is used for nefarious purposes, we are all at risk. Foreign adversaries and cybercriminals have made it a priority to obtain this information. Ensuring that service providers have reasonable safeguards to protect their customers' location data and valid consent for its use is a top priority for the Enforcement Directorate.”
Wireless carriers continued to sell access to location data
The investigation that led to these fines was initiated in response to public reports that the largest wireless carriers in the United States were disclosing customers' location information, without the customers' consent or other legal permission, to the Missouri State Sheriff's office through a “location service” operated by Securus, a provider of communications services to correctional facilities, to track the location of large numbers of individuals.
However, even after learning of this unauthorized access, all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that the dozens of location service providers with access to their customers' location information did in fact have those customers' consent.
The forfeiture order announced finalizes the Notice of Apparent Liability (NAL) issued to these carriers in February 2020. The amounts of the fines against AT&T and Sprint remain unchanged from the NAL phase. The fines for both T-Mobile and Verizon were reduced after further consideration of the parties' submissions in response to the NAL. The law does not allow forfeitures to increase for certain violations after a NAL is issued.
In 2023, the Chair established the Privacy and Data Protection Task Force. This is an FCC staff working group focused on coordination across the agency on rulemaking, enforcement, and public awareness needs in the privacy and data protection areas, including data breaches (e.g., those involving communications providers) and vulnerabilities.