Getty Images | Nakhorn Yuangkratoke / EyeEm
The four major mobile operators will face fines of between $ 12 million and $ 91 million if they sell their customers' real-time location data to third-party data brokers without customer approval, the Federal Communications Commission President Ajit Pai said today ,
These are "proposed" fines, which means that carriers can contest them and try to reduce or eliminate them. The proposed fines are $ 91 million for T-Mobile, $ 57 million for AT&T, $ 48 million for Verizon, and $ 12 million for Sprint. That's a total of $ 208 million.
The FCC announcement says the airlines 'fines are "apparently selling access to their customers' location information without taking appropriate measures to protect against unauthorized access to that information." The FCC also said it "warned these carriers to apparently disclose their customers' location information to third parties without their permission."
Pai said the FCC has taken "strong enforcement measures" with the fines proposed today. But the two Democrats in the Republican majority commission said the fines were too low and criticized the Pai-led FCC during the confidentiality investigation.
"The FCC investigation is a day too late and a dollar too short," said Democratic Commissioner Jessica Rosenworcel in a statement. "The FCC kept consumers in the dark for almost two years after we learned that mobile operators were selling our location information to dodgy middlemen."
Commissioner Geoffrey Starks, the other FCC democrat, said the FCC investigation was not extensive enough:
I am concerned that the penalties proposed today are not commensurate with the damage suffered by the consumer because we have not properly investigated the damage. The notices clarify that after all these months of investigation, the Commission still has no idea how much consumer data has been mishandled by each of the airlines. I acknowledge that uncovering this data would have required gathering information from third parties that carriers had relied on. But we should have done that through subpoenas if necessary.
Fines only make up a tiny fraction of sales
In relation to the airline's collective revenue, the fines are "a slap on the wrist that is less than a thousandth of their annual revenue," said the Free Press consumer protection group. Revenue for the 2019 calendar year was $ 181.2 billion for AT&T. $ 131.9 billion for Verizon; $ 45 billion for T-Mobile; and $ 32.5 billion for Sprint.
"Air carriers have shown tremendous contempt for the law. The Communications Act clearly lists location data as the type of private information that air carriers must protect and are prohibited from selling without their customers' permission," said Gaurav, senior policy counsel at Free Press Laroia said. "However, companies have completely disregarded the law and our safety in pursuing a few extra dollars."
The $ 208 million "is little more than the cost of operating these airlines," said Frank Pallone, Jr. (D-NJ), chairman of the House Commerce Committee, today.
The FCC stated that the amount of each fine depends on how long each forwarder has sold access to customer location data without adequate security measures and how many companies each forwarder has sold data.
According to Rosenworcel, the FCC "fines $ 40,000 for violating our rules, but only on the first day. For each day thereafter, it is reduced to $ 2,500 per violation. The FCC reduces the fines imposed on airlines may owe a lot of money to the law and ignore the scale of the problem. "Rosenworcel also said that each carrier had received a" 30-day pass ", which would eliminate 30-day fines.
"This 30-day jail-free card has been torn from nothing," said Rosenworcel.
Location data leaked in 2018
The controversy surrounding the sale of location data increased in 2018 when a security problem leaked the real-time locations of US mobile phone customers from all four major network operators. Verizon, AT&T, T-Mobile and Sprint agreed in June 2018 to no longer sell their mobile customers' location information to third-party data brokers. However, the network operators continued the sale until several months in 2019.
Starks said today's FCC action was "delayed too long."
"It was difficult to make the facts clear from the start," said Starks. "The airlines have repeatedly told the public that they will stop using their location sharing program while hiding behind evasive language and contractual terms. For example, on June 15, 2018, Verizon told Senator Ron Wyden:" (w) We initiate a process to terminate our existing site aggregator program agreements. & # 39; However, Verizon did not terminate its aggregator agreements until November 2018 and did not end all location data sharing programs by April 2019. "
The FCC said it had begun its investigation, "according to public reports that a Missouri sheriff, Cory Hutcheson, uses a" location service "operated by Securus, a prison communications service provider, to access the location information of mobile operators." Customers without their consent between 2014 and 2017. "
The carriers violated the consent rule
The Communications Act requires network operators to "protect the confidentiality of certain customer information related to the provision of telecommunications services, including location information," and "must take reasonable measures to detect and prevent attempts to gain unauthorized access to that information" said the FCC.
"The rules also require carriers or those who act on their behalf to generally obtain positive, explicit consent from a customer before using, disclosing, or granting access to that information," continued the FCC. "And carriers are responsible for the actions of those who act on their behalf."
T-Mobile, AT&T, Verizon, and Sprint "sold access to their customers' location information to" aggregators "who then resell access to that information to location-based third parties (such as Securus)," said the FCC. "Although their exact practices differ, each network operator relied heavily on contractual assurances that the location-based service providers (acting on behalf of the network operators) would obtain the consent of the carrier's customer before accessing that customer's location information."
Hutcheson's access to customer location information shows that the airlines have not made reasonable efforts to protect the data, the FCC said. "All four airlines appear to have continued to sell access to their customers' location information without taking adequate security measures to ensure that the dozens of location-based service providers that act on their behalf are actually getting consumer approval," said the FCC.
The fines were suggested in the notice of obvious liability for forfeiture and warning. They contain allegations that carriers are given the opportunity to respond. The proposed fines set an upper limit – carriers may end up paying less, but the FCC "cannot impose a higher fine in its final resolution," the announcement said.
The FCC has a poor track record in collecting the proposed fines. In March 2019, a report from the Wall Street Journal found that the FCC had fined Robocaller $ 208.4 million since 2015, but only collected $ 6,790 of that amount.