Fines of more than $200m proposed for selling subscribers’ real-time location data, but critics say the penalties are little more than a slap on the wrist
The US’ communications regulator has proposed fines totalling more than $200 million (£157m) on the country’s top four mobile phone network operators after finding they sold subscribers’ real-time location data without adequate safeguards to prevent the information from being misused.
The Federal Communications Commission (FCC) confirmed on Friday it had voted to propose fining T-Mobile US more than $91m, with additional fines of $57m for AT&T, $48m for Verizon and $12m for Sprint.
“This FCC will not tolerate phone companies putting Americans’ privacy at risk,” said FCC chairman Ajit Pai in a statement.
The carriers will have an opportunity to challenge the fines, as laid out in its Notices of Apparent Liability for Forfeiture and Admonishment (NALs), and the FCC is to consider their arguments before making its final decision, in which the amounts of the fines may be revised.
The proposed fines stem from an investigation launched by the FCC following reports in early 2018 that real-time mobile phone location data, which in theory should only be available to law-enforcement with appropriate authorisations, was being disseminated much more broadly.
Aside from law enforcement, the data was reportedly being accessed by bounty hunters, tracking services and alleged stalkers.
In some cases, the online portals that made the data available required users to upload a relevant legal document, such as a warrant, but did not actively verify the legitimacy of requests.
Carriers reportedly accessed subscribers’ real-time location via programmes aimed at uses such as roadside assistance, logistics, medical emergency alert services, fraud prevention or human trafficking alerts.
But the tracking details were made available much more broadly, and following an outcry by the public, network providers stopped selling the data in early 2019.
“Shady middlemen could sell your location within a few hundred meters based on your wireless phone data,” said FCC Commissioner Jessica Rosenworcel in January. “It’s chilling to consider what a black market could do with this data.”
Critics such as Rosenworcel have pointed out the links of some FCC officials with the mobile network industry, with chairman Pai, for instance, being a previous associate general counsel at Verizon.
She and other critics said the fines were little more than a slap on the wrist.
“The FCC proposes fining carriers who sold your real-time location data for years,” Rosenworcel said on Twitter. “But this is a day late and a dollar short. Our fines are discounted. It took too long to get here. Americans’ privacy and security deserves the highest level of protection. That didn’t happen here.”
‘Too little too late’
Senator Tammy Duckworth said the FCC’s actions were “too little too late”.
“The fines imposed won’t serve as a meaningful deterrent for carriers or others who try to profit off of our personal privacy and security,” Duckworth said on Twitter.
T-Mobile US, which is currently in the process of merging with Sprint, said it would fight the decision.
“We take the privacy and security of our customers’ data very seriously,” T-Mobile US said in a statement.
“When we learned that our location aggregator program was being abused by bad actor third parties, we took quick action.
“While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this NAL and the associated fine.”
AT&T, Sprint and Verizon did not immediately respond to requests for comment.