Mobile carriers are again promising to stop selling your phone location data to other companies—this time for real.
The four major carriers pledged to stop selling customer location data to third-party data brokers in June 2018, but a Motherboard investigation published this week found that T-Mobile, Sprint, and AT&T were still doing so.
Earlier this week, AT&T said it “only permit[s] sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance or when required by law.” But the Motherboard investigation showed that the data was being re-sold on the black market, allowing pretty much anyone to get the location of other people’s phones.
The scandal has resulted in new promises from carriers.
“Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention,” AT&T said in a statement provided to Ars today. “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services—even those with clear consumer benefits. We are immediately eliminating the remaining services and will be done in March.”
T-Mobile offered a similar promise, as we noted in an update to our story on Tuesday. T-Mobile CEO John Legere wrote on Twitter that “T-Mobile IS completely ending location aggregator work. We’re doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised.” T-Mobile’s initial promise in June 2018 did not specify an end date.
“We have previously stated that we are terminating the agreements we have with third-party data aggregators and we are nearly finished with that process,” a T-Mobile spokesperson told Ars this week.
Sprint said earlier this week that it is “investigating this matter and it would be inappropriate to comment further until that process is complete.” We asked Sprint for an update today and will update this article if we get a response.
Verizon mostly stopped sharing location data
Verizon was the only one of the four major carriers that wasn’t flagged by Motherboard’s investigation. When contacted by Ars, Verizon said it has already stopped location data sharing agreements with limited exceptions for roadside assistance companies.
“As you’re most likely aware, Verizon is not among the companies cited in recent media accounts regarding issues with location tracking,” Verizon said. “We have worked hard to implement the commitments we made last summer about location aggregation arrangements. We have followed through on our commitment to terminate aggregation arrangements and provide location information only with the express consent of our customers.”
Verizon said it has “maintained the prior arrangements for four roadside assistance companies during the winter months for public safety reasons, but they have agreed to transition out of the existing arrangements by the end of the March. We have terminated all other such arrangements.” Verizon also said it terminated its relationship with Zumigo, a data aggregator named in the Motherboard report.
If Verizon reaches any new data-sharing agreements in the future, “we’re insisting that customers will have to proactively consent before any location information is shared,” Verizon said.
Google Fi, which provides service over the T-Mobile and Sprint networks, said it has “never sold Fi subscribers’ location information,” according to Motherboard. “Google Fi is an MVNO (mobile virtual network operator) and not a carrier, but as soon as we heard about this practice, we required our network partners to shut it down as soon as possible.”
Calls for investigation
Democrats have called for an investigation of the carriers’ data-sharing practices. “The FCC needs to investigate. Stat,” Federal Communications Commission member Jessica Rosenworcel wrote on Twitter on Tuesday.
“It shouldn’t be that you pay a few hundred dollars to a bounty hunter and then they can tell you in real time where a phone is within a few hundred meters,” Rosenworcel then wrote on Wednesday. “That’s not right. This entire ecosystem needs oversight.”
US Sen. Ron Wyden (D-Ore.) wrote, “This information could be obtained by anyone: a stalker, an ex, or a child predator. It’s time for the FCC to get its act together.”
Sen. Kamala Harris (D-Calif.) similarly wrote that “The FCC needs to immediately investigate reports of this system of repackaging and reselling location data to unregulated third-party services and take the necessary steps to protect Americans’ privacy.”
FCC Chairman Ajit Pai hasn’t offered any comment. The FCC is closed because of the government shutdown.
Obama-era privacy rules were eliminated
During the Obama administration, the FCC voted to impose privacy rules that would have required mobile and home broadband providers to get opt-in consent from consumers before sharing or selling sensitive data such as Web browsing history and precise geo-location data.
Pai and other Republicans opposed the rules, which were halted by Congress and President Trump. Separately, Pai led an FCC vote to prevent implementation of a related rule intended to protect customers’ private data from security breaches.
Still, it’s possible that the FCC or Federal Trade Commission could take action. Phone carriers are legally required to protect “Customer Proprietary Network Information [CPNI],” and the FCC’s definition of CPNI includes location data. The FTC can punish companies that fail to keep promises to consumers.
But the Republican-controlled agencies haven’t shown much willingness to go after telecom companies for privacy violations. For example, Pai’s decision to stop classifying broadband providers as common carriers limits the FCC’s authority over their privacy practices. While mobile voice and landline phones are still treated as common carrier services, mobile broadband and home Internet services aren’t subject to the CPNI rules that apply to common carriers.
https://arstechnica.com/?p=1439933