FCC Concludes Sharing of Consumers’ Real-Time Location Data Violates Federal Law

After an extended investigation, the FCC Enforcement Bureau has concluded that at least one wireless carrier apparently violated U.S. law by improperly disclosing consumers’ location data.

FCC Chairman Ajit Pai announced the agency’s conclusion in a January 31 letter to Congress. While the letter did not identify any carriers by name, it confirmed that one or more Notice(s) of Apparent Liability for Forfeiture would be issued in the coming days in connection with the apparent violation(s). 

“I am committed to ensuring that all entities subject to our jurisdiction comply with the Communications Act and the FCC’s rules, including those that protect consumers’ sensitive information, such as real-time location data,” said Chairman Pai.

The security of consumers’ real-time location data is an issue that gained widespread attention in 2018 after press reports revealed that carriers including T-Mobile, Sprint and AT&T were selling phone geolocation services to outside companies.  While it is common knowledge that law enforcement agencies can track phones with a warrant to service providers or through the use of IMSI catchers (also known as “Stingrays”), what

journalists found was that data made available to asset tracking and other legitimate enterprise location service providers was being resold to a host of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, with little or no oversight.  Compounding this already highly unscrupulous business practice, this data was then being leaked and/or resold to black market data brokers. An investigation by Senator Ron Wyden (D-Ore.) into the commercial relationships between Verizon and a pair of obscure data vendors found that one of Verizon’s indirect corporate customers, a prison phone company called Securus, had used Verizon’s customer location data in a system that effectively let correctional officers spy on millions of Americans.

Shortly after the reports surfaced, Verizon, AT&T and Sprint announced that they would no longer share customers’ location data with third-party companies who failed to adequately protect the data. The FCC took up the matter in early 2019 after FCC Commissioner Jessica Rosenworcel sent letters to major phone companies to confirm whether they lived up to their commitments to end these location aggregation services.

Commissioner Rosenworcel criticized the agency for its delay in taking enforcement action in a written statement..

“For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data. It’s chilling to consider what a black market could do with this data. It puts the safety and privacy of every American with a wireless phone at risk.

Today this agency finally announced that this was a violation of the law. Millions and millions of Americans use a wireless device every day and didn’t sign up for or consent to this surveillance. It’s a shame that it took so long for the FCC to reach a conclusion that was so obvious.”

While the focus of this violation investigation is on provision of location information to third party aggregators, one can wonder whether the FCC’s crackdown will cause the cellular carriers to be more difficult to deal with on the new direct provision arrangement we understand alarm companies have worked out for location info.