Policy Analysis: FCC to Fine Cellphone Carriers for Selling Customers’ Locations

A case of alleged malfeasance by cell phone carriers, or at least a collision between the carriers and their customers and regulators.

Note: This article was written in 2020 for a class assignment and does not necessarily represent my personal views.

The Disorder

The issue described in the New York Times article is a case of alleged malfeasance by cell phone carriers, or at least a collision between the carriers and their customers and regulators [1]. The dispute also involves the malfeasance of a group of data brokers known as location aggregators.

The Federal Communications Commission (FCC) alleges that cell phone carriers are violating the law by selling customers’ locations without authorization and failing to take reasonable measures to protect the information. In order to provide phone service and route phone calls, carriers must know the locations of their customers. By law, carriers are not allowed to share a customer’s location information with third parties unless the customer consents. In this case, the carriers sold customer locations to third-party location aggregators without directly obtaining consent. Instead, the carriers relied on assurances by the aggregators that the aggregators would obtain consent from the customers. The aggregators then shared the location information with other third-party service providers and relied on these providers to obtain the required consent. This “tortured chain of data possession,” [2] from carriers to aggregators to third-party providers, had minimal accountability, and third-party providers exploited it to use, abuse, and share cell phone customers’ locations without the customers’ knowledge or consent. Ultimately, several instances of abuse came to light through investigations and reporting, and the FCC issued “Notices of Apparent Liability” to start the process of issuing fines to the carriers for their alleged malfeasance [3].

Relevant Technologies and Network Layers

The issues introduced in this article mainly pertain to the Physical and Data layers of the conceptual framework described in class. The dispute arose out of cell phone carriers’ collection and sharing of customer location information. The collection occurred in the Physical layer because the carriers determined customer location based on the specific network signal towers that customer cell phones used to receive wireless network service [4]. The sharing occurred in the Data layer, because the carriers stored location information as data and then sent the data to location aggregators and third-party service providers. The location information, like other content on the Internet, became difficult to keep confidential once shared with third parties.

Relevant Social Relationships and Policy Levels

The dispute is between cell phone carriers, who are from the operator community, and their customers and regulators, who belong to civil society. Cell phone carriers offer wireless communications services, and customers agree to contracts and pay for the services. The operator community is ordered by regulations, and civil society is ordered by law and policy.

In this case, there are established rules that govern proper behavior and dispute resolution at the operator and civil society levels. Regulations require operators to protect customer information, and the cell phone carriers allegedly violated these regulations by failing to safeguard location information. The FCC is the government agency that regulates the operators, and as discussed below, the agency has procedures for enforcing operators’ compliance with regulations.

Relevant Substantive Rules

Under the applicable laws and regulations, cell phone carriers are required to take reasonable measures to protect certain types of customer information, including location data, and obtain opt-in consent before sharing the information with others.

Section 222 of the Communications Act, a federal law passed by Congress, requires telecommunications carriers to “protect the confidentiality of proprietary information of … customers.” The law defines certain information, including “location,” as “customer proprietary network information” (CPNI), and the law generally prohibits carriers from disclosing CPNI without customer approval or other legal authorization [5]. The FCC has also issued additional rules governing and limiting the use and disclosure of CPNI by carriers, generally requiring carriers to safeguard CPNI and obtain customer consent before disclosing it to third parties [6].

In this case, the FCC alleges that the carriers failed to comply with these laws and regulations, as evidenced by the cases of unauthorized location access and the carriers’ subsequent failure to take reasonable precautions. The carriers dispute these allegations, claiming that their partnership with and reliance on third parties were reasonable and that location should not be considered protected information if it is collected from a phone when it is not engaged in a phone call [7].

Relevant Procedural Rules

The FCC follows specific procedural rules when it monitors, judges, and corrects the actions of operators such as cell phone carriers. First, in the monitoring stage, the FCC sends “Letters of Inquiry” to operators to request answers to questions and the production of documents. It also has the power to issue “Administrative Subpoenas” to compel information and testimony from relevant parties. Then, in the judging stage, if the FCC decides that an operator has violated laws and regulations, it issues a “Notice of Apparent Liability for Forfeiture,” which details the basis for its decision and proposes a penalty. The operator has an opportunity to file a response to this notice, and the FCC reviews the response before issuing a subsequent order through a process governed by the Communications Act. In the correction stage, the FCC imposes a forfeiture on the operator after conducting a hearing. The FCC can also choose to issue an admonishment or cease and desist order, or the FCC can revoke the license of the operator. Alternatively, the operator can engage in settlement discussions with the FCC, which often results in a Consent Decree that requires the company to take corrective actions and pay a voluntary contribution to the government [8]. Lastly, final decisions by the FCC are subject to judicial review, where the operator can petition a federal court to review and potentially overturn the FCC decision [9].

In this case, the FCC has concluded its initial investigation and issued “Notices of Apparent Liability for Forfeiture” to the cell phone carriers. As FCC Commissioner Rosenworcel wrote, “it is just early days,” “the fines are not final,” and “there is still work to do.” [10]

Relevant Governance Institutions

The FCC is the primary regulator and governance institution for communications, including telecommunications operators such as cell phone carriers. The agency conducts rule-making pursuant to the Communications Act, which entails designing rules while inviting and considering comments from the public. The FCC’s regulatory authority comes from Congress, and the five commissioners are nominated by the President and confirmed by the Senate. The agency’s Enforcement Bureau monitors the operators for compliance with laws and regulations and investigates potential violations. The FCC then decides whether a rule has been violated and corrects the operators’ behavior by issuing orders and fines, subject to review by the courts. In this case, the FCC investigated and is now preparing to fine cell phone carriers for selling access to location data in violation of the applicable laws and FCC regulations.

The other relevant governance institutions are Congress and the federal courts. Congress is the legislative body of the federal government and makes the laws that define the FCC’s structure, authority, and procedures. Congress also makes rules by passing laws that regulate the behavior of entities such as telecommunications operators. The federal courts can interpret federal laws and regulations and review actions by federal government agencies, including the FCC. In this case, Congress created the protections for customer information in Section 222 of the Communications Act, and the carriers have the option to appeal FCC fines to the courts.

Critique

This case is interesting because it brings together the Physical and Data layers of the conceptual framework described in class. The object at issue—cell phone location data—is generated at the physical layer by the connections between cell phones and network signal towers, and the data is then sold to third parties through the data layer of the network, where information is easily shared and difficult to control.

There is also jurisdictional complexity in this case, as the U.S. lacks “a single data protection authority to oversee personal information issues.” [11] Instead, there is varying legislation and enforcement at the federal and state levels and between different industry sectors. At the physical layer, the FCC regulates telecommunications operators’ behavior. While the FCC’s authority may extend to parts of the Internet layer, as the operators control access to and components of the Internet, the FCC’s jurisdiction mostly does not extend to the application and data layers, even though the location data sold by the phone carriers has been abused at the application layer. As FCC Commissioner Starks noted, “there may be legal limitations on the Commission’s ability to take enforcement against [the Securus location-finding service] for its misuse of customer location data.” [12] Instead, the application and data layers are mostly regulated at the federal level by different agencies with varying rules depending on the industry sector, and at the state level by state attorneys general and other state agencies enforcing state laws with further variation.

Finally, this case is also an example of well-intentioned technology being abused for malfeasance. Cell phone technology was designed to enable wireless connectivity, and the cell phone carriers enhanced their ability to track their customers’ location to comply with E911 regulations, which enable 911 call centers to quickly locate callers in an emergency. However, in this case, this location capability was used for malfeasance and allowed unauthorized individuals to obtain the real-time locations of individuals for questionable purposes.

Recommendations

In this case, we already have the rules to govern the behavior of cell phone carriers, but we need more efficient and effective judgment. The Communications Act and FCC regulations generally prohibit carriers from sharing consumer location information without opt-in consent. The rules are legitimate because they are passed by Congress, which consists of the elected representatives of the people. However, the FCC has been ineffective at enforcing these rules. The FCC spent two years investigating the case, did not use all its tools to compel information from involved parties, and issued an arguably low fine compared to the scale and severity of the carriers’ violations. Even now, the FCC process is far from complete, and the carriers have yet to be held accountable. We need more effective enforcement of the rules to ensure compliance.

Another way to resolve these issues is to create a new procedural rule that allows affected customers to directly hold carriers accountable for violating the law. Currently, customers do not have a “private right of action” to sue carriers for abusing their information, such as selling their location data. [13] When government agencies such as the FCC fail to effectively monitor, decide, and correct rules violations by companies, individual consumers currently have little recourse. Congress can create a new procedural rule to allow anyone whose data is abused to sue the companies who are responsible for the abuse, with presumed damages for unauthorized disclosures of personal information. This would allow aggrieved individuals to directly and rapidly bring complaints before judges. By giving more people the power to monitor and investigate rules violations by carriers, while entrusting the deciding and correcting powers to judges, cases such as this one can be identified and acted upon more quickly and effectively. The effective enforcement of rules could also deter similar violations in the future.

References

[1] Valentino-DeVries, Jennifer. “F.C.C. to Fine Cellphone Carriers for Selling Customers' Locations.” The New York Times, 27 Feb. 2020, https://www.nytimes.com/2020/02/27/technology/fcc-location-data.html.

[2] Rosenworcel, Jessica. “Statement of Commissioner Jessica Rosenworcel, Dissenting.” Notice of Apparent Liability for Forfeiture and Admonishment, Federal Communications Commission, FCC 20-27, 2020, p. 36, https://docs.fcc.gov/public/attachments/FCC-20-27A1.pdf. Accessed 18 Oct. 2020.

[3] Notice of Apparent Liability for Forfeiture and Admonishment, p. 1.

[4] Notice of Apparent Liability for Forfeiture and Admonishment, p. 6.

[5] 47 U.S.C. § 222

[6] 47 C.F.R. § 64.2001 et seq.

[7] Notice of Apparent Liability for Forfeiture and Admonishment, p. 16.

[8] “Enforcement Primer.” Federal Communications Commission, 2015, https://www.fcc.gov/general/enforcement-primer. Accessed 18 Oct. 2020.

[9] 47 U.S.C. § 402

[10] Rosenworcel, Jessica. “Statement of Commissioner Jessica Rosenworcel, Dissenting.” Notice of Apparent Liability for Forfeiture and Admonishment, p. 37.

[11] Swire, Peter and DeBrae Kennedy-Mayo. U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals. 2nd ed., International Association of Privacy Professionals, 2018, p. 21.

[12] Starks, Geoffrey. “Statement of Commissioner Geoffrey Starks, Approving in Part and Dissenting in Part.” Notice of Apparent Liability for Forfeiture and Admonishment, p. 42.

[13] Conboy v. AT&T Corp., 241 F.3d 242 (2d Cir. 2001)