Yesterday, Gizmodo reported that the FCC was planning to seek around $200 million in fines against major phone carriers accused of negligently sharing the real-time locations of its customers with a host of shady third-party firms without even the most basic safeguards in place to protect them. Today, the FCC made the actual figures public, so here’s what they’re going to pay:
- T-Mobile faces a proposed fine of more than $91 million
- AT&T faces a proposed fine of more than $57 million
- Verizon faces a proposed fine of more than $48 million
- Sprint faces a proposed fine of more than $12 million
Each of the companies, FCC Chairman Ajit Pai said in a statement, sold access to their customers’ locations to companies that aggregate such information for profit, including Securus Technologies, one of the largest prison phone providers in the country, which, as the New York Times reported in May 2018, gave location data to a former Missouri sheriff without a legal court order.
In lieu of an actual warrant, Pai said, the sheriff provided Securus with “irrelevant documents like his health insurance policy, his auto insurance policy, and pages from Sheriff training manuals as evidence of his authorization to access wireless customer location data.”
“All four carriers mentioned above sold access to their customers’ location information to ‘aggregators,’ who then resold access to such information to third-party location-based service providers (like Securus). Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.”
Rep. Frank Pallone, Jr., chairman of the House Energy and Commerce Committee, said in a statement sent to Gizmodo that the FCC notice confirms his belief that carriers have a responsibility to protect sensitive location information. But the punishment, he suggested, doesn’t fit the crime. “While I am glad the FCC is finally proposing fines for this egregious behavior, it represents little more than the cost of doing business for these carriers. Further, the Commission is still a long way from collecting these fines and holding the companies fully accountable,” he said.
FCC Commissioner Jessica Rosenworcel went further in a statement, calling the fine set by her agency “a day late and a dollar short.”
She went further, saying:
Where we drop off our kids every day at daycare or school, the routes we take to and from work, or homes of our friends and family were all on the market for just a few hundred dollars. For far too long, the largest wireless companies were profiting from the sale of this data. It’s chilling to think what this data could do in the hands of stalkers or abusers. Our real-time location information is some of the most sensitive data there is about us, and it deserves the highest level of privacy protection. It did not get that here—not from our nationwide wireless carriers and not from this agency.
FCC Commissioner Geoffrey Starks likewise said he could not “fully approve” of his agency’s actions, in part, he said, because the investigation “lost track of the most important part of our case—the very consumers we were charged with protecting.” Starks, the former assistant chief of the enforcement bureau, argued that the dollar amount of the fines should have been based, on the number of customers impacted by the abuse, saying:
Despite the clear message from the FCC, these carriers did not treat the protection of their customers’ data as a key responsibility. Instead, they delegated responsibility for protecting this sensitive information to aggregators and third-party location service providers. They subjected these arrangements to varying degrees of oversight, but all were ineffective and failed to prevent the problem. Significant penalties are more than justified.
He went on to criticize the FCC’s lack of urgency, saying in his experience as a former enforcement official, similar investigations have been concluded with greater expedience. “By allowing this investigation to drag on when we knew that important public safety and public policy issues were at stake, we failed to meet our responsibilities to the American people,” Starks said.
“The carriers have shown an egregious contempt for the law,” Free Press Senior Policy Counsel Gaurav Laroia said in an email, adding: “With all the attention devoted to the serious misdeeds of online platforms like Facebook, Twitter, and Google, we haven’t paid enough attention to the very real threats the carriers pose to our privacy rights.”
The fines proposed by the FCC are not final. The carriers will each have an opportunity to challenge the enforcement bureau’s findings and the amounts proposed. While the proposed fines can be lowered depending on these legal arguments, the FCC cannot increase them as of today.