In letters addressed to oversight lawmakers on Friday, FCC Chairman Ajit Pai announced that his agency’s nearly two-year investigation into the unauthorized sale of consumers’ phone location data had finally come to an end.
The FCC’s Enforcement Bureau has determined that “one or more wireless carriers” broke the law, the letters said.
In apparent violations of the Communications Act, the country’s major wireless carriers—including AT&T, Sprint, and T-Mobile—have been accused of repeatedly violating their customers’ privacy by disclosing their location data to so-called “location aggregators.” Those aggregators sold the data they acquired to, among others, bail bond agents and various law enforcement entities, reporters found.
The FCC investigation into the carriers’ activity was prompted by a letter from Senator Ron Wyden in May 2018, which coincided with a New York Times investigation that drew national attention to the abuse of location data by U.S. law enforcement and prison officials.
At the center of the investigation was Securus Technologies, a major provider of correctional-facility phone services, was found to be providing law enforcement with “unrestricted access” to location data. Securus purchased the data—for which law enforcement officers would invariably require a warrant—directly from major wireless carriers.
Pai’s letters did not indicate which carriers likely violated the law, nor even the number of carriers implicated, but he wrote that in the coming days the full commission would be apprised of the details.
The FCC did not respond to a request for comment.
A source with knowledge of FCC enforcement procedures told Gizmodo that the chairman was being intentionally vague, likely because it is common practice to maintain confidentiality until potential liability can be determined by the full commission.
The source said they viewed Pai’s ambiguity as a likely sign that settlement discussions are already underway with the carriers accused of violating the law.
Last year, Motherboard published a series of articles describing the ease with which bounty hunters are able to illegally acquire user location data. One article described how a Motherboard reporter paid a bounty hunter $300 to put a trace on a cellphone. The coordinates provided proved accurate up to around a quarter-mile. (The phone belonged to the reporter.)
“When I alerted the FCC in 2018 that wireless carriers were selling their customers’ location data to a shady prison phone company which was allowing prison guards to track Americans’ cell phones, I knew immediately that the practice was a security and privacy nightmare,” Sen. Wyden told Gizmodo.
“Dogged reporting by Motherboard and the New York Times revealed that this was just the tip of the iceberg and that stalkers, rogue sheriff’s deputies, and shady data brokers had used this massive loophole to track Americans without their permission or knowledge,” he added.
CTIA, a trade association representing the wireless communications industry, said in a statement that, last year, wireless carriers “quickly investigated” the issue and suspended access to location data, adding: “Wireless companies are committed to protecting the privacy of consumers and share location data only with customer consent.”
Last May, major carriers, including T-Mobile, AT&T, and Sprint, said they had ceased, or at least significantly curtailed, the sale of customers’ location data in response to inquiries by FCC Commissioner Jessica Rosenworcel. Verizon, for example, said it had terminated all such arrangements except with four roadside assistance companies. Sprint said it was continuing to provide location data to a company that facilities comply with state lottery requirements.
Democrats at the FCC applauded Pai’s announcement about the investigation concluding on Friday but remained critical of how long it took for Pai’s office to reach its decision.
“These pay-to-track schemes violated consumers’ privacy rights and endangered their safety,” FCC Commissioner Geoffrey Starks said in an email to Gizmodo. “I’m glad we may finally act on these egregious allegations. My question is: what took so long?”
Rosenworcel wrote in a statement that it was “chilling” to imagine the abuse that has occurred from the illegal trade of Americans’ location data, which placed their privacy and safety at risk. “Today this agency finally announced that this was a violation of the law. Millions and millions of Americans use a wireless device every day and didn’t sign up for or consent to this surveillance. It’s a shame that it took so long for the FCC to reach a conclusion that was so obvious,” she said.
An FCC source told Gizmodo that despite repeated requests over the past year and a half, Chairman Pai refused to provide Democrats at the agency with any information concerning his investigation, even though he had previously indicated a willingness to do so before Congress.