US telcos in line for fine over non-consensual location data sales

FCC Chairman Ajit Pai has written to members of Congress following the conclusion of a geo-location investigation. The result: the telcos have been breaking the law.

What the punishment will be remains to be seen, but this draws to an end an investigation which the FCC seemingly did not really want to get involved with. It also remains to be seen which telcos will be drawn into the melee; Verizon stopped selling data to suspect companies when asked, the others did not.

“Fulfilling the commitment I made in that letter, I wish to inform you that the FCC’s Enforcement Bureau has completed its extensive investigation and that it has concluded that one or more wireless carriers apparently violated federal law,” Pai said in the letters to various different politicians.

In 2018, a Silicon Valley security researcher suggested telcos were able to monitor the data coming off many cell towers to effectively track customers without consent. This data was then in turn sold to any party willing to pay, with the telcos seemingly making zero ethical judgments on whether this should be done.

The data would usually be sold to companies such as Securus or Microbilt, before being farmed out further afield with little official oversight. This data might end up in the hands of a bounty hunter, searching for a fugitive who skipped bail, or with more nefarious characters.

“Thanks to an outcry from consumers, last year the big wireless companies finally stopped allowing shady data brokers to track their customers,” tweeted Senator Ron Wyden, one of the politicians who raised concerns in 2018.

“I’m eager to see whether the FCC will truly hold wireless companies accountable or let them off with a slap on the wrist.”

Perhaps one of the most interesting elements to this story was the reluctance of the FCC to move forward with any investigations.

Reports outlining the practice of selling geo-location data without consent first emerged in early 2018, though another report in January 2019 suggested T-Mobile US, AT&T and Sprint were continuing with the practice despite making public commitments to stop. In December 2019, almost 18 months after the initial reports, the FCC agreed to an investigation.

“For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data,” said FCC Commissioner Jessica Rosenworcel. “It’s chilling to consider what a black market could do with this data. It puts the safety and privacy of every American with a wireless phone at risk.

“Today this agency finally announced that this was a violation of the law. Millions and millions of Americans use a wireless device every day and didn’t sign up for or consent to this surveillance. It’s a shame that it took so long for the FCC to reach a conclusion that was so obvious.”

What is worth noting is that selling data to aggregators who work with third parties is not always so shady. This is a tried and tested strategy in the financial services industry to identify and prevent fraud, ultimately protecting the consumer. But these efforts are transparent and given oversight.

Given that there was apparent reluctance by the FCC to get involved in the saga in the first place, it will be interesting to see how much of a punishment is doled out. Chairman Pai has traditionally been a friend of the telcos, but to keep the public on side, he might have to make a political call to punish appropriately.