Customer location data sold: US mobile operators fined millions
All the major US mobile phone companies betrayed their customers and sold their location data for years. Now they have to pay a fine – for a few months.
(Bild: Daniel AJ Sokolov)
T-Mobile USA, AT&T, Verizon and Sprint have sold the location data of their mobile customers without obtaining customer consent. The buyers of the data should do this. However, they resold access to the data and left it to their buyers to claim with a click of the mouse that they had obtained the required consents from those affected. Dozens of companies gained access and used automatic interfaces (API). Now the network operators are to pay a fine, but only for a fraction of the time.
The US regulatory authority FCC (Federal Communications Commission) published the corresponding penalty notices on Monday. Officially, the location services were advertised for more mundane purposes, such as finding lost devices or tracking cell phone use in prisons. In reality, bounty hunters, secret services, private investigators, various companies and even police authorities have illegally monitored Americans. Since 2007, location tracking has only been permitted with the consent of the person concerned or with judicial authorization or in certain emergencies.
One sheriff was sentenced to six months in prison for this. He had always clicked that his searches were legal. He uploaded random documents, such as a car insurance policy or individual pages from a police manual, but not the necessary judicial authorizations because he would not have received them. Nobody checked his queries - and quite deliberately so. The LBS company from which the sheriff bought the surveillance access believes that it is the sheriff's own responsibility to check his compliance with the regulations.
T-Mobile is now to pay a fine of over 80 million US dollars, AT&T more than 57 million, Verizon just under 47 million and Sprint over twelve million dollars. In total, this amounts to around 196 million dollars. The penalized network operators will probably fight the fines in court.
Strange calculation
The method of calculating the penalties is strange. The authority does not count the number of people affected, but the number of direct purchasers of the location data (so-called aggregators) and their customers (so-called location-based services, LBS). At T-Mobile, for example, this was 81.
The authority multiplied this figure by 2,500 US dollars per day on which the LBS companies had direct API access – but not for the entire period of the infringement because by law the authority may only impose penalties retroactively for one year from the date the proceedings were initiated. But it is also not using one year, but June 9, 2018, which is 30 days after a New York Times report on the indictment of the aforementioned sheriff.
The FCC therefore only considers the conduct of network operators from 30 days after this report to be worthy of punishment. The network operators continued to sell their customers' location data for up to ten months after the newspaper report. In addition, there is a base amount of 40,000 dollars per LBS partner and a surcharge of 50 to 100 percent, depending on how reprehensible the network operator's behavior was according to the authorities after the New York Times report.
Republicans are now against penalties
The FCC initiated the proceedings under US President Donald Trump, at the time also with the approval of the Republican majority in the FCC. The Democrats now have a 3:2 majority there, and now the Republicans are suddenly against the penalties. One of them puts forward the obscure theory that the sale of location data is completely legal, except when the user is making a phone call. And another authority should have conducted the proceedings in the first place. The other Republican in the FCC believes that there was only a single violation of the law per network operator, and that the calculation by days and purchasing companies is inadmissible. The authority should not have imposed any penalties at all and instead have the network operators promise to be good in the future.
It is true that the network operators state that they have now stopped selling the location data. However, this does not mean that the LBS providers have become unemployed. Today, location data is secretly harvested from all kinds of smartphone apps and sold, often to authorities that are not allowed to collect such data themselves, such as the NSA (National Security Agency). To a lesser extent, Wi-Fi hotspots, Bluetooth beacons and IMSI catchers are used to collect location data from cell phones and other devices.
Fun fact: The US intelligence agency NSA itself has been warning for at least four years about the danger of location monitoring of mobile phone users for national security. Nevertheless, the USA still lacks a comprehensive data protection law.
- Penalty notices against the four network operators, statements by three FC Commissioners, FCC 24-40, FCC 24-41, FCC 24-42, FCC 24-43
(ds)
