The practice continues months after Sprint, AT&T, T-Mobile, and Verizon promised to stop selling user location data.
Location data is some of the most confidential and sought-after information generated by smartphones. And wireless providers are in a unique position to have constant access to it. However, according to a Motherboard report published on Tuesday, carriers do not protect this highly personal information as carefully as consumers might believe, even though Verizon, T-Mobile, Sprint, and AT&T all pledged to stop selling it months ago.
Last May, US carriers were caught selling customer location data to a variety of third parties, ranging from legitimate services such as roadside assistance groups to data brokers who could resell the information to anyone. It revealed a shadow economy in which your location information is sold to countless companies you’ve never heard of.
Following customer outrage and increased congressional scrutiny, the major US carriers promised to stop selling user location data to third-party brokers. That is one of the things that makes the Motherboard story so troubling: Seven months later, it is still simple and inexpensive for anyone to obtain data about a phone’s location without a warrant or any other justification. You only need a phone number to target. It was a T-Mobile customer in Motherboard’s case, but data brokers claim to be able to provide location information from all major carriers.
So, what’s the deal? The carriers’ stance appears to be that they are actively reducing their relationships with third-party brokers, but that there is also real customer benefit from services powered by user data. “We take our customers’ privacy and security very seriously and will not tolerate any misuse of our customer’s data,” T-Mobile said in a statement. “We have previously stated that we are terminating our agreements with third-party data aggregators, and that process is nearly complete.”
T-Mobile CEO John Legere specifically stated in a tweet to Oregon senator Ron Wyden that the company will finish phasing out the location data-sharing agreements by March.
However, it is unclear how thorough that process will be. T-Mobile says it has terminated the data flow that allowed location data to pass from partner company Zumigo to MicroBilt, a third-party credit-reporting company that, in the Motherboard story, then resold the data to a bail bond company. Carriers contend that they only have direct data-sharing relationships with trusted partners and that problems arise when those partners sell data to other brokers, who then resell it. Credibility begins to erode as the degrees of separation increase.
The plethora of interests involved muddles this trickle-down. Some brokers purchase the data to provide genuinely useful emergency services, such as “find my phone” features. Others use it for background checks, fraud detection, and other financial transactions. The system has few controls in place to prevent a free-for-all with location data.
The promises made by carriers about selling location data reveal the semantics at work. T-Mobile declined to say whether direct partners like Zumigo are among the “third-party data aggregators” with whom it will no longer share location data. Meanwhile, Verizon, which did not respond to WIRED’s request for comment, stated explicitly in June that it was terminating its location-sharing agreement with Zumigo and other data aggregators.
Sprint, for its part, said in a statement to WIRED that “we do not knowingly share personally identifiable geo-location information except with customer consent or in response to a lawful request,” such as a court order. AT&T used a similar tone: “We only allow location sharing when a customer grants permission, in cases such as fraud prevention or emergency roadside assistance, or when required by law. Everything else has been shut down over the last few months, as we promised. We have suspended MicroBilt access while we investigate these allegations.”
The Shell Game
In general, wireless carriers emphasize two points in their efforts to address criticism about selling customer location data. One is that many of the services that result from these arrangements have a real monetary value. But, while roadside assistance can be extremely beneficial, even life-saving at times, it’s not clear that an entire cottage industry based on purchasing and sharing location data will always produce products that are so concretely desirable.
Customers are also given the option to consent, according to the carriers. However, consumer advocates claim that customers are frequently unaware of what they are signing away. Even if they are aware that law enforcement can obtain data from carriers with a legal warrant, they have little reason to be aware of or comprehend the ecosystem carriers have built around the sale of location data.
“Assume you’re getting a background check to purchase something expensive. There could be a mechanism in place that asks, ‘Do you want your carrier location data to be made available as part of this interaction?’ You could also say yes or no,” says Alan Butler, senior counsel at the Electronic Privacy Information Center. “That’s very different than the carriers just saying, ‘we’re going to sell all of this in bulk in case anyone ever wants to use it for some service that may or may not be beneficial to you, and you’re not even going to know about it. But don’t worry, it’s all done with your permission in some way.’ Perhaps in the carrier’s terms of service, which no one reads.”
Senator Wyden wrote on Tuesday that the carriers’ apparent lack of urgency in dealing with the issue was unacceptable. “While major carriers pledged to end these practices, it appears that consumers were given more empty promises.” Wyden has proposed a data privacy bill that would address, among other things, location data.
In conclusion: The carriers specifically stated that they would no longer sell customer location data to third parties. They have not stopped. They claim to be winding down the practice in a way that lets them provide services by other means and avoids negative consequences for consumers, but highly sensitive and personal data remains exposed in the meantime.
With little reason to believe that the carriers will make the necessary changes, the big question now is how the FCC will handle the situation. Butler points out that the FCC has the authority to declare carriers’ sales of location data to third parties illegal. However, the FCC has not stated whether the law applies to aggregated location data. Because of the government shutdown, the FCC could not be reached for comment.
Customers are currently unsure what to make of the carriers’ renewed promises. “I don’t think consumers have any reason to believe carriers when they say they’ve stopped selling this data,” says Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity. “This is a blatant violation of user privacy, and companies should expect to be held accountable when they break their promises to their users.”
Whether through FCC action, congressional legislation, class action lawsuits, or other means, 2019 appears to be the year for a showdown. And, according to Butler of EPIC, the recent Supreme Court decision in Carpenter v. United States, while dealing with a different aspect of location data privacy, makes a strong statement about the particularly sensitive nature of location data and the urgent need to protect it under the law.
“I think we’ve reached an inflection point, if not a crisis point, with all of the location threads out there,” Butler says. “There’s a whole system that’s been built up behind closed doors to share this data, and someone is profiting from it.”