Your mobile network broke the law by selling location data and may be fined millions... or maybe not, shrugs FCC

US watchdog struggles to do its job over illegal sale of folks' whereabouts

Chairman Pai finally gets motivated, and it only took two years

It’s been nearly two years since it was first revealed that US cellular networks were selling real-time location data with inadequate safeguards. Late last week, after months of political pressure, the regulator in charge, the FCC, finally revealed the results of an investigation.

“I wish to inform you that the FCC’s Enforcement Bureau has completed its extensive investigation,” FCC chairman Ajit Pai informed lawmakers who demanded to know where the report was three months earlier. “It has concluded that one or more wireless carriers apparently violated federal law.”

Pai’s statement went on: “Accordingly, in the coming days, I intend to circulate to my fellow Commissioners for their consideration one or more Notice(s) of Apparent Liability for Forfeiture in connection with the apparent violation(s). We are unable to provide additional information about any pending enforcement action(s) beyond what is stated in the letter.”

If that seems unusual vague: that “one or more” mobile operators “apparently violated” the law by selling location data, you’re not the only one.

The sale of location data would, in any other era, have provoked outrage and determined federal action. But the FCC’s response to revelations that bounty hunters were buying the real-time location of people for $100 through third-parties, contracted through third-parties with little or no oversight, has been almost complete silence.

That inaction has only added to fears that FCC boss, and former Verizon executive, Pai is not only hesitant to take on the powerful companies that his office is supposed to oversee, but actively defends and supports the industry from behind the scenes.

Third time lucky

The mobile operators were caught not once, not twice, but three times over the course of eight months selling location data without adequate privacy safeguards, despite promising each time to take corrective action.

When caught for the third time, all four operators – AT&T, Sprint, T-Mobile US and Verizon – promised to stop the provision of location data to third parties altogether. But, notably, the promise is not binding and can be lifted at any time.

The issue and the failure by both the mobile companies and the FCC to take it seriously is one factor behind a broader push for federal privacy legislation.

But concerted pressure from lawmakers – who have sent repeated letters to the mobile operators and demanded answers in a series of Congressional hearings, has finally brought a promise of action from the federal regulator. It’s still not clear what that response will be however and those pushing the FCC to investigate remain frustrated.

The chair of the House Energy and Commerce Committee – which oversees the FCC – Frank Pallone (D-NJ) issued a statement: “Following our longstanding calls to take action, the FCC finally informed the Committee today that one or more wireless carriers apparently violated federal privacy protections by turning a blind eye to the widespread disclosure of consumers’ real-time location data. This is certainly a step in the right direction, but I’ll be watching to make sure the FCC doesn’t just let these lawbreakers off the hook with a slap on the wrist.”

For her part, Commissioner Rosenworcel put out a statement saying: “For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data."

"It’s chilling to consider what a black market could do with this data. It puts the safety and privacy of every American with a wireless phone at risk. Today this agency finally announced that this was a violation of the law. Millions and millions of Americans use a wireless device every day and didn’t sign up for or consent to this surveillance. It’s a shame that it took so long for the FCC to reach a conclusion that was so obvious.”

In the dark

It’s still not clear what the FCC will do. We spoke to both Pallone and Rosenworcel’s offices and they both told The Register they have no details beyond the statement made on Friday. As for the FCC itself, it has continued with its entirely unhelpful approach.

We asked the FCC:

  • Why it feels unable to say the number of mobile operators that have broken the law
  • What steps remain for the sale of location data to be deemed an actual violation – as opposed to an “apparent violation” – and who makes that determination
  • Whether the FCC investigation has been completed or if it waiting on feedback from the mobile operators
  • What the precedents are for similar violations
  • Whether there will be a fine and how it will be calculated
  • Whether other measures will be considered against the mobile operators

And in response the FCC gave us… nothing. “We are unable to provide additional information about any pending enforcement action(s) beyond what is stated in the letter,” it told us in a statement.

ostrich

FCC's answer to scandal of AT&T, Sprint, T-Mobile US selling people's location data: Burying its head in the ground

READ MORE

In truth, the FCC letter was likely only sent – on the last day of January – because FCC chair Pai had promised Congress to send some kind of response by January at the latest.

The FCC sometimes keeps the names of those it is placing enforcement actions against private until the action is formally voted on by the five commissioners; though not always. It’s not clear why it has refused to say how many of the main four carriers (soon to be three thanks to another controversial decision by the FCC) are affected.

It’s also not clear why the FCC won’t outline what measures it expected to take, or what precedent it will be using to access any fines, or what process it will be following from this point, or whether the mobile operators still have a say in the process.

In short, the FCC has been dragged to the point where it has been obliged to enforce its own rules and protect the privacy rights of users over the profit incentive of the mobile industry. And it isn’t happy about it, so it’ll be damned if it’s going to tell anyone what it has been forced into doing.

Yes, this is a federal regulator. And yes things really have got this petty. ®

Sponsored: Detecting cyber attacks as a small to medium business

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020