Mobile network operators who sold their customers' real-time location data violated US law and the Federal Communications Commission will try to punish carriers that did so, FCC Chairman Ajit Pai wrote today.

"[T]he FCC's Enforcement Bureau has completed its extensive investigation and... it has concluded that one or more wireless carriers apparently violated federal law," Pai wrote in a letter today to Democratic members of Congress who asked for an update on the probe.

"I am committed to ensuring that all entities subject to our jurisdiction comply with the Communications Act and the FCC's rules, including those that protect consumers' sensitive information, such as real-time location data," Pai's letter continued. "Accordingly, in the coming days, I intend to circulate to my fellow Commissioners for their consideration one or more Notice(s) of Apparent Liability for Forfeiture in connection with the apparent violation(s)."

The carriers could fight such notices in an attempt to avoid punishment. AT&T has claimed that selling location data wasn't illegal.

Democratic FCC Commissioner Jessica Rosenworcel has repeatedly urged Pai to reveal details of the investigation. In a statement released today, Rosenworcel said:

For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data. It's chilling to consider what a black market could do with this data. It puts the safety and privacy of every American with a wireless phone at risk. Today this agency finally announced that this was a violation of the law. Millions and millions of Americans use a wireless device every day and didn't sign up for or consent to this surveillance. It's a shame that it took so long for the FCC to reach a conclusion that was so obvious.

House Commerce Committee Chairman Frank Pallone, Jr. (D-N.J.) said that Pai's response to lawmakers "is a step in the right direction, but I'll be watching to make sure the FCC doesn't just let these lawbreakers off the hook with a slap on the wrist."

Sen. Ron Wyden (D-Ore.) said that he is "eager to see whether the FCC will truly hold wireless companies accountable or let them off with a slap on the wrist."

Carriers sold data after promise to stop

The controversy over location-data sales ramped up in 2018 when a security problem leaked the real-time locations of US cell phone customers on all four major carriers. Verizon, AT&T, T-Mobile, and Sprint subsequently pledged to stop selling their mobile customers' location information to third-party data brokers.

However, an investigation by Motherboard in January 2019 found that "T-Mobile, Sprint, and AT&T are [still] selling access to their customers' location data and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country."

The carriers made further promises to stop selling the data and later confirmed to the FCC that they had phased out the data-selling programs.

Pai's letter today did not say exactly which federal law the carriers broke, but Section 222 of the Communications Act says that carriers may not use or disclose location information "without the express prior authorization of the customer." Carriers have also been accused of violating rules on the usage of 911 location data.