Three of the four major wireless carriers have been accused of breaking US law by selling 911 location data to third parties.

"Telecom giants broke the law by selling detailed location data" that was "meant for use only by emergency services," consumer advocacy group Public Knowledge said last week in a blog post that urged the Federal Communications Commission to punish the carriers.

Public Knowledge's statement came in response to a Motherboard article last week that provided new details about how carriers collect location data from customers and sell it to third parties.

"Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, according to documents obtained by Motherboard," the article said. "The documents also show that telecom companies sold data intended to be used by 911 operators and first responders to data aggregators, who sold it to bounty hunters. The data was in some cases so accurate that a user could be tracked to specific spots inside a building."

This included assisted GPS (A-GPS) data, which T-Mobile once described as "the foundation of wireless E911 location for both indoor and outdoor locations."

"Between at least 2012 until it closed in late 2017, a now-defunct data seller called CerCareOne allowed bounty hunters, bail bondsmen, and bail agents to find the real-time location of AT&T, T-Mobile, and Sprint mobile phones," Motherboard wrote. "The company would sometimes charge up to $1,100 per phone location, according to a source familiar with the company."

Selling 911 location data is outlawed

Public Knowledge explained that carriers misusing this data is a violation of US law, which requires telecommunications companies to protect Customer Proprietary Network Information (CPNI).

"The Motherboard investigation has uncovered what appears to be a clear violation of what the FCC required" in orders released in 2015 and 2017, Public Knowledge Policy Fellow Dylan Gilbert wrote. The 2017 order refers to data in the National Emergency Address Database (NEAD), saying that "the data in the NEAD and any data associated with the NEAD may not be used for any non-911 purpose, except as otherwise required by law."

In order to use that database, mobile carriers "must certify that they will not use the NEAD or associated data for any purpose other than for the purpose of responding to 911 calls, except as required by law," the FCC's 2015 order states.

Section 222 of the Communications Act is the US law that requires carriers to protect CPNI, and it says that carriers may not use or disclose location information "without the express prior authorization of the customer."

"The location of a customer's use of a telecommunications service also clearly qualifies as CPNI," the FCC said in a 2013 declaratory ruling.

"The Federal Communications Commission, led by Chairman Ajit Pai, needs to act immediately to enforce what appears to be a clear violation of the FCC’s rules against the selling of A-GPS data with third parties," Gilbert wrote.

“Unquestionably illegal”

Carriers pledged to stop selling their mobile customers' location information to third-party data brokers in June 2018 after a security breach, but a Motherboard investigation last month found that T-Mobile, Sprint, and AT&T were still doing so. In response, carriers again pledged to stop the practice—this time, for real.

The carriers' sale of location data "is unquestionably illegal and the carriers knew it," Colorado Law professor Blake Reid wrote on Twitter. "The only question left is how widespread the practice was."

Besides the CPNI rules, Reid wrote that carriers breaking their privacy promises is a violation of Section 5 of the Federal Trade Commission Act, which outlaws "unfair or deceptive acts or practices in or affecting commerce."

"The carriers solemnly promised, repeatedly, they wouldn't do this," Reid wrote. "This is one of the most egregious examples of corporate malfeasance I've ever seen."

We asked T-Mobile, Sprint, and AT&T yesterday whether they dispute the accusation that they violated FCC rules and whether they have completely stopped the data sales. None of the three carriers disputed the accusation.

"We take our customers' privacy and security seriously and were the first wireless provider to make the commitment to end these services," T-Mobile told Ars. "We have been transparent that we are ending all of our location aggregator services, and we are almost done with that process."

Sprint told Ars that it has "nothing to share on this at the moment." We're still waiting for a response from AT&T.

FCC can fine carriers

Under US law, the FCC can issue fines of up to "$160,000 for each violation or each day of a continuing violation," up to "a total of $1,575,000 for any single act or failure to act."

Under former Chairman Tom Wheeler, the FCC "seriously fined the crap out of companies for CPNI violations," Public Knowledge Senior VP Harold Feld told Ars.

In 2014, Wheeler's FCC proposed a $10 million fine after finding that TerraCom and YourTel America violated CPNI rules. Pai—who was a commissioner at the time and has been FCC chairman since January 2017—dissented from that decision. TerraCom and YourTel eventually agreed to pay a civil penalty of $3.5 million.

The FCC can also require behavioral remedies. In 2016, after investigating Verizon Wireless' use of "supercookies," Wheeler's FCC required Verizon to pay a $1.35 million fine, notify customers about its targeted advertising programs, and obtain customers' opt-in consent before sharing the supercookie information.

We contacted Chairman Pai's office yesterday about the carriers' alleged violations and will update this article if we get a response. Pai's office told Ars last month that the FCC "has been investigating wireless carriers' handling of location information." But the FCC hasn't provided an update since new details were published by Motherboard last week.

FCC Democrats call for action

The FCC's two Democratic commissioners both told Ars that the FCC should take decisive action and be more public about the investigation.

"Selling location data without customers' consent is a violation of our rules," Commissioner Jessica Rosenworcel said in a statement to Ars. "Continuing to sell this data after publicly promising to stop is a violation of our rules. While the FCC investigates, I believe it should make public what it is doing to protect consumers and fix this mess."

Commissioner Geoffrey Starks told Ars that "the chairman should be more clear on where he stands. This is a matter of public safety. Over and over, the wireless carriers have claimed that they are getting out of this business. Yet each day it seems like the universe of impacted consumers grows and the nature of the conduct is more alarming."

Location data can be used in "intrusive" and "dangerous" ways, Starks added. "I believe that the commission should act expeditiously to fully investigate any reports of misconduct and take appropriate action to hold wrongdoers accountable," he said.

Under Wheeler, the FCC voted to apply the Section 222 privacy protections to broadband services, requiring ISPs to get customers' opt-in consent before using, sharing, or selling sensitive data, including Web browsing histories and geo-location data. However, a Republican-controlled Congress prevented implementation of those rules, and Pai's FCC eliminated a related data security rule. Despite that, the privacy requirements still apply to phone services.