T-Mobile on the largest user location sharing abuse fine: AT&T, Verizon and Sprint did worse

by Daniel Petrov

Mar 05, 2020, 5:23 AM

T-Mobile on the largest user location sharing abuse fine: AT&T, Verizon and Sprint did worse

Did you know that T-Mobile, AT&T, Sprint and Verizon can triangulate where you are at any given time as long as you have your cell phone with active SIM card on you, even if your GPS is off? We bet you do, but did you know they store that location data and then resell it to "authorized" third party services in aggregated, supposedly anonymous state.

That could have crossed your information stream as well but the fact that those data aggregators then parse and resell your location down the flagpole was only fleshed out recently with various outlets doing their own investigations on the matter. When notified what is happening with the resold data, carriers said they will stop the practice way back in 2018, to little actual action, which made the FCC look into the issue.

The end result? Last week, the FCC announced that it has sent the so-called Notices of Apparent Liability for Forfeiture and Admonishment (NAL) to the four big US carriers, imposing a total of $209 million in fines, and T-Mobile will bear the brunt of it with $91 million.

T-Mobile vs AT&T vs Verizon vs Sprint customer location data sharing fines

Why? Well, in one instance, Motherboard was able to obtain location data for a T-Mobile customer for $300 from... a bounty hunter, and in real time, no less. It's precisely T-Mobile that tuned out the worst offender when it comes to customer location data sharing. While it only had contracts with two large aggregators - LocationSmart and Zumigo - they in turn spread its info far and wide to no less than 83 third-party entities, including a database that the bounty hunter could easily dip into to show your real-time location.

Next in line when it comes to the penalty amount is AT&T with $57.3 million), then Verizon with $48.3 million, and, finally, Sprint with $12.2 million in fines. The penalty doesn't only take into account the amount of third parties that subscriber location data was shared with, but also how long did it take the carriers to react after they were notified of the problem.

All continued the practice well into last year, even though they knew much earlier that the revenue they extracted from location data aggregators could land them in trouble since the practice had become public. T-Mobile, however, ceased sharing data without adequate safeguards earlier than the rest, and intends to fight the $91 million penalty that the FCC has imposed, according to FierceWireless:

While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this NAL and the associated fine. We take the privacy and security of our customers’ data very seriously. When we learned that our location aggregator program was being abused by bad actor third parties, we took quick action. We were the first wireless provider to commit to ending the program and terminated it in February 2019 after first ensuring that valid and important services were not adversely impacted.

The FCC Commissioner Geoffrey Starks, however, is having none of it, and is already gearing for a fight with T-Mobile by commenting that the $91 million penalty is not nearly enough, if anything, for the amount of damage that unauthorized sharing of subscriber location data has wreaked.

"It should be higher," he says. "I believe that T-Mobile was on notice about the problems with its location data protections back in July 2017 and that the proposed forfeiture amount should reflect that fact – the punishment should fit the crime."

That puts the timeline of the drama in a whole new light, as if indeed the first investigations started rolling a few years ago, and T-Mobile was warned about the abuse of its system way back in 2017, a reaction in 2019 may have come too little too late.

SUBSCRIBE TO OUR NEWSLETTER!