First mooted in 2020, the regulator’s decision will no doubt have other regulators watching closely
The Federal Communications Commission fined the largest US mobile operators nearly $200 million for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorised disclosure.
Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC chairwoman Jessica Rosenworcel.
“As we resolve these cases – which were first proposed by the last administration – the Commission remains committed to holding all carriers accountable and making sure they fulfil their obligations to their customers as stewards of this most private data,” she added.
The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained.
This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorised access.
The investigations that led to the fines started following public reports that customers’ location information was being disclosed by the telcos without customer consent or other legal authorisation to a Missouri Sheriff through a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals.
Yet, according to the FCC, even after being made aware of this unauthorised access, all four carriers continued to operate their programmes without putting in place reasonable safeguards to ensure that the dozens of location-based service providers with access to their customers’ location information were actually obtaining customer consent.
It wasn’t me
The mobile operators said they plan to challenge the fines.
According to Reuters, T-Mobile said the FCC “decision is wrong, and the fine is excessive. We intend to challenge it.”
In a statement the operator added: “industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted.”
Verizon told Reuters it had worked to protect customers: When “one bad actor gained unauthorised access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn’t happen again.”
Meanwhile, AT&T criticised the order as lacking “both legal and factual merit. It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services.”
No doubt the operators are smarting as they compare the fines dished out by the FCC to what happened to Google when its Street View cars collecting personal data from wi-fi networks in a number of countries.