Before the

Federal Communications Commission

Washington, D.C. 20554

TABLE OF CONTENTS

Heading Paragraph #

I. INTRODUCTION...................................................................................................................................1

II. BACKGROUND.....................................................................................................................................2

III. DISCUSSION........................................................................................................................................21

E. Section 503(b) Is Employed Here Consistent With the Constitution……………………………..96

IV. CONCLUSION ...................................................................................................................................108

V. ORDERING CLAUSES......................................................................................................................109

$91,630,000 for failing to take reasonable steps to protect its customers’ location information. After

1

(NAL).

reviewing the Company’s response to the NAL,

2

we find no reason to cancel or withdraw the proposed

penalty. However, pursuant to additional factual evidence provided in T-Mobile’s NAL Response

relevant to the forfeiture calculation, we reduce the proposed penalty by $11,550,000, and therefore

impose a penalty of $80,080,000 against T-Mobile.

Communications Act (Act).

4

The Commission has advised carriers that this duty requires them to take

“every reasonable precaution” to safeguard their customers’ information.

5

Section 222(a) of the Act

imposes a general duty on telecommunications carriers to “protect the confidentiality of proprietary

information” of “customers.”

proprietary network information” or CPNI, namely information relating to the “quantity, technical

configuration, type, destination, location, and amount of use of a telecommunications service subscribed

to by any customer of a telecommunications carrier” and that is “made available to the carrier by the

disclose, or permit access to CPNI with customer approval.

Generally, carriers must obtain a customer’s

“opt-in approval” before disclosing that customer’s CPNI.

This means that a carrier must obtain the

2

2020) (on file in EB-TCD-18-00027702) (NAL Response or Response).

3

6

7

telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly

to the public, regardless of the facilities used.” 47 U.S.C. § 153(53). The mobile voice services provided by T-

Mobile are “telecommunications services.” See 47 U.S.C. § 332(c)(1); H.R. Conf. Rep. No. 104-458 at 125 (1996)

(“This definition [of ‘telecommunications service’] is intended to include commercial mobile service.”).

8

telecommunications service, including the publishing of directories.”) (emphasis added).

10

47 CFR § 64.2007(b).

customer’s “affirmative, express consent allowing the requested CPNI usage, disclosure, or access after

the customer is provided appropriate notification of the carrier’s request . . . .”

rules in the 2007 CPNI Order after finding that once carriers disclosed CPNI to third parties, including

a higher risk of being improperly disclosed.

12

Accordingly, among other things, this opt-in requirement

was meant to allow individual consumers to determine if they wanted to bear the increased risk associated

14

a third party do not obviate the need for explicit customer consent, as such safeguards do not eliminate the

increased risk of unauthorized CPNI disclosures that accompany information that is provided by a carrier

to such a third party.

only use, disclose, or permit access to CPNI with the customer’s opt-in approval.

opt-in requirement alone is not enough to protect customer CPNI, especially in light of tactics like

“pretexting,” where a party pretends to be a particular customer or other authorized person in order to

illegally obtain access to that customer’s information (thus circumventing opt-in requirements).

the-phone access to CPNI.

19

It also adopted password and account notification requirements.

20

adopted were “minimum standards” and emphasized the Commission’s commitment “to taking resolute

enforcement action to ensure that the goals of section 222 [were] achieved.”

Although carriers are not

expected to eliminate every vulnerability to the security of CPNI, they must employ “reasonable measures

to discover and protect against attempts to gain unauthorized access to CPNI.”

22

They must also take

reasonable measures to protect the confidentiality of CPNI—a permanent and ongoing obligation to

police disclosures and ensure proper functioning of security measures.

23

NAL, several government entities provide guidance and publish best practices that are intended to help

companies evaluate the strength of their information security measures.

of the Act provides that “the act, omission, or failure of any officer, agent, or other person acting for or

known as “location information aggregators,” who then resold access to such information to third-party

location-based service providers or, in some cases, to intermediary companies who then resold access to

Mobile with oversight authority over the Aggregators. The Aggregators then entered into their own

contracts with various LBS providers. This arrangement meant that it was LBS providers who were

obligated “to notify [customers] and collect affirmative customer consent for any use of location

37

every location information request it submitted to the Aggregator, and then likewise transmitted from the

Aggregator to T-Mobile, which T-Mobile asserts allowed the Company “to track each campaign.”

terminate access to customer location information and to “suspend the transmission of location

information” to any LBS provider the Company “believed was not complying with its obligations.”

39

In

addition, T-Mobile “had the right to terminate its relationship with each Aggregator, for any reason, upon

30

See NAL, 35 FCC Rcd at 1793, para. 16 (citing Response to Letter of Inquiry from T-Mobile USA, Inc., to Kristi

33

NAL, 35 FCC Rcd at 1793, para. 17 (citing E-mail from David Solomon, Wilkinson Barker Knauer, LLC, Counsel

for T-Mobile USA, Inc., to Michael Epshteyn, Assistant Division Chief, Telecommunications Consumers Division,

FCC Enforcement Bureau (Jan. 28, 2019, 18:27 ET) (on file in EB-TCD-18-00027702) (T-Mobile E-mail)).

34

NAL, 35 FCC Rcd at 1793, para. 17 (citing LOI Response at 7-8, 11, Response to Question 1).

35

NAL, 35 FCC Rcd at 1793, para. 17 (citing LOI Response at 7-8, 11, Response to Question 1).

36

NAL, 35 FCC Rcd at 1793, para. 17 (citing LOI Response at 7-8, Introduction).

Documents No. 3, 2014 Location Aggregator License Agreement between T-Mobile and TechnoCom Corporation

d/b/a LocationSmart (executed on May 20, 2014, by Stephen Leptich, Sr., Corporate Counsel, for T-Mobile USA,

Inc., and by Mario Proietti, CEO for LocationSmart), Sections 7.2-3 (T-Mobile-LocationSmart Agreement); LOI

Response at TMOBILE0001230, Response to Request for Documents No. 3, 2014 Location Aggregator License

Agreement between T-Mobile and Zumigo, Inc. (executed on Feb. 11, 2014, by Stephen Leptich, Sr., Corporate

Counsel, for T-Mobile USA, Inc., and by Chirag Bakshi, CEO for Zumigo), Sections 7.2-3 (T-Mobile-Zumigo

Agreement)).

30 days’ prior written notice, or immediately upon the Aggregator’s breach of the contract’s

confidentiality and data security terms.”

40

program. According to T-Mobile, it conducted two risk assessments of its Aggregators (in 2016 and

in their contracts with T-Mobile.”

41

T-Mobile asserts that both assessments found that “the Aggregators

were properly obtaining consent before accessing T-Mobile customer location information.”

42

However,

the results of such periodic assessments.

and similar companies without the wireless customer’s authorization.”

T-Mobile investigated the

allegation and eventually identified LocateUrCell as the LBS provider misusing customer location

information.

approved campaign (providing customers the ability to locate their missing phones); LocateUrCell worked

with the Aggregator LocationSmart.

48

Mobile learned LocationSmart had “‘terminated its contract with LocateUrCell and permanently disabled

LocateUrCell’s access to T-Mobile customer location data on September 12, 2017, after LocateUrCell failed

authorized LocateUrCell phone-finding service from location information requests for the unauthorized . . .

tracking service.”

52

Following this incident, “T-Mobile ‘sought assurances’ from LocationSmart regarding

40

NAL, 35 FCC Rcd at 1794, para. 19 (T-Mobile-LocationSmart Agreement, Sections 7.2-3; T-Mobile-Zumigo

Agreement, Sections 7.2-3).

41

NAL, 35 FCC Rcd at 1794, para. 20 (citing LOI Response at 18, Response to Question 11).

42

its monitoring of location-based service providers and ‘reminded’ LocationSmart about its contractual

obligations to notify T-Mobile of any non-compliance it detected.”

53

New York Times published an article that detailed security breaches involving T-Mobile’s (and other

summary of the article and its findings, but essentially the breaches involved a location-based service

provider (Securus Technologies, Inc., or Securus) that offered a location-finding service to law

former) Missouri Sheriff (Cory Hutcheson) for non-law enforcement purposes and in the absence of any

such legal authorization.

Securus obtained location services from a company called 3Cinteractive, and

3Cinterative obtained T-Mobile’s consumers’ location information pursuant to a contract with the

Aggregator LocationSmart.

[unauthorized] service using the [same] campaign ID that T-Mobile had assigned” to the approved

campaign.

charged Hutcheson with, among other things, wire fraud and illegally possessing and transferring the

means of identification of others, and Hutcheson pleaded guilty on November 20, 2018.

Department of Justice’s investigation of Hutcheson’s actions included an examination of how the Securus

location-finding service operated. Once Hutcheson became an authorized user of Securus’s LBS

software, he was able to obtain the location of specific mobile telephone devices.

55

See NAL, 35 FCC Rcd at 1795-1796, paras. 27-28 (citing Jennifer Valentino-DeVries, Service Meant to Monitor

Inmates’ Calls Could Track You, Too, N.Y. Times (May 10, 2018)

https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html).

56

See NAL, 35 FCC Rcd at 1795-96, paras. 27-28 (citing Jennifer Valentino-DeVries, Service Meant to Monitor

Inmates’ Calls Could Track You, Too, N.Y. Times (May 10, 2018)

https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html; Doyle Murphy, Ex-

Missouri Sheriff Cory Hutcheson Sentenced to 6 Months in Prison, Riverfront Times (Apr. 29, 2019),

https://www.riverfronttimes.com/newsblog/2019/04/29/ex-missouri-sheriff-cory-hutcheson-sentenced-to-6-months-

59

See Press Release, U.S. Attorney’s Office Eastern District of Missouri, Mississippi County Sheriff Pleads Guilty

to Fraud and Identity Theft, Agrees to Resign (Nov. 20, 2018), https://www.justice.gov/usao-edmo/pr/mississippi-

county-sheriff-pleads-guilty-fraud-and-identity-theft-agrees-resign.

locate, and then “upload a document manually checking a box, the text of which stated, ‘[b]y checking

this box, I hereby certify the attached document is an official document giving permission to look up the

location on this phone number requested.’”

As soon as Hutcheson (or any other authorized user)

submitted his request and uploaded a document, the Securus LBS platform would immediately provide

63

3Cinteractive’s access to T-Mobile customer location information on May 11, 2018, following the New

disclosures, T-Mobile was made aware of a similar incident involving one of the Company’s LBS

providers, MicroBilt. In a January 8, 2019, Motherboard article, it was reported that access to customer

location information was sold and resold, with little or no oversight, within the bail bonds industry, and

70

in the LBS program (Zumigo) informed T-Mobile that it had “suspended transmission of any T-Mobile

customer location information to MicroBilt”

71

and T-Mobile itself (as a “duplicative technical measure”)

transmitting it to MicroBilt.”

In a repeat of the aftermath following both the LocateUrCell incident and

61

Hutcheson Sentencing Memo at 3; see also NAL, 35 FCC Rcd at 1795-96, para. 27.

62

See Hutcheson Sentencing Memo at 3-4; see also NAL, 35 FCC Rcd at 1795-96, para. 27.

63

Hutcheson Sentencing Memo at 4; see also NAL, 35 FCC Rcd at 1796, para. 28.

64

See NAL, 35 FCC Rcd at 1797, para. 32 (citing LOI Response at 15, Response to Question 6, Supplemental LOI

Response at 6, Response to Question 1).

Phone, Motherboard (Jan. 8. 2019), https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-

dollars-located-phone-MicroBilt-zumigo-tmobile).

69

See NAL, 35 FCC Rcd at 1797, para. 33 (citing T-Mobile E-mail).

70

NAL, 35 FCC Rcd at 1797, para. 33 (quoting T-Mobile E-mail).

71

See NAL, 35 FCC Rcd at 1797, paras. 34 (citing T-Mobile E-mail; Response to Supplemental Letter of Inquiry,

72

NAL, 35 FCC Rcd at 1797-98, para. 34 (quoting Supplemental LOI Response at 12, Response to Question 5.c.)

information that were made for purposes authorized by T-Mobile from those that were not”

because

MicroBilt’s malfeasance “‘was masked as a permissible use.’”

74

Company’s customers’ location information) finally ceased—in other words, 275 days from when the

by Hutcheson.

not “set out a comprehensive list of data elements that pertain to a telecommunications service and satisfy

the definition of CPNI and those data elements that do not.”

128

Thus, T-Mobile cannot reasonably have

assumed that the fact a given scenario had not been expressly addressed by Commission rules and

131

provision in prior precedent. As noted, CPNI is defined by statute, in relevant part, to include

64.2010 of the Commission’s rules. In pertinent part, that rule provides that “[t]elecommunications

carriers must take reasonable measures to discover and protect against attempts to gain unauthorized

access to CPNI.”

forth in the Commission’s rules,” to comply with section 64.2010, the Commission “further expect[s]

134

47 CFR § 64.2010(a).

carriers to take additional steps to protect the privacy of CPNI to the extent such additional measures are

feasible for a particular carrier.”

fraudulent misappropriation of [location] data” as T-Mobile suggests,

flexibility to incorporate the specific measures and practices that are consistent with their otherwise-

139

141

elements set out by the agency was not exhaustive; (2) the customer location information at issue would

cannot prevent all data breaches, they require carriers to take reasonable steps to safeguard their

where an unauthorized disclosure has occurred—as here—the burden of production shifts to the carrier to

136

See NAL Response at 39.

138

2007 CPNI Order, 22 FCC Rcd at 6946, para. 35.

139

2007 CPNI Order, 22 FCC Rcd at 6952-53, para. 49.

140

2007 CPNI Order, 22 FCC Rcd at 6959-60, para. 65.

141

See NAL Response at 41-43.

clarity that we find present in the case of section 64.2010 of the Commission’s rules. See, e.g., LabMD, 894 F.3d at

1236 (explaining that the proposed court order “is devoid of any meaningful standard informing the court of what

safeguards and its failure to investigate key details that would ensure LBS providers only were engaging in

authorized uses and disclosures of CPNI appears directly at odds with guidance the Commission has provided. Even

where a regulation is amenable to different interpretations, courts have rejected ‘fair notice’ claims where the

regulated entity did not comply with at least some viable interpretation of the requirement. See, e.g., 21st Century

Telesis Joint Venture v. FCC, 318 F.3d 192, 202 (D.C. Cir. 2003).

143

47 CFR § 64.2010(a); see also 2007 CPNI Order, 22 FCC Rcd at 6959, para. 64 (“We fully expect carriers to

take every reasonable precaution to protect the confidentiality of proprietary or personal customer information.”).

offer evidence that it did have reasonable measures in place. Once the carrier offers some evidence of

those safeguards, the rebuttable presumption falls away, and the Commission bears the burden of

persuasion and must find by a preponderance of the evidence that the carrier’s safeguards were

unreasonable in order to find a violation of 47 CFR § 64.2010(a). T-Mobile contends that the Securus

finding service evinced a consumer’s actual opt-in consent. Therefore, every time Securus submitted a

request for location information under the guise of its approved use case (a use case that required

consumer consent) and T-Mobile provided the requested location information, a separate, unauthorized

requests were properly reviewed by Securus, as evidenced by the ready success of Hutcheson’s thinly

222(c)(1). First, Securus used the façade of their approved use case to hide the true purpose and

destination of the request, resulting in T-Mobile’s unauthorized disclosure of location information to

144

See NAL Response at 31.

145

See NAL Response at 23-38.

146

See NAL Response at 18-21.

150

See Hutcheson Sentencing Memo at 3-4 (explaining that after uploading documents that were blatantly not legal

authorizations, location information was immediately transmitted with no intervening time for any documents to be

reviewed for validity); NAL, 35 FCC Rcd at 1796, para. 28 (describing Hutcheson’s uploading of documents that

were blatantly not legal authorizations in order to obtain location information). As the NAL explained, “T-Mobile

does not deny the existence of what it describes as the Securus ‘Real Time Location Service,’” nor does T-Mobile

“deny the abuse of that service by Hutcheson.” NAL, 35 FCC Rcd at 1796, para. 29. T-Mobile likewise does not

dispute here that Hutcheson was able to access location data by providing documents that were blatantly not legal

authorizations as described in the NAL and confirmed in the Hutcheson Sentencing Memo, and also does not provide

the NAL “contain no information demonstrating . . . that any CPNI was disclosed without lawful authorization,”

Securus. Second, Hutcheson likewise submitted blatantly fake requests to Securus under the guise of law

enforcement, resulting in Securus’s unauthorized disclosure of location information to Hutcheson.

responsible for the unauthorized disclosures because “Securus and other third-party location-based

within the meaning of Section 217, at least when they misappropriate information provided by

T-Mobile.”

customer location information.”

reasonableness of its safeguards, carriers’ legal duty to “take reasonable measures to discover and protect

against attempts to gain unauthorized access to CPNI” under section 64.2010(a) of the rules is separate

from the additional restriction on unauthorized use or disclosure in section 222(c)(1) of the Act and

section 64.2007(b) of the Commission’s rules.

unequivocal, as likewise reflected in section 64.2007(b) of the Commission’s rules.

obtain customer approval to use, disclose, or permit someone else to access the CPNI for any purpose not

Mobile does not contend that it directly obtained the required approval from the customers whose location

information it was sharing—nor could it, given that its entire location-based services program was

premised on the LBS providers obtaining customer authorization.

160

under the circumstances at issue here, “Securus and other third-party location-based service providers can

neither be deemed ‘agent[s]’ of T-Mobile nor ‘person[s] acting for’ T-Mobile within the meaning of

151

NAL, 35 FCC Rcd at 1803, para. 54 n.145.

154

NAL, 35 FCC Rcd at 1803, para. 54 n.145.

155

NAL Response at 31.

156

47 U.S.C. § 222(c)(1); 47 CFR § 64.2007(b).

157

We note that T-Mobile does not contend that it literally would not have been possible to avoid the disclosures, so

our interpretation does not demand the impossible of T-Mobile or any other carrier.

160

See, e.g., NAL, 35 FCC Rcd at 1792-93, paras. 16-17; NAL Response at 24-26.

Section 217.”

Therefore, consistent with the NAL, we find that the Securus disclosures, including those

made to Hutcheson, were unauthorized and T-Mobile was appropriately admonished in relation to such

disclosures.

before and after the New York Times article. T-Mobile argues that, prior to the Securus disclosure, its

efforts conformed to the CTIA Guidelines for ensuring customer consent to the use of location data.

Specifically, T-Mobile states that its safeguards included: “numerous contractual, procedural, and

technical safeguards designed to protect the privacy of customer location data; to ensure that customer

reasonable. As fully explained in the NAL:

on to location-based service providers through an attenuated chain of downstream contracts.

extent that T-Mobile’s safeguards relied on trusting Aggregators and location-based service providers to

honor their contractual commitments, consistent with the NAL we find that “such trust alone was” not “a

reasonable safeguard here,” particularly in light of the regulatory history regarding attempts to obtain

unauthorized access to CPNI in general and in the case of T-Mobile location-based data in particular.

161

NAL Response at 31.

162

NAL Response at 23.

166

NAL, 35 FCC Rcd at 1806, para. 65 n.170.

167

See NAL, 35 FCC Rcd at 1804-06, paras. 61-65.

168

NAL, 35 FCC Rcd at 1807, para. 68. T-Mobile contends that “it is the Commission’s burden to show that T-

Mobile did not take steps to ensure that its contracts were being followed.” NAL Response at 24-25. But our

analysis does not turn on the theory that T-Mobile did not take any steps to ensure that its contracts were being

followed. Setting aside broader questions regarding burden shifting that we address in the following section, see

whether they were actually being followed.

Further, T-Mobile would have had to have a way of

distinguishing between a legitimate request for customer location information (i.e., made pursuant to valid

consumer consent) and an illegitimate one (e.g., the Securus/Hutcheson requests absent valid customer

that the Company’s actions were preferable to taking the steps suggested in the NAL, as those steps would

have resulted in “[d]isrupting and even jeopardizing people’s lives by immediately interfering with . . .

valuable [LBS] services.”

172

We disagree. The issue here is not whether there are any beneficial services

offered by LBS providers, but whether T-Mobile reasonably protected its customers’ location

information. And even under T-Mobile’s reasoning, the Company would have no excuse for its failure to

promptly terminate every other non-critical LBS provider. In any event, because of the sensitive personal

information involved, the benefits of LBS must be weighed against the risks; here, the risks were grave,

particularly because T-Mobile did not have a reliable way of confirming customer consent. The

Commission considered T-Mobile’s arguments, but finds they are outweighed by these risks.

universe of affected customers because it “claims that Securus has denied its request to identify the

individuals whose customer location information may have been obtained without consent”

As the

See NAL Response at 26, 32. Without meaningful details about the risk assessments, the Commission cannot

173

NAL, 35 FCC Rcd at 1808, para. 72.

into unauthorized access to its customers’ location information, it cannot say that the same contract-based

system actually protects such information from unauthorized access by other entities. Whatever

Securus’s justification for denying T-Mobile’s request, its refusal to cooperate is further evidence of the

fact that T-Mobile disclosed CPNI to a third party over which it had little or no control or authority.”

with direct access to its customers’ location information and criticizes what it sees as “[t]he NAL’s casual

T-Mobile fails to appreciate that these approaches do not yield unqualified benefits, but carry with them

various risks—risks that T-Mobile ineffectually sought to address largely “through provisions passed

Mobile learned with the LocateUrCell incident in July 2017, where authorized and unauthorized services

used the same campaign-specific ID, ‘T-Mobile was not able to readily distinguish the unauthorized data

renders its safeguards reasonable.

aware of the risk that their location information would be shared without their knowledge—let alone

consumers to do anything to guard against such risk themselves (even assuming arguendo that could be a

181

See NAL Response at 21-22, 35-36, 39-40.

Commission.

182

view the May 2018 New York Times article as sufficiently reliable to call for some response, explaining

that “T-Mobile took decisive action within 24 hours of the New York Times article to eliminate the ability

of Securus to obtain location information for any purpose.”

Call List: “Nobody’s Records Are Untouchable,” as $90 Purchase Online Shows, Chi. Sun-Times, January 13,

2006, at A10.); id. at 6933-35, para. 12 & n.37 (stating that “companies have sued dozens of people whom they

accuse of fraudulently obtaining phone records,” and citing, among other things, Matt Richtel and Miguel Helft, An

Industry Is Based on a Simple Masquerade, N.Y. Times, Sept. 11, 2006, at C1).

monitor calls to inmates. But the former sheriff of Mississippi County, Mo., used a lesser-known Securus service to

188

See NAL Response at 33.

unauthorized access to CPNI.”

Until the new measures actually are in place, they cannot enable a

carrier to “discover and protect against” the harms that are the target of that rule—and thus, they cannot

be relied upon to satisfy that rule. Nor does the time and effort involved in T-Mobile’s work on new

processes render the procedures that remained in place in the meantime “reasonable” under that rule,

Securus/Hutcheson breach came to light is all the more dubious given that it was preceded by the

189

47 CFR § 64.2010(a).

36. The MicroBilt breach further highlights the flaw in T-Mobile’s emphasis that it “completely terminated

Securus’s ability to access customer location information one day after the New York Times article was published,

and it also terminated 3CInteractive’s access in support of Securus.” NAL Response at 18. Those actions did not

improve the safeguards for consumers whose location information could be disclosed under the location data sharing

arrangements that remained in place.

195

See NAL Response at 35-36. T-Mobile argues that “[p]rior to this NAL, the Commission had never stated that a

carrier would have just 30 days to fully investigate and implement its response to information about a

misappropriation of location data.” Id. at 39. As explained in note 121, above, the 30-day period cited in NAL was

not a deadline but a grace period. The Commission could have, but chose not to, assess a fine during that 30-day

also contends that the Commission has not adequately explained why the investigatory efforts that T-

Mobile did undertake were inadequate.

assessment that was commissioned and initiated before it became aware of the Securus breach,

the

details of which it also has not disclosed,

199

201

instead took piecemeal steps. Moreover, the steps T-Mobile took did not rectify the systemic

vulnerabilities at the heart of its LBS program—including relying on third parties to obtain customer

consent for the disclosure of location information and failing to verify the validity of that consent.

approach fall short, as well.

perfect ones—but that is not enough to help T-Mobile here. Contrary to T-Mobile’s suggestion, this is

not a situation where the Commission is relying on 20/20 hindsight after a breach to find a violation of

section 64.2010(a) of the rules based on any shortcoming in a carrier’s measures, no matter how small,

197

See NAL, 35 FCC Rcd at 1794, para. 22.

198

See supra para. 48. In connection with the NAL’s identified option of taking steps to determine whether the

Securus incident was indicative of a broader vulnerability, T-Mobile also states that “it immediately began

considering ways to limit the scope of the program and streamline the customer-consent process.” NAL Response at

36. But those are measures that might have been better informed by an assessment of whether the Securus incident

was indicative of a broader vulnerability—not steps that could have enabled an assessment of the nature of that

vulnerability in the first instance.

205

See NAL Response at 22-23.

disclosures to Hutcheson were particularly egregious (given they were essentially doubly unauthorized),

all of the Securus requests made under the false guise of the approved use case and T-Mobile’s resultant

disclosures of consumer location information were unauthorized. T-Mobile’s existing safeguards and

oversight failed to notice and (absent the New York Times article) may have never realized that the

law.”

makes the responsibility for avoiding unauthorized

disclosures a carrier obligation and prohibits use and disclosure except in certain narrow circumstances,

without any reasonableness criterion. T-Mobile should, therefore, be able to justify any unauthorized

disclosure. Given that multiple breaches occurred here and that the “reasonable measures” obligation is a

Securus/Hutcheson breach was not legally permissible in the first instance under section 222(c)(1) and section

252

See NAL, 35 FCC Rcd at 1790, para. 10. Under section 217, “the act, omission, or failure of any officer, agent, or

47 U.S.C § 217.

255

47 U.S.C. § 222(c)(1).

continuing obligation, the Commission’s application of an evidentiary presumption based upon the

disclosures involving Hutcheson and the imposition of a burden to produce evidence of reasonable

protections during the later violations period was reasonable—particularly because, as discussed, those

safeguards did not materially change in the interim timeframe.

shifted to T-Mobile to offer evidence that it had reasonable safeguards in place.

222 of the Act and section 64.2010 of the Commission’s rules—a reduction of $11,550,000 from the

$91,630,000 forfeiture proposed in the NAL.

applying a base forfeiture of $40,000 for the first day of each such violation and a $2,500 forfeiture for

the second and each successive day the violations continued (excluding the 30-day grace period granted

by the Commission).

259

continuing violations—one for each ongoing relationship with a third-party LBS provider or aggregator

that had access to T-Mobile customer location information more than 30 days after publication of the New

York Times report—and that each violation continued until T-Mobile terminated the corresponding

Mobile argues that the NAL describes at most a single continuing violation, not a separate violation for

each of the 81 entities participating in T-Mobile’s LBS program. As such, according to T-Mobile, the

forfeiture exceeds the applicable statutory maximum.

262

disproportionate to the alleged violation, inconsistent with other forfeitures imposed by the Commission,

256

We note that in some instances—most notably with regard to various audits that implicated the LBS program and

over which T-Mobile asserted privilege—T-Mobile claimed to have taken certain reasonable steps, but did not

produce documentary evidence of those steps. See NAL, 35 FCC Rcd at 1806, para. 67.

257

259

NAL, 35 FCC Rcd at 1811, para. 83.

262

NAL Response at 44-46.

and so excessive as to be unconstitutional.

263

accordance with the Commission’s own Forfeiture Policy Statement.

Commission’s application of a 75% upward adjustment to the base forfeiture, disputing both the factors

cited in calculating the upward adjustment and arguing that the Commission impermissibly cited to the

the number of participants in its LBs program and when it terminated those participants’ access to

Continuing Violations

permitted 81 separate entities to access its customers’ location information in the apparent absence of

section 64.2010 of the Commission’s rules. T-Mobile challenges this methodology, arguing that “[n]one

of the 81 entities included in this calculation was accused of misappropriating data” and that to the extent

T-Mobile violated section 64.2010 by allowing them to continue operating, it “did not have any reason or

occasion to make 81 separate decisions.”

one continuing violation (subject to the $2,048,915 penalty cap) and the NAL’s finding of 81 separate

continuing violations (one for each LBS provider or Aggregator) constitutes an impermissible attempt to

circumvent the statutory maximum.

269

more than a single violation. In TerraCom, the Commission stated that “[e]ach document containing

265

NAL Response at 52-56.

266

NAL Response at 57-58.

267

See 47 U.S.C. § 503(b)(2)(B); 47 CFR § 1.80(b)(2). These amounts reflect inflation adjustments to the forfeitures

any single act or failure to act). See Amendment of Section 1.80(b) of the Commission’s Rules, Adjustment of Civil

Monetary Penalties to Reflect Inflation, Order, DA 19-1325 (EB 2019).

268

NAL Response at 45.

270

47 U.S.C. § 503(b); 47 CFR § 1.80(b).

[proprietary information] that the Companies failed to protect constitutes a separate violation for which a

forfeiture may be assessed.”

The Commission further observed that “[e]ach unprotected document

constitutes a continuing violation that occurred on each of the 81 days [until] the date that the Companies

remedied the failure . . . .”

approach was not mandated under section 503, section 222, or the Commission’s rules. Similarly, in this

CPNI and therefore a separate violation of section 222 of the Act and section 64.2010 of the

Commission’s rules. Each such relationship relied upon a distinct and unique contractual chain (from T-

suffered from the same fundamental vulnerabilities discussed in the NAL and above—as separate

violations was thus rational and properly within the Commission’s discretion.

claim that it exceeded the statutory maximum—eminently conservative. As described in the NAL, T-

Mobile’s practices placed the sensitive location information of all of its customers at unreasonable risk of

unauthorized disclosure. As such, the Commission could well have chosen to look to the total number of

resulted in a significantly higher forfeiture than what was proposed in the NAL.

calculated the proposed forfeiture based upon every single entity with access to T-Mobile customer

location information up to the statutory maximum ($204,892 per day up to $2,048,915 for each and every

LBS provider). That would have resulted in a far higher fine than the approach that was taken (applying a

$40,000 forfeiture for the first day of the violation and a $2,500 forfeiture for each successive day the

violation continued). Instead, the Commission took a conservative approach, giving T-Mobile a 30-day

need to show that such violations are serious and ensured the proposed forfeiture amounts act as a

lacked fair notice that its LBS practices would potentially make it liable for a penalty in excess of the

271

TerraCom, 29 FCC Rcd at 13343, para. 50.

272

TerraCom, 29 FCC Rcd at 13343, para. 50.

273

TerraCom, 29 FCC Rcd at 13343, para. 52. The Commission’s investigation into apparent violations of consumer

privacy requirements in TerraCom was resolved by a consent decree in which the companies admitted to violating

sections 201(b) and 222(a) of the Act. See TerraCom, Inc. and YourTel America, Inc., Order and Consent Decree,

$2,048,915 statutory maximum for a single continuing violation. Consistent with our earlier discussion of

T-Mobile’s fair notice claims,

CPNI that is subject to protection under section 222 of the Act and section 64.2010 of the Commission’s

rules. T-Mobile knew, or should have known, that failing to reasonably protect CPNI carries with it

generally involved fraud, efforts to mislead consumers, intent to harm consumers, and the reaping of

financial benefits from unlawful conduct.

T-Mobile maintains that, by contrast, it did not engage in

behavior “even remotely approaching the malfeasance present in these matters” and its conduct did not

result in any comparable harm.

consumers, but that does not mean that its actions in this case were not egregious or worthy of a

significant monetary penalty. As stated in the NAL, “even after highly publicized incidents put the

Company on notice that its safeguards for protecting customer location information were inadequate, T-

Mobile apparently continued to sell access to its customers’ location information for the better part of a

year without putting in place reasonable safeguards—leaving its customers’ data at unreasonable risk of

unauthorized disclosure.”

282

As further explained in the NAL, the potential exposure of their location

information put those customers “at significant risk of harm—physical, economic, or psychological.”

customers into account. Moreover, they reflected the Commission’s careful consideration of the relevant

277

47 U.S.C. § 503.

278

Gore, 517 U.S. 559 (1996), to a penalty assessed by the Board and concluding that the relevant statutory maximum

penalty provisions provided adequate notice).

279

NAL Response at 46.

280

NAL Response at 46-47 (citing Adrian Abramovich, Marketing Strategy Leaders, Inc., and Marketing Leaders,

(2018)).

culpability, any history of prior offenses, ability to pay, and such other matters as justice may require.”

The plain language of the statute provides the Commission with broad discretion to assess proposed

penalties based on the statutory factors, up to the statutory maximum.

cases involving less egregious facts; and (2) . . . provide consistency with other consumer protection cases

286

Commission under section 503, as well as the NAL’s examination of how the relevant statutory factors

intersected with the facts of this case, we reject T-Mobile’s claim that the forfeiture amount is excessive

offense.

289

a telecommunications carrier, falls squarely within the class of entities section 222 of the Act and the

Commission’s implemented rules was designed to address.

nature of the harm from T-Mobile’s conduct was very serious notwithstanding T-Mobile’s attempts to

claim otherwise.

the Commission’s own rules.

287

NAL Response at 48.

288

See Newell Recycling Co. v. EPA, 231 F.3d 204, 210 (5th Cir. 2000) (internal quotation marks omitted).

Similarly, the D.C. Circuit readily upheld the Commission’s imposition of the maximum statutory penalty (adjusted

for inflation) against an unlicensed radio operator who challenged that penalty as excessive. See Grid Radio v. FCC,

278 F.3d 1314, 1322 (D.C. Cir. 2002) (noting that the statutory amount was “neither indefinite nor unlimited,” and

that it did not “seem excessive in view of the [petitioner’s] continued and willful violation of the licensing

requirement”). See also Scott Malcolm, Order on Reconsideration, 33 FCC Rcd 2410, 2413-14, para. 11 (2018)

(“Because the forfeiture was within the statutory limits, there is a strong indication that it was not excessive.”).

289

See supra III.D.1.

290

See, e.g., Scott Malcolm, 33 FCC Rcd at 2413, para. 10 (noting that an additional consideration under Eighth

293

NAL Response at 50.

(into which the terms of the Forfeiture Policy

Statement were codified), which reserve the highest base penalty (the statutory maximum) for violations

involving misrepresentation/lack of candor. According to T-Mobile, there is an unjustifiable discrepancy

between that base forfeiture amount (approximately $200,000) and the base forfeitures proposed in the

it does, T-Mobile fails to compare apples to apples. Rather than the $204,892 statutory maximum for a

single violation or each day of a continuing violation that is cited by T-Mobile, the relevant point of

comparison is the $2,048,915 overall statutory maximum for any single act or failure to act involving a

continuing violation. As explained in the NAL, the “violations in this case were continuing in nature,

Mobile’s acceptance of implied consent for certain LBS services—do not involve wrongful or egregious

factor cited in the NAL—the duration of the violation and the risk of harm it posed to consumers—was

already considered in setting the base forfeiture amount and therefore constitutes arbitrary double

counting.

NAL. With regard to the upward adjustment, section 503 of the Act requires the Commission to “. . . take

into account the nature, circumstances, extent, and gravity of the violation and, with respect to the

violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as

justice may require.”

300

to assess proposed penalties based on the statutory factors, up to the statutory maximum. Moreover,

section 1.80 of the FCC’s rules provides a list of possible factors the Commission may use when making

a determination to adjust upward or adjust downward the base forfeiture.

importantly, “egregious misconduct,” “substantial harm,” “repeated or continuous violation,” and “ability

to pay/relative disincentive,” among others.

47 CFR § 1.80.

number of alleged violations (81), for a per-violation amount of $646,419.75.

297

NAL, 35 FCC Rcd at 1811, para. 83.

299

NAL Response at 55-56.

forfeiture in this case merited a substantial upward adjustment. T-Mobile’s conduct was egregious; the

NAL detailed how T-Mobile failed to respond reasonably to the 2017 LocateUrCell incident and how it

showed reckless disregard for CPNI requirements by relying on “implicit consent” for the disclosure of

305

“as justice may require.”

306

which is in line with upward adjustments in other cases involving consumer harms,

was unwarranted.

50% of base forfeiture amount imposed on robocaller who engaged in illegal spoofing for robocall telemarketing

access to customer location information factored into the forfeiture amount, the NAL cites two separate

termination dates (one for MicroBilt and the other for the remaining 80 entities).

Mobile, many of the LBS program participants’ access to customer location information actually was

terminated before the listed date.

Mobile, including a listing of LBS program participants and when their access to customer location

information was terminated, and reasonably expected that information to be accurate and complete.

311

violations and the length of time those violations continued.

investigatory, prosecutorial, and adjudicative roles in violation of constitutional due process and

legislative power.

ultimately adjudicate its obligation to pay a forfeiture.

order issued under section 503(b) of the Act does not provide it a decision by an Article III court,

including via a trial by jury, ignores T-Mobile’s statutory right to a trial de novo before it can be required

to pay the forfeiture.

reasons, as well. We discuss each of these in turn below.

there is an unconstitutional ‘potential for bias’”).

[email protected].

FEDERAL COMMUNICATIONS COMMISSION

Secretary

CHAIRWOMAN JESSICA ROSENWORCEL

Re: In the Matter of T-Mobile USA, Inc., Forfeiture Order, File No.: EB-TCD-18-00027702 (April

given moment. This geolocation data is especially sensitive. It is a reflection of who we are and where

we go. In the wrong hands, it can provide those who wish to do us harm the ability to locate us with

pinpoint accuracy. That is exactly what happened when news reports revealed that the largest wireless

highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady

with this order, we once again make clear that wireless carriers have a duty to keep our geolocation

COMMISSIONER BRENDAN CARR

Re: In the Matter of T-Mobile USA, Inc., Forfeiture Order, File No.: EB-TCD-18-00027702 (April

consumers, like emergency medical response and roadside assistance. Up until the initiation of the

above-captioned enforcement actions, LBS providers did so by obtaining access to certain location

information from mobile wireless carriers like AT&T, Verizon, and T-Mobile. Then, in 2018, a news

rightly prosecuted for his unlawful actions and served jail time. Subsequently, all of the participating

obtaining this same type of location information from other types of entities. That is why I encouraged

mobile wireless carriers exited the LBS line of business, the FCC unanimously voted to approve Notices

of Apparent Liability (NALs) against the carriers. Even then, it was clear that at least one LBS provider

or not the carriers had violated any provisions of the Communications Act.

circumscribed authority over privacy. Congress delineated the narrow contours of our authority in section

222 of the Communications Act. The services at issue in these cases plainly fall outside the scope of the

FCC’s section 222 authority. Indeed, today’s FCC Orders rest on a newfound definition of customer

proprietary network information (CPNI) that finds no support in the Communications Act or FCC

precedent. And without providing advance notice of the new legal duties expected of carriers (to the

extent we could adopt those new duties at all), the FCC retroactively announces eye-popping forfeitures

totaling nearly $200,000,000. These actions are inconsistent with the law and basic fairness. The FCC

has reached beyond its authority in these cases.

service. The customer did not need to make a call to convey his or her location. In fact, the carrier could

have obtained the customer’s location even if the customer had a data-only plan for tablets. Yet the Order

concludes that the carriers mishandled CPNI.

Communications Act defines as:

That definition has two key limitations. First, the information must be of a specific type. As relevant

here, CPNI must “relate to” the “location … of use of a telecommunications service.” Second, the

information must have been obtained in a specific way. The customer must have made his or her location

“available to carrier” and “solely by virtue of the carrier-customer relationship.”

information”—namely, the customer’s location while making or receiving a voice call. Section 222

CPNI to cover all location information collected by a carrier, irrespective of particular calls.

4

do not cover every piece of data collected by an FCC-regulated entity. Besides, as the Communications

Act makes clear, carriers are regulated under Title II only when they are engaged in offering Title II

services.

In situations where an FCC-regulated entity offers a Title I service, such as mobile broadband,

COMMISSIONER NATHAN SIMINGTON

Re: In the Matter of T-Mobile USA, Inc., Forfeiture Order, File No.: EB-TCD-18-00027702 (April

failure to secure the confidentiality of its customer proprietary network information ('CPNI') as it relates

to location information of network user devices. While the facts of each alleged violation are somewhat

different, the enforcement calculation methodology used to arrive at the forfeitures is shared. Because I

upshot common across the actions that the Commission takes today, I will draft one dissent.

Forfeiture, 29 FCC Rcd 13325 (2014) ('TerraCom') and relied upon today—that a single, systemic failure

Here, the Commission purports to count individual location-based services providers (‘LBS’) and

violations.

clear effect of the Commission's arbitrary selection of a violation class used to increase the number

counting the members of whatever class of objects may be related to the alleged violation to arrive at

whatever forfeiture amount suits a preordained outcome. In this case we exceed our statutory maximum