All four major US mobile carriers broke the law by selling customers' mobile phone location data to third-party companies, the FCC said today. However, the proposed penalty will only amount to $200 million collectively, or what critics are calling a slap on the wrist.
“The Commission had an obligation to come down hard on the wireless carriers that are guilty in this case. Instead, they dragged their feet and issued a penalty that lets companies off easy,” US Senator Ed Markey (D-Massachusetts) said on Twitter.
On Friday, the FCC announced the proposed penalties following an investigation into how customer data ended up in the hands of police officers and bounty hunters, allowing them to find out cell phone locations in real time without a warrant.
According to the FCC, all four major wireless carriers sold the customer data without “taking reasonable measures” to prevent unauthorized access to the sensitive information. This allowed a little-known prison security company called Securus to buy the location data without customer consent between 2014 and 2017 in order to power a phone-tracking service for police and correctional officers.
“American consumers take their wireless phones with them wherever they go. And information about a wireless customer’s location is highly personal and sensitive,” FCC Chairman Ajit Paid said in today’s announcement. “This FCC will not tolerate phone companies putting Americans’ privacy at risk.”
FCC Chairman Ajit Pai (Photo by Chip Somodevilla/Getty Images)
Nevertheless, the proposed fine is chump change when you consider a carrier like AT&T made $48 billion in revenue during its last financial quarter. Under today’s proposal, none of the affected carriers will even pay 1 percent of that amount. The highest fine was leveled at T-Mobile, which is facing a $91 million penalty. AT&T, on the other hand, got a $57 million fee; Verizon has been saddled with a $48 million charge; while Sprint will only have to pay $12 million.
The FCC said it arrived at the penalty amounts based on the length of time each carrier sold access to its customer location information without reasonable safeguards in place. The commission also factored in the number of third-party companies to which each carrier sold.
However, FCC Commissioner Jessica Rosenworcel blasted the proposed penalty as too low when explaining other aspects of the commission's calculus. “The agency proposes a $40,000 fine for the violation of our rules—but only on the first day,” she said in a statement. “For every day after that, it reduces to $2,500 per violation.
“On top of that, the agency gives each carrier a third-day pass from this calculation. This third day ‘get-out-of-jail free’ card is plucked from thin air,” she added.
All four carriers decided to end the location data sales to third-party companies last year after Motherboard reported about how bounty hunters were gaining access to the data. However, some critics are concerned today’s low penalty will entice them to resume the practice.
Chairman Pai "only investigated after public pressure mounted. And now his response is a set of comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck,” US Senator Ron Wyden, an Oregon Democrat, said in a statement yesterday amid reports the FCC was set to announce the $200 million fine.
The FCC will give the carriers a chance to challenge the proposed penalties before they’re finalized. And at least one carrier, T-Mobile, plans on doing just that. “While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this NAL (Notices of Apparent Liability) and the associated fine,” T-Mobile said in a statement.
“We take the privacy and security of our customers’ data very seriously. When we learned that our location aggregator program was being abused by bad actor third parties, we took quick action. We were the first wireless provider to commit to ending the program and terminated it in February 2019 after first ensuring that valid and important services were not adversely impacted,” the carrier added.
Further Reading
- Android Malware Can Steal 2FA Codes From Google Authenticator App
- 3 Things That Keep This Election Security Expert Up at Night
- Are Russian Accounts Pushing Coronavirus Disinformation? Social Networks Aren't So Sure
- UK Military Intelligence Wants 'Exceptional Access' to Encrypted Messages
- More in Security
Security Reviews
- NordLocker
- Private Internet Access VPN (for macOS)
- NordPass Premium
- Qustodio
- Virtru Email Protection for Gmail