The Federal Communications Commission has proposed fines against the four largest wireless carriers serving the U.S. mainland — three in Puerto Rico — for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.
As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million.
The FCC also admonished the carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.
The FCC’s Enforcement Bureau opened this investigation following public reports that a Missouri Sheriff, Cory Hutcheson, used a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017.
In some cases, Hutcheson provided Securus with irrelevant documents like his health insurance policy, his auto insurance policy, and pages from Sheriff training manuals as evidence of his authorization to access wireless customer location data.
“American consumers take their wireless phones with them wherever they go. And information about a wireless customer’s location is highly personal and sensitive,” said FCC Chairman Ajit Pai.
“The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t,” he said. “Today, we do just that.”
The Communications Act requires telecommunications carriers to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information.
The FCC’s rules make clear that carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to this data.
The rules also require that carriers or those acting on their behalf generally must obtain affirmative, express consent from a customer before using, disclosing, or allowing access to this data. And carriers are liable for the actions of those acting on their behalf, the regulatory agency said.
Carriers sold access to customer data
All four carriers mentioned sold access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers (like Securus).
Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.
Hutcheson’s unauthorized access of hundreds of wireless customers’ location information made clear that the carriers’ existing measures to safeguard this data were inadequate.
“Yet all four carriers apparently continued to sell access to their customers’ location information without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent,” the FCC said in a statement.
“Although the carriers had several commonsense options to impose reasonable safeguards (such as verifying consent directly with customers via text message or app), the carriers apparently failed to take the reasonable steps needed to protect customers from unreasonable risk of unauthorized disclosure,” the agency said.
The size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.
The companies will be given an opportunity to respond and the FCC will consider the parties’ evidence and legal arguments before taking further action to resolve these matters, it said.