More than a year after a Motherboard investigation revealed that wireless carriers were collecting and selling user location data to often dubious data brokers who then sold it to bounty hunters, the head of the FCC is finally acknowledging that at least one and possibly several wireless carriers broke the law.
“I wish to inform you that the FCC’s Enforcement Bureau has completed its extensive investigation and that it has concluded that one or more wireless carriers apparently violated federal law,” FCC boss Ajit Pai said in a letter sent to Representative Frank Pallone.
Lawmakers had written the FCC last November, expressing concern that the agency had done nothing to crack down on the wireless industry’s practice of collecting user location data, then selling access to that data to a variety of often shady middlemen and even stalkers.
A New York Times investigation revealed how this data was repeatedly abused by law enforcement. Additional investigations from Motherboard show the practice even extended to the collection and sale of more detailed 911 emergency location data, a practice forbidden by U.S. law.
In a letter sent by FCC boss Ajit Pai to Representative Frank Pallone, the agency boss confirmed fines will likely be coming for several unnamed wireless carriers.
Do you work at the FCC or know anything else about this investigation? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected], or email [email protected]
“In the coming days, I intend to circulate to my fellow Commissioners for their consideration one or more Notices of Apparent Liability for Forfeiture in connection with the apparent violations,” Pai said.
Pai’s fellow commissioners applauded the move, but complained that Pai’s apparent foot dragging and stonewalling throughout much of last year delayed meaningful accountability and posed significant potential harm to U.S. consumers.
“For more than a year, the FCC was silent after news reports altered us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data,” FCC Commissioner Jessica Rosenworcel said in a statement. “It’s chilling to consider what a black market could do with this data. It puts the safety and privacy of every American with a wireless phone at risk,” she added.
“These pay-to-track schemes violated consumers’ privacy rights and endangered their safety,” added Commissioner Geoffrey Starks who had gone so far as to recently write an editorial in the New York Times criticizing Pai’s lack of follow through. “I’m glad we may finally act on these egregious allegations. My question is: what took so long?”
The question now shifts toward what those fines will look like, what happens to the data already collected, and how to prevent it from happening again. Historically the FCC hasn’t done a particularly good job holding big telecom accountable, with fines that often wind up being a tiny fraction of the money earned from repeated instances of industry wrongdoing.
Senator Ron Wyden, whose office has investigated the sale of phone location data, said in a statement “When I alerted the FCC in 2018 that wireless carriers were selling their customers’ location data to a shady prison phone company which was allowing prison guards to track Americans’ cell phones, I knew immediately that the practice was a security and privacy nightmare. Dogged reporting by Motherboard and the New York Times revealed that this was just the tip of the iceberg and that stalkers, rogue sheriff’s deputies, and shady data brokers had used this massive loophole to track Americans without their permission or knowledge.”
“Thanks to an outcry from consumers, last year the big wireless companies finally stopped allowing shady data brokers to track their customers. I’m eager to see whether the FCC will truly hold wireless companies accountable, or let them off with a slap on the wrist,” the statement added.
Sprint declined to comment. Verizon and AT&T directed requests for comment to the CTIA, a trade body for the wireless communications industry.
CTIA said in a statement “Wireless companies are committed to protecting the privacy of consumers and share location data only with customer consent. Upon hearing allegations of misuse of the data, carriers quickly investigated, suspended access to the data and subsequently terminated those programs.”
Update: This piece has been updated to include a statement from the CTIA and Senator Ron Wyden.
Subscribe to our cybersecurity podcast, CYBER.