Over the past few years, the major U.S. mobile carriers have been in the spotlight over allegations that they have been selling their subscribers’ real-time geolocation data, including highly precise assisted GPS (A-GPS) information designed for use with “Enhanced 911” (E911). The Federal Communications Commission requires mobile carriers to offer E911, a service that provides 911 operators with a wireless caller’s location information, generally accurate within 50 to 300 meters.
In November 2017, the FCC received public comments, including those from Public Knowledge, expressing concerns that E911 location data could be shared with third parties. In response, the Commission approved an Order stating that any data associated with the National Emergency Address Database (NEAD) “may not be used for any non-911 purpose, except as otherwise required by law.” Despite the Order, in January 2019, a Motherboard investigation unearthed the troubling ease with which anyone with $300 and a cell phone number could find that phone’s location. In some cases, however, no money was needed at all – bounty hunters and people with histories of domestic violence have impersonated government officials to exploit policies designed to assist law enforcement in emergencies. Carriers have actually been required to guard against this practice of “pretexting” since 2007, but people interviewed by Motherboard claim pretexting remains common and easy for impersonators to execute.
This past March, the FCC issued a Further Notice of Proposed Rulemaking (FNPRM) draft in the E911 proceeding, which proposed mandated increases in the precision of E911 location data. The FNPRM completely neglected the glaring privacy issues with the proposal, and we filed an ex parte brief in response to voice these concerns. The Commission eventually approved an amended version of the FNPRM that addressed the oversight. Public Knowledge expressed its hope that the FCC would quickly conclude its investigation into the allegations of carriers selling E911 data.
Months have passed, however, and the investigation continues. FCC Commissioner Geoffrey Starks noted in an April 2, 2019, interview with The New York Times that the FCC usually only has one year to take action in an investigation before the statute of limitations expires. While the Commission does not comment on ongoing investigations, it is estimated that the investigation began around May 2018. If it hasn’t already expired, the statute of limitations continues to run, and the FCC remains, in the words of Commissioner Jessica Rosenworcel, “totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data.”
Against this backdrop of FCC inaction, T-Mobile — one of the subjects of the Motherboard investigation — has argued that its customers waived their rights to bring into court any claims related to its selling of their sensitive real-time location data to third parties without their consent. On July 8, the carrier filed a motion to compel arbitration in an effort to avoid a class-action lawsuit. In their complaint, the plaintiffs cite Section 222 of the Communications Act, a provision that states carriers may not disclose location information “without the express prior authorization of the customer.” The carrier based its motion on a forced arbitration clause in the terms and conditions to which all of its subscribers must agree in order to sign up for its service.
Today, broadband providers that also provide telecommunications services are not subject to any comprehensive federal privacy law. But things weren’t always this way. On October 27, 2016, the FCC promulgated regulations that required broadband providers to obtain customer consent prior to using sensitive information that they collect. While the rules did not outright prohibit broadband providers from sharing sensitive information, they were the first rules outlining how broadband providers may share their customers’ private information. Public Knowledge supported these sensible privacy rules and applauded the FCC’s affirmation that consumers should be in control of their own data. However, in March 2017, Congress passed a Congressional Review Act resolution to eliminate these rules using an expedited legislative process to overrule new agency regulations, and prevent substantially similar ones from returning. President Trump signed the resolution the following month.
By eliminating some of the only explicit protections for consumers whose personal data is collected by broadband providers, Congress left millions of Americans vulnerable to harassment, stalking, and other crimes related to non-consensual dissemination their location data. The selling of sensitive real-time location data is only one of the numerous privacy scandals that have eroded the trust and confidence consumers have in companies who collect and monetize user data, often without express consent.
This incident illustrates that America needs comprehensive privacy legislation that fully protects consumers’ right to privacy, adequately equips law enforcement agencies, and provides consumers with a private right of action — which would allow private parties to bring a lawsuit based on the harm they suffered. T-Mobile’s attempt to force victims into arbitration also demonstrates that any privacy law should include a prohibition on forced arbitration agreements so victims can have their day in court individually, or as a class to seek redress. Protecting consumers calls for substantial enforcement capabilities. Federal regulators, even in robust regulatory regimes, could not possibly handle every consumer claim – it is fairly certain that state attorneys general would need to handle smaller claims. The FCC’s stagnation in its present investigation highlights the indispensability of the private right of action. A private right of action is a crucial avenue through which consumers, especially ones belonging to marginalized groups, can seek relief based on the individual or collective harm they suffered after telecommunications companies have shared their personal data without their consent.
To this end, we must also put a stop to forced arbitration clauses. Public Knowledge called upon lawmakers to take action to end forced arbitration clauses during the Equifax data breach and we continue to do so today. Forced arbitration clauses, often buried in the fine print of terms and conditions, waive consumers’ rights to have their day in court, or seek damages in class actions, when a company subsequently harms them. Instead, these agreements direct consumers into lengthy, complicated negotiations with corporations that wield comparatively more bargaining power and financial leverage.
There was technically a way to opt out of the arbitration clause in T-Mobile’s contracts, mentioned in the tenth paragraph of its terms and conditions. To opt out, consumers would have needed to be aware of the forced arbitration agreement language in the first place. A 2015 Consumer Financial Protection Bureau study found that three out of four consumers were unaware that many of the agreements they sign contain forced arbitration agreements that deny them a day in court, allow companies to forgo paying refunds, and even permit continued harmful practices. Even those who are well versed in the telecom space have been taken by surprise by provisions in wireless service contracts: Commissioner Rosenworcel stated in a May 2019 FCC press release, “I don’t recall consenting to this surveillance when I signed up for wireless service—and I bet neither do you.”
Congress should ban forced arbitration. The FCC got it right in its 2016 broadband privacy NPRM when it noted the inherent unfairness of forced arbitration clauses as they relate to privacy: “just as customers should not be forced to agree to binding arbitration and surrender their right to their day in court in order to obtain broadband Internet access service, they should not have to do so in order to protect their private information conveyed through that service.”
Congress must demonstrate that it does not place industry interests above those of individual Americans, and above the right of consumers to seek justice in the courts. Congress must hold companies responsible when businesses wrong their customers, and ensure customers have a right to full legal redress for harm caused by the unauthorized sharing of their most personal data.
Take action! Tell Congress to pass comprehensive privacy legislation that includes prohibiting forced arbitration clauses at publicknowledge.org/DataProtection.