At least one wireless carrier sold real-time location data from users to third-party companies, the Federal Communications Commission said in a letter to lawmakers.
The letter from FCC chairman Ajit Pai to Congress didn’t name the offending entity—or entities, nor did it include any details about penalties. The letter is the conclusion of an investigation that began after The New York Times reported in May 2018 that real-time location data for consumers was being sold through third-party data aggregators with little oversight about who was buying them, or what kind of consumer information was being included. A Motherboard investigation found that it was possible to purchase location data for individuals for a few hundred dollars.
"I wish to inform you that the FCC's Enforcement Bureau has completed its extensive investigation and that it has concluded that one or more wireless carriers apparently violated federal law," Pai wrote.
Pai took pains to obscure the number of mobile operators that sold location data in a manner that broke federal law, and did not say whether the investigation was ongoing or completed.
The Times report that prompted the investigation found that Securus Technologies, a prison IT company, ran a phone-tracking service for police and correctional officers using data purchased from third-party “data aggregators.” Officials who subscribed to the service could enter phone numbers and receive real-time location data of the associated devices—all without going to a judge to obtain a warrant.
Caught in the act, mobile operators promised to review their relationships with data aggregators, the third-party companies that take the information collected by mobile apps and online services and sell them to others. The problem with these relationships is that consumers are left in the dark about where their data is going or who has access to them.
Giving consent to apps and services to collect information is one thing, discovering that practically anyone else can buy that information is something else entirely.
“Millions and millions of Americans use a wireless device every day and didn’t sign up for or consent to this surveillance,” wrote FCC Commissioner Jessica Rosenworcel. “It’s a shame that it took so long for the FCC to reach a conclusion that was so obvious.”
The FCC didn’t comment publicly regarding the repeated sales of location data, and didn’t even open an investigation until 11 Democratic members of the House Energy and Commerce Committee, which has oversight, accused the agency of failing to enforce privacy provisions in the Communications Act. The investigation has dragged on, prompting concerns that Pai, a former Verizon executive, was hesitant about regulating the companies. The statute of limitations regarding these violations run out after a year.
“For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data," Rosenworcel said.
At this point in time, the carriers—AT&T, Sprint, T-Mobile US, and Verizon—have said they would no longer provide location data to third parties, but there is no regulatory mechanism to ensure they keep that pledge.
Pai said in the letter that he will circulate the proposed penalty to other FCC commissioners, but declined to provide any details. Pai said he'd ask the full commission to consider issuing a Notice of Apparent Liability for Forfeiture, which is an official document noting that the company violated federal law, to the offender(s). It is not clear whether there will be any other penalties—monetary or otherwise, nor does the letter say what precedents the FCC will apply to determine the violations (or “apparent violations,” as the letter states). There is also no hint of what the FCC will do next or how much longer the process will take.
If the proposed penalty seems too light, Pai will be perceived as condoning this kind of behavior by the carriers.
“This is certainly a step in the right direction, but I’ll be watching to make sure the FCC doesn’t just let these lawbreakers off the hook with a slap on the wrist,” said Rep. Frank Pallone (D-NJ), the chair of the House Energy and Commerce Committee.