IN THE UNITED STATES COURT OF APPEALS
FOR THE FIFTH CIRCUIT

AT&T INC.,
Petitioner,

v.

FEDERAL COMMUNICATIONS COMMISSION; UNITED STATES OF AMERICA,
Respondents.

Case No. ____________

PETITION FOR REVIEW

Pursuant to 5 U.S.C. §§ 702-704, 706, 47 U.S.C. § 402(a), 28 U.S.C. § 2342(1), and Rule 15(a) of the Federal Rules of Appellate Procedure, AT&T Inc. hereby petitions the Court for review of the Federal Communications Commission’s forfeiture order in In re AT&T, Inc., File No. EB-TCD-18-00027704, FCC 24-40 (“Order”), a copy of which is attached as Exhibit A. This Petition is timely filed within 60 days of the Order’s entry on April 29, 2024. See 28 U.S.C. § 2344. Venue is appropriate in the Fifth Circuit because AT&T’s “principal office” is located in Dallas, Texas. Id. § 2343.1

1 On May 6, 2024, AT&T paid the penalty (under protest), pursuant to the instructions set forth in the Order.

Case: 24-60223 Document: 1-1 Page: 2 Date Filed: 05/09/2024

In the Order, the Commission finds that AT&T violated section 222 of the Communications Act and agency regulations governing the treatment of “customer proprietary network information,” 47 U.S.C. § 222(c); 47 C.F.R. § 64.2001 et seq., and imposes a penalty on AT&T of $57,265,625. According to the Order, AT&T did not employ reasonable measures to discover and protect against attempts to gain unauthorized access to customer location information. Specifically, the Order finds that AT&T should have terminated access to such information for all location-based providers within 30 days of learning of an unauthorized use by one such provider (whose access was cut off immediately).

AT&T seeks relief on the ground that the Order is arbitrary, capricious, and an abuse of discretion within the meaning of the Administrative Procedure Act, and is otherwise contrary to law and unsupported by substantial evidence. As a threshold matter, the location data at issue is not “customer proprietary network information” within the meaning of section 222 of the Communications Act. The Commission thus lacked statutory authority to issue the Order. At a minimum, by first announcing its novel and expansive interpretation of Section 222 in this enforcement proceeding and retroactively punishing AT&T for conduct preceding that announcement, the Commission failed to provide the fair notice that AT&T was due.

Even assuming otherwise, the Commission’s finding that AT&T acted unreasonably in discovering and protecting against unauthorized access to customers’ location data is arbitrary and capricious, while the imposition of a $57 million penalty based on the existence of 84 distinct location-based-services providers (despite zero breaches by those providers) defies law and logic. The Commission has long lauded the valuable and sometimes life-saving benefits of location-based services, the growth of which AT&T has facilitated by implementing industry-leading data security safeguards. Yet the Order takes the nonsensical position that AT&T should have abruptly cut off access to customer location data in response to a news report of a single provider’s misuse (of which the Commission had been aware for a year) and despite the absence of any evidence that AT&T customers’ information was subject to unlawful use.

Finally, the structure of the Commission’s enforcement regime, set forth in Title V of the Communications Act, 47 U.S.C. § 501 et seq., runs afoul of the Constitution. Rather than grant a hearing to an alleged violator, the Commission may elect to issue a “notice of apparent liability,” pass judgment on its own proposed liability finding and penalty, and then demand payment as a prerequisite to an appeal. That regime violates due process, Article III, the Seventh Amendment, and the nondelegation doctrine.

For these and other reasons, this Court should grant the petition; hold unlawful, vacate, enjoin, and set aside the Order; and grant such additional relief as may be necessary and appropriate.

Dated: May 7, 2024

Respectfully Submitted,
/s/ Pratik A. Shah
Pratik A. Shah
Z.W. Julius Chen
Margaret O. Rusconi
AKIN GUMP STRAUSS HAUER & FELD LLP
2001 K Street, N.W.
Washington, D.C. 20006
Telephone: (202) 887-4000
Facsimile: (202) 887-4288
pshah@akingump.com

Counsel for Petitioner AT&T Inc.

No. ___, AT&T Inc. v. Federal Communications Commission

CERTIFICATE OF INTERESTED PERSONS

The undersigned counsel of record certifies that the following listed persons and entities as described in the fourth sentence of Rule 28.2.1 have an interest in the outcome of this case. These representations are made in order that the judges of this court may evaluate possible disqualification or recusal.

Petitioner
AT&T Inc.

Counsel for Petitioner
Pratik A. Shah
Z.W. Julius Chen
Margaret O. Rusconi
Akin Gump Strauss Hauer & Feld LLP

Respondents
Federal Communications Commission
United States of America

Dated: May 7, 2024
Respectfully Submitted,
/s/ Pratik A. Shah
Pratik A. Shah

Counsel for Petitioner AT&T Inc.

EXHIBIT A

Federal Communications Commission
FCC 24-40

Before the
Federal Communications Commission
Washington, D.C. 20554

In the Matter of
AT&T, Inc.

File No.: EB-TCD-18-00027704
NAL/Acct. No.: 202032170004
FRN: 00057193701

FORFEITURE ORDER

Adopted: April 17, 2024
Released: April 29, 2024

By the Commission: Chairwoman Rosenworcel issuing a statement; Commissioners Carr and Simington dissenting and issuing separate statements.

TABLE OF CONTENTS

Heading ... Paragraph #

I. INTRODUCTION ... 1
II. BACKGROUND ... 2
    A. Legal Background ... 2
    B. Factual Background ... 8
III. DISCUSSION ... 17
    A. Location Information is CPNI ... 18
    B. AT&T Had Fair Notice That Its LBS Practices Were Subject to Enforcement Under the Communications Act ... 31
    C. AT&T Failed to Take Reasonable Steps to Protect CPNI ... 38
        1. AT&T’s Customer Location Disclosures to Securus Were Unauthorized and Violated Section 222 ... 39
        2. AT&T’s Protection of Customer Location Information Was Unreasonable Both Before and After the Securus/Hutcheson Disclosures ... 41
        3. AT&T Bore the Burden of Production ... 47
    D. The Forfeiture Amount is Lawful and Consistent with FCC Precedent ... 54
        1. The Commission Reasonably Found that AT&T Engaged in 84 Continuing Violations That Warranted an Upward Adjustment ... 56
        2. AT&T Willfully and Repeatedly Violated the Act and the Commission’s Rules ... 63
        3. The Commission Rightfully Treated LBS Providers Equally for Purposes of Calculating Violations ... 66
    E. Section 503(b) Is Employed Here Consistent With the Constitution ... 68
IV. CONCLUSION ... 82
V. ORDERING CLAUSES ... 83

I. INTRODUCTION

1. On February 28, 2020, the Commission issued a Notice of Apparent Liability for Forfeiture and Admonishment (NAL) against AT&T, Inc. (AT&T or Company).1 In the NAL, the Commission admonished AT&T for apparently disclosing its customers’ location information, without their consent, to a third party who was not authorized to receive it, and proposed to fine AT&T $57,265,625 for failing to take reasonable steps to protect its customers’ location information. After reviewing the Company’s response to the NAL,2 we find no reason to cancel, withdraw, or reduce the proposed penalty, and impose a penalty of $57,265,625 against AT&T.

1 AT&T, Inc., Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd 1743 (2020) (NAL).

II. BACKGROUND

A. Legal Background

2. As set forth fully in the NAL,3 carriers are required to protect the confidentiality of certain customer data related to the provision of telecommunications service. This includes location information, which is customer proprietary network information (CPNI) pursuant to section 222 of the Communications Act (Act).4 The Commission has advised carriers that this duty requires them to take “every reasonable precaution” to safeguard their customers’ information.5 Section 222(a) of the Act imposes a general duty on telecommunications carriers to “protect the confidentiality of proprietary information” of “customers.”6 Section 222(c) establishes specific privacy requirements for “customer proprietary network information” or CPNI, namely information relating to the “quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier” and that is “made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”7 The Commission has promulgated regulations implementing section 222 (CPNI Rules), which require, among other things, that carriers employ “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.”8

3. Customer Consent to Disclose CPNI. With limited exceptions, a carrier may only use, disclose, or permit access to CPNI with customer approval.9 Generally, carriers must obtain a customer’s “opt-in approval” before disclosing that customer’s CPNI.10 This means that a carrier must obtain the customer’s “affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier’s request . . . .”11

4. This opt-in requirement has been in place since 2007, when the Commission amended its rules in the 2007 CPNI Order after finding that once carriers disclosed CPNI to third parties, including joint venturers and independent contractors, that information was out of the control of the carrier and had a higher risk of being improperly disclosed.12 Accordingly, among other things, this opt-in requirement was meant to allow individual consumers to determine if they wanted to bear the increased risk associated with sharing CPNI with such third parties.13 In the Commission’s view, obtaining a customer’s express consent in these circumstances is particularly important, because a carrier cannot simply rectify the harms resulting from a breach by terminating its agreement with such a third party, “nor can the Commission completely alleviate a customer’s concerns about the privacy invasion through an enforcement proceeding.”14 The Commission further concluded that contractual safeguards between a carrier and such a third party do not obviate the need for explicit customer consent, as such safeguards do not eliminate the increased risk of unauthorized CPNI disclosures that accompany information that is provided by a carrier to such a third party.15 Thus, the Commission determined that, with limited exceptions, a carrier may only use, disclose, or permit access to CPNI with the customer’s opt-in approval.16

2 AT&T, Inc., Response to Notice of Apparent Liability for Forfeiture and Admonishment (filed May 7, 2020) (on file in EB-TCD-18-00027704) (NAL Response or Response).
3 See generally NAL.
4 47 U.S.C. § 222.
5 Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927, 6959, para. 64 (2007) (2007 CPNI Order).
6 47 U.S.C. § 222(a).
7 47 U.S.C. § 222(c), (h)(1)(A) (emphasis added). “Telecommunications service” is defined as “the offering of telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used.” 47 U.S.C. § 153(53). The mobile voice services provided by AT&T are “telecommunications services.” See 47 U.S.C. § 332(c)(1); H.R. Conf. Rep. No. 104-458 at 125 (1996) (“This definition [of ‘telecommunications service’] is intended to include commercial mobile service.”).
8 See 47 CFR § 64.2001 et seq.; id. § 64.2010(a). The CPNI Rules are a subset of, and are thus included within, the Commission’s rules.
9 47 U.S.C. § 222(c)(1) (“Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains [CPNI] by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable [CPNI] in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.”) (emphasis added).
10 47 CFR § 64.2007(b).
11 47 CFR § 64.2003(k).

5. Reasonable Measures to Safeguard CPNI. The Commission has also recognized that an opt-in requirement alone is not enough to protect customer CPNI, especially in light of tactics like “pretexting,” where a party pretends to be a particular customer or other authorized person in order to illegally obtain access to that customer’s information (thus circumventing opt-in requirements).17 Therefore, the Commission adopted rules requiring carriers to “take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.”18 To provide some direction on how carriers should protect against tactics like pretexting, the Commission included in its amended rules customer authentication requirements tailored to whether a customer is seeking in-person, online, or over-the-phone access to CPNI.19 It also adopted password and account notification requirements.20

6. The Commission made clear that the specific customer authentication requirements it adopted were “minimum standards” and emphasized the Commission’s commitment “to taking resolute enforcement action to ensure that the goals of section 222 [were] achieved.”21 Although carriers are not expected to eliminate every vulnerability to the security of CPNI, they must employ “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.”22 They must also take reasonable measures to protect the confidentiality of CPNI—a permanent and ongoing obligation to police disclosures and ensure proper functioning of security measures.23 As the Commission stated in the NAL, several government entities provide guidance and publish best practices that are intended to help companies evaluate the strength of their information security measures.24

12 2007 CPNI Order, 22 FCC Rcd at 6947-53, paras. 37-49. Prior to the 2007 CPNI Order the Commission’s rules had allowed carriers to share CPNI with joint venture partners and independent contractors on an opt-out basis for the purpose of marketing communications-related services to customers. Id. at 6931-32, para. 8.
13 2007 CPNI Order, 22 FCC Rcd at 6950, para. 45.
14 2007 CPNI Order, 22 FCC Rcd at 6949, para. 42.
15 2007 CPNI Order, 22 FCC Rcd at 6952, para. 49.
16 See 47 CFR § 64.2007(b).
17 See 2007 CPNI Order, 22 FCC Rcd at 6928, para. 1 & n.1.
18 47 CFR § 64.2010(a) (emphasis added).
19 See 47 CFR § 64.2010(b)-(d).
20 See 47 CFR § 64.2010(e)-(f).
21 2007 CPNI Order, 22 FCC Rcd at 6959–60, para. 65.
22 47 CFR § 64.2010(a).
23 See 2007 CPNI Order, 22 FCC Rcd at 6959, para. 64 (“We fully expect carriers to take every reasonable precaution to protect the confidentiality of proprietary or personal customer information.”).

7. Section 217. Finally, the Act makes clear that carriers cannot disclaim their statutory obligations to protect their customers’ CPNI by delegating such obligations to third parties. Section 217 of the Act provides that “the act, omission, or failure of any officer, agent, or other person acting for or employed by any common carrier or user, acting within the scope of his employment, shall in every case be also deemed to be the act, omission, or failure of such carrier or user as well as that of the person.”25

B. Factual Background

8. Customer Location Information and AT&T Location-Based Services Business Model. AT&T provides mobile voice and data services to consumers throughout the United States by enabling consumer mobile phones to make and receive calls or transmit data on AT&T’s wireless network.26 As part of its business, AT&T ran a Location-Based Services (LBS) program until March 2019. Through the LBS program, AT&T sold access to its customers’ location information to companies known as “location information aggregators,” who then resold access to such information to third-party location-based service providers or in some cases to intermediary companies who then resold access to such information to location-based service providers.27 AT&T had arrangements with two location information aggregators: LocationSmart and Zumigo (the Aggregators).28 Each Aggregator, in turn, had arrangements with location-based service providers. In total, AT&T sold access to its customers’ location information (directly or indirectly) to 88 third-party entities (including the two Aggregators).29

9. The AT&T LBS program was largely governed via contractual provisions that vested AT&T with oversight authority over the Aggregators. The Aggregators then entered into their own contracts with various LBS providers. This arrangement meant that it was the LBS providers who were obligated “to provide notice and obtain consent” from consumers—not the Aggregators or AT&T. AT&T asserts that its LBS program was subject to a number of safeguards and that the LBS providers and Aggregators had to satisfy various requirements, which were memorialized in and governed by contract provisions with the Aggregators and any parties that AT&T directly sold location information to.30 The contracts obligated the Aggregators to monitor the practices of the location-based service providers—including by making sure the LBS providers notified customers and collected affirmative customer consent for any use of location information.31 However, AT&T did not verify the customers’ consent before providing access to the location information; instead it claimed to verify on a daily basis that each request for information was tied to a consent record.32 In addition, each LBS provider was contractually required to access and use AT&T customer location information only for a specific purpose (known as a “Use Case”) that was reviewed and approved by AT&T in advance.33 AT&T had broad authority under its contracts with the Aggregators to quickly terminate access to customer location information if an Aggregator engaged in conduct that exposed AT&T to “sanctions, liability, prosecution or other adverse consequences under applicable law.”34

24 For example, the National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. NIST publishes cybersecurity and privacy frameworks which feature instructive practices and guidelines for organizations to reference. The publications can be useful in determining whether particular cybersecurity or privacy practices are reasonable by comparison. The model practices identified in the NIST and other frameworks, however, are not legally binding rules, and we do not consider them as such here. The Federal Trade Commission (FTC), the FCC’s Communications Security, Reliability, and Interoperability Council (CSRIC), and the Cybersecurity & Infrastructure Security Agency (CISA) also offer guidance related to managing data security risks. See NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (NIST Cybersecurity Framework); NIST, The NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 (Jan. 16, 2020), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf; FTC, Start with Security: A Guide for Business, Lessons Learned from FTC Cases (June 2015), https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf; Communications Security, Reliability and Interoperability Council, CSRIC Best Practices, https://opendata.fcc.gov/Public-Safety/CSRIC-Best-Practices/qb45-rw2t/data; CISA, Cross-Sector Cybersecurity Performance Goals and Objectives (last visited Aug. 17, 2022), https://www.cisa.gov/cpgs.
25 47 U.S.C. § 217.
26 See AT&T, Inc., 2021 Annual Report, https://investors.att.com/~/media/Files/A/ATT-IR-V2/financial-reports/annual-reports/2021/complete-2021-annual-report.pdf.
27 The NAL includes a more complete discussion of the facts and history of this case and is incorporated herein by reference. See NAL, 35 FCC Rcd at 1748-56, paras. 11-30.
28 AT&T does not contend that its customers consented to these arrangements with the Aggregators.
29 See NAL, 35 FCC Rcd at 1748-50, paras. 12-13 (citations omitted).

10. AT&T also had the authority to conduct audits and other internal reviews of the LBS program. According to AT&T, between January 2016 and May 2019, it conducted five reviews or audits of its disclosure of customer location information to third parties.35 The Company claims that three of the five analyses are subject to attorney-client privilege, however, and submitted the results only of the two reviews that AT&T treated as non-privileged.36 The results of those two audits identified various issues of concern. One audit, which reviewed the Aggregators’ compliance with AT&T information security requirements for third-party vendors, identified numerous instances of non-compliance with security requirements by both Aggregators.37 The other audit, focused on a review of AT&T’s controls over certain disclosures of customer location information for the provision of location-based services, identified issues related to the “completeness of subscriber consents” and “record retention practices regarding subscriber consents.”38 AT&T averred that the issues identified in both audits were remediated.39 AT&T provided the general topics of the remaining three audits, but declined to produce any other information concerning those privileged reviews.

30 See NAL, 35 FCC Rcd at 1750-51, paras. 15-17 (citations omitted).
31 See NAL, 35 FCC Rcd at 1750, para. 16 (citing Response to Initial Letter of Inquiry from AT&T, to Kristi Thompson, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, at 6, Response to Question 1 (Nov. 14, 2018) (on file in EB-TCD-18-00027704) (LOI Response)).
32 See NAL, 35 FCC Rcd at 1750-51, para. 16 (citing Response to Supplemental Letter of Inquiry from AT&T, to Kristi Thompson, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, at 11, Response to Question 9 (May 24, 2019) (on file in EB-TCD-18-00027704) (Supplemental LOI Response)).
33 See NAL, 35 FCC Rcd at 1750, para. 15.
34 See NAL, 35 FCC Rcd at 1751, para. 17 (citing LOI Response at ATT-LOI-00013380, Response to Request for Documents No. 3, 2016 Master Agreement between AT&T Corp. and TechnoCom Corporation d/b/a LocationSmart, at Section 8.2 - Termination or Suspension (executed on Feb. 17, 2016 by Mario Proietti, CEO for LocationSmart and Glenn C. Girard, Assoc Dir. Customer Contracts-AT&T Services, Inc.); LOI Response at ATT-LOI-00025859, Response to Request for Documents No. 3, 2014 Master Agreement between AT&T Corp. and Zumigo, Inc., Section 8.2 – Termination or Suspension (executed on Apr. 25, 2014 by Chira Bakshi, CEO for Zumigo and Ana Castaneda, Contract Specialist for AT&T)). The contracts required the Aggregators to indemnify AT&T for various types of claims, including those arising from privacy violations, but did not provide for any other remedy—such as direct restitution to affected customers—in the event of breach.
35 See NAL, 35 FCC Rcd at 1751, para. 18 (citing LOI Response at 19-21, Response to Question 11; Supplemental LOI Response at 16, Response to Question 15).
36 See NAL, 35 FCC Rcd at 1751, para. 18 (citing LOI Response at 20-21, Response to Question 11; Supplemental LOI Response at 16, Response to Question 15).
37 See NAL, 35 FCC Rcd at 1751-52, para. 18 (citing LOI Response at 19-20, Response to Question 11).
38 See NAL, 35 FCC Rcd at 1751, para. 18 (citing LOI Response at 20, Response to Question 11).

11. Unauthorized Access and Use of Customer Location Information. On May 10, 2018, the New York Times published an article that detailed security breaches involving AT&T’s (and other carriers’) practice of selling access to customer location information.40 The NAL includes a more detailed summary of the article and its findings, but essentially the breaches involved a location-based service provider (Securus Technologies, Inc., or Securus) that offered a location-finding service to law enforcement and corrections officials that allowed such officials to access customer mobile device location without that device owner’s knowledge or consent.41 Not only was Securus’s location-finding service outside the scope of its approved “Use Case” or any agreement with either Aggregator (and thus had not been reviewed by AT&T), but despite Securus’s claims that the program required appropriate “legal authorization,” it did not verify such authorizations and its program was used and abused by a (now former) Missouri Sheriff (Cory Hutcheson) for non-law enforcement purposes and in the absence of any such legal authorization.42 AT&T conceded that it was unable to distinguish location requests unrelated to the authorized Use Case (which involved an inmate collect-calling service) because each request included a customer consent record that was identical to the records received for the approved service.43

12. The Department of Justice’s U.S. Attorney’s Office for the Eastern District of Missouri charged Hutcheson with, among other things, wire fraud and illegally possessing and transferring the means of identification of others, and Hutcheson pleaded guilty on November 20, 2018.44 The Department of Justice’s investigation of Hutcheson’s actions included an examination of how the Securus location-finding service operated. Once Hutcheson became an authorized user of Securus’s LBS software, he was able to obtain the location of specific mobile telephone devices.45 In order to do so, users (including Hutcheson) were required to input the telephone number of the device they wanted to locate, and then “upload a document manually checking a box, the text of which stated, ‘[b]y checking this box, I hereby certify the attached document is an official document giving permission to look up the location on this phone number requested.’”46 As soon as Hutcheson (or any other authorized user) submitted his request and uploaded a document, the Securus LBS platform would immediately provide the requested location information (regardless of the adequacy of the uploaded document).47 Rather than “uploading the required legal process,” Hutcheson instead “routinely uploaded false and fraudulent documents . . ., each time representing that the uploaded documents were valid legal process authorizing the location requests the defendant made.”48 Those “false and fraudulent documents” included “his health insurance policy, his auto insurance policy, and pages selected from Sheriff training materials.”49 Hutcheson “submitted thousands of Securus LBS requests and obtained the location data of hundreds of individual phone subscribers without valid legal authorization.”50

39 See NAL, 35 FCC Rcd at 1751-52, para. 18 (citing LOI Response at 19-20, Response to Question 11; Supplemental LOI Response at 9, Response to Question 7).
40 See Jennifer Valentino-DeVries, Service Meant to Monitor Inmates’ Calls Could Track You, Too, N.Y. Times (May 10, 2018), https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html.
41 See NAL, 35 FCC Rcd at 1752-53, paras. 20-21 (citing Jennifer Valentino-DeVries, Service Meant to Monitor Inmates’ Calls Could Track You, Too, N.Y. Times (May 10, 2018) https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html).
42 See NAL, 35 FCC Rcd at 1752-53, paras. 20-21 (citing Jennifer Valentino-DeVries, Service Meant to Monitor Inmates’ Calls Could Track You, Too, N.Y. Times (May 10, 2018) https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html; Doyle Murphy, Ex-Missouri Sheriff Cory Hutcheson Sentenced to 6 Months in Prison, Riverfront Times (Apr. 29, 2019), https://www.riverfronttimes.com/newsblog/2019/04/29/ex-missouri-sheriff-cory-hutcheson-sentenced-to-6-months-in-prison).
43 See NAL, 35 FCC Rcd at 1753, para. 23.
44 See Press Release, U.S. Attorney’s Office Eastern District of Missouri, Mississippi County Sheriff Pleads Guilty to Fraud and Identity Theft, Agrees to Resign (Nov. 20, 2018), https://www.justice.gov/usao-edmo/pr/mississippi-county-sheriff-pleads-guilty-fraud-and-identity-theft-agrees-resign.
45 See Government’s Sentencing Memorandum at 3, United States v. Corey Hutcheson, Case No. 1:18-CR-00041 JAR, Doc. No. 65 (E.D. Mo. Apr. 23, 2019) (Hutcheson Sentencing Memo), https://storage.courtlistener.com/recap/gov.uscourts.moed.160663/gov.uscourts.moed.160663.65.0.pdf; see also NAL, 35 FCC Rcd at 1752-53, paras. 20-21.
46 Hutcheson Sentencing Memo at 3; see also NAL, 35 FCC Rcd at 1752, para. 20.

13. AT&T’s Response to the Securus Disclosures. AT&T terminated Securus’s access to AT&T customer location information in May 2018, following the New York Times article.51 In June 2018, AT&T announced that it would phase out access to locatio
