The Federal Communications Commission (FCC) has fined the largest U.S. wireless carriers almost $200 million for sharing their customers’ real-time location data without their consent.
FCC’s forfeiture orders finalize Notices of Apparent Liability (NAL) issued against AT&T, Sprint, T-Mobile, and Verizon in February 2020.
The fines imposed on Monday include $12 million for Sprint and $80 million for T-Mobile (the two carriers have merged since the investigation began), more than $57 million for AT&T, and an almost $47 million fine for Verizon.
An investigation was launched after reports that the largest American wireless carriers disclosed customers’ location information to a Missouri Sheriff through Securus’ “location-finding service” without consent or legal authorization.
Despite being informed of the unauthorized access, all four carriers continued to operate their programs without reasonable safeguards to ensure that location-based service providers with access to customers’ location information obtained consent.
During the investigation, the FCC’s Enforcement Bureau found that each of the four mobile carriers sold their customers’ real-time location data to “aggregators,” who then resold this information to dozens of third-party location-based service providers, revealing where the customers were going and who they were.
While AT&T, Sprint, Verizon, and T-Mobile all took over 275 days to terminate their location-based service programs after The New York Times report, according to the FCC investigation, Sprint ended it after 386 days.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” the FCC said.
“This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
However, according to section 222 of the Communications Act, U.S. wireless carriers must take reasonable steps to safeguard specific customer data, such as location information.
They are also required to keep this customer information confidential and seek the customer’s consent before using, revealing, or providing access to it.
“Verizon is deeply committed to protecting customer privacy. In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn’t happen again,” Verizon spokesman Rich Young told BleepingComputer.
“Unfortunately, the FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision.”
A spokesperson told BleepingComputer that AT&T also plans to appeal the order because it “lacks both legal and factual merit.”
“It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged,” the AT&T spokesperson said.
A T-Mobile spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Source: www.bleepingcomputer.com