Federal Communications Commission DA 22-825

Before the
Federal Communications Commission
Washington, D.C. 20554

In the Matter of

Quadrant Holdings LLC, Q Link Wireless LLC, and Hello Mobile LLC

File No.: EB-TCD-21-00032935
NAL/Acct. No.: 202232170008
FRN: 0021593975; 0027619089

NOTICE OF APPARENT LIABILITY FOR FORFEITURE

Adopted: August 5, 2022
Released: August 5, 2022

By the Acting Chief, Enforcement Bureau:

I. INTRODUCTION

1. The Commission is committed to protecting the sensitive personal information of American consumers from misappropriation, breach, and unlawful disclosure. Consumers expect, and the Commission requires, service providers to implement reasonable measures to protect private information, including customer proprietary network information (CPNI), that they obtain about their customers. The potential unauthorized exposure of details regarding whom a consumer may have called violates the most basic expectations of privacy and can result in disastrous consequences in the lives and livelihoods of affected consumers. The Commission has a crucial duty to investigate allegations involving potential violations of its rules and will not tolerate late, incomplete, or inadequate responses to its investigative inquiries. Instead, we expect investigated parties to reply promptly and fully and to provide all responsive information in their possession and control so the Commission can ascertain whether consumers have been protected in accordance with statutory requirements and associated Commission rules.

2. We find that Q Link Wireless LLC (Q Link), Hello Mobile Telecom LLC (Hello Mobile), and Quadrant Holdings LLC (Quadrant Holdings) (collectively, the Companies) apparently willfully and repeatedly violated the law by failing to respond to a Commission order to provide information and documents concerning an alleged security flaw in the Q Link mobile app, which may have permitted unauthorized access to consumer proprietary information. We propose a forfeiture of $100,000 against the Companies for their apparent violation of section 503(b)(1)(B) of the Communications Act of 1934, as amended (Communications Act or Act).

II. BACKGROUND

A. Legal Framework

3. The Commission has broad authority under the Communications Act to investigate matters within its purview and to enforce its orders.1 Section 4(i) of the Act authorizes the Commission to “issue such orders, not inconsistent with this Act, as may be necessary in the execution of its functions.”2 Section 4(j) permits the Commission to conduct its investigations “in such manner as will best conduce to the proper dispatch of business and the ends of justice.”3 Section 218 of the Act authorizes the Commission to “obtain from . . . carriers . . . full and complete information necessary to enable the Commission to perform the duties and carry out the objects for which it was created.”4 Section 403 gives the Commission broad authority to commence an investigation on its own motion and the “power to make and enforce any order or orders in the case” relating to the inquiry.5

1 See, e.g., ABC Fulfillment Servs. LLC d/b/a Hobbyking USA LLC & Hobbyking.com; & Indubitably, Inc. d/b/a Hobbyking Corp., Hobbyking USA LLC, Hobbyking, & Hobbyking.com, Forfeiture Order, 35 FCC Rcd 7441 (2020) (“The Commission’s authority to conduct investigations and to compel entities to provide information and documents sought during investigations is well-settled.”), aff’d, Memorandum Opinion and Order, FCC 21-76 (2021).
2 47 U.S.C. § 154(i).
3 Id. § 154(j).

4. Through section 0.111(a) of the Commission’s rules, the Commission delegates to the Enforcement Bureau (Bureau) the authority to investigate potential violations of the Act and the rules and the power to issue all orders necessary to enforce its mandate.6 Furthermore, section 416(c) of the Act provides, “[i]t shall be the duty of every person . . . to observe and comply with such orders so long as the same shall remain in effect.”7 A Letter of Inquiry (LOI) issued by the Bureau constitutes a Commission order directing the recipient to provide the specified information and documents, in the manner directed, within the stated response period.8 Any failure to completely, diligently, or timely respond to an LOI apparently constitutes a violation of a Commission order and, thus, a violation of the Act.9

5. The Act and the Commission Rules govern and limit telecommunications carriers’ use and disclosure of certain customer information. Section 222(a) of the Act imposes a general duty on telecommunications carriers to “protect the confidentiality of proprietary information of customers.”10 Section 222(c) establishes specific privacy requirements for “customer proprietary network information” or CPNI, namely information relating to the “quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier” and that is “made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”11 The Commission has issued regulations implementing the privacy requirements of section 222 (CPNI Rules),12 and has amended them over time.

4 Id. § 218.
5 Id. § 403.
6 See id. § 0.111(a)(1) (granting the Bureau the authority to resolve complaints regarding acts or omissions by any common carrier); § 0.111(a)(17) (granting the Bureau the authority to conduct investigations and collect information, including pursuant to sections 218, 220, 308(b), 403 and 409(e) through (k) of the Communications Act). “Any order, decision, report or action made or taken pursuant to any such delegation . . . shall have the same force and effect and shall be made, evidenced, and enforced in the same manner, as orders, decisions, reports, or other actions of the Commission.” 47 U.S.C. § 155(c)(3).
7 Id. § 416(c).
8 See, e.g., Neon Phone Service, Inc., Notice of Apparent Liability for Forfeiture, 32 FCC Rcd. 7964, 7970, at para. 16 (2017) (“It is well established that a failure to respond to a Bureau LOI [letter of inquiry] constitutes a violation of a Commission Order.”); Technical Communication Network, LLC, Notice of Apparent Liability for Forfeiture and Order, 28 FCC Rcd. 1018, 1019, at para. 5 (2013) (“The LOI the Bureau directed to TCN served as a legal order of the Commission to produce the requested documents and information.”). The Companies were fully on notice of this fact as the cover letter to Bureau letters of inquiry, including those sent to the Companies, includes a statement that “Failure to respond appropriately to this LOI constitutes a violation of the Act and our rules.” Letter of Inquiry from Kristi Thompson, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, to Issa Asad, CEO, Quadrant Holdings Group LLC (Dec. 3, 2021) (on file in EB-TCD-21-00032935) (Initial LOI) (emphasis in original).
9 See 47 U.S.C. § 503(b)(1)(B); see also ABC Fulfillment Servs. LLC d/b/a Hobbyking USA LLC & Hobbyking.com, Memorandum Opinion and Order, 36 FCC Rcd 10688, para. 1 (2021); Aura Holdings of Wisconsin, Inc., Notice of Apparent Liability for Forfeiture, 33 FCC Rcd 3688, 3696, para. 21 (2018), forfeiture order issued, 34 FCC Rcd 2540 (2019); SBC Commc’ns, Inc., Forfeiture Order, 17 FCC Rcd 7589, 7599-600, paras. 23-28 (2002) (SBC Forfeiture Order); Cellco Partnership D/B/A Verizon Wireless, Notice of Apparent Liability for Forfeiture, DA 22-725, para. 13 (EB 2022); Net One Int'l, Net One, LLC, Farrahtel Int’l, LLC, Forfeiture Order, 29 FCC Rcd 264, 267, para. 9 (EB 2014), recons. denied, Memorandum Opinion and Order, 30 FCC Rcd 1021 (EB 2015).
10 47 U.S.C. § 222(a).

B. Factual Background

6.
Q Link is a Mobile Virtual Network Operator (MVNO) that offers the Commission’s Lifeline assistance program13 to qualifying wireless subscribers, as well as prepaid wireless service for both Lifeline and non-Lifeline subscribers.14 Hello Mobile, through its online presence, is also a common carrier that provides nationwide wireless service to consumers as an MVNO. Q Link and Hello Mobile are wholly owned by Florida-based Quadrant Holdings LLC, which in turn is wholly owned by Quadrant’s Chief Executive Officer, Mr. Issa Asad.

7. On April 9, 2021, the Ars Technica website published an article stating that Q Link’s data management practices potentially exposed the private information of an unknown number of its subscribers.15 The article noted that a social media post on Reddit suggested that the Companies’ “My Mobile Account” app, used by subscribers to access their confidential account services, would permit access to subscriber account information without a password.16 The author of the Ars Technica article apparently verified this claim and was able to gain access to a Q Link account (with permission of the subscriber) solely by logging in to the app with the phone number, which apparently permitted the author to view that subscriber’s personal information, including phone numbers that the subscriber had recently dialed.17

8. Consequently, the Bureau’s Telecommunications Consumers Division (TCD or Division) opened an investigation and, on December 3, 2021, issued an initial LOI (Initial LOI) to the Companies18 directing them to provide information and documents regarding their duty to protect CPNI and other proprietary information under section 222 of the Act and section 64.2010 of the Commission’s rules.19 Specifically, the Initial LOI sought detailed information regarding the presence or omission of security features to protect private consumer data, the Companies’ knowledge of the alleged security flaw prior to the publication of the article, the Companies’ remedial actions subsequent to publication, and the extent of any potential disclosure of consumer information. The Companies provided a response on February 7, 2022, which noted that answers to numerous substantive inquiries would be provided in a forthcoming response.20 Q Link provided some additional responsive information approximately seven weeks later on March 31, 2022, but those responses were insufficient.21 TCD then issued the Companies a Supplemental LOI on June 10, 2022, that directed the Companies to provide detailed information regarding the mobile app’s login, authentication, and account access features.22 The Companies failed to file any response to the Supplemental LOI, which was due on or before July 10, 2022.

11 47 U.S.C. § 222(c), (h)(1)(A) (emphasis added). “Telecommunications service” is defined as “the offering of telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used.” 47 U.S.C. § 153(53). The mobile voice services provided by Q Link are “telecommunications services.” See 47 U.S.C. § 332(c)(1); H.R. Conf. Rep. No. 104-458 at 125 (1996) (“This definition [of ‘telecommunications service’] is intended to include commercial mobile service.”).
12 47 CFR § 64.2001 et seq.
13 The Lifeline program, administered by the Universal Service Administrative Company (USAC), provides qualifying low-income consumers discounts on voice or broadband Internet access service to help ensure that all Americans have access to affordable communications service. Bridging the Digital Divide for Low-Income Consumers, Fifth Report and Order, Memorandum Opinion and Order and Order on Reconsideration, and Further Notice of Proposed Rulemaking, 34 FCC Rcd 10886, 10887, para. 3 (2019); see also 47 CFR § 54.401 (describing the Lifeline program).
14 See Q Link Wireless, About Q Link Wireless, https://qlinkwireless.com/about-q-link-wireless.aspx (last viewed July 26, 2022). Q Link also participates in the Affordable Connectivity Program and participated in its predecessor, the Emergency Broadband Benefit Program.
15 See Dan Goodin, No password required: Mobile carrier exposes data for millions of accounts, (Apr. 9, 2021) https://arstechnica.com/information-technology/2021/04/no-password-required-mobile-carrier-exposes-data-for-millions-of-accounts/.
16 See id.
17 See id. See also Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, 22 FCC Rcd 6927, 6931, para. 5 (“CPNI includes information such as the phone numbers called by a consumer; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting. CPNI therefore includes some highly-sensitive personal information.”).
18 Letter of Inquiry from Kristi Thompson, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, to Issa Asad, CEO, Quadrant Holdings Group LLC (Dec. 3, 2021) (on file in EB-TCD-21-00032935) (Initial LOI).

III. DISCUSSION

A. Q Link, Hello Mobile, and Quadrant Holdings Violated the Act by Failing to Properly Respond to Commission Orders

9. We find that Q Link, Hello Mobile, and Quadrant Holdings apparently willfully and repeatedly violated a Commission order by failing to respond to the Bureau’s Supplemental LOI.

10.
Section 503(b)(1)(B) of the Act, in part, provides that a person who willfully or repeatedly fails to comply with a Commission rule or order shall be liable for a forfeiture penalty.23 As noted above, a letter of inquiry is an order of the Commission, and recipients that fail to provide a complete response may be subjected to a monetary forfeiture penalty.24 Congress enacted section 222 of the Act to ensure that telecommunications carriers acknowledge and satisfy their “duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier.”25 It is imperative that carriers provide timely, accurate, and complete responses to investigative inquiries to demonstrate their full compliance with this duty.

11. The Bureau had to issue a Supplemental LOI to the Companies because they failed to provide sufficient or complete answers to the Bureau’s December 3, 2021 Initial LOI. The Companies’ response was initially due on January 2, 2022; after the Division granted the Companies’ request for an extension of time, the Companies eventually submitted their Initial LOI Response on February 7, 2022. In that Initial LOI Response, and more than two months after receipt of the Initial LOI, Q Link and the Companies failed to provide any substantive response to more than half of the LOI’s inquiries. Instead, in response to multiple inquiries, Q Link advised that “[t]he Company will address this request in a supplemental response.”26 After requesting a further extension of time, Q Link finally furnished limited additional information on March 31, 2022.

19 47 U.S.C. § 222; 47 CFR § 64.2010.
20 Response to Letter of Inquiry from John T. Nakahata, Counsel to Q Link Wireless LLC (Feb. 7, 2022) (on file in EB-TCD-21-00032935) (Initial LOI Response).
21 Response to Letter of Inquiry from John T. Nakahata, Counsel to Q Link Wireless LLC (Mar. 31, 2022) (on file in EB-TCD-21-00032935) (Mar. 31 LOI Response).
22 Letter of Inquiry from Kristi Thompson, Chief, Telecommunications Consumers Division, FCC Enforcement Bureau, to John T. Nakahata, Counsel to Q Link Wireless LLC (June 10, 2022) (on file in EB-TCD-21-00032935) (Supplemental LOI).
23 47 U.S.C. § 503(b)(1)(B).
24 See supra para. 4.
25 47 U.S.C. § 222(a). The scope of “proprietary information” covered by section 222 extends beyond CPNI data to include private or sensitive data that a customer would normally wish to protect. See, e.g., TerraCom Inc. and YourTel America Inc., Notice of Apparent Liability for Forfeiture, 29 FCC Rcd 13325, 13330-32, paras. 14-20 (2014).

12. Despite having nearly four months to respond to the Initial LOI, the Companies’ March 31 LOI Response still failed to provide satisfactory responses to several inquiries and was accompanied by a negligible document production totaling 18 documents.27 In multiple instances, the Company ignored the specificity requested by the inquiry and provided only superficial responses.28

13. To address the inadequacies of the Companies’ response to the Initial LOI, and avoid the submission of additional incomplete responses, the Supplemental LOI set forth a series of narrow, focused questions regarding the functionalities of the mobile app and login/authentication protocols.29 In fact, much of this information should have been provided in their Initial Response to the LOI. However, the Companies failed to provide any written response to the Supplemental LOI, which was due on July 10, 2022. Accordingly, we find that Q Link, Hello Mobile, and Quadrant Holdings apparently willfully and repeatedly violated a Commission order by failing to fully respond to both the Bureau’s Initial LOI and by failing to respond to the Bureau’s Supplemental LOI.

B. Proposed Forfeiture

14.
Section 503(b) of the Act authorizes the Commission to impose a forfeiture against any entity that “willfully or repeatedly fail[s] to comply with any of the provisions of … [the Act] or of any rule, regulation, or order issued by the Commission[.]”30 Here, section 503(b)(2)(B) of the Act authorizes us to assess a forfeiture against the Companies, in their capacity as common carriers, of up to $220,213 for each violation or each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $2,202,123 for any single act or failure to act.31 In exercising our forfeiture authority, the Commission must consider the “nature, circumstances, extent, and gravity of the violation and, with respect to the violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as justice may require.”32 In addition, the Commission has established forfeiture guidelines; they establish base penalties for certain violations and identify criteria that we consider when determining the appropriate penalty in any given case.33 Under these guidelines, we may adjust a forfeiture upward for violations that are egregious, intentional, or repeated, or that cause substantial harm or generate substantial economic gain for the violator.34

15. Section 1.80 of the Commission’s rules specifies a base forfeiture of $4,000 for a party’s failure to respond to Commission communications that applies to each violation or each day of a continuing violation.35 We have discretion, however, to depart from these guidelines, taking into account the particular facts of each individual case.36 The Commission has imposed a range of forfeitures to address a party’s failure to provide required information, including by failing to respond to a Bureau LOI, assessing forfeitures from $25,000 in cases involving a target’s failure to respond to Bureau LOIs,37 to forfeitures of $100,000 for failure to timely submit a sworn written response to a Bureau LOI.38 In each case, the orders have emphasized the impact on the Commission’s ability to carry out its duties as a result of the failures.

26 See Initial LOI Response at 5-11, Response to Inquiries 5(f), 5(g)(i)-(ii), 5(j), 5(l), 5(m), 5(n)(i)-(iii), 7, 9, 14, and 16-24.
27 The incomplete and superficial responses to the LOI, combined with the apparent dearth of accompanying documentation, raise grave concerns not only about the Companies’ security practices related to the alleged breach of the “My Mobile account” app, but about whether the Companies’ broader security practices are reasonable.
28 The Attachment to this NAL contains a detailed list of each shortcoming in the Companies’ response to the Initial LOI.
29 See generally, Supplemental LOI.
30 47 U.S.C. § 503(b).
31 Id. § 503(b)(2)(B); 47 CFR § 1.80(b)(2). These amounts reflect the inflationary adjustments to the forfeitures specified in section 503(b) of the Act. See Amendment of Section 1.80(b) of the Commission’s Rules, Adjustment of Civil Monetary Penalties to Reflect Inflation, Order, DA 21-1631, 2021 WL 6135287 (EB Dec. 22, 2021).
32 47 U.S.C. § 503(b)(2)(E).
33 47 CFR § 1.80(b)(10), Note to paragraph (b)(10).
34 Id.
35 Id. § 1.80, Table 1 to paragraph (b)(10).

16. In addition, given the totality of the circumstances, and consistent with the Forfeiture Policy Statement, we conclude that an upward adjustment is warranted under section 1.80 of the rules for the intentional nature of the violations.39 Consistent with Commission precedent, that upward adjustment should be substantial because the apparent violations were intentional; the misconduct was egregious; and the proposed forfeiture must be high enough to serve a deterrent effect in view of Q Link’s ability to pay.40 The Bureau finds that the Companies’ deliberate omissions and failure to respond hindered its ability to conduct a more thorough investigation of potentially significant violations of section 222 of the Act and section 64.2010 of the Commission’s rules. Importantly, the core investigation here sought to determine whether the Companies employed reasonable measures to protect CPNI and other proprietary information, including consumer account information and call details. The Companies’ sustained failure to provide responses needlessly increased the difficulty of the Bureau’s investigation, hindered the Bureau’s efforts to determine the nature and the extent of the reported incident and its effect on Q Link’s customers, and caused the expenditure of additional Commission resources.

17. Accordingly, based on these factors and the particular circumstances of this case, we find that Q Link is apparently liable for a forfeiture in the amount of $100,000. The egregiousness and intentional nature of Q Link’s misconduct, as well as Q Link’s ability to pay, considered in conjunction with the deterrent effect of the proposed forfeiture, dictate that Q Link be held liable for an amount significantly higher than the base forfeiture set for the relevant misconduct.

IV. CONCLUSION

18. We have determined that Q Link, Hello Mobile, and Quadrant Holdings apparently willfully and repeatedly violated Commission orders to produce information and documents as directed by Bureau letters of inquiry. As such, the Companies are apparently liable for a forfeiture of $100,000.
36 The Commission’s Forfeiture Policy Statement and Amendment of Section 1.80 of the Rules to Incorporate the Forfeiture Guidelines, Report and Order, 12 FCC Rcd 17087, 17098–99, para. 22 (1997) (noting that “[a]lthough we have adopted the base forfeiture amounts as guidelines to provide a measure of predictability to the forfeiture process, we retain our discretion to depart from the guidelines and issue forfeitures on a case-by-case basis, under our general forfeiture authority contained in Section 503 of the Act”) (Forfeiture Policy Statement), recons. denied, Memorandum Opinion and Order, 15 FCC Rcd 303 (1999).
37 See, e.g., GPSPS, Inc., Forfeiture Order, 30 FCC Rcd 7814, para. 2 (2015) (affirming the forfeiture proposed in the Notice of Apparent Liability for Forfeiture); GPSPS, Inc., Notice of Apparent Liability for Forfeiture, 30 FCC Rcd 2522, 2533, para. 28 (2015) (proposing a $25,000 forfeiture for failure to respond to an LOI) (forfeiture paid); Net One International, Net One, LLC, Farrahtel International, LLC, Forfeiture Order, 29 FCC Rcd 264, para. 1 (EB 2014) (assessing the monetary forfeiture proposed in the Notice of Apparent Liability for Forfeiture); Net One International, Net One, LLC, Farrahtel International, LLC, Notice of Apparent Liability for Forfeiture, 26 FCC Rcd 16493, 16496, para. 8 (EB 2011) (proposing a $25,000 forfeiture for failure to respond to an LOI).
38 See, e.g., SBC Forfeiture Order, 17 FCC Rcd 7589.
39 See Forfeiture Policy Statement, 12 FCC Rcd. at 17100-101, para. 27 (“the adjustment factors we evaluate . . . include . . . intentional violation, prior violation of same or other requirements . . . and history of overall compliance”); 47 CFR § 1.80, Table 3 to paragraph (b)(10).
40 See, e.g., SBC Forfeiture Order, 17 FCC Rcd. at 7599, para. 23.

V. ORDERING CLAUSES

19.
Accordingly, IT IS ORDERED that, pursuant to section 503(b) of the Act41 and section 1.80 of the Commission’s rules,42 Q Link Wireless LLC, Hello Mobile Telecom LLC, and Quadrant Holdings LLC are hereby NOTIFIED of this APPARENT LIABILITY FOR A FORFEITURE in the amount of One-Hundred Thousand Dollars ($100,000) for willful and repeated violations of section 503(b)(1)(B) of the Act.43

20. IT IS FURTHER ORDERED that, pursuant to section 1.80 of the Commission’s rules,44 within thirty (30) calendar days of the release date of this Notice of Apparent Liability for Forfeiture, Q Link Wireless LLC, Hello Mobile Telecom LLC, and Quadrant Holdings LLC SHALL PAY the full amount of the proposed forfeiture or SHALL FILE a written statement seeking reduction or cancellation of the proposed forfeiture consistent with paragraph 23 below.

21. Q Link Wireless LLC, Hello Mobile Telecom LLC, and Quadrant Holdings LLC shall send electronic notification of payment to Shana Yates, Deputy Chief, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission, at Shana.Yates@fcc.gov on the date said payment is made. Payment of the forfeiture must be made by credit card using the Commission’s Registration System (CORES) at https://apps.fcc.gov/cores/userLogin.do, ACH (Automated Clearing House) debit from a bank account, or by wire transfer from a bank account. The Commission no longer accepts Civil Penalty payments by check or money order. Below are instructions that payors should follow based on the form of payment selected:45

• Payment by wire transfer must be made to ABA Number 021030004, receiving bank TREAS/NYC, and Account Number 27000001. In the OBI field, enter the FRN(s) captioned above and the letters “FORF”. In addition, a completed Form 15946 or printed CORES form47 must be faxed to the Federal Communications Commission at 202-418-2843 or e-mailed to RROGWireFaxes@fcc.gov on the same business day the wire transfer is initiated. Failure to provide all required information in Form 159 or CORES may result in payment not being recognized as having been received. When completing FCC Form 159 or CORES, enter the Account Number in block number 23A (call sign/other ID), enter the letters “FORF” in block number 24A (payment type code), and enter in block number 11 the FRN(s) captioned above (Payor FRN).48 For additional detail and wire transfer instructions, go to https://www.fcc.gov/licensing-databases/fees/wire-transfer.

• Payment by credit card must be made by using CORES at https://apps.fcc.gov/cores/userLogin.do. To pay by credit card, log-in using the FCC Username associated to the FRN captioned above. If payment must be split across FRNs, complete this process for each FRN. Next, select “Manage Existing FRNs | FRN Financial | Bills & Fees” from the CORES Menu, then select FRN Financial and the view/make payments option next to the FRN. Select the “Open Bills” tab and find the bill number associated with the NAL Acct. No. The bill number is the NAL Acct. No. with the first two digits excluded (e.g., NAL 1912345678 would be associated with FCC Bill Number 12345678). After selecting the bill for payment, choose the “Pay by Credit Card” option. Please note that there is a $24,999.99 limit on credit card transactions.

41 47 U.S.C. § 503(b).
42 47 CFR § 1.80.
43 47 U.S.C. § 503(b)(1)(B).
44 47 CFR § 1.80.
45 For questions regarding payment procedures, please contact the Financial Operations Group Help Desk by phone at 1-877-480-3201 (option #1).
46 FCC Form 159 is accessible at https://www.fcc.gov/licensing-databases/fees/fcc-remittance-advice-form-159.
47 Information completed using the Commission’s Registration System (CORES) does not require the submission of an FCC Form 159. CORES is accessible at https://apps.fcc.gov/cores/userLogin.do.
48 Instructions for completing the form may be obtained at http://www.fcc.gov/Forms/Form159/159.pdf.
• Payment by ACH must be made by using CORES at https://apps.fcc.gov/cores/userLogin.do. To pay by ACH, log in using the FCC Username associated to the FRN captioned above. If payment must be split across FRNs, complete this process for each FRN. Next, select “Manage Existing FRNs | FRN Financial | Bills & Fees” on the CORES Menu, then select FRN Financial and the view/make payments option next to the FRN. Select the “Open Bills” tab and find the bill number associated with the NAL Acct. No. The bill number is the NAL Acct. No. with the first two digits excluded (e.g., NAL 1912345678 would be associated with FCC Bill Number 12345678). Finally, choose the “Pay from Bank Account” option. Please contact the appropriate financial institution to confirm the correct Routing Number and the correct account number from which payment will be made and verify with that financial institution that the designated account has authorization to accept ACH transactions.

22. Any request for making full payment over time under an installment plan should be sent to: Chief Financial Officer—Financial Operations, Federal Communications Commission, 45 L Street, NE, Washington, D.C. 20554.49 Questions regarding payment procedures should be directed to the Financial Operations Group Help Desk by phone, 1-877-480-3201, or by e-mail, ARINQUIRIES@fcc.gov.

23. The written statement seeking reduction or cancellation of the proposed forfeiture, if any, must include a detailed factual statement supported by appropriate documentation and affidavits pursuant to sections 1.16 and 1.80(f)(3) of the Commission’s rules.50 The written statement must be mailed to the Office of the Secretary, Federal Communications Commission, 45 L Street, NE, Washington, D.C. 20554, ATTN: Enforcement Bureau – Telecommunications Consumers Division, and must include the NAL/Account Number referenced in the caption. The statement must also be e-mailed to Shana Yates at Shana.Yates@fcc.gov.

24. The Commission will not consider reducing or canceling a forfeiture in response to a claim of inability to pay unless the petitioner submits the following documentation: (1) federal tax returns for the past three years; (2) financial statements for the past three years prepared according to generally accepted accounting practices; or (3) some other reliable and objective documentation that accurately reflects the petitioner’s current financial status.51 Any claim of inability to pay must specifically identify the basis for the claim by reference to the financial documentation. Inability to pay, however, is only one of several factors that the Commission will consider in determining the appropriate forfeiture, and we retain the discretion to decline reducing or canceling the forfeiture if other prongs of 47 U.S.C. § 503(b)(2)(E) support that result.52

49 See 47 CFR § 1.1914.
50 47 CFR §§ 1.16, 1.80(f)(3).
51 47 U.S.C. § 503(b)(2)(E).
52 See, e.g., Ocean Adrian Hinson, Surry County, North Carolina, Forfeiture Order, 34 FCC Rcd 7619, 7621, para. 9 & n.21 (2019); Vearl Pennington and Michael Williamson, Forfeiture Order, 34 FCC Rcd 770, paras. 18–21 (2019); Fabrice Polynice, Harold Sido and Veronise Sido, North Miami, Florida, Forfeiture Order, 33 FCC Rcd 6852, 6860–62, paras. 21–25 (2018); Adrian Abramovich, Marketing Strategy Leaders, Inc., and Marketing Leaders, Inc., Forfeiture Order, 33 FCC Rcd 4663, 4678-79, paras. 44-45 (2018); Purple Communications, Inc., Forfeiture Order, 30 FCC Rcd 14892, 14903-904, paras. 32-33 (2015); TV Max, Inc., et al., Forfeiture Order, 29 FCC Rcd 8648, 8661, para. 25 (2014).

25.
IT IS FURTHER ORDERED that a copy of this Notice of Apparent Liability for Forfeiture shall be sent by first class mail and certified mail, return receipt requested, to Issa Asad, Chief Executive Officer, Quadrant Holdings LLC, 499 East Sheridan Street, Suite 400, Dania Beach, FL 33004, and to John Nakahata, Counsel for Q Link Wireless LLC, Harris, Wiltshire & Grannis LLP, 1919 M Street NW, Suite 800, Washington, D.C. 20036.

FEDERAL COMMUNICATIONS COMMISSION

Loyaan A. Egal
Acting Chief
Enforcement Bureau

ATTACHMENT

Inquiry 3: sought { }1 but did not actually answer the question asked and, oddly, omitted any mention of when it in fact discovered the existence of a potential breach or a security vulnerability.2

Inquiry 5(a): sought information “in detail” regarding {[ ]}, the March 31 LOI Response provided a terse and woefully inadequate response that failed to provide the specifically requested information.3

Inquiry 5(d): sought a {[ ]}, Q Link merely asserted that it [ } and Q Link’s answer completely failed to address the rest of the question, which asked for {[ ]}.4

Inquiry 5(e): sought information “in detail” about { ]}5 This response failed to describe {[ ]}

Inquiry 5(k): sought detailed information about { ]} Q Link merely responded that Apple and Google approved the app for distribution on their app stores.6

Inquiry 5(l): sought information about { }7

Inquiry 5(n): sought “in detail” information about {[ ]} Q Link responded only that it uses a crash-reporting tool that “does not monitor App security per se.”8 In response to a sub-question asking for specific information that Q Link {[ ]}, Q Link responded only that it was {[ ]}

Inquiry 6: sought “in detail” information about {[ ]} Q Link responded with the brief conclusory statement that they “designed the App to satisfy the standards that Apple and Google impose as prerequisites for distribution.”10

1 Material set off by double brackets {[ ]} is confidential and is redacted from the public version of this document.
2 See March 31 LOI Response at 3-4, Response to Inquiry 3. Documents provided with the LOI Response suggest that consumers may have communicated with Q Link regarding the potential vulnerability prior to publication of the Ars Technica article.
3 See id. at 3-4, Response to Inquiry No. 5(a).
4 See id. at 4, Response to Inquiry No. 5(d).
5 Id., Response to Inquiry No. 5(e).
6 See id. at 7, Response to Inquiry No. 5(k).
7 See https://firebase.google.com/docs/crashlytics/get-started.
8 March 31 LOI Response at 7, Response to Inquiry 5(n).
9 Id. at 8, Response to Inquiry No. 5(n)(ii).

Inquiry 8: sought an explanation of the basis for {[ ]} Q Link’s responses again lacked the requisite level of detail. Q Link answered that { ]}11 This response did not confirm how Q Link {[ } In response to a sub-question asking { }12

Inquiry 11: asked whether Q Link { }] This response was incomplete because it failed to identify {[ ]}13

Document Request 16: requested {[ }

Document Request 18: requested {[ }15 {[ ]}

Document Request 19: requested documents { ]} It seems unlikely at best that Q Link could have engaged in these activities—and responded to the news report—without {[ ]}

10 Id., Response to Inquiry No. 6.
11 Id. at 9, Response to Inquiry No. 8.
12 Id., Response to Inquiry No. 8(c).
13 See id. at 10, Response to Inquiry No. 11.
14 See id. at 11, Response to Request for Documents No. 16.
15 Id. at 12, Response to Request for Documents No. 18.