201 comments

[ 3.9 ms ] story [ 179 ms ] thread
How much is the cost per user? Maybe it is not that much in the end (as usual)
The total fine seems to be $200M, so maybe a buck a person. That’s still a whole lot more than their previous fine of $0.00 for it. Now we have a precedent.
A precedent that selling out your users gets you a slap on the wrist
Alternatively, a precedent that the FCC can and will actually fine someone for breaking the law. The leap from $0 to $200M is much larger than the step from $200M to real fines.
So, we improved from fining $0 to $1.
Correct, and imagine the amount of work it took to make that possible at all. If you build a car factory, you're not going to make a whole lot of net profit off the first one you sell. It's way easier to make car #2 after you have everything in place to make car #1. Given the size and complexity of the organizations involved in this fine, that may actually be a reasonable analogy. I'd bet person-years of work went into making it happen, and that a lot of that could be dusted off and re-used if the FCC wanted to do it again.
>That’s still a whole lot more than their previous fine of $0.00

No, it's barely more.

Right on! I’m happy to see the FCC on a roll lately. Keep it up!
[flagged]
> I'll be honest, a Republican president would never have give us this win.

The announcement makes it clear that a republican president started the investigation and in turn had a clear contribution to this.

But if we don't have completely unfounded attempts at saying "my side good, other side bad!", what political discourse would remain?
If we did away with First Past The Post voting, we could have more then two sides. Then it could be "my side good, all other sides bad!"

Progress.

I’m really hoping before I die citizens are just all collectively against big companies treating citizens like shit, and regardless of a political party, the government works for us and protect us
(comment deleted)
That would never be regardless of party. Part of choosing a party would be choosing whether you want them to work for you or for corporations.
> Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million

This seems fundamentally unserious. To scope it, Verizon's gross profit for the twelve months ending December 31, 2023 was $79.087B.

They'll just write it off as cost of doing business.

Increase the fines by 2 orders of magnitude, that will get their attention.

You mean 100x?

(Still might be ignorable)

That would decrease their EPS by like 50%, investors would probably care which means the company wouldn't ignore it IMO
would be hard to consider it an operating expense for sure
(comment deleted)
Did they ever fine anyone over AT&T letting NSA tap into all decrypted network data, cause that seems a lot more egregious lol.

https://techcrunch.com/2018/06/25/nsa-att-intercept-surveill...

Just forward the bill to the NSA...
No, for that there was bi-partisan support for retroactive immunity....
The NSA could be self-funding if they simply charged people for the restoration of backups they made of everyones' drives.
Sprint - $12 million fine (In 2019, Sprint Corporation's revenue amounted to 33.6 billion U.S. dollars)

T-Mobile – $80 million fine (T-Mobile US annual revenue for 2021 was $80.118B)

AT&T - $57 million fine (AT&T revenue for the twelve months ending March 31, 2024 was $122.317B)

Verizon - $47 million fine (Verizon annual revenue for 2023 was $133.974B)

Just the cost of doing business.
Sprint - 0.0003 of revenue

T-Mobile - 0.0009 of revenue

AT&T - 0.0004 of revenue

Verizon - 0.0003 of revenue

That’s like fining me $1 if I did my math right.
I appreciate the point, but the numbers there are the proportion of revenue, not the percentage of revenue, so they're off by a factor of 100.
You're absolutely right; updated!
(comment deleted)
Makes a speeding ticket for someone making minimum wage look expensive
Look expensive? It means not eating
Yeah, it looks like that comparatively.

I don’t think you can just state the result for everyone.

Seems like a weird comparison to make considering the money they made selling the data is only a small fraction of their overall revenue.
It is a weird comparison, because it's intentionally deceptive.
The relevant denominator is the revenue from these data sales.
Welcome to the new charge on my bill:

$2.00 FCC Fine Recovery Charge

How much does a data broker pay for an individual's location?
A few cents. It wasn't that good since it would just give you what cell tower their phone was pinging off of.
The core issue is transparency. I don't want to see a 'privacy policy', I want to see who a company has sold/given my information to and what limitations that sale has. The concept is simple. If you collect anything about me and allow some other entity access, you tell me about it/make it easy for me to see -and- block. Most of this abuse of personal data would go away if people knew it was going on.
> Most of this abuse of personal data would go away if people knew it was going on.

GDPR proves this wrong. Most people click OK/accept even in front of relatively clear information (to be fair sometimes the options are "accept for you to be tracked and shared with 'our partners' or pay a subscription/fee", which is an easy choice for many.

Yet if the business model / customer's _existing_ service agreement is changed, the temperature of the water that the frog is in just went up a little bit, so folks continue using it, which is what often happens as well.

"well, I'm not sure if they're going to start collecting or using my data, because I don't actually really KNOW that or the extent of everything, just an email from them with a vague update to an equally vague privacy policy that I apparently implicitly agree to if I don't discontinue using their service."

Just like a manufacturer/seller on say, amazon shouldn't be able to revise their product with cheaper quality under the same model number (and yet it happens all the time), changes to the agreement of a service should be treated as a new service.

Whatever the solution, it should be a big enough deal that it cannot be implicitly agreed to, and clear enough language (maybe vetted by a third party review of the agreement) to communicate to all users, what is at stake and how, to which third parties, etc.

This is misleading. The OK is almost universally made easier to click through dark patterns, with the "reject" being hidden or taking more clicks
Yup. At least 2 clicks and you have to process what you are clicking to understand. I've seen more than a few sites where it's

"Ok" then "Customize" followed by a bunch of checkboxes to disable cookies while the "accept all button" is where typically "OK" would be and the "reject all" is often labeled something else that isn't clear.

This is also not often remembered on future visits so you end up doing this dance every time you visit that site.

And those are illegal under gdpr, and enforcement is slow but happening. Whats your point?
In this very case, the GDPR is scary enough that European carriers make sure to anonymize and aggregate analytics they sell to third parties. Even if you click OK, a data leak would be pretty harmless and wouldn't identify you personally.
Location data that includes your home in the suburbs is pretty identifiable.
Carrier position accuracy is pretty shit in low density areas, you aggregate (e.g. per H3 tile), apply scaling (no operator has 100% market share) and K-anonymity.
When presented with 50 prompts throughout the day, 95% of which makes clicking OK easier than clicking decline, most people (allegedly) click OK.

What an easy choice to be nagged at every new website.

AND if people had viable alternatives. (Sorry, I see now that you mentioned blocking, which would also work.)
Everything should be opt-in. Burden should be on them, something like, "We want to share your data and if you agree here are the benefits to you."
That's something I think the EU got right -- being hard-nosed about true tracking consent requiring a user to receive the same outcome regardless of their choice.

Anything shy is begging companies to dark-engineer patterns around obtaining it.

The EU didn't get this right - or else they aren't enforcing it. I'm in the EU right now and the crap I see is a popup "We respect your privacy. Us and 352 (not an exaggeration!) of our partners are collecting data on you. Approve or Details?" Pick details and you can spend your time going through the partners

https://pasteboard.co/rrL2bpmiE6Zq.png

And most you can't reject

Even more hilarious. pageboard itself said 847 partners!

https://pasteboard.co/XQHhPzTw42Pv.png

This is mostly unenforced, as it WAS ruled that it must be as easy to reject as to accept. However, they're going after "consent to ads or buy a subscription" which I thought was a pretty fair compromise business model.
I'm generally okay with Ads, that is fair. But I'm not okay with tracking, consolidating data about me from different sources, analyzing it and selling that. It is too hard to understand how that may impact me and others.
Imho, the problem with "consent to ads or buy a subscription" is that it becomes the new CableCARD [0].

I.e. all companies really want to be in the business of tracking customers, because they can repackage derivative products and increase their revenue.

So the "subscription" option ends up experiencing a lack of support, mysterious technical issues, underinvestment, etc.

End result, customers don't choose it, which businesses use to lobby for further eroding mandates.

You can't force a company to provide and support a product they don't want to. You can force them to turn one off.

[0] https://en.m.wikipedia.org/wiki/CableCARD

I don’t think the Eu got it right; crucially they missed requiring these choice points to be automatedly navigable for users (eg “.. and if you must publish the metadata representing the choice architecture this way, use these standard keywords to present options, and must allow users to use automation to make their selection “)

The first reg this happens in will I think make billions the world over realize this is what the template of all opt-in online regulation has to be and will hopefully change the world.

That's a case of the perfect being the enemy of the good.

If you boil the lobster all at once, the huge ad industry will ensure such regulation never passes.

If you gradually increase regulation, then it stands a change of actually passing, and eventually accomplishes the same goal (even if over a longer timeframe).

Getting everyone to agree that a mandatory, regulated prompt is required is step 1.

if this is the case, it really needs to MATERIALLY benefit you. My friend uses all the rewards apps and really uses credit card points, programmes, etc, and it does benefit them.

Me? I just use cash everywhere and now the guy at harbor freight knows I'm the guy who says 'I dont have a cell phone number'.

Contracts you know, they need to benefit both sides.

I have mixed feelings about opt in. A single accidental click on a web site and GDPR has failed to protect the user. Dark patterns allow that to be gamed. And it complicates legitimate uses.

I'd like auditable data. I should have an easy way to discover everyone with my data (including things like IP logs), see how it's used (at the level of source), and have it destroyed.

Why would anyone opt-in to having their location sold? Some things should just be banned.
For the right price, I'd sell every bit of data I produce!
Yeah, if the profit comes back to me, totally different situation :)
That's the current model, except "the benefits to you" are you get a telephone. Don't like it, go to the one other phone company that has an identical "agreement".

Opt-in doesn't fix anything. Only by making these practices illegal (and aggressively enforcing the law) can this be stopped.

The core issue isn’t transparency. It’s surveillance and powerlessness
I would extend this to include companies like Facebook that study your data to derive deeper insights about you. I want to be entitled to every conclusion they reach about me from my own data, so I can correct whatever assumptions they have about me and possibly learn more about myself.
I read somewhere if you call up a towing company, the wireless carrier will provide them your location.

they don't even say "your call^H^H^H^Hlocation will be recorded for quality purposes"

Transparency is good, but I think it’s also important to impose contractual liability and fines too. GDPR has a good model here; a data processor must list all of their sub-processors, AND have contracts with each that let them enforce transitively your data deletion rights.

This guards against the case where a processor transparently updates their ToS to share your data with someone you do not consent to.

> I want to see who a company has sold/given my information to and what limitations that sale has

To expand on this more - I feel like laws requiring companies to keep a "custody chain" of personal data at every transfer step would be relatively un-controversial. Sure, I'd rather do away with personal data being able to be bought and sold entirely, but an easy first step is "massive fines for any company that doesn't carefully track exactly which entity touched the user's data".

I just don't want 'em to do it. I expect companies I have a paying business relationship with to not report on my private comings and goings, especially not to bounty hunters and other shady characters. Back in the day if you did something like this, you would be run out of town on a rail, but unfortunately we've allowed mobile phone companies and a lot of others to get such a large national market share that there is no recourse.
This was not a fine. It was a below the line operating cost.
It was a first time warning. If they don't reform they can get hit with repeated fines that are larger.
Fining them after several years of the bad behavior doesn't un-share the data, which means even the "first time warning" should be painful enough so that they don't chance it next time.

If the fines are cheap, companies have every motivation to try and see if they get away with shady or even knowingly illegal behavior - if not, the fine won't hurt too much and if yes, free profit.

If the fines hurt even the first time, there's a much bigger motivation to actually comply with the law from the start.

(comment deleted)
What's the point of a regulatory agency if it isn't supported by law? Also, if the companies believe they can win in court, it's already worth it for them to file a lawsuit since based on these numbers alone. They were fined $10M+, that's absolutely worth a court case.
That was what I was going to say. You can't fine them $8B if the precedent wasn't set yet.
These are civil penalties. What limits (if any) is FCC subject to? Could they have issued larger fines? Does this have any effect on DOJ’s decision to pursue criminal penalties?
The bigger question is whether the fine was less than the amount they made selling the location data.
I feel that up to a point the fines do little in the grand scheme of things, as they will pass the expense of the fines on to us, the consumer.
Since Corporations are people, revoke their corporate charter for a couple years while they "do time" to pay for their criminal behavior.
If they are people, do three strike laws apply to them?
We need corporal punishment for company executives and members of the board. Cane or flog them Singapore style, then they'll start to pay attention to their company's compliance with the law.
If the fine was more than the income in the past, that still doesn’t matter because of the income from future sales will still make this behaviour worthwhile
>that still doesn’t matter because of the income from future sales will still make this behaviour worthwhile

Wouldn't future sales also be fined?

Depends on how successful their lobbying is in the next decade
I used to work for a hedge fund that bought data for 125 million americans a month, all of their mobile phone pings. All sorts of deep learning algorithms analyze shopping, warehouse, and other foot traffic. People have no idea the level of understanding some private investors have. It goes far beyond anything you see in public numbers. Some of the smartest people on the planet, teasing out wild facts about daily habits of americans. Every statistical algorithm known to man has been run on this data
> People have no idea the level of understanding some private investors have

Is this to be able to analyse "the market" (how regular humans are consuming)?

Enough so that the Federal Reserve was (and potentially still is) consuming this data.

> Eric Swanson, an economics professor at the University of California, Irvine, said that early in the pandemic, when things were changing quickly, the Fed looked at online rent prices, anonymized cellphone location data and credit card transaction data.

https://www.marketplace.org/2024/03/20/the-fed-loves-a-data-...

how far along are they into correlating different datasets and de-anonymizing? say i buy everything in cash: prepaid SIM, a cellphone without my name in the purchase history, not running anything i didn't compile from source (NixOS on a phone): do you figure my data's useless enough so as to not make it into these datasets? or they're accustomed to correlating so many data points that the cash-only route doesn't accomplish much anymore?
Drop in an ocean. Should've done 5% of annual revenue. That would send a much bigger message.
perhaps. but guess who gets to pay that fine? it sure will not be phone companies. it will be in your next bill.
That excuse can be used for all violations of regulations, and thus quickly becomes somewhat unreasonable. Particularly since the question being asked is the theoretical of if the prices would not increase by the same percent if the fine was not levied (eg "due to inflation").
I get that you do not like that they will do it but do it they will. All costs are born by the customer. To do otherwise is a one way ticket to lower stock prices and less C-suite compensation. If they are not then your business will eventually go out of business.

Here is how they will do it too. Them: 'have you seen our NEW plan? It is amazing. It is only 5 dollars, the cost of a cup of coffee, more a month and all the amazing new things you get access to.' Me: looks at their plan. Me: 'Seems about the same as my previous one.' Them: 'But this NEW one is amazing. Our glossy advert campaign says so.'

They will not say they are raising prices because of it. They will sell you on how their new plan is 'better' and make your bear the cost (plus a little more for them).

I sat in a meeting where one company was selling unlimited plans. The company I was working for were still selling 1MB per month at 40 bucks a megabyte. They said their customers would pay it and more because of who they were. They are tone deaf and blind to it. The second the advert campaigns changed the tone of the meetings changed. In that case they had to change their pricing because of external pressures. However in this case all the carriers are being zinged. They will all raise prices. Because for sure they are not going to cover it.

You know it to be true. But do not like it which is fair. I do not like it much either.

Hey, that's okay! At least our taxes pay money towards investigating and building these toothless fines! I don't have a problem with the taxes, just that it doesn't do anything.
They can't increase the prices without customers going to competitors. So it's still an incentive against paying fines.
These 4 companies are the market. Everyone else (Google Fi, Mint mobile, Boost) are all effectively reselling the product through a carrier agreement.

So, not really any competitors to go to when the entire industry colludes to violate privacy.

Make the C-Suite and Board personally responsible, and make sure the fine is LARGE. $47 million for Verizon is nothing. They profited nearly $80 Billion last year. They spent roughly the same amount for the naming rights to an NBA team's practice facility back in 2020. They paid Beyonce $30 million for a 30 second Super Bowl commercial.

You have to fine the drivers of the corporation's unethical behavior, not the corporation itself, or else there will be no fundamental change or reason for corporations at large to not act with complete disregard for the law.

The shady shit would stop in a heartbeat if some 25-30 people at the top had to collectively come up with a billion+ in cash in a week. No bonds, debt, IOU's from the corporation itself, stocks, mortgages, nothing - straight up cash.

It should be set to 10x of all the profits they made from it to create a dilemma for the next time.
Except there is no way to prove what profits they made from it. They'll just pay an "accounting firm" to audit and say that the venture was unprofitable.
I don't know how it works in that particular situation, but usually government has its own auditors who can verify other auditor's work just in case they made mistakes.
why don't they fine them for delivering spam? like $1 per instance or something motivating?
Spam (like other unwanted communication) is better handled at origination than delivery.
What does that have to do with selling data?
the point is they fine spammers supposedly and nothing changes; i wasn't clear.
Ok? Your question betrays a complete misunderstanding of how our system of government and law enforcement works. This is not a system of vengeful retribution. It’s based on measured checks and balances. Your feelings are irrelevant.
Perhaps you can explain how it doesn’t and does work, since you presume to know this more than I?

Are you asserting FCC fines have produced results in these high audience press release cases?

Famously they have not.

Just don't allow receiving SMS from frikin email addresses and that solves most of the problem. Why is that even a thing?
Of course. What did we expect? Can't trust tech corpo these days.
> "sharing access to customers’ location information without consent..."

I'm not seeing anything here preventing the carriers from just adding "sharing location data" to the EULA / privacy policy that no one reads and continuing on - now with "consent". Without a requirement to offer a separate opt-out, this just seems like a temporary road bump that changes nothing in the long run.

Does carrier even have to do anything when say your bank inserts consent language for location data into credit card application? They might or might not qualify that with “for fraud prevention and/or other purposes”. Same for insurance carriers…

I saw such clauses and I’m sure it was about pulling data from your phone carrier.

I would like to see laws addressing the issue itself, e.g. banning any collection of location data unless it's explicitly needed and used by the collecting agent/service themselves, and banning sharing/selling it.
Require companies that store that kind of data to carry insurance that can make anyone damaged by the data collection (and leaks of said data) whole. And the 'make whole' amount definitely needs to be individually defined. You shouldn't get away with paying a little fine of a couple thousand USD if your data leak causes me millions in damages; In that case, you owe me those millions back.
This is covered in the longer version of the document: https://docs.fcc.gov/public/attachments/FCC-24-41A1.pdf

>The Commission has also recognized that an

>opt-in requirement alone is not enough to protect customer CPNI, especially in light of tactics like

>“pretexting,” where a party pretends to be a particular customer or other authorized person in order to

>illegally obtain access to that customer’s information (thus circumventing opt-in requirements).17

$200M is chump change. These carriers have been doing this for a long time.

Nothing will change. At most, a footnote in the privacy policy will be added.

The amount is not the point. It's the fact that they were fined.

Shareholders tend to be unhappy with "We were fined for doing this, and so we kept doing it and now owe another fine."

Also, exec bodies/courts/juries tend to be more skeptical of an ignorance defense if a company was literally fined for doing that exact thing previously.

What if the pitch were "we made $10x selling this data and were fined $x" - seems quite compelling if you're amoral about it.
This is a bribe masquerading as a fine.
(comment deleted)
Shareholders also don't care if the behavior continues so long as the profits from the behavior continue to vastly outweigh the cost of the activity in question.

If the fine is $ABC, and that fine never changes, but profits grow from $ABC x3 to $ABC x10, shareholders will actually get mad that the corporation doesn't continue the activity in question because there's net profit growth.

Sadly, sometimes the cost of quelling an FCC or SEC violation charge is simple "lobbying".

The business community seems pretty upset by the penalties the SEC has been levying lately...

https://news.bloomberglaw.com/us-law-week/the-supreme-court-...

(The Supreme Court declined to hear the case)

To be fair, they are not mutually exclusive. Businesses are incentivized to fight penalties as long as they think the legal costs are small enough compared to the fines themselves, regardless whether the activity their fine on was still profitable after the fine.
> Shareholders tend to be unhappy with "We were fined for doing this, and so we kept doing it and now owe another fine."

Only if the fine exceeds what they made. Otherwise, shareholders tend to more side with the "try to keep that shit on the down low next time eh?" approach when they're still making money.

> that exact thing previously.

Yes, it stops them from doing that exact same thing again while incentivizing the general behavior of intentionally breaking laws until told to stop.

> $200M is chump change. These carriers have been doing this for a long time.

But how much did they make from selling it? The fact $200M is "chump change" because they made $200B (or whatever) is hardly relevant. If they made far less than $200M then they're going to stop doing it, period.

to clarify, this was a third party company called securus that offered a blanket deal to track practically everyone based on a deal they had with cellular companies to purchase tracking data. Securus normally only works with US prisoners. They were collecting data on everyone and then rebranding that capability/relationship as a service. it no longer exists apparently in a hamfisted attempt to avoid more litigation beyond the FCC judgement.

https://securustechnologies.tech/investigative/investigation...

no technical details yet though about how precise the tracking was...im a bit hazy on where the carrier modem stops and where the firmware/hardware start (thats probably by design...) Is it possible to poll GPS in realtime for coordinates? likely not...is it likely the ASN was polled from towers to provide a range of affinity for a user? definitely.

According to AT&T, yes they can get your GPS location. In this article they claim they only do so when the user is making a 911 call, to which I say “yeah right”.

https://www.theverge.com/2022/5/10/23065777/att-route-911-ca...

How does this work? I assumed it was tower triangulation, but the article makes it sound like it really is using GPS location.

Does the SIM card have a program that somehow can access the GPS sensor via the baseband processor?

The carriers can ping your phone to have it report its current GPS location. Passive collection of location scales better but the carrier directing the phone to actively transmit its current location is definitely a thing and you can't turn it off.
What a coincidence, I got an email from Verizon that my lines are going up $5 each and so is my Internet (ATT).

Good guy FCC raked in $200M in fines, while no prison time was handed out and $0 of those $200M goes to people whose privacy was infringed.

So really just a typical Monday, business as usual.

The FCC can’t send people to prison. FCC fines do not preclude criminal prosecution.
Verizon’s fine totals approximately 0.2% of their profits in 2022.
How about selling my data means I get a large cut of the profits?
> The fines are unfair, Carr said, because the commission "has never held that location information other than 'call location information' constitutes CPNI [Customer Proprietary Network Information].

Sure would be a shame if someone leaked this guy's location history.

I mean c'mon it's just common sense that if your location when you place a call must be kept private then your location when you're just walking around not making a call is also private.

Doesn’t US law enforcement purchase commercial data like this to get around having to get a warrant?
(comment deleted)
"Three big carriers."

As if there are other "big carriers."

it actually says "big three", you've just read it incorrectly