The US Federal Communications Commission (FCC) today imposed penalties totaling $200 million against four major carriers — including AT&T, Sprint, T-Mobile And Verizon — for illegally sharing customers' location information without permission.
The fines mark the culmination of a more than four-year investigation into the activities of the major carriers. In February 2020, the FCC charged four wireless providers with violating the law for their practices of sharing access to customer location data.
The FCC said it found that each of the carriers sold its customers' location information to 'aggregators'.
“In doing so, each carrier sought to offload its obligations to obtain customer consent to downstream recipients of location information, which in many cases was not properly obtained.” An FCC report Reading the action. “After learning that their safeguards were ineffective, carriers continued to sell access to location information without taking reasonable steps to protect against unauthorized access, and this initial failure was compounded.”
of the FCC Findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party companies. FCC detected Verizon sold access to customer location data (indirectly or directly) to 67 third-party companies. Location data was available to 86 third-party companies for Sprint customers and 75 third-parties for T-Mobile customers.
The commission said that action was taken after that Sen. Ron Wyden (On the wrist.) sent a letter to the FCC Describes how an entity is called Easy techniques Any major mobile provider used to sell customer location data to law enforcement.
That same month, KrebsOnSecurity broke the news LocationsSmart — a data aggregation company that works with major wireless carriers — had a free, unsecured demo of its service online that anyone could misuse to find the exact location of almost any mobile phone in North America.
The carriers also pledged to “wind down” location data sharing agreements with third-party companies. But in 2019, the statement As reported by Vice.com Little has changed, describing how reporters were able to find the test phone after paying $300 to a bounty hunter who bought the data through a little-known third-party service.
Sen. Wieden says anyone who signs up for a cell plan doesn't think they're giving their phone company permission to sell a detailed record of their movements to anyone with a credit card.
“I applaud the FCC for holding these companies accountable for putting consumers' lives and privacy at risk following my investigation,” Wyden said in a statement today.
The FCC fined Sprint and T-Mobile $12 million and $80 million, respectively. AT&T was fined $57 million, while Verizon was fined $47 million. However, these penalties represent a small fraction of each carrier's annual revenue. For example, $47 million is less than one percent of Verizon's total wireless service revenue in 2023, which would be nearly $77 billion.
Penalty amounts differ because they are calculated based on the number of days that carriers continue to share customer location data after being notified that sharing customer location data is illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon took more than 320 days since the publication of the Times story to finalize their data-sharing agreements; T-Mobile took 275 days; Sprint shared customer location data for 386 days.
Update, 6:25 pm and: Sen. He clarified that the FCC began its investigation at Wyden's request.