The Federal Communications Commission announced Monday it has blocked more than 1,200 voice service providers from having access to the country’s phone network for failing to comply with anti-robocall regulations, marking the agency’s largest enforcement action against companies that facilitate illegal automated calls.

The providers were disconnected after violating FCC rules requiring accurate certifications in the agency’s Robocall Mitigation Database, a system designed to track compliance with caller authentication protocols. The action affects approximately half of the 2,411 companies that received compliance warnings in December 2024.

“Robocalls are an all-too-common frustration — and threat — to Americans (sic) households,” FCC Chairman Brendan Carr  said in a release. “The FCC is doing everything in its power to fight back against these malicious and illegal calls. Providers that fail to do their duty when it comes to stopping these calls have no place in our networks. We’re taking action and we will continue to do so.” 

The removal follows a preliminary warning issued to 185 companies, along with further action from attorneys general dubbed “Operation Robocall Roundup,” which among other things, included sending warning letters to 37 voice providers demanding compliance with federal requirements.

The removals center on the STIR/SHAKEN protocol system, a caller authentication framework that requires telecommunications carriers to verify caller identity before routing calls through networks. The system addresses a core challenge in robocall prevention: tracing calls that traverse multiple carrier networks before reaching consumers.

Providers must certify STIR/SHAKEN implementation on all internet protocol-based network portions and submit robocall mitigation plans to maintain database access. Companies removed can only rejoin with express approval from FCC enforcement bureaus.

The FCC has invested approximately $250 million in STIR/SHAKEN implementation since the system’s 2020 launch, but significant gaps remain. The authentication system functions only on modern Voice Over Internet Protocol (VoIP) networks, leaving older telephone infrastructure vulnerable.

The enforcement action reflects the government’s struggle in defeating the scourge of robocalls. Earlier this year, Federal Trade Commission Chair Andrew Ferguson told Congress that his agency received more than 2 million complaints about unwanted calls in fiscal year 2024, with 1.1 million specifically concerning robocalls.

The FTC has also contacted 31 Voice Over Internet Protocol providers believed responsible for more than 450 distinct robocalling campaigns. Ferguson indicated in testimony that earlier communications resulted in behavioral changes and reduced activity from most contacted providers.

During May congressional testimony, Carr described robocalling as “probably the number one issue” raised by consumers, calling the problem “exceptionally frustrating.” He noted that robocallers have demonstrated adaptability to previous mitigation efforts, often shifting tactics when one avenue is blocked.

Recent actions have established significant penalties for non-compliance. Lingo Telecom, a Texas-based provider, received a $1 million fine for authenticating AI-generated robocalls that targeted New Hampshire primary voters with fake Joe Biden messages. The incident prompted new FCC rules in January tightening STIR/SHAKEN reporting requirements.

While the focus of the action is on bad actors inside the U.S., international robcall operations present ongoing challenges. Many illegal calls originate from overseas locations where U.S. agencies lack direct authority, complicating efforts to pursue bad actors at their source.

You can read the full list of blocked providers here. 

The post FCC removes 1,200 voice providers from telephone networks in major robocall crackdown appeared first on CyberScoop.

A federal district court declined to step in and review a combined $92 million fine imposed by the Federal Communications Commission on T-Mobile and Sprint for selling customer geolocation data to third parties, saying Congress has recognized “the highly sensitive nature” of such information.

In a unanimous decision, the U.S. District Court of Appeals for the District of Columbia ruled that the FCC “correctly determined” that customer location data is protected under the Communications Act and that “The Carriers therefore had a duty to protect such information from misuse by third parties.”

Judge Florence Pan, who authored the opinion, said the FCC also “reasonably concluded” that Sprint and T-Mobile violated that duty when they failed to take measures to prevent buyers from abusing access to that location data.

“Indeed, the Carriers failed to promptly take such measures even after they became aware of serious abuses,” Pan wrote.

In 2018, the New York Times reported that a Missouri sheriff used data sold by the carriers to track the location of a judge and state law enforcement officers.

That kicked off a broader investigation by the FCC into the data-selling practices of T-Mobile, Sprint, Verizon and AT&T. T-Mobile acquired Sprint in 2020.

The investigation found that all four companies had programs in place until at least 2019 that sold access to the location data of customers to two data aggregators, LocationSmart and Zumigo. Those companies in turn sold that data to dozens of different third-party, location-based service providers and other businesses. Because both Sprint and T-Mobile phones must continually ping nearby cell towers to maintain network service, their location data could provide constant real-time tracking of individuals.

The investigation found the telecoms had effectively shirked their regulatory requirements to safeguard their own customers’ location data by outsourcing responsibility to their third-party buyers in contract language. Meanwhile, internal audits of the companies’ customer data-sharing programs revealed numerous instances where auditors knew third parties were not holding to those agreements.

The FCC fined the companies a combined $200 million, with T-Mobile on the hook for $92 million in penalties between their own offenses and the Sprint acquisition.Pan expressed incredulity that T-Mobile and Sprint would ask a court to intervene on their behalf without substantively disputing the FCC’s case.

“Neither denies what happened. Instead, they argue that the undisputed facts do not amount to a violation of the law,” Pan wrote, adding that these and other legal arguments by the telecoms about the case “lack merit.”

Reached for comment, a T-Mobile spokesperson told CyberScoop that the company is “currently reviewing the court’s action. We don’t have anything new to add right now.” Last year, the telecom told CyberScoop they halted the sale of location data to third-party aggregators in 2019.

Eric Null, co-director of privacy and data at the Center for Democracy and Technology, called the ruling a “welcome decision,” and argued that such fines were necessary to hold telecoms accountable when they “sell off customers’ location data to the highest bidder and violate the law.”

“This is a huge win for privacy and for everyone who owns a cell phone,” Null said in a statement. “Location data is one of the most personal and sensitive types of data, and is particularly harmful in the hands of bad actors.”

The post Court rebuffs request by telecoms to review $92 million privacy fine   appeared first on CyberScoop.

A federal court has upheld the Federal Communications Commission’s authority to impose stricter data breach notification regulations on the telecom sector, including requirements that the industry notifies customers when their personally identifiable information is exposed in a hack.

In a 2-1 decision, the U.S. Sixth Circuit Court of Appeals concluded that the FCC did not overstep its statutory authority last year when it updated existing data breach notification requirements to require telecoms to report on any customer PII lost during a data breach.

In its opinion, the majority wrote that “based on the statutory text, context, and structure, [existing law] gives the FCC the authority to impose reporting requirements in the event of a data breach of customer PII.”

In 2024, the FCC under the Biden administration updated federal regulations on the telecom sector when reporting on the impact of a data breach.

Under previous rules, telecoms were only required to report to the government when a breach exposed customer proprietary network information, which includes any customer information concerning the quantity, technical configuration, type, destination, location and amount of use of a telecommunication service.

The 2024 order concluded that telecoms are also responsible for safeguarding customer PII — a customer’s name, address, date of birth, etc. — along with “any information that is linked or reasonably linkable to an individual or device.” 

The expanded regulations were quickly challenged in court by trade groups representing telecommunications firms, including the Ohio Telecom Association, the Texas Association of Business and USTelecom.

In a consolidated case before the Sixth Circuit, the groups argued  that the FCC lacked authority under the two laws they cited to include customer PII in data breach reporting requirements. They further argued that the 2024 order violated the Congressional Review Act, as Congress had formally moved to block a larger set of FCC Net Neutrality rules in 2016 that included a similar section on data breach notification.

In its decision, the court’s majority disagreed with the telecom group’s argument that the FCC lacked the legal power to regulate poor data privacy practices or to make rules that go beyond information specified by Congress in the Communications Act.

But the court concluded that Congress clearly intended for the federal government, and specifically the FCC, to regulate telecoms’ data privacy. Laws like the Federal Trade Commission Act not only give the FTC similar authority to regulate inadequate data privacy among other industries, they also specifically exempt telecommunications carriers because that industry’s data privacy regulation falls under FCC jurisdiction.

“Contrary to Petitioners’ assertions, this is not a situation in which an agency has “claim[ed] to discover in a long-extant statute an unheralded power to regulate ‘a significant portion of the American economy,’” the majority wrote. “Rather, it is part of the FCC’s longstanding, flexible, and incremental application of [existing law] to data regulation in the evolving environment of data collection and retention.”

Former FCC officials and legal experts told CyberScoop that while the ultimate fate of the regulation is still uncertain, the Sixth Circuit’s decision is a clear win for the agency’s authority to regulate cybersecurity and data privacy.

In an interview with CyberScoop, Loyaan Egal, former chief of the FCC’s enforcement bureau, said he believes “most people thought this new expansion of data breach notification requirements was more than likely probably going to be rejected by the court, and surprisingly it wasn’t.”

Telecom groups could appeal the ruling to the Supreme Court. Current FCC Chair Brendan Carr was one of two commissioners to vote against the data breach notification rules last year. However, after taking the gavel this year, Carr has not moved to rescind the rules, and the FCC continues to vigorously defend their validity in court.

Over the past year, policymakers have been dealing with fallout from Chinese hackers that have systematically compromised U.S. telecommunications infrastructure.

Several sources told CyberScoop that the emergence of the Salt Typhoon and Volt Typhoon campaigns over the past year, as well as the revelation that hacking groups maintained access to telecom networks by exploiting widespread cybersecurity vulnerabilities, may have upended attempts to kill cybersecurity-related regulations like the FCC data breach rules.

Rick Halm, a cybersecurity attorney at law firm Clark Hill, said the FCC’s authority to regulate cybersecurity and data privacy has to be viewed through the lens of the persistent threats the sector is facing from hackers and foreign spies.

“I see this ruling against the backdrop of the looming national cybersecurity threat of Chinese infiltration of critical infrastructure in preparation to inflict damage if an actual conflict erupts,” Halm said.

Chevron’s dead, but cybersecurity regulations live on

In reaching its conclusion, the court cited Loper Bright Enterprises vs. Raimondo — a  2024 Supreme Court case that said, courts, not federal agencies, have the authority to interpret congressional laws — at least 15 times.

When the Supreme Court ended the practice of automatically deferring to agencies’ interpretations of laws, many worried the shift could jeopardize the legality of cybersecurity regulations. That’s because many rules, like the FCC’s data breach regulations, depend on applying old laws to new technologies, which might not meet stricter legal scrutiny. 

But in this instance, the Sixth Circuit used its independent authority to agree with the  FCC: regulating how firms handle and protect PII is a core part of the agency’s responsibilities.

Peter Hyun, a former chief of staff and acting enforcement chief at the FCC, told CyberScoop that “as a substantive matter, this was a clear signal that the FCC did not overreach here.”

“In other words it is in its rightful lane, looking at the practices of these telecom carriers in order to ensure they were protecting customer information and PII,” he said.

However, other observers think future cybersecurity regulations will now face tougher standards.

“I think that this opinion is a warning shot to both the FCC and other federal agencies that you better be able to firmly tie any data privacy or cybersecurity rules directly to a clear statutory premise,” Halm said.

The court also determined that the agency did not violate the Congressional Review Act by proposing “substantially similar” regulation to data privacy regulations that had been formally blocked by Congress in 2016.

While the blocked 2016 order did include similar data breach notification requirements, the court determined it was “far more expansive, imposing a broad array of privacy rules on broadband Internet access services” than the FCC’s 2024 rule.

“The data breach notification requirements were a mere subset of the broader compendium of privacy rules in [the 2016] Order,” the majority wrote. “The 2024 Order, by contrast, addresses only data breach reporting requirements. The two rules are not substantially the same.”

The Sixth Circuit’s ruling appears to reaffirm “a narrower reading of the CRA than some companies would have liked,” Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals, told CyberScoop.

The majority’s conclusion earned a rebuke from Judge Richard Griffin, who wrote in his dissent that “our interpretation of the [Congressional Review Act] ought to elevate the will of Congress over that of an administrative agency.”

The post Court upholds FCC data breach reporting rules on telecom sector appeared first on CyberScoop.

The Federal Communications Commission has adopted new rules to make it more difficult for foreign firms to apply for licensing to build out submarine cables, citing the need to protect the continued construction of critical undersea cables that underpin the internet and transcontinental communications.

The rules would require the FCC to presumptively deny “certain foreign adversary-controlled license applicants” from obtaining licenses needed to operate in U.S.-controlled waters. It would also restrict undersea capacity leasing agreements, ban the use of unspecified covered equipment and establish a range of physical and cybersecurity requirements on those same firms.

The FCC said that as the U.S. seeks to become “the unrivaled world leader in critical and emerging technologies and secure AI dominance,” the cables responsible for powering that data explosion must be protected from acts of foreign sabotage.

According to figures provided by the FCC, there are 90 cable systems already licensed by the agency. The FCC expects those numbers to grow significantly in coming years as businesses and governments continue to build out additional infrastructure.

In a statement, Chair Brendan Carr said the FCC’s order was meant to “facilitate, not frustrate” this expansion of submarine cable infrastructure, while making it harder for foreign nations to potentially gain influence or access to that infrastructure through an affiliate third-party company.

“We not only want to unleash the deployment of new undersea cables — we want to make sure those cables are secure. In recent years, we have seen submarine cable infrastructure threatened by foreign adversaries, like China,” Carr said.

An assessment by Recorded Future’s Insikt Group in July found that the growing submarine cable industry is facing a threat landscape that has “very likely escalated” over the past 18 months. Accidents continue to be the primary means of damage in publicly reported submarine cable incidents, but cybersecurity threats and cable-cutting techniques like anchor dragging are also rising.

Commissioner Anna Gomez noted that the FCC had not updated its rules around submarine cables in decades, despite their evolution into the backbone of global internet communications.

“As national security risks increased and our Government took steps large and small to protect our networks from foreign adversaries on multiple fronts, the Commission long coordinated with key federal agencies to protect submarine cables,” Gomez said.

One key challenge facing policymakers as this expansion continues will be putting hard security restrictions in place without slowing things down.

“The hard work of this item really was in finding the balance between, on the one hand, necessary security measures to protect critical U.S. communications infrastructure against foreign adversary threats and, on the other hand, clarifying and streamlining processes to provide economic certainty that will facilitate investment and minimizing regulatory burdens by removing duplicative or unnecessary requirements where possible,” Gomez said.

The FCC did not respond to a request for more details on the order by the time of publication.

The post FCC tightens rules on foreign firms building undersea cables, citing security appeared first on CyberScoop.