In January 2019 we reported that AT&T, T-Mobile and Sprint were apparently selling real time cell phone customer location data to at least one unauthorized company, and that company resold this information to anyone, including companies not authorized to possess this data. According to Motherboard,

at least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard. Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it... seemingly without Microbilt’s knowledge. (Motherboard Report, January 8, 2019).

Motherboard noted that “a wide variety of companies can access cell phone location data, and that the information trickles down from cell phone providers to a wide array of smaller players, who don’t necessarily have the correct safeguards in place to protect that data.”

When this practice became public, the mobile providers reacted quickly, pledging to stop selling location data. For example, AT&T stated:

In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services – even those with clear consumer benefits. We are immediately eliminating the remaining services and will be done in March. (AT&T Statement released January 9, 2019).

These appear to be empty promises. We know that because on February 28, 2020, the FCC issued four Notices of Apparent Liability proposing more than $200 million in fines against the four largest mobile carriers for “apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.”

As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. (FCC February 28, 2020 News Release).

The agency noted that it began this investigation following reports that a Sheriff in Missouri named Cory Hutcheson, used a “location-finding service operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017.”

All four carriers mentioned above sold access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers (like Securus). Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.

Hutcheson’s unauthorized access of hundreds of wireless customers’ location information made clear that the carriers’ existing measures to safeguard this data were inadequate. Yet all four carriers apparently continued to sell access to their customers’ location information without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent. Although the carriers had several commonsense options to impose reasonable safeguards (such as verifying consent directly with customers via text message or app), the carriers apparently failed to take the reasonable steps needed to protect customers from unreasonable risk of unauthorized disclosure. The size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access. (Id.).

The mobile providers now have a chance to respond to the Notices. Within 30 calendar days they must either pay the proposed fines or file a written statement explaining why the fine should be reduced or cancelled. No doubt all the providers will defend their actions. It is important to note that the majority of FCC Commissioners are unhappy with the proposed fines. Republican Commissioner Michael O’Rielly believes the fines are premature since the mobile providers have not yet had a chance to defend themselves. The two Democrat Commissioners are not satisfied because they believe the Commission waited too long to address this major privacy issue and the fines are too small. Regardless of these concerns, the three Republican Commissioners ultimately supported the current action, so it stands for now. However, their affinity for these large companies suggests that the proposed fines could be reduced. And that would tick off both consumer advocates and Congress!