Federal Communications Commission 
Washington, D.C. 20554



Geoffrey Starks 
 Commissioner

August 4, 2020

John Stankey, CEO
AT&T Inc.
208 S. Akard Street, Suite 2954
Dallas, TX 75202

Dear Mr. Stankey:

In February, the Federal Communications Commission completed its investigation of telecommunications carriers and published a Notice of Apparent Liability (NAL), 	AT&T USA, Inc., Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd 1743 (EB 2020) (AT&T NAL).
 alleging misuse of customer location data and violation of Section 222 of the Communications Act by AT&T Inc. (AT&T). As stated in the NAL, “the precise physical location of a wireless device is an effective proxy for the precise physical location of the person to whom the phone belongs…. Exposure of this kind of deeply personal information puts those individuals at significant risk of harm—physical, economic, or psychological.” 	AT&T NAL at para 73.


Our investigation identified failures by AT&T to protect customer proprietary network information. For example, failures to prevent location-based service providers from misusing customer location information were first reported by the New York Times in 2018. 	See Jennifer Valentino-DeVries, “Service Meant to Monitor Inmates’ Calls Could Track You, Too,” New York Times (May 10, 2018). 
 In response, AT&T announced it would take immediate measures to implement enhanced notice and consent measures, but no evidence of such measures was provided. A second instance of misuse was then reported by Motherboard in early 2019. 	See Joseph Cox, “I Gave a Bounty Hunter $300. Then He Located Our Phone,” Motherboard (Jan. 8, 2019). 
 Despite these failures, AT&T’s formal termination notice for service provider access to customer information was not effective until the end of March 2019—approximately 325 days after the New York Times article.

Here again I find myself inquiring about data and privacy issues that lack transparency. Accordingly, I write today to seek additional information about AT&T’s practices and procedures for protecting consumer information—particularly location data—and its commitment to data privacy. This inquiry comes on the heels of a letter recently filed by a bipartisan group of members of Congress with the Federal Trade Commission and a report published by the Wall Street Journal. 	See Byron Tau and Patience Haggin, “Lawmakers Urge FTC Probe of Mobile Ad Industry’s Tracking of Customers,” The Wall Street Journal (July 31, 2020).
 The report explains that companies in the advertising technology industry are selling private data about millions of Americans, including location data tracking them to places of worship and protests—including, alarmingly, lawful Black Lives Matter protests. Accordingly, I am interested in AT&T’s allowance of and participation in these practices following our above-mentioned NAL proceedings, as they appear to promote similar threats to consumer privacy by different means. Please provide me with full responses to each of the following questions:

1. Indicate whether AT&T Inc., any of its subsidiaries or any corporate affiliates (including, but not limited to, AppNexus), have ever bought, sold, shared, or received the “bidstream” data referenced in the above-referenced congressional letter and the Wall Street Journal report. Please describe the full range of these practices, including when AT&T and/or the relevant subsidiary or affiliate began engaging in them.  
2. Provide the number of real-time bidding auctions where AT&T (including affiliates or subsidiaries) has participated and location data inside the United States was provided. Provide this information for each year since the practice began. If the practice is ongoing, please provide partial information for 2020.  
3. What policies do you have in place to prohibit the tracking of Americans attending protests, including the Black Lives Matter protests?
4. What policies do you have in place to minimize or destroy location data related to sensitive locations, including places of worship and medical facilities? How do you monitor compliance by other participants in the “bidstream” ecosystem?
5. In connection with the above-referenced NAL, AT&T indicated an end to its location-based services business model in February 2019. Explain why the practices you identify in response to Question 1 are not the functional equivalent of the practices AT&T claimed it had discontinued. 
6. Explain what authentication measures AT&T (including affiliates or subsidiaries) has requested or implemented for real-time bidding auctions to ensure customer data is being used for targeted advertising and not being inventoried.

I appreciate your attention on this matter, and I look forward to your responses. I also look forward to our collaborative efforts to ensure consumer protection and data privacy. I view this as an urgent matter. Please send your response to me electronically to Geoffrey.Starks@fcc.gov and Austin.Bonner@fcc.gov no later than August 25, 2020. If you are unable to answer the above-listed questions as of the deadline, or if there are any material changes to your responses after submission, please notify my office immediately.

Regards,



Geoffrey Starks

cc: Joan Marsh, EVP and Chief Regulatory Officer