In May 2018, The New York Times reported that a company called Securus had sold law-enforcement agencies access to the locations of people’s cellphones. Police were supposed to provide a warrant or other documentation proving they had authority to see the data, but the Times said Securus often didn’t check.
Subsequent stories by ZDNet and Vice Motherboard revealed an industry of middlemen that acquired location information from AT&T, Sprint, T-Mobile, and Verizon and resold it to companies like Securus. Some of the information came from the bail bonds industry, raising concerns that stalkers could buy their victims’ location information.
The big four carriers all promised to stop selling location data to data aggregators. But months later, many companies still had access to carrier data.
Now, nearly two years later, the Federal Communications Commission is taking action against the four carriers for their role in these breaches of privacy. Friday, the agency said it has proposed tentative fines against the companies totaling more than $200 million: $91 million for T-Mobile, $57 million for AT&T, $48 million for Verizon, and $12 million for Sprint. The fines are based on the amount of time that the carriers sold access to customer location information “without reasonable safeguards” and the number of outside companies to which they sold it.
“The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information,” FCC Chair Ajit Pai said in a statement. “And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t.”
FCC commissioner Geoffrey Starks, who dissented from part of the decision, said the carriers “did not treat the protection of their customers’ data as a key responsibility. Instead, they delegated responsibility for protecting this sensitive information to aggregators and third-party location service providers.”
The carriers can dispute the fines, which T-Mobile says it will do. “We take the privacy and security of our customers’ data very seriously,” the company said in a statement. The company said it took quick action to restrict “bad actor third parties” and ended its location aggregator program in February 2019. Sprint said it is reviewing the notice and takes its customers’ privacy and security very seriously. AT&T, Verizon, and Securus did not immediately respond to requests for comment.
Critics see the FCC’s response as too little, too late.
Senator Ron Wyden (D-Oregon) was among the first to call attention to Securus and has been asking the FCC to act since the beginning. “It seems clear Chairman Pai has failed to protect American consumers at every stage of the game,” Wyden said in a statement. “He only investigated after public pressure mounted. And now his response is a set of comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck.”
Wyden and others said the incidents highlighted the need for new privacy laws. “The importance of having rules that protect consumers before they are harmed cannot be overstated,” former FCC lawyer Gigi Sohn said in a statement.
Harold Feld of the organization Public Knowledge argued that the FCC’s lax attitude toward privacy rules emboldened carriers to disregard consumer privacy. For example, one of Pai’s first major actions after becoming FCC chair in 2017 was to suspend parts of an Obama-era FCC order that would have required broadband providers to take reasonable action to protect personal data. Soon after, the Republican-controlled Congress overturned the entire Obama-era order, which would also have banned providers from selling your personal data without your permission.
“Small wonder that carriers felt safe flouting the law,” Feld said in a statement. “Congress should conduct an immediate investigation into the FCC’s handling of privacy enforcement, and take suitable action to empower consumers when the FCC chair fails to act.”