Do telcos have an obligation to ensure customer data is not leaked to criminals? Are they obliged to implement controls that reduce the risk of scammers using communications services to contact potential victims? The answer is apparently not, if the telco is in the USA and the penalty for non-compliance is imposed by a regulator without a trial in a court of law. The USA has always been an outlier compared to how most countries govern communications services. Now a bombshell legal victory for AT&T over the US Federal Communications Commission (FCC) will make US regulatory enforcement even stranger. Put simply, last week’s decision in AT&T vs FCC stops the regulator from deciding fines for telcos who have broken the law on the basis that such punishments must be imposed through a federal court trial so the defendant can exercise its constitutional right to defend itself.
It should go without saying that such an outcome is:
- good news for lawyers who want to increase their wealth; and
- of doubtful benefit to citizens who need governments to be efficient with maintaining order over critical systems that everybody uses everyday.
I am as opposed to arbitrary justice as anyone, but one difficulty with modern communications is that a lot can go wrong in a short space of time and not everybody has the competence to understand where the fault lies. There is a need for effective decision-making processes that can be completed with alacrity, especially if a business is failing to do its duty to the public. There is also an obvious inefficiency in enforcing obligations on comms providers across a large country like the USA by giving much of the responsibility for consumer protection to a patchwork of laws and lawyers chosen by different geographical regions within the country. A degree of centralization and specialization is an advantage, as is obvious from the enormous salaries paid to ex-FCC lawyers when they are hired by national ‘nonprofit’ associations bankrolled by the private sector.
The implications of AT&T vs FCC will roll on and on, but the specific case concerns a USD57mn fine imposed by the FCC because AT&T violated section 222 of the Telecommunications Act, which requires telcos to protect customer data and restricts who they may share it with. In 2018 and 2019 AT&T was violating the law by failing to use ‘reasonable measures’ to prevent unauthorized access to customer location data processed by AT&T’s business partners. AT&T appealed the FCC’s fine — referred to as a forfeiture order per the American way of doing these things — on the grounds that their constitutional rights had been infringed. This is why the ramifications of this case are so enormous. The focus was not on the things that AT&T did or did not do. This argument is about whether an American regulator has the right to impose a fine without a jury trial. Judge Stuart Duncan decided the regulator did not.
No one denies the Commission’s authority to enforce laws requiring telecommunications companies like AT&T to protect sensitive customer data. But the Commission must do so consistent with our Constitution’s guarantees of an Article III decisionmaker and a jury trial.
In this context, Article III refers to the part of the US Constitution which defines the federal judiciary. The court reviewed the typical way the FCC issues fines like these, which begins with an investigation conducted by the FCC, then involves the FCC issuing a proposed fine in the form of a Notice of Apparent Liability for Forfeiture (NAL). The NAL states the upper limit for a potential fine with explanations for how this was calculated and why the FCC believes the fine is justified. Counterarguments can be made to the proposed fine, and the FCC may consequently decide no penalty is merited, or may impose a smaller fine than the figure in the NAL. The final penalty is stated in the FCC’s forfeiture order. Setting aside the American fetish for legal jargon, this process is fairly similar to the way fines are imposed by the comms and data protection regulators of many other nations. If anything, the American process is more deferential to telcos than processes followed by other democratic countries. It is established practice for the FCC. They have followed this sequence many fines since AT&T first challenged it. As explained in the court’s judgment, that challenge had four elements.
In February 2020, the Commission issued AT&T an NAL for willful and repeated violations of section 222 of the Act and section 64.2010 of the Commission’s rules. The NAL proposed a $57,265,625 penalty. Responding in writing, AT&T argued that: (1) location information is not subject to the Act… (2) AT&T acted reasonably; (3) the forfeiture amount was arbitrary and capricious; and (4) the Commission’s enforcement regime is unconstitutional under Article III, the Seventh Amendment, and the nondelegation doctrine.
Four years then passed. It is worth emphasizing this fact because the abstract notion of justice is of reduced practical value if millions of people fall victim to crime because the authorities do not or cannot take prompt action.
In April 2024, the Commission rejected all of AT&T’s arguments and affirmed the proposed $57 million penalty. In short, the Commission decided that… (4) AT&T’s constitutional arguments failed because (a) the possibility of a section 504 trial satisfied the Seventh Amendment and Article III, and (b) the Commission’s ability to choose between enforcement procedures did not implicate the nondelegation doctrine.
The Commission therefore issued a forfeiture order demanding AT&T pay the $57 million penalty within 30 days.
AT&T responded by instigating the appeal which ultimately led to the judgement reached last week.
AT&T elected to timely pay the penalty and seek review in our court. Before us, the company raises the same arguments it raised before the Commission.
I will share a link to the full opinion of the court below, for those who are interested in the details. The rest of us can cut to the chase: Judge Cory Wilson signed on to Judge Duncan’s opinion although a third panelist, Judge Catharina Haynes, concurred only with the judgment. The FCC’s forfeiture order was vacated because of fourth of the four challenges put forward, that AT&T’s constitutional rights had been infringed. I have zero interest in arguing about whether this is the right way to interpret American law. Judges are not legislators and I want to talk about ordinary people being let down by bad rules that do not serve their interests. This case is yet another example of the disastrous way the US is governed, and I will examine the particular impact it will have for strategies to protect consumers from scams.
Most readers of Commsrisk from outside of the USA will be astonished that a government agency which is supposed to have delegated power to enforce rules for a specific industry might not actually have the power to act as ‘judge and jury’ within their specialized remit. Some rules are so complicated, and some requirements so difficult to understand in practice, that it is worth asking who is competent to determine whether they have been followed. Competence matters when seeking justice. I routinely shudder when I read the crap that lawyers write about the arcane parts of the communications industry that interest me. This is not because lawyers are stupid, ill-educated people. The sum of human knowledge grows every year; as time passes it becomes increasingly unlikely that anyone will master more than a small portion of it. As a consequence, CDRs become ‘metadata’, simboxes become ‘SIM farms’, and there have been numerous other occasions when lawyers have coined new terminology for concepts that were already familiar to other professionals, but which lawyers have to learn about for the first time. As smart and as fair as a lawyer may be, there are disadvantages to training lawyers about a new subject just so they can manage the process of making decisions about it. A society may rationally conclude that regulators should exist because the converse can be more efficient: take people with expertise in a subject and train them to make fair decisions by following a process similar to that used by lawyers. Each approach will have its disadvantages, but it is unlikely that one will uniformly give better results than the other.
If this is true of the competence needed from judges, then it is even more true of the competence needed from jurors. There is a simple explanation for why advanced economies are pursuing fewer complicated fraud prosecutions than they have before. Juries lack the interest or aptitude to understand the details of cases that require them to learn about professions and technologies they have never encountered before. Prosecutors realized they could pour resources into cases with little chance of securing a conviction, irrespective of the fact that the criminals have been identified and there is evidence that shows they committed the crime. They chose to focus their finite resources elsewhere. Society as a whole has suffered because fraudsters knew they would never face any punishment so long as their crime was too complicated for an ordinary person to understand.
Regulators exist because complicated stuff will only be properly understood by people with the right experience and training. It is not for me to question the constitution of the USA, but it strikes me as improbable that men living in the 18th century could have anticipated every risk that people might face two-and-a-half centuries later. The authors of the US constitution were also men of action; sometimes they did things considered illegal from the perspective of British rules they rebelled against. American lawyers love the US legal system because it makes them wealthy but the American public has less love for a system that consumes approximately two percent of the national economy without generating confidence that the poor will receive the same justice as the rich. Anyone who does not profit from this system might reasonably ask if the kinds of people who struggle to determine if O.J. Simpson is a murderer, or who need a six-week trial to assess if Johnny Depp is more abusive than Amber Heard, are suited to the task of calculating the appropriate penalty when an organization fails to effect a variety of data protection controls.
Regular readers of Commsrisk will already appreciate that the USA has a problem with protecting the public from harm because of the impractical way rules are enforced. The people who use communications services to commit crime are rarely identified. Those few which have been identified are rarely pursued by the regulator or by prosecutors. The few fines which are issued are rarely collected. Some of these failings just come down to inadequate resourcing of bodies trusted with enforcement. If it takes a lot of resources for a prosecutor to pursue a case then prosecutors will only pursue the cases that have the best chance of success. They may be tempted to use intimidation, in the guise of ridiculously exaggerated potential penalties, to encourage an admission of wrongdoing and the negotiation of a settlement, especially if they are negotiating with somebody who has fewer resources than the prosecutor. That skews the legal system to the advantage of organizations who can spend most on fighting in a court of law.
One severe problem with the FCC is that it is overly politicized, just as the US legal system is overly politicized. AT&T won this particular appeal, but they were not singled out for punishment by the FCC. The same bad practices with location data led the FCC to impose a USD47mn fine on Verizon, and the penalty for T‑Mobile US totaled USD92mn, of which USD12 million related to Sprint. Those other mobile operators lodged similar appeals with different courts; their cases are still pending. Two of the five FCC Commissioners opposed the fines. The three Democrat Commissioners approved, Republican Commissioners Brendan Carr and Nathan Simington dissented. Carr was promoted to Chairman of the FCC following Donald Trump’s most recent election victory. The man who got the top job at the FCC after Trump’s previous victory, Ajit Pai, is now being paid over USD3.5mn per annum at the CTIA, the US telecoms industry association bankrolled by AT&T and the other big telcos. The players change seats but the rules of the game, as written into the US constitution, or section 222 of the Telecommunications Act, are supposedly the same. Reinterpreting the rules every time there is a change of power inevitably breeds cynicism.
To make matters worse, no business has an incentive to be truthful about the flaws in the USA’s regulatory approach, but some are incentivized to sell gimmicky tech that will not solve fundamental issues with how rules are written and enforced in practice. The result is a lot of short-term papering over cracks that keep getting wider each year. Technologies like AI are treated as a ‘quick fix’ to problems which are rooted in a human unwillingness to clarify what the rules should be and how to enforce them consistently in practice. The technology will inevitably fall short, but that realization will probably only occur after the problem has been passed to somebody new. On the rare occasions that somebody at the top of this industry has to resign in disgrace then it will only be after they amassed more wealth than one hundred Americans on median incomes.
One way to disguise the underlying challenge of prosecuting criminals is to demand that the private sector does more to protect the public from crime. For example, criminals use leaked personal data, so authorities can seek to punish the business that leaked the data as compensation for the authorities not punishing the criminals who used the data to commit scams. It is an intelligible response on the face of it, but it motivates businesses to challenge the obligations placed upon them instead of becoming part of a true collaboration between the public and private sector. The public sector translates some of its burden — the responsibility to catch and punish criminals — to the private sector in the form of controls to deny criminals access to resources they use, and the private sector responds by creating new burdens for the authorities — a jury trial — to escape some of these burdens. This is placed within the milieu of idiotically simplistic left-vs-right political arguments that have also infected the operation of the legal and regulatory system. The combination is guaranteed to waste resources on misdiagnosing problems rather than cooperatively working on efficient solutions.
A fair appraisal would not pick sides in the AT&T vs FCC fight because every party comes away looking selfish. AT&T broke the law, and they have continued to break data privacy laws. They should be subjected to increasingly harsh punishment. I also know from personal experience how US telcos will go after individuals who voice an opinion like mine by pressuring their employers to intervene. They lack humility, and that means they also lack the capacity for self-reflection. This contributes to a culture of silence that surrounds bad corporate behavior. On the other hand, organized crime thrives in a lawless vacuum. It is unreasonable of the US legal system to demand the private sector goes to inordinate lengths to protect the public if there is no serious intention to confiscate the proceeds of crime and to impose punishments that would deter others from repeatedly committing the same crimes.
The excuse that scam communications are transnational in nature is not a justification for the dysfunction at the core of the US strategy for consumer protection. There have been examples of American scammers who were clearly subject to US law being treated more leniently than they deserved. When foreign crooks use an American stooge as the face of their business this just proves the authorities know nothing about the people running telcos except for names and addresses. Commsrisk recently discussed evidence of the increased use of simboxes for US scams. Somebody purchased those radio devices, somebody plugged them into electricity sockets, somebody procured SIM cards from US mobile networks and somebody inserted those SIM cards into the slots in the device. These methods require the involvement of people inside the USA too. Pointing fingers at foreign countries is another sign that the first instinct of the US authorities is to look for opportunities to pass the buck instead of prioritizing consumer protection action they can take for themselves.
I have been saying for a while that the US anti-scam strategy is undermined by the absence of rigorous know-your-customer (KYC) checks. Hardly anything is known about the people who run US telcos so it is unsurprising that nothing is known about their customers. This neuters the prospect of enforcement from the outset. Nobody working for a US telco will admit it. Nobody working for the FCC will admit it. They conspire to lie to each other as they lie to the public. Each claims that calls have been ‘authenticated’. They will not admit it is meaningless to say a call has been authenticated if nobody has checked the identity of the person or business who made the call. The FCC pretends they have mandated robust KYC checks. The telcos pretend they have implemented robust KYC checks in the absence of any regulation. Each side remained content so long as neither shattered the illusion. Then Telnyx received a NAL for USD4.5mn, largely because the FCC’s own employees had received scam calls from people who pretended to work for the FCC. Telnyx vowed to fight the penalty, and one of their arguments invoked the same constitutional right to a trial by jury as used by AT&T.
The FCC was wrong to tackle Telnyx in the way they did. The FCC has not written any enforceable rules for KYC in the USA, but they evidently decided to act as if the rules existed because they had been so thoroughly embarrassed. The FCC could perform no meaningful investigation of whether Telnyx had broken the rules because it is impossible to investigate compliance with the detail of rules when there are no detailed rules. The regulator chose to work backwards from the fact that scam calls occurred to the conclusion that KYC obligations must have been violated, without admitting to the possibility that determined criminals can find ways to defeat KYC checks. They made an arbitrary decision that deserved to be challenged. Telnyx is right to fight the FCC’s NAL in their case, but they also go too far by suggesting the universal solution is for every telco to have a trial by jury.
In all likelihood, the FCC pretended to have KYC rules because they lack the competence to write actual KYC rules. When it comes to scam prevention, the FCC only knows how to endorse rules that the communications industry writes for itself. The quality of a KYC check is a practical matter that should be judged based on actual experience of the methods criminals use to disguise their true identities. Empirical observation trumps the principles that a lawyer might draw upon in the absence of relevant experience but nobody in the USA wants to defer to the underlings who do the hard work of checking who a customer is. Those employees sit near the bottom of the pyramid of power and their views are not respected even though their insights are valuable. The result is that too few genuine anti-fraud professionals try to share their experience with the FCC. The FCC only tends to listen to the loudest commercial interests, of the type that can also afford the big salaries of ex-FCC lawyers. Nobody sees the profit in being helpful.
Ensuring telcos can fight any penalty using a trial by jury will not change the FCC’s lack of competence at writing KYC rules. The wrong people make a lot of money from sitting on a regulatory merry-go-round whilst people who could make an important contribution are forced to watch from the side. This dysfunction does not motivate competent professionals to work with the FCC to draft new rules. The USA is falling into the trap of adding more and more stages to the review of bad decisions when what is really required is a tighter focus on the competences needed to make good decisions in the first place. Somebody has to take the first step towards a less adversarial approach, but the adversarial approach is the essence of American legalism.
AT&T’s victory will make a dysfunctional regulator even more dysfunctional. It offers no way forward for those parts of the industry that want robust KYC checks to be mandatory so they can compete on a fair and equitable basis whilst also safeguarding the interests of ordinary phone users. But the really important takeaway is that the rest of the world does not have to repeat American mistakes. Many articles about these subjects are written as if they are for American audiences first, and then also for the rest of the world. This article makes generalizations about the USA because its target audience is in every country but the USA. I have no confidence that the US industry can address its own flaws. It is beyond help. A perfect storm of bad politics, bad law, bad bureaucracy, bad precedent and bad actors makes American dysfunction worse each year. The same dynamic is to blame for children dying because gun laws cannot be reformed, and for the jubilation that occurred when a health insurance CEO was assassinated. The rules are not working for the benefit of ordinary people, and ordinary Americans do not know how to change the way those rules are formulated.
When regimes fail they search for scapegoats whilst manipulating the measures of success to make it seem like they are on the right track. That pattern is also evident with how the US comms industry tackles scams. The track record for data protection is shameful. American lawyers are not going to expose the truth; more money can be made by milking the system than by reforming it. Leaders in other countries need to examine the American approach in its totality so they can learn from its mistakes instead of repeating them. Not all countries will do better — corruption is a universal human flaw — but some might.
Communications is a global business, as are the scams run by organized crime. The last thing the world needs is for American dysfunction to be mistaken for a roadmap that others should follow. That is why I wrote at the beginning of this year that self-regulation has failed and that regulators need to be more muscular in their pursuit of consumer protection strategies that are practical and enforceable. AT&T vs FCC has demonstrated how far the USA has deviated from that ideal.
You can read the Fifth Circuit appellate court’s decision here.



