The FCC proposed a $100,000 fine against Q Link Wireless LLC, for apparently willfully and repeatedly violating the law by failing to respond to a Commission order to provide information and documents concerning an alleged security flaw in the Q Link mobile app.
Q Link is a Mobile Virtual Network Operator (MVNO) that offers the Commission’s Lifeline assistance program to qualifying wireless subscribers, as well as prepaid wireless service for both Lifeline and non-Lifeline subscribers. Hello Mobile, through its online presence, is also a common carrier that provides nationwide wireless service to consumers as an MVNO. Q Link and Hello Mobile are wholly owned by Florida-based Quadrant Holdings LLC, which in turn is wholly owned by Quadrant’s Chief Executive Officer, Issa Asad. The NAL applies to Hello Mobile and Quadrant as well, though it’s combining them as one party in this case.
Carriers are required to implement reasonable measures to protect customer proprietary network information (CPNI), which includes information about phone numbers called, and the frequency, location, duration, and timing of such calls. The potential unauthorized exposure of details regarding whom a consumer may have called, violates the most basic expectations of privacy, according to the FCC’s Enforcement Bureau.
“Slow-walking the Enforcement Bureau’s investigation into potential data breaches and providing partial answers will not cut it,” said Enforcement Bureau Acting Chief Loyaan Egal. “We take very seriously carriers’ obligations to protect consumers’ sensitive information and require prompt and fulsome responses to our questions.”
The FCC’s Telecommunications Consumers Division opened an investigation and, on December 3, 2021, issued an initial Letter of Interest to the companies directing them to provide information and documents regarding their duty to protect CPNI and other proprietary information. Specifically, the Initial LOI sought detailed information regarding the presence or omission of security features to protect private consumer data and the companies’ knowledge of the alleged security flaw prior to the article’s publication. The bureau also sought information on remedial actions the companies took and the extent of any potential disclosure of consumer information.
The companies responded this February, which noted that answers to numerous substantive inquiries would be provided soon. Q Link provided some additional information this March, but the FCC said the responses were “insufficient.”
The bureau then issued the companies a supplemental LOI last month that directed the companies to provide detailed information regarding the mobile app’s login, authentication, and account access features. The FCC said the companies failed to file any response to the supplemental LOI, which was due by July 10.
The FCC proposed the maximum fine allowed, calling the lack of information “intentional” and saying the “misconduct was egregious.” The proposed fine, says the Commission, “must be high enough to serve a deterrent effect in view of Q Link’s ability to pay.”
Q Link Wireless and the other companies will have a chance to respond. The Enforcement Bureau will consider their evidence and legal arguments before acting further to resolve the case.
By Leslie Stimson, Inside Towers Washington Bureau Chief
Reader Interactions