Three groups filed an informal FCC complaint against the nation’s four largest wireless carriers for selling customers’ data to aggregators. The Georgetown Law Center on Privacy & Technology, New America Open Technology Institute and Free Press asked for an investigation and potentially enforcement actions. The Communications Act requires providers “to observe heightened privacy obligations for location information,” said the complaint in docket 16-106. AT&T, Verizon, T-Mobile and Sprint "broadly violated those obligations and their customers’ privacy expectations. The Carriers have disclosed customer location information to location aggregators, other location-based services companies, and unauthorized individuals without customer approval. That location information has in some circumstances found its way into the hands of bounty hunters and stalkers.” In May, Commissioner Jessica Rosenworcel sent letters to CEOs of the carriers asking what they're doing to make sure real-time location information they collect isn’t being sold to data aggregators (see 1905010167). Commissioner Geoffrey Starks also complained about the practice (see 1902080056). The four companies didn't comment Friday.

Firefox added tracking protection as a default for new users, Mozilla said Tuesday. That protects "users from the pervasive tracking and collection of personal data by ad networks and tech companies,” blogged Peter Dolanjski, project lead. “The complexity of privacy settings shouldn’t be placed on users to figure out. The product defaults should simply align with consumer expectations.” Dolanjski said the company expects “to deliver the same functionality to existing users over the coming months,” though current users can turn on the function in settings. “Competition between products that respond to different consumer preferences serves consumers better than heavy-handed regulation,” said Computer and Communications Industry Association CEO Ed Black. “This action expands the choices consumers have when it comes to online privacy.”

Congress should pass and the FTC should adopt a federal privacy regulation pre-empting state privacy and data breach laws absent a private right of action, Business Roundtable wrote the agency Friday in docket 2018-0098. The association deferred to Congress on whether the FTC should have rulemaking authority. ISPs are “sufficiently different” from other online companies to merit privacy rules “tailored to them,” OTI said in separate comments on privacy. OTI cited a New School Digital Equity Laboratory report showing ISPs “generally employ language that is legally vague, with little specificity into their data practices for collection and use.” Disclosure about how data is used and shared is also lacking, OTI said. Users should have the right to access, correct, delete and port data, Companies should be restricted from using data for secondary and discriminatory purposes, OTI said.

Facebook’s co-founder called CEO Mark Zuckerberg’s power “unprecedented and un-American,” and said it's time to break up the company. In a 6,000-word New York Times opinion online Thursday, Chris Hughes, who left the company in 2007, called Zuckerberg’s influence controlling Facebook, Instagram and WhatsApp, “staggering, far beyond that of anyone else in the private sector or in government.” Government “must hold Mark accountable,” said Hughes, who called Zuckerberg’s “unilateral control over speech” the “most problematic aspect of Facebook’s power.” Government should break up Facebook just as it did such monopolies as Standard Oil and AT&T, said Hughes, co-chairman of the Economic Security Project and a senior adviser at the Roosevelt Institute. He called on Congress to create an agency to regulate tech companies that would protect privacy, guarantee basic interoperability across platforms and create guidelines for acceptable speech on social media. Rep. Ro Khanna, D-Calif., agreed that “in retrospect, the FTC should not have approved Facebook’s acquisition of Instagram & WhatsApp in 2012. I believe the way forward is to heavily scrutinize future mergers and to ensure no company has anti-competitive platform privileges,” he said in a statement. Vice President-Global Affairs Nick Clegg responded that Facebook acknowledges the need for accountability. He said that "you don’t enforce accountability by calling for the breakup of a successful American company. Accountability of tech companies can only be achieved through the painstaking introduction of new rules for the internet."

Of 86 countries asking Twitter for legal information, the U.S. made the most requests, with 2,092 for data on 3,860 accounts July-December, the social-media platform reported Thursday. Seventy-three percent of the time, the company gave the U.S. government some information, it said. Globally, Twitter received nearly 7,000 requests for data on more than 11,000 accounts, falling 34 percent from January-June 2018, and turned over information 56 percent of the time. It suspended 166,513 accounts for violations related to promotion of terrorism, down 19 percent, and 456,989 related to child sexual exploitation, down 6 percent. The company uploads legal requests into Lumen database, a partnership with Harvard's Berkman Klein Center, it said. "We encourage the public to explore this site to get a sense of the day-to-day queries we receive from governments and other entities."

T-Mobile has stopped selling real-time location information to data aggregators. Wednesday, FCC Commissioner Jessica Rosenworcel sought such from top carriers. (see 1905010167). As of Feb. 8, the company “terminated all service provider access to location data under the program, and T-Mobile’s location based services contracts with the Location Aggregators officially ended on March 9,” a spokesperson emailed.

FCC Commissioner Jessica Rosenworcel sent letters to CEOs of the four major national wireless carriers Wednesday asking what they're doing to make sure real-time location information they collect isn’t being sold to data aggregators. News of the sale of the data to bounty hunters and related businesses broke last May, she noted. “This is a personal and national security issue that affects every American with a cell phone,” Rosenworcel said. The FCC said it’s investigating but hasn’t “provided the public with any details,” she said. “Nor has it taken any public action to ensure this activity has stopped.” Rosenworcel released letters to AT&T, Verizon, Sprint and T-Mobile. “The FCC needs to do more to protect the privacy and security of American consumers,” she said. “It needs to do more to provide the public with basic information about what is happening with their real-time location information.” Verizon was “the first to take action” when questions arose last summer, a spokesperson said: “We followed through with our pledge and have fully terminated our location aggregator arrangements.” AT&T is "committed to end the aggregator services in March, which we did,” said a spokesperson there. The other carriers and CTIA didn't comment. Commissioner Geoffrey Starks also wants quick action on the data-selling complaints (see 1902080056).

The FTC doesn’t have proper tools or resources to regulate the data broker industry, Intel Global Privacy Officer David Hoffman wrote Tuesday. Data brokers identify as technology companies but are nothing more than “malicious profiteers” weaponizing and monetizing data, he said. The agency has difficulty extending Section 5 of the FTC Act to regulate data brokers, which gather sensitive information without directly interacting with consumers, Hoffman wrote. The agency lacks proper rulemaking authority, and the “teeth” needed to incentivize proper handling of data, Hoffman wrote, citing recent comments to the agency. The Association of National Advertisers' Data Marketing and Analytics Division didn't immediately comment.

Senate Commerce Committee lawmakers are eyeing the first week of May for a privacy hearing, lobbyists told us. This would be the third privacy-related hearing for members (see 1902270048 and 1903260068). One lobbyist said to expect the potential hearing to feature consumer groups, as the first two hearings were mostly industry-driven. The committee didn’t comment Friday.

Facebook “unintentionally” collected the email contacts of as many as 1.5 million users without consent, the company said Thursday, citing a design flaw from 2016. The issue stems from the platform verifying new accounts via user email passwords. When the verification process was altered in May 2016, language informing users of email contact collection was removed, though the uploading continued. The company ended email password verification for new users earlier this month, a spokesperson said. “These contacts were not shared with anyone and we're deleting them,” the company said, noting that affected users will be notified.