Telecom Giants Broke the Law By Selling Detailed Location Data. Will They Face Consequences?February 8, 2019
More details have emerged from the Motherboard investigation into carriers selling their customers’ real-time location data, including assisted GPS (“A-GPS”) data intended only for emergency services. The reports are shocking and illustrate both a brazen disregard for consumer privacy on the part of the companies involved and the disturbing, unregulated behavior of the data brokerage industry. The Federal Communications Commission, led by Chairman Ajit Pai, needs to act immediately to enforce what appears to be a clear violation of the FCC’s rules against the selling of A-GPS data with third parties. In addition, Congress must pass comprehensive privacy legislation that forces the data broker industry out of the shadows and stops the persistent misuse of data at the expense of consumer privacy.
If you haven’t read the story yet, be sure check it out, but the TL;DR is: Three of the four major telecom carriers (shout out to Verizon who did not) sold to third parties incredibly detailed location data meant for use only by emergency services. That can’t be legal, right?! That’s correct, it’s not, and Public Knowledge was right in the middle of ensuring that the rule was in place.
Back in 2014, the FCC put on public notice an industry proposal for improving location accuracy for emergency services (“the E911 Roadmap”). We filed public comments in response, as did a number of other organizations and members of the public, expressing serious concerns that the E911 Roadmap lacked safeguards to ensure that the A-GPS location data weren’t shared with third parties. In response to our concerns, the FCC determined that while the collection and use of the info for 911 was covered by the 911/public safety exception of the CPNI rules, any other use of the data would violate CPNI. The FCC required the industry/public safety working group developing the National Emergency Address Database (“NEAD”) to include a privacy and security plan and committed to putting the privacy and security plan out on public notice. The industry submitted the plan to the FCC in February 2017, and the Commission put it out on public notice and approved it by Order the following November.
The key point here is, as the November 2017 Order states, “the data in the NEAD and any data associated with the NEAD may not be used for any non-911 purpose, except as otherwise required by law.” So the Motherboard investigation has uncovered what appears to be a clear violation of what the FCC required when it approved the NEAD and the general Advanced 911 mandate in 2015. All of this makes Chairman Pai's statement on the same day that the report was released that industry needs to work harder on improving 911 geolocation accuracy both incredibly ironic and worrisome.
Democrat Commissioners Rosenworcel and Stark have issued clear and forceful condemnations in response to the details of this investigation, but thus far we have yet to hear from the Commissioners in the majority, and the silence is deafening. Small wonder that carriers treat violating consumer privacy as no big deal.
Is the FCC going to enforce the law that we helped put in place to protect consumers, or will it continue to sit on the privacy sidelines? How long are companies and data brokers going to have free rein to profit at the expense of consumer privacy in an utterly consequence-free environment? The country is watching, Chairman Pai.