Jun 26, 2026 · 7 min read
The FCC's Anti-Spam-Call Plan Is Actually a Mass Surveillance Scheme
A new FCC Know Your Customer proposal would require telecom companies to collect government ID and home addresses from all customers — creating a surveillance database that carriers have already proven they can't secure.
The FCC voted 3-0 in April 2026 to advance a "Know Your Customer" rulemaking that would require every US voice provider to collect your name, physical home address, government-issued ID number, and a backup phone number before you can receive service. The stated rationale is fighting spam robocalls. The actual outcome, if adopted, would be the largest compulsory civilian identity database the telecom industry has ever built — and handing law enforcement subpoena access to it. The comment period closed June 25, 2026. Reply comments are due July 27.
Key Takeaways
- The FCC's April 2026 KYC proposal would require all US voice providers to verify a government-issued ID number and physical home address for every customer before granting service.
- Approximately 2.6 million US adults lack any government photo ID, and 34.5 million lack a current government ID — meaning the rule would functionally deny phone access to millions.
- AT&T exposed 7.6 million current and 65.4 million former customers in a single 2024 breach; Comcast exposed approximately 36 million accounts in 2023 — the same carriers that would hold this new database.
- The EFF and ACLU have called on the FCC to abandon the proposal entirely, arguing it creates a mass surveillance infrastructure rather than a spam-call solution.
- The majority of illegal robocall operations are controlled by overseas organizations that US domestic identity rules cannot reach, leaving the core problem unsolved while the surveillance burden falls on every American phone customer.
What the FCC Is Actually Proposing
The FCC's Further Notice of Proposed Rulemaking would require originating voice service providers to collect and verify — before provisioning service — a customer's full legal name, current physical address, government-issued identification number, and an alternate contact number. That means no service until the carrier has confirmed your identity against a government document.
The FCC doesn't hide the secondary purpose. The agency's own filing states that "enhanced KYC information can assist law enforcement to more easily identify callers that use the network to perpetuate crimes" — and explicitly extends that logic beyond robocalls to "national security threats and abuse in text messaging networks." Carriers would also be required to retain these records for four years after the customer relationship ends, matching the statute of limitations for certain illegal calling violations.
Read alongside the broader 2026 federal privacy debate — including the preemption fights documented in the SECURE Data Act analysis — this proposal fits a pattern: regulatory bodies claiming narrow enforcement authority while quietly assembling the infrastructure for something much larger.
Why This Won't Stop Spam Calls
The logic behind KYC for robocall enforcement rests on a faulty premise: that spam callers are US residents using domestic phone accounts. Most aren't. The 2026 State of Robocalls report documents that while roughly 90% of robocalls technically originate from a US number, a large share of the underlying operations are run from overseas — using spoofed US caller IDs purchased cheaply through unregulated foreign VoIP gateways. US KYC requirements reach none of those operations.
A technical solution already exists and already doesn't work well enough: STIR/SHAKEN, the call authentication standard the FCC mandated for large carriers years ago. Among Tier-1 carriers, 85% of traffic is now signed and verified. Among smaller carriers, that number drops to 17.5%. The robocall problem persists not because carriers don't know who their customers are, but because the authentication standard hasn't been fully deployed across the full network — and because overseas originators aren't subject to it at all. Forcing domestic consumers to produce passports at Walmart to buy a prepaid SIM does nothing to change either of those facts.
Who Gets Left Behind
The EFF, joined by the ACLU, has filed comments calling on the FCC to abandon the proposal entirely. Their core argument: phone access is not a luxury. Requiring government-issued ID to obtain a phone line would cut off people who need anonymous or lightly identified prepaid service the most.
The numbers are not small. Approximately 2.6 million US adults have no government photo ID at all. Around 34.5 million adults do not have a current, valid government-issued ID. Roughly 21 million US adults lack a current driver's license. These gaps fall disproportionately on Black Americans, Hispanic Americans, disabled individuals, and lower-income populations — groups that already face structural barriers to government services.
The EFF submission specifically names the populations who rely on anonymous prepaid phone access: domestic violence survivors using a burner phone to contact shelters without alerting an abusive partner. Human trafficking victims. Unhoused individuals. Activists documenting abuses who cannot safely attach their legal name to a contact number. Children in unstable home situations. For each of these groups, a mandatory ID-plus-address requirement is not a minor inconvenience — it removes a lifeline.
The FCC's proposal acknowledges none of this. Its fact sheet makes no mention of vulnerable population impact. This is the same pattern visible in state-level privacy legislation: rules written around a dominant-user assumption that leaves edge cases — who are often the people who need protection most — unaddressed.
The Carriers Already Proved They Can't Secure This Data
Here is what the FCC's proposal is asking you to trust with your government ID number and home address: the same companies that have demonstrated, repeatedly, that they cannot protect customer data at scale.
AT&T disclosed two separate major incidents in 2024. In March, the company confirmed a dark-web dataset containing personal information — including Social Security numbers and account passcodes — belonging to 7.6 million current customers and 65.4 million former customers. A separate July 2024 incident exposed call and text records for nearly all AT&T wireless customers and MVNO customers on its network. The two breaches, combined, touched records for well over 100 million people. Comcast disclosed a breach in 2023 affecting approximately 36 million accounts.
These aren't hypothetical risks. They are the recent track record of the exact organizations the FCC would designate as custodians of a new national identity database. Adding government ID numbers and home addresses to the information these carriers already hold and already lose does not reduce risk — it increases the severity of the next inevitable breach.
The Surveillance Ratchet — and Why It Applies to Your Inbox Too
There is a consistent structure to how surveillance infrastructure gets built. A legitimate-sounding problem is identified. A data collection mandate is proposed as the solution. The mandate is adopted. The database outlasts its original justification and gets repurposed for broader enforcement. The "ratchet" only clicks in one direction: more data, more access, longer retention, wider scope.
The FCC's own filing makes this ratchet visible. The KYC FNPRM asks whether the collected records should be available to law enforcement investigating "national security threats" and SMS abuse — not just robocall violations. Four-year retention is proposed as a baseline, not a ceiling. If the rulemaking proceeds and is later expanded, the question won't be whether the database can be used more broadly. It will be why it shouldn't be.
Email tracking operates by the same logic. A sender embeds a tracking pixel — ostensibly to understand whether their message was received. The data collected goes far beyond delivery confirmation: it captures your IP address, device type, approximate location, and the exact timestamp of every open. That data is retained, aggregated, and sold. The justification ("we just want to know if the email arrived") has long since been eclipsed by the surveillance infrastructure it built. Gblock blocks tracking pixels precisely because the data collection never stays bounded by its stated purpose.
The FCC's KYC proposal and email tracking pixels are the same argument wearing different clothes: "we need this data to stop abuse." In both cases, the infrastructure is permanent and the abuse continues anyway.
What To Watch For — and What You Can Do Now
The comment period for the FCC's KYC rulemaking closed June 25, 2026. Reply comments are due July 27, 2026. After that, the FCC can adopt final rules, issue a revised proposal, or let the proceeding stall. None of those outcomes are automatic — pressure from the public record matters.
- Read the EFF's full analysis of the proposal and its implications for vulnerable populations.
- Contact your congressional representatives. The FCC is an independent agency, but Congress can hold oversight hearings and can pass legislation that constrains or expands FCC authority.
- Watch the FCC's Electronic Comment Filing System for the KYC docket to track what organizations and individuals have submitted and how the commission responds.
- Track whether the July 27 reply comment deadline produces a significant coalition response from civil liberties organizations, disability rights groups, and domestic violence advocacy networks — that coalition is what shifted the FCC's position in prior proceedings.
- Assume the proposal will be narrowed before adoption. Watch specifically for whether prepaid services get a carveout, and whether the identity verification requirement applies to renewals as well as new activations — those details determine whether the rule functions as a targeted enforcement tool or a universal ID requirement.
Surveillance infrastructure is easiest to stop before it exists. Once a carrier is required to collect and retain your government ID for four years, the question of what else that data can be used for becomes a matter of future policy — made by people you haven't elected yet, under conditions you can't predict.