Wireless Carriers Caught Playing Fast and Loose With Location Data
By Richard Adhikari
Feb 8, 2019 9:28 AM PT
AT&T, T-Mobile and Sprint have sold access to subscribers' real-time location data to aggregators, which in turn
have sold it to about 250 bounty hunters and related businesses, Motherboard reported Wednesday.
In some cases, the data allowed users to track individuals to their specific locations inside a building.
Some companies made thousands of location requests to data brokers; one company made more than 18,000 such requests in just over a year.
The news, which sparked widespread outrage, prompted a range of responses, including the following:
There are legitimate uses for such data, he told TechNewsWorld. For example, Google Maps uses location data to search for nearby locations such as cafes or restaurants, "so there are social goods that derive from allowing your location to be shared."
Once data leaves the wireless carrier, however, "there are many places along the value delivery chain that can leak," Jude pointed out. "Just because a business says it will use the location data for one purpose doesn't mean it might not use it for another -- or even sell it."
The location data has been resold to buyers on the black market who were not licensed to use it, Motherboard found.
Breaching the Rules
By engaging in that type of data, the carriers might have breached the telecommunication industry's own
best practices and guidelines for location-based services.
Location-based services (LBS) providers must tell users how their location information will be used, disclosed and protected, the guidelines state. Further, users can choose when or whether location information will be disclosed to third parties, and they can revoke authorizations.
Location aggregators are not LBS providers, but the wireless carriers and the third parties that make the services available to end users are.
In the interest of child safety or business needs, authorization by a wireless carrier's account holder, rather than an account user, may be required for an LBS to be used at all, or to allow locations to be disclosed to a third party, based on the guidelines.
The data sharing might be in breach of the FCC's Customer Proprietary Network Information (CPNI) regulations, which apply to customer-specific information stored on users' devices, as well as on the carrier's network.
"The key question is not whether these networks sold data to third-party aggregators -- it's what type of data they sold," remarked Doug Henschen, principal analyst at Constellation Research.
Companies that monetize their data "have an obligation to ensure that their own standards of privacy and data protection are upheld by partners," he told TechNewsWorld.
Carriers Pledge Crackdown
Sprint said it has ensured that MicroBilt, which offers a wireless location tracking service to several industries, no longer will have access to its data. It also has terminated its contract with Zumigo, an aggregator supplying MicroBilt with phone subscriber data.
T-Mobile said that it was in the process of ending all of its location aggregator services by March, with an eye toward making sure emergency uses would not be impacted.
The issue of
customer location data sharing surfaced last year, after The New York Times reported that Securus had been selling local police forces throughout the U.S. access to the precise location of any cellphone across all the major U.S. mobile carriers' networks. Securus got its data from 3Cinteractive, which got it from location tracking firm LocationSmart.
Sen. Ron Wyden, D-Ore., at the time asked AT&T, Sprint, T-Mobile and Verizon to detail their real-time customer location data-sharing agreements with third-party data aggregation firms. Verizon, AT&T, Sprint and T-Mobile all said they planned to terminate agreements with aggregators.
Demand for Government Action
This time around, Wyden and 14 other lawmakers demanded an investigation by the FCC and the FTC into the sale of Americans' location data "by wireless carriers, location aggregators and other third parties," pointing out that the carriers last year had pledged to stop doing so.
"It is clear that these wireless carriers have failed to regulate themselves or police the practices of their business partners, and have needlessly exposed American consumers to serious harm," the letter says.
The letter, which was sent on Jan. 24, requested a response by Feb. 5.
"This is a murky area," Jude said. "The FCC does have jurisdiction, and the wireless carriers are common carriers. Yet the rules are somewhat different so that wireless service delivery can be encouraged."
The services based on data sharing "are too valuable to society as a whole" to be eliminated, he maintained.
Still, "probably the best remedy would be for someone to � file a class action lawsuit against the carriers," Jude suggested. "If the plaintiffs win, then the industry would tighten up."
Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.