The big four mobile carriers face fines of between $12 million and $91 million each for selling their customers' real-time location data to third-party data brokers without customer consent, Federal Communications Commission Chairman Ajit Pai's office announced today.
These are "proposed" fines, meaning the carriers can dispute them and try to get them reduced or eliminated. The proposed fines are $91 million for T-Mobile, $57 million for AT&T, $48 million for Verizon, and $12 million for Sprint. That's a total of $208 million.
The FCC announcement said the carriers' punishments are for "apparently selling access to their customers' location information without taking reasonable measures to protect against unauthorized access to that information." The FCC said it also "admonished these carriers for apparently disclosing their customers' location information, without their authorization, to a third party."
Pai said that the FCC has taken "strong enforcement action" with today's proposed fines. But the two Democrats on the Republican-majority commission said the fines are too low and criticized the Pai-led FCC for secrecy during the investigation.
"The FCC's investigation is a day late and a dollar short," Democratic Commissioner Jessica Rosenworcel said in a statement. "The FCC kept consumers in the dark for nearly two years after we learned that wireless carriers were selling our location information to shady middlemen."
Commissioner Geoffrey Starks, the FCC's other Democrat, said the FCC's investigation wasn't extensive enough:
I am concerned that the penalties proposed today are not properly proportioned to the consumer harms suffered because we did not conduct an adequate investigation of those harms. The Notices make clear that, after all these months of investigation, the Commission still has no idea how many consumers' data was mishandled by each of the carriers. I recognize that uncovering this data would have required gathering information from the third parties on which the carriers' relied. But we should have done that via subpoenas if necessary.
Fines are tiny portion of revenue
Relative to the carriers' collective revenue, the fines are "a slap on the wrist amounting to less than one one-thousandth of their annual take," consumer-advocacy group Free Press said. Revenue in calendar year 2019 was $181.2 billion for AT&T; $131.9 billion for Verizon; $45 billion for T-Mobile; and $32.5 billion for Sprint.
"The carriers have shown an egregious contempt for the law. The Communications Act plainly lists location data as the kind of private information that carriers have a duty to protect and are forbidden to sell without their customers' permission," Free Press Senior Policy Counsel Gaurav Laroia said. "Yet the companies showed complete disregard for the law and for our safety in pursuit of a few extra dollars."
The $208 million "represents little more than the cost of doing business for these carriers," House Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) said today.
The FCC said the size of each fine was based on how long each carrier sold access to customer-location data without appropriate safeguards and on the number of entities each carrier sold data to.
According to Rosenworcel, the FCC is proposing "a $40,000 fine for the violation of our rules—but only on the first day. For every day after that, it reduces to $2,500 per violation. The FCC heavily discounts the fines the carriers potentially owe under the law and disregards the scope of the problem." Rosenworcel also said each carrier was given a "30-day pass," eliminating 30 days worth of fines.
"This 30-day 'get-out-of-jail-free' card is plucked from thin air," Rosenworcel said.
Location data leaked in 2018
The controversy over location-data sales ramped up in 2018 when a security problem leaked the real-time locations of US cell phone customers on all four major carriers. Verizon, AT&T, T-Mobile, and Sprint in June 2018 pledged to stop selling their mobile customers' location information to third-party data brokers, but carriers continued the sales until several months into 2019.
Starks said today's FCC action "has been too long delayed."
"From the beginning, it has been difficult to get the facts straight," Starks said. "The carriers repeatedly told the public that they were stopping their location-sharing program while hiding behind evasive language and contractual terms. For example, on June 15, 2018, Verizon told Senator Ron Wyden, '[w]e are initiating a process to terminate our existing agreements for the location aggregator program.' But Verizon didn't terminate its aggregator agreements until November 2018, and didn't end all of its location data sharing programs until April 2019."
The FCC said it began its investigation "following public reports that a Missouri Sheriff, Cory Hutcheson, used a 'location-finding service' operated by Securus, a prRead More – Source
[contf] [contfnew] 
arstechnica
[contfnewc] [contfnewc]
