Verizon location data sale

Verizon location data sale refers to Verizon's practice of selling access to its customers' real-time physical location to third-party data aggregators, who resold that access downstream to bail bondsmen, bounty hunters, and other buyers who could locate a phone without the customer's knowledge or a court order. On April 29, 2024, the Federal Communications Commission (FCC) issued forfeiture order FCC 24-41, fining Verizon $46,901,250 for failing to safeguard its customers' location information in violation of Section 222 of the Communications Act.^[1] The FCC found that Verizon sold this access through the aggregators LocationSmart and Zumigo, and that it kept the program running for nearly a year after press reporting first exposed the abuse.^[1] The fine was part of a coordinated FCC action against the four largest U.S. carriers totaling nearly $200 million.^[2]

A mobile phone must repeatedly contact nearby cell towers so the network can route inbound calls and messages to the device, which means a wireless carrier holds a record of where its customers are. Under 47 U.S.C. § 222, the location of a customer's use of a telecommunications service is part of the Customer Proprietary Network Information the carrier must protect.^[3] Carriers had long shared location data with vetted partners for services such as 911 response and roadside assistance.^[1] Beginning in the early 2010s, Verizon and the other major carriers monetized the same data by granting API access to third-party aggregators, chiefly LocationSmart and Zumigo, that resold it to hundreds of downstream location-based service providers.^[1]

The carriers' contracts required the downstream provider, not Verizon, to obtain the customer's opt-in consent before requesting a location fix.^[1] Under 47 U.S.C. § 222, a telecommunications carrier has a duty to protect the confidentiality of its customers' proprietary information. The statute defines Customer Proprietary Network Information (CPNI) as:

information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.

^[3]

The investigation grew out of journalism and a congressional inquiry rather than an FCC audit. In May 2018, reporting on the prison-telecommunications firm Securus Technologies revealed that it had bought mobile location access through the aggregator LocationSmart, and that a former Missouri sheriff, Cory Hutcheson, had used the Securus platform to track phones without warrants.^[1] Verizon and the other carriers pledged to wind down their aggregator programs, but the access continued through other channels.^[4]

In January 2019, Motherboard reporter Joseph Cox paid a bounty hunter $300 to locate a test phone.^[5] The request passed through a middleman who used MicroBilt, which in turn received the location from the aggregator Zumigo after Zumigo queried the carrier.^[5]

Senator Ron Wyden of Oregon ran a parallel inquiry and pressed the FCC and the carriers to end the programs. When the fines were issued, Wyden tied them to his own investigation:

I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers' lives and privacy at risk.

^[6]

The FCC's Enforcement Bureau opened its investigation in 2019, and on February 28, 2020 the Commission issued a Notice of Apparent Liability proposing a $48,318,750 fine against Verizon.^[1] The Commission adopted the final orders in April 2024 with Commissioners Carr and Simington dissenting, and the Verizon order, FCC 24-41 (File No. EB-TCD-18-00027698), was released on April 29, 2024.^[1] The final penalty was $46,901,250, reduced from the 2020 proposal after the Commission found that two entities counted in the proposal had not participated in Verizon's LBS program.^[1]

The FCC counted each active downstream relationship as a separate continuing violation rather than fining Verizon per affected customer.^[1] The calculation accounted for 65 continuing violations, one for each ongoing relationship with an aggregator or provider that retained access more than 30 days after the May 10, 2018 New York Times report on Securus, and the Commission applied a 50 percent upward adjustment to the base amount.^[1] The FCC found that Verizon notified LocationSmart and Zumigo on June 12, 2018 that it intended to terminate the program but that transmission of customer location data did not fully stop until March 30, 2019, which the Commission counted as 324 days of continued operation measured from that New York Times report.^[1]

Verizon argued that it had taken reasonable measures to protect CPNI by hiring an outside auditor, Aegis Mobile, to oversee the aggregator program.^[1] The FCC found that the Aegis process compared location-request lists against consent records supplied by the same aggregators, then spot-checked downstream providers, a system that assumed the legitimacy of the buyers and could not detect fabricated consent.^[1] Because Verizon never contacted the customer directly to confirm consent, the Commission concluded that delegating CPNI protection to the entities buying the data failed the statute's requirement of reasonable measures.^[1]

The Verizon fine was one of four forfeiture orders the FCC released the same day against the largest U.S. carriers, totaling nearly $200 million for the same practice of selling location access through aggregators.^[2] The FCC fined T-Mobile $80 million, AT&T more than $57 million, and Sprint (which has since merged with T-Mobile) more than $12 million.^[2] In a statement accompanying the orders, FCC Chairwoman Jessica Rosenworcel described the data as uniquely sensitive:

Our smartphones are always with us, and as a result these devices know where we are at any given moment. This geolocation data is especially sensitive. It is a reflection of who we are and where we go. In the wrong hands, it can provide those who wish to do us harm the ability to locate us with pinpoint accuracy.

^[7]

Verizon said the order was wrong on the facts and the law and that it had ended the program. Company spokesperson Rich Young stated:

We immediately terminated the offender's access, discontinued the program, and took steps to prevent such incidents in the future.

^[8]

In the proceeding, Verizon argued that device-location data is not protected CPNI, that the liability finding was arbitrary, that the penalty exceeded statutory caps, and that an in-house FCC proceeding violated its Seventh Amendment right to a jury trial.^[1] Privacy analysts noted that the fine was small against Verizon's wireless service revenue, which the company reported at roughly $77 billion for 2023.^[4]