The major wireless carriers (AT&T, Verizon, Sprint, and T-Mobile) were fined nearly $200 million for “illegally sharing access to customers’ location data” on April 29, 2024. These fines are the conclusion of an investigation and regulatory actions dating back to 2018. They also highlight one of the most public wins of the FCC’s Privacy and Data Protection Task Force, which was established in 2023. While the orders deal with consumer data and how carriers are using it, the orders with each of the wireless carriers have takeaways that can be put into practice by a wide variety of companies.
The investigation started in 2018 when a New York Times article highlighted a “location-finding service” operated by Securus. Securus is a provider of communication services to correctional facilities. Securus was allowing a Missouri sheriff to use the service to track numerous individuals. The sheriff was doing so by falsifying documents when submitting his requests for location data. Securus would “immediately provide the requested location information (regardless of the adequacy of the uploaded document).”
This is where the problems start for the carriers.
Customer location information is considered by the FCC to be customer proprietary network information, or CPNI. Going back to 2007, the FCC has stated it “fully expect[s] carriers to take reasonable precautions to protect the confidentiality of proprietary or personal customer information…We further expect carriers to take additional steps to protect the privacy of CPNI to the extent such additional measures are feasible for a particular carrier.”
The FCC has even promulgated rules regarding the safekeeping of CPNI. In the FCC’s regulations on common carriers, Sec. 64.2010(a) states: “Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” Section 217 of the Communications Act states: “the act, omission, or failure of any officer, agent, or other person acting for or employed by any common carrier or user, acting within the scope of his employment, shall in every case be also deemed to be the act, omission, or failure of such carrier or user as well as that person.”
So, piecing those last two paragraphs together: carriers should be taking specific precautions to monitor the use and disclosure of CPNI, such as customer location information, and any contractor (as an agent of the carrier) should be doing so as well.
Well…they didn’t. Neither the carriers nor the contractors did.
The carriers used third parties called “location information aggregators.” These aggregators resold access to the location information to companies called “location-based service providers,” such as Securus. While the carriers all had contractual provisions giving them oversight of the location information aggregators, it becomes pretty clear from the record that they didn’t exercise that oversight.
There is a lot going on in these forfeiture notices and each carrier has their own. Some of them are very technical and of importance only to carriers. However, there are some takeaways for other companies, including lead buyers and sellers.
- Understand who has access to your data
All of the carriers used the third-party location information aggregators, and the aggregators were reselling access to other companies. The information being passed on through this myriad of relationships is sensitive information. Even though the carriers all disputed that the location information was CPNI, it is clear that location data is important to consumers and should probably be protected. If the location data is important and should be protected, then any access to the data should be scrutinized.
This is true for lead buyers. Sensitive data is important and should be protected. Access to sensitive data should be scrutinized. This is why access control policies and procedures should be in place. Who has access to it? Why do they have access to it? What can they do with it?
This lines up with the increased attention data minimization is getting. The proposed American Privacy Rights Act specifically calls out data minimization. The California Privacy Protection Agency released its very first Enforcement Advisory in early April, and it dealt with data minimization. There is a lot of focus on this right now.
- Use the contractual protections to monitor third-parties
The carriers all included audit provisions in their agreements with the aggregators. And they, for the most part, audited their partners. However, when the partners have partners, that’s when things get difficult. All of the carriers stated they had adequate safeguards in place, but the Commission found, in the AT&T order, that “these safeguards relied almost entirely upon contractual agreement, passed on to location-based service providers through an attenuated chain of downstream contracts. To enforce these safeguards, AT&T would have needed to take steps to determine whether they were actually being followed.”
We have seen multiple times at TCPAWorld the problems that can arise when a company can’t track the flow of data downstream. One day you are buying leads, then another third party comes in, and somehow there is a random Bosnian lead seller involved. This is not dissimilar to what happened with the carriers. They have a good partner (the location information aggregators). Those partners have good partners. Then those partners end up selling cell phone location data to bail bondsmen.
It is imperative that you understand the whole funnel and use the contract provisions to their fullest, rather than relying on the words of the contract alone.
- If something smells bad, then check it out completely.
T-Mobile knew as early as 2017 that it had problems with location information aggregators, specifically that it couldn’t distinguish between legitimate requests and bad requests. But it didn’t completely stop the problems. Yes, it took some steps to fix them, but there were still systemic problems it didn’t fix. That led to the Securus issues. This was one of the factors that led the Commission to a 75% upward adjustment of its forfeiture order.
This is a step companies have to take. If there is a problem, what is the source? Can you track it down? There is a reason companies do root cause analysis: it is to prevent things like this from happening. You have to completely remedy the issue; if not, it will pop up again.
These FCC forfeitures are outsized, and there are lots of things in them that reasonable people can disagree about. In fact, Commissioner Carr dissented from these Orders. But reasonable people can and should take this as an opportunity to learn from these Orders and consider how they can apply to their businesses.