Carriers broke law disclosing customer location data, FCC says

More than a year after investigative news reports revealed that wireless customers’ real-time location data was being sold to third-party aggregators, the FCC has concluded that at least one unnamed carrier broke the law, and the agency intends to take enforcement action.

The FCC’s Enforcement Bureau has yet to release the findings of its investigation but FCC Chairman Ajit Pai sent a letter (PDF) to Congress Friday informing them of the conclusion.

“I wish to inform you that the FCC’s Enforcement Bureau has completed its extensive investigation, and that it has concluded that one or more wireless carriers apparently violated federal law” in disclosing consumers’ real-time location data, wrote Pai.

RELATED: Cellphone location data from T-Mobile, AT&T and Sprint was sold to bail bondsmen

The letter does not name which carrier or carriers violated the law, but Pai said he intends to circulate at least one Notice of Apparent Liability for Forfeiture (NAL) in the coming days. An NAL advises the party in question how it violated the law and the amount of the proposed penalty.

Commissioner Jessica Rosenworcel in a statement (PDF) Friday called it “a shame” that it took the agency so long “to reach a conclusion that was so obvious.”

“For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data. It’s chilling to consider what a black market could do with this data,” said Rosenworcel. “It puts the safety and privacy of every American with a wireless phone at risk. Today this agency finally announced that this was a violation of the law. Millions and millions of Americans use a wireless device every day and didn’t sign up for or consent to this surveillance.”

RELATED: FCC asks AT&T, others for proof that it stopped selling location data to third parties

A Motherboard report in early 2019 found that personal real-time location data of AT&T, Sprint and T-Mobile customers made its way into the hands of bounty hunters and could be accessed for a few hundred dollars, after having first been sold to third party location aggregators and related companies.  

This came after a flurry of 2018 reports that included a New York Times article about carriers selling individuals’ location data to middle men companies that then misused the personal information.   

After investigative reports surfaced, all four major carriers last year promised to stop location data sharing abuse and end the practice of selling to third parties, including Verizon, which was not cited in the Motherboard findings. This followed earlier pledges that they would end data location misuse after a U.S. senator raised the issue (PDF) with the FCC in the summer of 2018.  

Rosenworcel in May 2019 pressed the carriers for proof that they had ended such practices.

In response, carriers all said that they had or would be terminating contracts with location aggregators, though some like AT&T noted it made exceptions for applications like emergency services and to prevent fraud.

RELATED: Wireless carriers tell FCC they stopped selling user location data to aggregators

Verizon had said it terminated most of its location aggregator contracts in November 2018 and in March 2019 ended remaining relationships with roadside assistance companies that had been part of its location aggregator program.

As for the recent FCC conclusion, Sprint did not have a comment to share, while T-Mobile and Verizon representatives did not respond to inquiries. AT&T directed FierceWireless to industry trade group CTIA.

A CTIA spokesperson released the following statement, “Wireless companies are committed to protecting the privacy of consumers and share location data only with customer consent. Upon hearing allegations of misuse of the data, carriers quickly investigated, suspended access to the data and subsequently terminated those programs.”