this Federal Communications Commission (FCC) today imposed fines totaling nearly $200 million on four major players, including AT&T, sprint, T move and Verizon — Illegal sharing of customer location information without consent.
The fine marks the culmination of more than four years of investigation into the conduct of major airlines. In February 2020, the FCC sent notices to all four wireless providers that they may be violating the law by sharing access to customer location data.
The FCC said it found that the carriers each sold access to their customers’ location information to “aggregators,” which then resold access to that information to third-party location-based service providers. .
“In doing so, each carrier seeks to shift its obligation to obtain customer consent to downstream recipients of location information, which in many cases means that valid customer consent is not obtained,” the FCC’s statement on the action reads. “After realizing that their protection measures were ineffective, operators continued to sell access to location information without taking reasonable steps to protect it from unauthorized access, compounding the initial failure.”
For example, the FCC’s investigation into AT&T revealed that AT&T directly or indirectly sold customer location data to at least 88 third-party entities. The FCC found that Verizon sold (indirectly or directly) access to customer location data to 67 third-party entities. Sprint customers’ location data was leaked to 86 third-party entities, while T-Mobile customers’ location data was leaked to 75 third parties.
The committee said it took action after Senator Ron Wyden (D-Ore.) sent a letter to the FCC detailing how one company called Yi Technology has been selling customer location data from nearly all major mobile providers to law enforcement officials.
In the same month, KrebsOnSecurity broke the news that Smart positioning A data aggregation company that works with major wireless carriers is offering a free, unsecured online demonstration of the service that anyone can use to find the near-precise location of nearly any cellphone in North America.
The operator pledged to “gradually reduce” location data sharing agreements with third-party companies. But in 2019, a Vice.com report showed little had changed, detailing how reporters found a test phone after paying $300 to a bounty hunter who had simply purchased it through a little-known third-party service data.
Senator Wyden said no one who signs up for a cellphone plan thinks they are allowing their phone company to sell detailed records of their whereabouts to anyone with a credit card.
“I commend the FCC for continuing to investigate and hold these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in today’s statement.
The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, and Verizon was fined $47 million. Still, these fines represent only a small portion of each operator’s annual revenue. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023 (nearly $77 billion).
The fines vary because they are calculated in part based on the number of days the carrier continues to share customer location data after being told that doing so is illegal (the agency also takes into account the number of third-party location data sharing agreements in effect). The FCC pointed out that since the publication of the New York Times report, AT&T and Verizon each took more than 320 days to terminate the data sharing agreement; T-Mobile took 275 days; and Sprint shared customer location data for 386 consecutive days.
Updated at 6:25 p.m. ET: Clarify that the FCC initiated the investigation at the request of Senator Wyden.