Архив метки: FCC

FCC proposes $208M in fines for wireless carriers that sold your location for years

The FCC has officially and finally determined that the major wireless carriers in the U.S. broke the law by secretly selling subscribers’ location data for years with almost no constraints or disclosure. But its Commissioners decry the $208 million penalty proposed to be paid by these enormously rich corporations, calling it “not properly proportioned to the consumer harms suffered.”
Under the proposed fines, T-Mobile would pay $91M; AT&T, $57M; Verizon, $48M; and Sprint, $12M. (Disclosure: TechCrunch is owned by Verizon Media. This does not affect our coverage in the slightest.)
The case has stretched on for more than a year and a half after initial reports that private companies were accessing and selling real-time subscriber location data to anyone willing to pay. Such a blatant abuse of consumers’ privacy caused an immediate outcry, and carriers responded with apparent chagrin — but often failed to terminate or even evaluate these programs in a timely fashion. It turns out they were run with almost no oversight at all, with responsibility delegated to the third party companies to ensure compliance.

LocationSmart didn’t just sell mobile phone locations, it leaked them

Meanwhile the FCC was called on to investigate the nature of these offenses, and spent more than a year doing so in near-total silence, with even its own Commissioners calling out the agency’s lack of communication on such a serious issue.
Finally, in January, FCC Chairman Ajit Pai — who, it really must be noted here, formerly worked for one of the main companies implicated, Securus — announced that the investigation had found the carriers had indeed violated federal law and would soon be punished.

Carriers ‘violated federal law’ by selling your location data, FCC tells Congress

Today brings the official documentation of the fines, as well as commentary from the Commission. In the documents, the carriers are described as not only doing something bad, but doing it poorly — and especially in T-Mobile’s case, continuing to do it well after they said they’d stop:
We find that T-Mobile apparently disclosed its customers’ location information, without their consent, to third parties who were not authorized to receive it. In addition, even after highly publicized incidents put the Company on notice that its safeguards for protecting customer location information were inadequate, T-Mobile apparently continued to sell access to its customers’ location information for the better part of a year without putting in place reasonable safeguards—leaving its customers’ data at unreasonable risk of unauthorized disclosure
The general feeling seems to be that while it’s commendable to recognize this violation and propose what could be considered  substantial fines, the whole thing is, as Commissioner Rosenworcel put it, “a day late and a dollar short.”
The scale of the fines, they say, has little to do with the scale of the offenses — and that’s because the investigation did not adequately investigate or attempt to investigate the scale of those offenses. As Commissioner Starks writes in a lengthy statement:
After all these months of investigation, the Commission still has no idea how many consumers’ data was mishandled by each of the carriers.
We had the power—and, given the length of this investigation, the time—to compel disclosures that would help us understand the true scope of the harm done to consumers. Instead, the Notices calculate the forfeiture based on the number of contracts between the carriers and location aggregators, as well as the number of contracts between those aggregators and third-party location-based service providers. That is a poor and unnecessary proxy for the privacy harm caused by each carrier, each of which has tens of millions of customers that likely had their personal data abused.
Essentially, the FCC didn’t even look at the number or nature of actual harm — it just asked the carriers to provide the number of contracts entered into. As Starks points out, one such contract can and did sometimes represent thousands of individual privacy invasions.
We know there are many—perhaps millions—of additional victims, each with their own harms. Unfortunately, based on the investigation the FCC conducted, we don’t even know how many there were, and the penalties we propose today do not reflect that impact.
And why not go after the individual companies? Securus, Starks says, “behaved outrageously.” But they’re not being fined at all. Even if the FCC lacked the authority to do so, it could have handed off the case to Justice or local authorities that could determine whether these companies violated other laws.
As Rosenworcel notes in her own statement, the fines are also extraordinarily generous even beyond this minimal method of calculating harm:
The agency proposes a $40,000 fine for the violation of our rules—but only on the first day. For every day after that, it reduces to $2,500 per violation. The FCC heavily discounts the fines the carriers potentially owe under the law and disregards the scope of the problem. On top of that, the agency gives each carrier a thirty-day pass from this calculation. This thirty day “get-out-of-jail-free” card is plucked from thin air.
Given that this investigation took place over such a long period, it’s strange that it did not seek to hear from the public or subpoena further details from the companies facilitating the violations. Meanwhile the carriers sought to declare a huge proportion of their responses to the FCC’s questions confidential, including publicly available information, and the agency didn’t question these assertions until Starks and Rosenworcel intervened.
$200M sounds like a lot, but divided among several billion-dollar communications organizations it’s peanuts, especially when you consider that these location-selling agreements may have netted far more than that in the years they were active. Only the carriers know exactly how many times their subscribers’ privacy was violated, and how much money they made from that abuse. And because the investigation has ended without the authority over these matters asking about it, we likely never will know.
The proposed fines, called a Notice of Apparent Liability, are only a tentative finding, and the carriers have 30 days to respond or ask for an extension — the latter of which is the more likely. Once they respond (perhaps challenging the amount or something else) the FCC can take as long as it wants to come up with a final fine amount. And once that is issued, there is no requirement that the fine actually be collected — and the FCC has in fact declined to collect before once the heat died down, though not with a penalty of this scale.
“While I am glad the FCC is finally proposing fines for this egregious behavior, it represents little more than the cost of doing business for these carriers,” Congressman Frank Pallone (D-NJ) said in a statement. “Further, the Commission is still a long way from collecting these fines and holding the companies fully accountable.”
The only thing that led to this case being investigated at all was public attention, and apparently public attention is necessary to ensure the federal government follows through on its duties.
(This article has been substantially updated with new information, plus comments from Commissioner Starks and Rep. Pallone.)

FCC proposes $208M in fines for wireless carriers that sold your location for years

TRACED Act signed into law, putting robocallers on notice

The Pallone-Thrune TRACED Act, a bipartisan bit of legislation that should make life harder for the villains behind robocalls, was signed into law today by the president. It’s still possible to get things done in D.C. after all!
We’ve covered the TRACED Act several times previously, as robocalls are, in addition to being horribly annoying, a uniquely annoying high-tech threat. Using clever targeting and spoofing technology, scammers are placing millions of calls that at best irritate and at worst take advantage of the vulnerable.
The new law won’t end that practice overnight, but it does add some useful tools to regulators’ toolboxes. Here’s how I summarized the bill’s provisions earlier this month:
Extends FCC’s statute of limitations on robocall offenses and increases potential fines
Requires an FCC rulemaking helping protect consumers from spam calls and texts (this is already underway)
Requires annual FCC report on robocall enforcement and allows for it to formally recommend legislation
Requires adoption on a reasonable timeline of the STIR/SHAKEN framework for preventing call spoofing
Prevents carriers from charging for the above service, and shields them from liability for reasonable mistakes
Requires the attorney general to convene an interagency task force to look at prosecution of offenders
Opens the door to Justice Department prosecution of offenders
Establishes a handful of specific cutouts and studies to make sure the rules work and interested parties are giving feedback
Senate Minority Leader Chuck Schumer (D-NY) took a break from other business to laud the enactment of the law:

Americans were battered by 48 billion robocalls last year.
I get them, too. I hate them. They need to stop.
I’m so proud I fought for the #TRACEDact to protect Americans from these annoying, persistent, & dangerous calls.
And I’m so proud it’s now law.https://t.co/HgNjuRiQXe
— Chuck Schumer (@SenSchumer) December 31, 2019

And FCC Chairman Ajit Pai’s praise was effusive in a statement his office sent along:
I applaud Congress for working in a bipartisan manner to combat illegal robocalls and malicious caller ID spoofing.  And I thank the President and Congress for the additional tools and flexibility that this law affords us.  Specifically, I am glad that the agency now has a longer statute of limitations during which we can pursue scammers and I welcome the removal of a previously-required warning we had to give to unlawful robocallers before imposing tough penalties.
And I thank the American people for never letting us forget how fed up they are with scam, spoofed robocalls.  It’s their voices that power our never-ceasing push to fight back against the scourge of robocalls and malicious spoofing.
Of course the new law isn’t a magic wand; The FCC is still limited in what it can do and how quickly it can act. Even major fines like this $120 million one have had a negligible effect on the nefarious industry. “Like emptying the ocean with a teaspoon,” said Commissioner Jessica Rosenworcel at the time.
Here’s hoping the TRACED Act amounts to more than a bigger spoon. We’ll find out as regulators and the mobile industry grow into their new capabilities and begin the long process of actually applying them to the problem. It may take months or more to see any real abatement, but at least we’re taking concrete steps.

TRACED Act signed into law, putting robocallers on notice