Архив метки: FCC

Robocallers face $225M fine from FCC and lawsuits from multiple states

Two men embodying the zenith of human villainy have admitted to making approximately a billion robocalls in the first few months of 2019 alone, and now face an FCC fine of $225 million and a lawsuit from multiple attorneys general that could amount to as much or more — not that they’ll actually end up paying that.
John Spiller and Jakob Mears, Texans of ill repute, are accused of (and have confessed to) forming a pair of companies to make millions of robocalls a day with the aim of selling health insurance from their shady clients.
The operation not only ignored the national Do Not Call registry, but targeted it specifically, as it was “more profitable to target these consumers.” Numbers were spoofed, making further mischief as angry people called back to find bewildered strangers on the other end of the line.
These calls amounted to billions over two years, and were eventually exposed by the FCC, the offices of several attorneys general and industry anti-fraud associations.
Now the pair have been slapped with a $225 million proposed fine, the largest in the FCC’s history. The lawsuit involves multiple states and varying statutory damages per offense, and even a conservative estimate of the amounts could exceed that number.
Unfortunately, as we’ve seen before, the fines seem to have little correlation with the amounts actually paid. The FCC and FTC do not have the authority to enforce the collection of these fines, leaving that to the Department of Justice. And even should the DoJ attempt to collect the money, they can’t get more than the defendants have.

FTC smacks down robocallers, but the penalties don’t match their heinous crimes

For instance, last year the FTC fined one robocaller $5 million, but he ended up paying $18,332 and the market price of his Mercedes. Unsurprisingly, these individuals performing white-collar crimes are no strangers to methods to avoid punishment for them. Disposing of cash assets before the feds come knocking on your door is just part of the game.
In this case the situation is potentially even more dire: the DoJ isn’t even involved. As FCC Commissioner Jessica Rosenworcel put it in a statement accompanying the agency’s announcement:
There’s something missing in this all-hands effort. That’s the Department of Justice. They aren’t a part of taking on this fraud. Why not? What signals does their refusal to be involved send?
Here’s the signal I see. Over the last several years the FCC has levied hundreds of millions in fines against robocallers just like the folks we have here today. But so far collections on these eye-popping fines have netted next to nothing. In fact, it was last year that The Wall Street Journal did the math and found that we had collected no more than $6,790 on hundreds of millions in fines. Why? Well, one reason is that the FCC looks to the Department of Justice to collect on the agency’s fines against robocallers. We need them to help. So when they don’t get involved—as here—that’s not a good sign.
While the FCC’s fine and the lawsuit will certainly put these robocallers out of business and place further barriers to their conducting more scam operations, they’re not really going to be liable for nine figures, because they’re not billionaires.
It’s good that the fines are large enough to bankrupt operations like these, but as Rosenworcel put it back in 2018 when another enormous fine was levied against a robocaller, “it’s like emptying the ocean with a teaspoon.” While the FCC and states were going after a pair of ne’er-do-wells, a dozen more have likely popped up to fill the space.
Industry-wide measures to curb robocalls have been underway for years now, but only recently have been mandated by the FCC after repeated warnings and delays. Expect the new anti-fraud frameworks to take effect over the next year.

Robocallers face $225M fine from FCC and lawsuits from multiple states

FCC mandates strict caller ID authentication to beat back robocalls

The FCC unanimously passed a new set of rules today that will require wireless carriers to implement a tech framework to combat robocalls. Called STIR/SHAKEN, and dithered over for years by the carriers, the protocol will be required to be put in place by summer of 2021.
Robocalls have grown from vexation to serious problem as predictable “claim your free vacation” scams gave way to “here’s how to claim your stimulus check” or “apply for coronavirus testing here” scams.

Be on guard for coronavirus robocalls, warns FCC

A big part of the problem is that the mobile networks allow for phone numbers to be spoofed or imitated, and it’s never clear to the call recipient that the number they see may be different from the actual originating number. Tracking and preventing fraudulent use of this feature has been on the carriers’ roadmap for a long time, and some have gotten around to it in some ways, for some customers.
STIR/SHAKEN, which stands for Secure Telephony Identity Revisited / Secure Handling of Asserted information using toKENs, is a way to securely track calls and callers to prevent fraud and warn consumers of potential scams. Carriers and the FCC have been talking about it since 2017, and in 2018 the FCC said it needed to be implemented in 2019. When that hadn’t happened, the FCC gave carriers a nudge, and at the end of the year Congress passed the TRACED Act to spur the regulator into carrying out its threat of mandating use of the system.
Rules to that effect were proposed earlier this month, and at the FCC’s open meeting today (conducted remotely), the measure passed unanimously. Commissioner Jessica Rosenworcel, who has been vocal about the lack of concrete action on this issue, gladly approved the rules but vented her frustration in a statement:
It is good news that today the Federal Communications Commission adopts rules to reduce robocalls through call authentication. I only wish we had done so sooner, like three years ago when the FCC first proposed the use of STIR/SHAKEN technology.
Commissioner Brendan Starks called the rules a “good first step,” but pointed out that the carriers need to apply call authentication technology not just on the IP-based networks but all over, and also to work with each other (as some already are) to ensure that these protections remain in place across networks, not just within them.
Chairman Ajit Pai concurred, pointing out there was much work to do:
It’s clear that FCC action is needed to spur across-the-board deployment of this important technology…Widespread implementation of STIR/SHAKEN will reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help phone companies identify—and even block—calls with illegal spoofed caller ID information before those calls reach their subscribers. Most importantly, it will give consumers more peace of mind when they answer the phone.
There’s no silver bullet for the problem of spoofed robocalls. So we will continue our aggressive, multi-pronged approach to combating it.
Consumers won’t notice any immediate changes — the deadline is next year, after all — but it’s likely that in the coming months you will receive more information from your carrier about the technology and what, if anything, you need to do to enable it.

FCC mandates strict caller ID authentication to beat back robocalls

Carriers introduce plans to keep consumers connected during COVID-19 pandemic

Earlier this month, the FCC issued a new measure aimed at easing some of the burdens on consumers as COVID-19 continues to have an increasingly profound impact on nearly every aspect of life.
Most or all major internet and wireless providers in the U.S. signed up for the pledge, agreeing to take actions like waiving late fees and not terminating service. Now specific plans are starting to emerge from carriers, aimed at helping cash-strapped consumers until this pandemic blows over.
T-Mobile this morning announced the launch of a $15/month Metro plan — at half the cost of its current lowest-price plan. The pricing will be in place for the next 60 days, including unlimited talk and 2GB of data. The company is also tossing in a free eight-inch tablet (with rebate, plus fine print) and will be adjusting other data plans for the next two months.
At the same time, Verizon (TC’s parent company) announced that it will be adding 15GB of 4G data to current consumer and small business plans, in an effort to help customers use their handsets as mobile hotspots as needed. The company will also be taking $20 off select FiOS plans and waving router rental fees for 60 days.
Like the other carriers, AT&T noted in a message to TechCrunch that it will not terminate service over inability to pay. It will also be waiving late fees, along with domestic overcharges for data, voice and text, retroactive to March 13.
Sprint, meanwhile, will provide for 60 days unlimited data to customers with metered plans, starting March 18, along with 20GB of free mobile hotspot data.

Carriers introduce plans to keep consumers connected during COVID-19 pandemic

FCC looks to mandate anti-robocall tech after prodding from Congress

The FCC is finally going to require wireless carriers to implement an anti-robocalling technology, after asking them nicely for more than a year to do so at their convenience. Of course, the FCC itself is now required to do this after Congress got tired of waiting on them and took action itself.
The technology is called Secure Telephony Identity Revisited / Secure Handling of Asserted information using toKENs, mercifully abbreviated to STIR/SHAKEN, and amounts to a sort of certificate authority for calls that prevents phone numbers from being spoofed. (This is a good technical breakdown if you’re curious.)
STIR/SHAKEN has been talked about for quite some time as a major part of the fight against robocalls, and in 2018 FCC Chairman Ajit Pai said that carriers would have until the end of 2019 to implement it. 2019 came and went, and while the FCC (and indeed carriers) took other actions against robocallers, STIR/SHAKEN went largely undeployed.
Meanwhile, Congress, perhaps tired of receiving scam calls themselves, managed to collectively reach across the aisle and pass the TRACED Act, which essentially empowers the FCC and other departments to take action against robocallers — and prevents carriers from charging for anti-robocall services.

Robocall-crushing TRACED act passes Senate and heads to Oval Office

It also ordered the FCC to set a timeline for STIR/SHAKEN implementation, which is what Pai is doing now.
“It’s clear that FCC action is needed to spur across-the-board deployment of this important technology. There is no silver bullet when it comes to eradicating robocalls, but this is a critical shot at the target,” he said in a statement issued today.
There does not, however, appear to be any great hurry. The proposal, which will be voted on at the FCC’s meeting later this month, would require voice service providers to implement STIR/SHAKEN by June 30… of 2021. And one-year extensions will be available to smaller providers who claim difficulty getting the system up and running.
In other words, you can expect to keep receiving strange calls offering discounts on cruises and warning you of IRS penalties for some time to come. Of course, there are some things you can do to stem the flow of scammers — check out our 101 on preventing robocalls for some simple tips to save yourself some aggravation.

How to stop robocalls spamming your phone

FCC looks to mandate anti-robocall tech after prodding from Congress

FCC proposes $208M in fines for wireless carriers that sold your location for years

The FCC has officially and finally determined that the major wireless carriers in the U.S. broke the law by secretly selling subscribers’ location data for years with almost no constraints or disclosure. But its Commissioners decry the $208 million penalty proposed to be paid by these enormously rich corporations, calling it “not properly proportioned to the consumer harms suffered.”
Under the proposed fines, T-Mobile would pay $91M; AT&T, $57M; Verizon, $48M; and Sprint, $12M. (Disclosure: TechCrunch is owned by Verizon Media. This does not affect our coverage in the slightest.)
The case has stretched on for more than a year and a half after initial reports that private companies were accessing and selling real-time subscriber location data to anyone willing to pay. Such a blatant abuse of consumers’ privacy caused an immediate outcry, and carriers responded with apparent chagrin — but often failed to terminate or even evaluate these programs in a timely fashion. It turns out they were run with almost no oversight at all, with responsibility delegated to the third party companies to ensure compliance.

LocationSmart didn’t just sell mobile phone locations, it leaked them

Meanwhile the FCC was called on to investigate the nature of these offenses, and spent more than a year doing so in near-total silence, with even its own Commissioners calling out the agency’s lack of communication on such a serious issue.
Finally, in January, FCC Chairman Ajit Pai — who, it really must be noted here, formerly worked for one of the main companies implicated, Securus — announced that the investigation had found the carriers had indeed violated federal law and would soon be punished.

Carriers ‘violated federal law’ by selling your location data, FCC tells Congress

Today brings the official documentation of the fines, as well as commentary from the Commission. In the documents, the carriers are described as not only doing something bad, but doing it poorly — and especially in T-Mobile’s case, continuing to do it well after they said they’d stop:
We find that T-Mobile apparently disclosed its customers’ location information, without their consent, to third parties who were not authorized to receive it. In addition, even after highly publicized incidents put the Company on notice that its safeguards for protecting customer location information were inadequate, T-Mobile apparently continued to sell access to its customers’ location information for the better part of a year without putting in place reasonable safeguards—leaving its customers’ data at unreasonable risk of unauthorized disclosure
The general feeling seems to be that while it’s commendable to recognize this violation and propose what could be considered  substantial fines, the whole thing is, as Commissioner Rosenworcel put it, “a day late and a dollar short.”
The scale of the fines, they say, has little to do with the scale of the offenses — and that’s because the investigation did not adequately investigate or attempt to investigate the scale of those offenses. As Commissioner Starks writes in a lengthy statement:
After all these months of investigation, the Commission still has no idea how many consumers’ data was mishandled by each of the carriers.
We had the power—and, given the length of this investigation, the time—to compel disclosures that would help us understand the true scope of the harm done to consumers. Instead, the Notices calculate the forfeiture based on the number of contracts between the carriers and location aggregators, as well as the number of contracts between those aggregators and third-party location-based service providers. That is a poor and unnecessary proxy for the privacy harm caused by each carrier, each of which has tens of millions of customers that likely had their personal data abused.
Essentially, the FCC didn’t even look at the number or nature of actual harm — it just asked the carriers to provide the number of contracts entered into. As Starks points out, one such contract can and did sometimes represent thousands of individual privacy invasions.
We know there are many—perhaps millions—of additional victims, each with their own harms. Unfortunately, based on the investigation the FCC conducted, we don’t even know how many there were, and the penalties we propose today do not reflect that impact.
And why not go after the individual companies? Securus, Starks says, “behaved outrageously.” But they’re not being fined at all. Even if the FCC lacked the authority to do so, it could have handed off the case to Justice or local authorities that could determine whether these companies violated other laws.
As Rosenworcel notes in her own statement, the fines are also extraordinarily generous even beyond this minimal method of calculating harm:
The agency proposes a $40,000 fine for the violation of our rules—but only on the first day. For every day after that, it reduces to $2,500 per violation. The FCC heavily discounts the fines the carriers potentially owe under the law and disregards the scope of the problem. On top of that, the agency gives each carrier a thirty-day pass from this calculation. This thirty day “get-out-of-jail-free” card is plucked from thin air.
Given that this investigation took place over such a long period, it’s strange that it did not seek to hear from the public or subpoena further details from the companies facilitating the violations. Meanwhile the carriers sought to declare a huge proportion of their responses to the FCC’s questions confidential, including publicly available information, and the agency didn’t question these assertions until Starks and Rosenworcel intervened.
$200M sounds like a lot, but divided among several billion-dollar communications organizations it’s peanuts, especially when you consider that these location-selling agreements may have netted far more than that in the years they were active. Only the carriers know exactly how many times their subscribers’ privacy was violated, and how much money they made from that abuse. And because the investigation has ended without the authority over these matters asking about it, we likely never will know.
The proposed fines, called a Notice of Apparent Liability, are only a tentative finding, and the carriers have 30 days to respond or ask for an extension — the latter of which is the more likely. Once they respond (perhaps challenging the amount or something else) the FCC can take as long as it wants to come up with a final fine amount. And once that is issued, there is no requirement that the fine actually be collected — and the FCC has in fact declined to collect before once the heat died down, though not with a penalty of this scale.
“While I am glad the FCC is finally proposing fines for this egregious behavior, it represents little more than the cost of doing business for these carriers,” Congressman Frank Pallone (D-NJ) said in a statement. “Further, the Commission is still a long way from collecting these fines and holding the companies fully accountable.”
The only thing that led to this case being investigated at all was public attention, and apparently public attention is necessary to ensure the federal government follows through on its duties.
(This article has been substantially updated with new information, plus comments from Commissioner Starks and Rep. Pallone.)

FCC proposes $208M in fines for wireless carriers that sold your location for years