Location data is some of the most sensitive, and sought after, information that smartphones generate. And wireless providers are in a unique position to access it all the time. But a Tuesday report from Motherboard shows that carriers don’t protect this deeply private information as carefully as consumers might think—especially considering that Verizon, T-Mobile, Sprint, and AT&T all pledged to stop selling it months ago.
Last May, US carriers were caught selling customer location data to all manner of third parties, from legitimate services like roadside assistance groups to data brokers who could resell the information to virtually anyone. It exposed a shadow economy, where your location information ends up in the hands of countless companies you’ve never heard of.
Amid the ensuing customer outrage and mounting congressional scrutiny, the major US carriers promised to stop selling user location data to outside brokers. Which is part of what makes the Motherboard story so troubling: Seven months later, it remains easy and cheap for anyone to buy data about a phone’s location without a warrant or any justification at all. All you need is a phone number to target. In Motherboard’s case it was a T-Mobile customer, but data brokers claim to be able to provide location information from all the major carriers.
The carriers said specifically they would stop selling customer location data to third parties. They haven’t.
So what gives? The carrier position seems to be that they are actively scaling back their relationships with third-party brokers, but that there is also real customer benefit from the services fueled by user data. “We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” T-Mobile said in a statement. “We have previously stated that we are terminating the agreements we have with third-party data aggregators and we are nearly finished with that process.”
In a tweet to Oregon senator Ron Wyden, T-Mobile CEO John Legere specifically added that the company will finish phasing out the location data-sharing agreements by March.
It’s unclear, though, how comprehensive that process will be. T-Mobile says that it has shut down the data flow that had allowed location data to travel from partner company Zumigo to Microbilt, a third-party credit-reporting company, which then resold the data in the Motherboard story to a bail bond company. Carriers argue that they only have direct data-sharing relationships with trusted partners, and that problems tend to arise when those partners sell data to other brokers, who then sell it again. The degrees of separation begin to erode credibility.
Part of what muddies this trickle-down is the myriad interests involved. Some brokers buy the data to offer genuinely useful emergency services, or “find my phone” features. Others use it for background checks, to combat fraud, or for other financial dealings. The system has few curbs on it to prevent a location data free-for-all.
The promises carriers have made about selling location data lay bare the semantics at work. T-Mobile would not clarify whether it counts direct partners like Zumigo among the “third-party data aggregators” that it will stop sharing location data with. Meanwhile, Verizon, which did not respond to a request from WIRED for comment, said specifically in June that it was ending its location-sharing agreement with Zumigo and other data aggregators.
Sprint, meanwhile, told WIRED in a statement that, “We do not knowingly share personally identifiable geo-location information except with customer consent, or in response to a lawful request,” like a court order. AT&T struck a similar tone: “We only permit sharing of location when a customer gives permission, for cases like fraud prevention or emergency roadside assistance, or when required by law. Over the past few months, as we committed to do, we have been shutting down everything else. We have shut down access for MicroBilt as we investigate these allegations.”
In general, wireless carriers emphasize two points in attempting to combat criticism about selling customer location data. One is that many services that stem from these arrangements have real value. But while roadside assistance is certainly helpful, even life-saving at times, it’s not as obvious that an entire cottage industry premised on buying and sharing location data is always going to produce products that are so concretely desirable.
The carriers also stress that customers are given the opportunity to consent. Yet consumer advocates say that customers are often unaware of the what exactly they’re signing away. Even if they understand that law enforcement may get data from carriers with a legal warrant, they don’t have much reason to be aware of or understand the ecosystem carriers have built around the sale of location data.
“Let’s say you’re getting a background check to buy something expensive. There could be a mechanism that says, ‘do you want your carrier location data to be made available as part of this interaction?’ And you could say yes or no,” says Alan Butler, senior counsel at the Electronic Privacy Information Center. “That’s very different than the carriers just saying, ‘we’re going to sell all of this in bulk in case anyone ever wants to use it for some service that may or may not be beneficial to you, and you’re not even going to know about it. But don’t worry, it’s all done with your consent somehow.’ Maybe in the carrier terms of service that nobody reads.”
Senator Wyden wrote on Tuesday that the carriers’ apparent lack of urgency on the matter was unacceptable. “Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers.” Wyden has proposed a data privacy bill that would address location data, among other issues.
“This is a blatant abuse of user privacy, and when companies break their promises to their users, they should expect to be held accountable.”
Eva Galperin, EFF
Bottom line: The carriers said specifically they would stop selling customer location data to third parties. They haven’t. They claim to be winding the practice down to offer services in other ways and avoid negative impacts on consumers, but meanwhile highly sensitive and personal data remains exposed.
With little good will left to assume that the carriers will actually make the necessary changes, the big question now is how the FCC will handle the issue. Butler points out that the FCC has the authority to deem it illegal for carriers to sell location data to third-parties. But so far the FCC has not said whether the law applies to this type of aggregated location data. The FCC could not be reached for comment because of the government shutdown.
For now, customers are left wondering what to make of the carriers renewed promises. “I don’t think that consumers have any reason to trust the carriers when they say they’ve stopped selling this data,” says Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation. “This is a blatant abuse of user privacy, and when companies break their promises to their users, they should expect to be held accountable.”
Whether this means FCC action, legislation from Congress, class action lawsuits or other avenues, 2019 seems primed as the year for a showdown. And EPIC’s Butler notes that the recent Supreme Court decision in Carpenter v. United States, though related to a different aspect of location data privacy, makes a strong statement about the especially sensitive nature of location data and urgent need to protect it under the law.
“I think we’ve reached if not a crisis point then at least an inflection point with all of the location threads out there,” Butler says. “There’s a whole system that’s built up in the background behind closed doors to share this data, and obviously somebody is earning money off of that.”