	Federal Communications Commission	FCC 24-42
DISSENTING STATEMENT OF
 COMMISSIONER NATHAN SIMINGTON

Re: 	In the Matter of Sprint Corporation, Forfeiture Order, File No.:  EB-TCD-18-00027700 (April 17, 2024)

	Today, each of the major national mobile network operators faces a forfeiture for its purported failure to secure the confidentiality of its customer proprietary network information ('CPNI') as it relates to location information of network user devices.  While the facts of each alleged violation are somewhat different, the enforcement calculation methodology used to arrive at the forfeitures is shared.  Because I am concerned principally with that issue, together with what I view as a significant and undesirable policy upshot common across the actions that the Commission takes today, I will draft one dissent.
There is no valid basis for the arbitrary and capricious finding—enunciated in the Commission's erroneous rationale in TerraCom Inc. and YourTel America, Inc., Notice of Apparent Liability for Forfeiture, 29 FCC Rcd 13325 (2014) ('TerraCom') and relied upon today—that a single, systemic failure to follow the Commission's rules (in that case, violations of sections 201(b) and 222(a) of the Act; here, a violation of section 64.2010 of the Rules) may constitute however many separate and continuing violations the Commission chooses to find on the basis of the whole-cloth creation of a novel legal ontology.  In TerraCom—which was resolved by consent decree and never proceeded to a forfeiture order—the Commission found that each customer record exposed by a single insecure data protection method (some 305,065 records) could be treated as having formed a separate and continuing violation.  Here, the Commission purports to count individual location-based services providers (‘LBS’) and aggregators relied upon by each mobile network operator to arrive at its separate and distinct continuing violations.
Whether counting individual exposed customer records or LBS providers and aggregators, the clear effect of the Commission's arbitrary selection of a violation class used to increase the number violations emerging from a single act or failure to act of a regulatee alleged to be in violation of our rules is to exceed our section 503 statutory authority.  Here it cannot credibly be argued that any of the mobile network operators, in operating an LBS/aggregator program, committed more than one act relevant for the purposes of forfeiture calculation.  It is simply not plausible that Congress intended that the Commission may arrive at forfeitures of any size simply by disaggregating an "act" into its individual constituent parts, counting the members of whatever class of objects may be related to the alleged violation to arrive at whatever forfeiture amount suits a preordained outcome.  In this case we exceed our statutory maximum forfeiture by a factor of, in some cases, dozens; in TerraCom, we asserted the right to exceed it by thousands.
What's more, the Commission ought to act prudentially here: even assuming, purely arguendo, that location-based CPNI were illicitly exposed, let us not forget that, at every moment, any of thousands of unregulated apps may pull GPS location information, Wi-Fi and Bluetooth signal strength, and other fragments of data indicating location from customer handsets at every moment the device is on.  Indeed, this can be, and routinely is, accomplished even without consumer permission.  By sending a strong market signal that any alleged violation of Commission rules regarding CPNI safekeeping (whether or not the rules actually were violated) can and will result in an outsize fine, we have effectively choked off one of the only ways that valid and legal users of consent-based location data services had to access location data for which legal safeguards and oversight actually exist.
It was available for the Commission to work with the carriers to issue consent decrees to promote best practices to develop further safeguards around location-based and aggregation services, and to actively monitor ongoing compliance in an effort to vouchsafe a regulated means of consensually sharing handset location data with legitimate users of the same.  We opt, instead, to appear "tough on crime" in a way that actually reduces consumer data privacy by pushing legitimate users of location data toward unregulated data brokerage.  Accordingly, I dissent.