The FCC’s top privacy cop on how the agency views its data protection mission

The Federal Communications Commission (FCC) has taken privacy enforcement up a notch under Chair Jessica Rosenworcel, who launched a privacy and data protection task force in June 2023.

Since then, the agency has announced several major privacy- and data protection-related enforcement actions. In April, it fined the major telecommunications carriers a collective $196 million for failing to obtain consumers’ consent before sharing their location data. In July, it announced that Verizon-owned TracFone Wireless, which sells anonymous prepaid mobile phones, agreed to pay $16 million and change the way it does business to settle FCC charges focused on its culpability for three data breaches in two years.

The FCC also has recently cracked down on players in the telecom sector for several massive data breaches, unlawful data storage and retention and robocalls.

Loyaan Egal is the architect behind the agency’s renewed focus on privacy and data protection. He heads both the FCC’s enforcement bureau and the privacy and data protection task force.

Recorded Future News spoke with Egal about why the agency is particularly focused on supply chain integrity enforcement; how the FCC is studying privacy concerns related to connected cars; why its enforcement mission matters for national security; and how much consumers hate robocalls, which have recently evolved to include voice cloning.

This conversation has been edited for length and clarity.

Recorded Future News: Why did Commissioner Rosenworcel create the new privacy and data protection task force at the FCC? The enforcement bureau already contained a privacy enforcement division before the task force’s creation. What additional weight does the task force bring to regulating privacy and protecting consumer data?

Loyaan Egal: When the chairwoman established the task force last year, the motivation behind that was ensuring that the commission was bringing to bear all of its resources and capabilities in addressing privacy and data protection and cybersecurity. It was an understanding and a recognition of the importance of … the amount of data that we generate on a day-to-day basis through our communications and through devices.

I saw that about 97% of people in the United States have a cellular phone and a significantly high percentage of those people have smartphones. The amount of day-to-day activities that we engage in through our communication devices, and the risks that emanate from that data — how it's housed, how it's protected, how it's used — was something that was important for the chairwoman. The task force brings not just an enforcement perspective, but also a rulemaking and an engagement aspect to it. That was the motivation behind it and since that occurred, we've had very significant developments.

RFN: Can you say more about which developments you consider significant?

LE: From the enforcement perspective, we've had a number of consent decrees that we've entered into, settlements that we've negotiated, that touch on a number of different issues related to privacy, data protection and cybersecurity. Some of those examples include settlements that we entered into, most recently with T-Mobile, which resolved a number of investigations that we had related to data breaches, and [there were] a number of terms that we were able to negotiate… 

Before that we entered into a settlement with AT&T that addressed an important issue related to supply chain integrity and large telecom companies ensuring the protection of sensitive data vis-a-vis their interaction with their vendors. And we entered into an agreement with TracFone, which was acquired by Verizon, touching on API [application programming interface] vulnerabilities where the company had significant vulnerabilities, and we addressed that through settlements. [TracFone was breached three times between 2021 and 2023, exposing customer data].

What is really important to point out about those settlements is that from the time that Chairwoman Rosenworcel announced the creation of the task force to today, we've entered into settlements with all three major wireless carriers… 

Another one of the major settlements we entered into was with a company named CaptionCall that touched on the telecommunications relay services, which provides communications services to individuals with hearing and speech disabilities or impairments. That was important from a privacy perspective because the company had retained the content of the communications which it was facilitating. From that settlement, we were able to put in some very stringent and strong terms to make sure that there was a privacy officer involved in the company and [ensure] that the company upgraded its data inventory and understanding of its retention of certain information and not retaining it for longer than it was allowed to under the authorities that it operated under.

RFN: TracFone is an especially interesting one since the whole point of getting a TracFone is to protect your privacy. Can you talk in a little bit more specific detail about what the vulnerabilities were? 

LE: The main thing for us on the API issue was that, what we saw in our investigation, and part of what we were trying to address through the consent decree, was the fact that those breaches were resulting in SIM swaps [an account takeover that allows a hacker to steal a phone number and gain access to the phone].

For us, that is a major concern because it's a vector for threat actors for the purpose of taking control of people's devices and then being able to do additional damage. So the API vulnerability, seeing that it was tied to the SIM swap that had occurred, was an area that we focused on. The mitigation steps that we took were that the company had to apply standards consistent with the NIST (National Institute of Standards and Technology) cybersecurity framework … Those were principles that we wanted [TracFone] to focus on going forward to mitigate those vulnerabilities.

FCC Chairwoman Jessica Rosenworcel established a new privacy and data protection task force last year. Image: FCC / YouTube

RFN: The FCC has said that it is prioritizing consumers’ precise geolocation data and how that is treated by data brokers and others. Can you discuss that and whether you foresee any notable enforcements in that area in the future?

LE: The commission [penalized] what was at the time the four major carriers, but now is three with the merger between Sprint and T-Mobile … and pointed out the misuse of that sensitive category of information. Not having the consent of the consumers to then provide [the data] to third parties who then used it for whatever business purposes they used it for. Those enforcement matters are currently pending in court so I can't say too much more about them given that the companies have all appealed. 

RFN: Let’s talk about the robocall enforcements you've done, and particularly related to the voice cloning of President Biden during the run-up to the New Hampshire primary. Can you talk broadly about your view of voice cloning and whether it's an increasing problem, and why enforcement is so necessary?

LE: Robocalls have been a top priority from an enforcement perspective. In addition that matter [the Biden voice cloning robocalls] involved spoofing, misuse of telephone numbers, in addition to the generative AI that was applied there … Robocalls are the number one consumer complaint issue that the commission receives. We have taken significant actions to address it and I think we've been successful in taking the fight to the bad actors. We've taken a strategic approach of identifying categorically where we're seeing some of the worst actors and then directing our enforcement resources to those categories. As an example when we used this approach we applied it first to auto warranties, and we saw a significant drop, almost unprecedented, a 99% drop in those calls. 

Coming back to your specific point about AI- and election-related matters, that is obviously something that we're focused on. We worked closely with the New Hampshire Attorney General's office [on the Biden voice cloned calls] … What we were able to do quickly was identify the source of the calls. From there when we identified the entity that was providing the traffic, we then identified who procured the service related to those specific calls, and then identified who was behind the spoofing [when a caller intentionally changes the information displayed on caller ID to hide their identity]. We [carried out] significant enforcement actions, not only against the individual that we identified, Steve Kramer, who's a political consultant, but also against the company that carried the traffic and that had attested at the highest level that the phone number that was making the call belonged to the individual making it, which turned out not to be the case. 

As a result, we now have a playbook to use to help play our part in the effort of government writ large to help protect our election, which obviously is coming up, people are voting right now as we speak. We are working closely with our partners at CISA, DHS, DOJ and the FBI, to make sure that we can support them if similar activities are identified.

RFN: What is the nexus between privacy and national security in your view? How does the agency see these issues intersecting?

LE: They're obviously distinct topics, but there's overlap … [Telecommunications companies] get access to very sensitive and personal data. So similarly to the health care sector and the financial sector, customers have to entrust these companies with their sensitive information in order to receive the service. 

[We are] also regulating critical infrastructure, which falls into the national security space. 

Whenever we approach these cases, we look at it through the lens of both privacy and national security. How the companies we regulate are gathering the information and using the information is important … 

But then we’re also working with our national security partners to ensure that these companies are protecting that sensitive data from foreign adversaries. Telecommunications providers, cable operators, these are high value targets to threat actors, whether those threat actors are cybercriminals or sophisticated foreign adversaries. It's imperative that we don't bifurcate them and only look at them through one lens, but that we bring a holistic, broad approach when we conduct our investigations, when we ask questions and when we identify vulnerabilities.

RFN: You partner with the United Kingdom’s Information Commissioner's Office, which is the country’s data privacy regulator. What has the partnership achieved?

LE: I thought it was important that we build our relationships, not just at the state and federal level, but also at the international level. We have engaged in significant interactions with our counterparts around the world, working closely with [telecommunications and privacy regulators] in Canada, the U.K., Australia and Ireland … We have borrowed from a concept that's used in the cyber world with regards to advanced persistent threats so that if we identify bad actors and we can identify their technique, tactics, procedures, we then [can] designate that entity and then share that information.

We did that first classification or designation with an entity that we called Royal Tiger [which allegedly used robocalls to commit fraud]. And we were able to identify that these individuals and group of companies had operated in the U.S., the U.K., the U.A.E. and India. We shared that information with our partners. Where you see the through line between that and privacy is in many instances where there are data breaches and sensitive information is taken, that information is then used for more precise targeting of consumers through spoof calls and scam communications.

RFN: Are there any emerging issues in privacy that would fall in your portfolio, any really cutting edge focuses that you might undertake going forward?

LE: We have really put an emphasis on supply chain integrity … many of these [telecommunications] companies having global supply chains just really increases the vulnerability. That is an area that I don't think was being emphasized from an enforcement perspective that we've focused on. 

The other part of that is also — and this is unique to the telecommunication space — many companies are called MVNOs, mobile virtual network operators, so you as a consumer may have your phone account, your wireless account, with a specific company, but that company may be running on another company's network and if the underlying company's network is breached or sensitive data is compromised, that potentially could impact the consumer of the MVNO. That is an area that we're focused on [and] an area that we will continue to focus on.

RFN: The agency has been focused on privacy issues related to connected cars, specifically around using its authorities to better protect domestic violence survivors from abusers stalking them through car location data tracking. 

LE: All I can say is that the Safe Connections Act [a law under which the FCC has made it possible for domestic violence survivors to separate their phone lines from abusers] had a very specific focus, making sure that people who were in abusive relationships, that the sensitive data that their telecommunications service may generate, isn't then used against them for further abuse. 

What the commission [recently] saw is that if that issue that the statute was looking to address was being exacerbated with vehicles, in a way that most people conceptually didn't necessarily think about, that that was an area that the commission should look into. And as you're aware, the commission issued letters [to nine major car companies] and got responses back … That is an area that we will continue to monitor.

RFN: Is there anything coming out of the letters in terms of enforcement?

LE: I can’t say anything about whether there will or will not be enforcement action.