The fines stemmed from an accusation that carriers didn’t do enough to stop third-party entities from misusing sensitive location data. This was brought to light when Mississippi sheriff Cory Hutcheson used a service called Securus to track people’s phones without court orders at least 11 times between 2014 and 2017.
AT&T and Verizon have both filed briefings to explain why they object to the FCC’s fine. Both carriers put forward similar arguments, claiming participants in their location-based service (LBS) programs were subject to a rigorous vetting process and were only allowed to disclose rough locations based on cell-tower triangulations after customer consent.
They said that the FCC learned about misuse of Securus’s service in 2017, but they only came to know of it after an article was published in The New York Times a year later.
Both carriers decided to wind down their LBS programs shortly after the article was published but the process was gradual to give time to customers to find an alternative solution.
AT&T immediately shut off Securus’s access and launched an investigation into its location-based services (“LBS”) program—through which companies like Life Alert and AAA provided critical and sometimes lifesaving services. AT&T eventually shuttered the program, following an orderly wind down that avoided harming AT&T customers who relied on LBS services.
AT&T, November 2024
Since Securus’s and the sheriff’s actions occurred before the statute-of-limitations period, carriers couldn’t be held accountable for them. That’s why, the FCC instead imposed a fine on them for not terminating their LBS programs fast enough.
They are contesting the punishment, arguing that the FCC overstepped its authority and violated the Communications Act and the Constitution.
The Court should vacate the Forfeiture Order and direct the FCC to take any steps necessary to ensure that the $46,901,250 Verizon paid is returned to it.
Verizon, November 2024
At the heart of the FCC’s case was the protection of customer proprietary network information (CPNI), but the companies argue that the device-location information that the LBS program provided is not CPNI.
Verizon’s LBS program used device-location information, and devicelocation information is not CPNI. First, information is CPNI only if it “is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” But Verizon can obtain device-location data whenever it provides any wireless service to customers, including from customers who purchase no common-carrier services at all. Second, “location” in the CPNI definition means call-location information, not device-location information.
Verizon, November 2024
If anything, the relatively small number of unauthorized requests shows that the program safeguards were effective and reasonable. In concluding otherwise, the FCC effectively (and improperly) imposed a strict liability standard and did so without providing fair notice.
Verizon, November 2024
AT&T has rejected claims that Securus ever unlawfully accessed the location information of any of its customers.
Even with respect to Securus, the record shows that Securus’s breach of its prisoner-use-case commitment was limited to 0.2% of AT&T lookup requests. And the Commission has never shown that those lookups were unlawful, as opposed to inconsistent with Securus’s contractual obligations.
AT&T, November 2024
FCC Commissioner Brendan Carr, who is expected to become the chairman of the commission after President-elect Donald Trump takes office, had previously opposed the fines.