Verizon promises to stop selling its subscribers' location data... for now
But T-Mobile US and Sprint? Not so much
Verizon has promised to stop selling user location data to third parties in response to a privacy campaign by US Senator Ron Wyden (D-OR).
In a letter [PDF] to the lawmaker, the American telco giant said it has "conducted a comprehensive review" of its "location aggregator program" and as a result would kill the agreements it has with the two companies in the program, LocationSmart and Zumigo.
Verizon claimed that location data was only sold if users had explicitly agreed to it, and that the sale of such information was only allowed "under specific conditions" which include fraud detection "or customer identification among others."
In reality, however, Wyden discovered back in May that Securus Technologies was harvesting location data and selling it on to the police following reports that a former Missouri sheriff had carried out unauthorized surveillance of a judge, a sheriff and state highway patrol officers using data bought from Securus.
It appears that Securus was itself buying the data from LocationSmart. But despite Wyden's best efforts to figure out how this illicit market in location data works, Verizon refused to name the other third parties that have been granted access to users' location data, noting only that another 75 companies had sub-contracted with the two companies.
The three other main US mobile operators that Wyden also contacted – AT&T, Spring and T-Mobile US – also failed to name the companies that it sells such data to.
Highlighting the privacy dangers of having user location data sold and resold, just one week after the abuse of Securus data emerged, a security researcher found that he was able to access the location of any mobile phone user through a one-line code hack on a "demo" website run by LocationSmart simply by entering their mobile number.
Verizon dug into the issue and reported back to Wyden this month that "despite the protections that Verizon built into its location aggregation arrangements, it appears that Securus and/or its affiliate 3C Interactive impermissibly permitted law enforcement agencies to request location information through LocationSmart for investigative purposes."
Lawyer warned FCC of Securus phone-tracking risks 10 months agoREAD MORE
In other words, Verizon was simply selling the data, failing to properly audit its use, and companies have been freely trading in user location data as a result.
According to Verizon, Securus was an "approved third party for the location aggregator LocationSmart" but that it was only supposed to use the data to determine "that call recipients were not within a certain distance of the prison from which a collect phone call was placed."
But once that data is readily available and people are willing to pay…
Despite saying it will kill off its "location aggregator program", however, Verizon is not ending the sale of location data altogether. Its letter noted that the termination "must be completed in careful steps so as not to disrupt beneficial services being provided using customer location data, such as the fraud prevention and call routing services." It said it would not authorize any "new uses" of the data while that "transition" went ahead.
If that response from Verizon is far from satisfying, the letters from AT&T, Spring and T-Mobile US to Senator Wyden are worse.
But they said they had asked permission
They failed to answer most of the questions Wyden had asked – most notably on the number of customers that had had their location data wrongly sold - and simply repeated the line that third parties are only allowed to access location data if users have given their consent.
Which sounds good until you consider that the fact that there is clear evidence that the opposite is true and user location data is being freely sold without any such consent. It was, after all, the abuse of this data that sparked the letters in the first place.
Sprint's response didn't even provide that level of fake reassurance – it told Wyden that users must "generally be notified" if their location data is being sold.
"Verizon deserves credit for taking quick action to protect its customers’ privacy and security," Wyden said in a statement at the same time as he published the letters.
He went on: "After my investigation and follow-up reports revealed that middlemen are selling Americans' location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off. In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers' private information to these shady middle men, Americans’ privacy be damned."
Pai in the face
Adding to the fun, following pressure from Wyden, the FCC decided to open an investigation into the unauthorized use of location data. But it then turned out that FCC chair Ajit Pai had represented the company at the heart of the issue – Securus – back in 2012, promoting Wyden to call on Pai to recuse himself from the investigation.
Wyden didn't mince words over the controversial FCC chief. "Chairman Pai's total abandonment of his responsibility to protect Americans' security shows that he can't be trusted to oversee an investigation into the shady companies that he used to represent," Wyden said.
"If your location information falls into the wrong hands, you – or you children – can be vulnerable to predators, thieves and a whole host of people who would use that knowledge to malicious ends."
It's not clear how much money the mobile operators make from selling their users' locations to third parties but it's clearly enough to make them try to weasel their way out of agreeing to stop the practice. Or promise to introduce stronger auditing measures.
AT&T for example fed Wyden the same line [PDF] that "despite AT&T's requirements to obtain customer consent, Securus did not in fact obtain customer consent before collecting customers' location information."
It didn't even place the blame on Securus but the police who were buying data bought from another company bought from another company bought from another company.
"Securus evidently relied upon law enforcement's representation that it had appropriate legal authority to obtain customer location data, such as a warrant, court order, or other authorizing document as a proxy for customer consent," AT&T said.
Nothing to see here
As far as AT&T was concerned, everything was above board because "AT&T received confirmation that Securus had obtained consent for each request for location information, which AT&T understood were all related to the approved Inmate Calling Service."
With that miserable lack of accountability and auditing, it seems very likely that there is similar abuse going on in other parts of the market. Not so, says AT&T, citing nothing beyond its own belief.
"AT&T has no reason to believe that there are other instances of unauthorized access to AT&T customer location data. Nonetheless, we are reviewing these issues carefully to ensure the proper handling of all AT&T customer information."
That response was, presumably, designed to reassure people. But following Wyden's publication of the letters and Verizon's decision to cut off – for now – its "location aggregators", AT&T then followed suit and said it would do the same.
While @Verizon & @ATT have now pledged to stop selling customer location data to shady middlemen, @TMobile & @sprint seem content to keep selling customers’ private information, Americans’ privacy be damned.— Ron Wyden (@RonWyden) June 19, 2018
That still leaves T-Mobile US and Sprint that continue to sell location data under the same program that they already know has been abused. And, of course, there is no guarantee that Verizon and AT&T won't set up a new program once the dust has settled and start selling user location data all over again.
The only thing that would prevent such programs is a new privacy law. And CEO of Salesforce, Marc Benioff, argued for exactly that in an op-ed this week that argued that "a national privacy law" would give "people a reason to believe that [tech] companies will uphold their privacy, not violate it." ®
Sponsored: Becoming a Pragmatic Security Leader