The Supreme Court Just Debated Phone Privacy Fines. It’s Still the Wrong Question.

The Supreme Court Just Debated Phone Privacy Fines.

Nicholas Merrill

By Nick Merrill

supreme court ruling

On April 21, the Supreme Court heard arguments over whether the FCC can fine phone carriers for selling customers’ location data without consent. The case—Verizon Communications v. FCC, consolidated with FCC v. AT&T—stems from a 2018 investigation that revealed carriers were selling real-time location data to brokers who then resold it to bounty hunters, stalkers, and federal agencies.

The fines in question total nearly $200 million. The carriers say the FCC’s process for imposing them violates their Seventh Amendment right to a jury trial. The FCC says its enforcement authority is essential to protecting consumers. Both sides are arguing about the wrong thing.

Chief Justice John Roberts put his finger on the problem without quite realizing it. During Tuesday’s arguments, he suggested the carriers might be fighting mostly to avoid “bad PR”—that under the FCC’s process, they don’t actually owe anything until the Justice Department files a separate lawsuit and wins a jury verdict. He may be right about the legal mechanics (I’m not a lawyer, FYI). But the framing only deepens the irony. The Supreme Court can only rule on what’s in front of it -- a procedural dispute over fines, not on why the carriers were selling your location data to bail bondsmen and stalkers in the first place.

The debate assumes that if we impose steep fines, carriers will stop misbehaving. But I spent over a decade learning a harder lesson: as long as companies hold data that links customers’ identities to their activities, that data will be exploited. The only question is by whom.

In 2004, I was running a small internet service provider in New York when the FBI showed up at my door with a National Security Letter—an order demanding that I turn over private information about one of my customers. No judge had signed it. No court had reviewed it. And a gag order told me I couldn’t tell anyone I’d received it.

I refused to comply and spent the next 11 years in court, fighting for the right to even talk about what had happened. I won. But while I was battling over one letter, the government issued roughly 500,000 more. The legal system can’t protect privacy at scale.

That experience taught me something I’ve never forgotten: if you hold data that connects a customer’s identity to their behavior, someone will eventually come for it. It might be the FBI with a National Security Letter. It might be a data broker offering to buy it. It might be a hacker who steals it. But if the dots can be connected, they will be—by someone, for some purpose you never intended.

This is exactly what a 2018 investigation exposed. Carriers weren’t breached by sophisticated hackers. They simply sold what they had: a continuous feed of which phones were connecting to which cell towers, linked to names and billing addresses. That data ended up with Securus, a prison telecom company, and LocationSmart, a data aggregator—and from there, it spread to bail bondsmen, private investigators, and immigration enforcement.

The FCC fined the carriers. The carriers fought the fines. But even if the FCC wins in the end, what changes? The carriers will still collect the same data. They’ll promise to be more careful about who they sell it to. And the next scandal will arrive on schedule.

We’ve seen this cycle before. In 2016, the FCC passed rules requiring carriers to get customer consent before sharing data. The rules were repealed before they took effect. In 2020, the FCC fined carriers for the location-data sales. The carriers paid and appealed. Now the Supreme Court has heard the case, arguing about administrative procedure while the underlying problem remains untouched: carriers hold a detailed record of everywhere their customers go, and that record is a liability waiting to be exploited.

There’s a better approach, but it requires rethinking how phone systems are built.

Cell networks inherently generate location data—that’s how they work. When your phone connects to a tower, the tower knows your phone is there. We can’t change physics. But we can build systems that separate identity from activity. A carrier can verify that an account is paid without knowing who paid it. It can provide service to a phone number without knowing whose phone it is.

The cryptographic techniques to do this—like zero-knowledge proofs—have existed for decades. They allow systems to verify facts without storing the underlying information. The technology isn’t new. The will to use it has been what’s missing.

The carriers argue they need customer data for billing and fraud prevention. That was a reasonable position 20 years ago. Today, it’s a choice. They collect this data because it’s profitable, not because it’s necessary.

The Supreme Court will decide whether the FCC followed the right procedures in fining the carriers. Chief Justice Roberts may have identified a genuine legal problem with how those fines were imposed. But the more important question still isn’t before the court: Why are we still building phone systems that make this kind of surveillance inevitable?

A 2018 investigation exposed the problem. Congress hasn’t fixed it. The courts are arguing about administrative procedure. Meanwhile, every American with a cell phone is still generating a detailed location diary that will eventually be sold, subpoenaed, or stolen.

Better lawyers can fight the fines. Better architecture can make the fines unnecessary. The only way to truly protect customer privacy is to make sure no one can connect the dots—because there’s simply nothing there to find.

Nicholas Merrill is the founder and CEO of Phreeli, a privacy-focused wireless carrier. In 2004, he became the first person to challenge a National Security Letter under the Patriot Act, a legal battle that lasted over a decade.