FCC Fines Major US Wireless Carriers for Selling Customer Location Data – Krebs on Security

The US Federal Communications Commission (FCC) today imposed fines totaling nearly $200 million on four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.

The fines are the culmination of a more than four-year investigation into the conduct of major carriers. In February 2020, the FCC notified all four wireless providers that their practices of sharing access to customers’ location data likely violated the law.

The FCC said it found that each of the carriers sold access to their customers’ location information to “aggregators,” who then sold access to the information to third-party location-based service providers.

“In doing so, each carrier attempted to shift its obligations to obtain customer consent to subsequent recipients of location information, which in many cases meant that no valid customer consent was obtained,” the FCC said in a statement on the action. “This initial failure was compounded when carriers, after discovering that their safeguards were ineffective, continued to sell access to location information without taking adequate measures to protect it from unauthorized access.”

For example, the FCC’s findings against AT&T show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found that Verizon sold access to customer location data (directly or indirectly) to 67 third-party entities. The location data of Sprint customers reached 86 third-party entities, and in the case of T-Mobile customers, it reached 75 third parties.

The commission said it then took action Senator Ron Wyden (D-Ore.) sent a letter to the FCC detailing the company’s response Securus technology sold customer location data of virtually any major mobile carrier to law enforcement.

That same month, KrebsOnSecurity reported that LocationSmart — a data aggregation firm working with major wireless carriers — had a free, unsecured demo of its service online that anyone could exploit to find the near-precise location of virtually any cell phone in North America.

The carriers have promised to “end” location data sharing agreements with third-party companies. But in 2019, reports on Vice.com showed that little had changed, detailing how reporters were able to find a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.

Senator Wyden said no one who signed up for a cellular plan thought they were giving their phone company permission to sell a detailed record of their movements to anyone with a credit card.

“I applaud the FCC for completing my investigation and holding these companies accountable for endangering the lives and privacy of customers,” Wyden said in a statement today.

The FCC fined Sprint and T-Mobile $12 million and $80 million, respectively. AT&T was fined more than $57 million, while Verizon was fined $47 million. Still, these fines represent a tiny fraction of each carrier’s annual revenue. For example, $47 million is less than one percent of Verizon’s total wireless revenue in 2023, which was nearly $77 billion.

The fines vary because they were calculated in part based on the number of days carriers continued to share customers’ location data after being told it was illegal (the agency also took into account the number of active third-party location data sharing agreements hillside). The FCC notes that AT&T and Verizon took more than 320 days after the Times story was published to terminate their data-sharing agreements; T-Mobile took 275 days; Sprint shared customers’ location data for 386 days.

Update, 6:25 p.m. ET: Clarified that the FCC opened an investigation at the request of Senator Wyden.