AT&T, Sprint, Verizon, T-Mobile US pledge, again, to not sell your location to shady geezers. Sorry, we don't believe them
Fool me once, shame on, shame on you. Fool me, you can't get fooled again*, OK
US cellphone networks have promised – again – that they will stop selling records of their subscribers' whereabouts to anyone willing to cough up cash.
In a statement on Thursday, AT&T said: "In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services – even those with clear consumer benefits," adding: "We are immediately eliminating the remaining services and will be done in March."
That same March deadline was referenced by T-Mobile US's CEO John Legere who had promised last June to end the sale of subscribers' private location data. Legere tweeted this week: "T-Mobile is completely ending location aggregator work. We’re doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised."
Getting deja vu
That sounds a bit rich to some lawmakers, however, who extracted what appeared to be identical promises seven months ago. Back then, Senator Ron Wyden (D-OR) discovered that a company called Securus Technologies was selling people's location data to the cops, and insisted that America's telecoms watchdog the FCC investigate.
Wyden also wrote to the four major US cellular telcos – AT&T, Verizon, T-Mobile and Sprint – asking them to carry out an audit of which third parties had access to user location data, and ensure that they had people's consent before sharing such personally identifiable information.
As a result of those efforts, the network operators at the time pledged to put an end to the practice. Verizon sent a letter [PDF] saying it had "conducted a comprehensive review" of its "location aggregator program" and as a result would kill the agreements it had with the two companies in the program, LocationSmart and Zumigo.
Verizon claimed that location data was only sold if subscribers had explicitly agreed to it, and that the sale of such information was only allowed "under specific conditions" which include fraud detection "or customer identification among others."
The other operators put out similar statements. "AT&T has no reason to believe that there are other instances of unauthorized access to AT&T customer location data," the communications giant said. "Nonetheless, we are reviewing these issues carefully to ensure the proper handling of all AT&T customer information."
And T-Mobile US's Legere told Senator Wyden to his face that he would end the practice of selling location data through third parties.
That was then. Now...
But, just as we warned at the time, it was all weasel words. Fast forward to this month, and journalist Joe Cox was able to pay a bounty hunter $300 to have someone's T-Mobile US phone number tracked and located – through the exact same location reselling system that had previously been exposed.
In this case it wasn't Securus but a company called Microbilt. However, the details were identical: it was an approved third party that purchased subscribers' location records from a carrier, and through a chain of organizations, sold that private location data to pretty much anyone willing to pay for it: from car salespeople, stalkers, and property managers to criminals, bounty hunters, and private investigators, potentially.
Subscribers are not informed that their location data has been provided to a third party, and it is highly debatable that they have given their explicit permission to be tracked – despite what the cell networks claim – in large part because there is no way for users to tell their mobile operators to not sell their location data.
Following the revelation this month that nothing has changed, Senator Wyden has again called for an FCC investigation, and again argued for a privacy law that would protect US citizens from having their personal data sold without their permission. Wyden has found another supporter in the form of Senator Kamala Harris (D-CA).
Cue another round of promises from the mobile networks. Having been accused of lying to Senator Wyden, T-Mobile US boss Legere embarked on some history revision.
Back in June, Legere made the seemingly unambiguous promise that he had "personally evaluated this issue and have pledged that T-Mobile will not sell customer location data to shady middlemen."
After repeat questions on what that actually meant, a few days later T-Mobile US clarified that it was "winding down our location aggregation agreements." Yet seven months later, it seems that "winding down" still hadn't started.
Following this week's outcry, Legere repeated the same argument as months earlier, and claimed that his telco was "doing it the right way to avoid impacting consumers." He claimed to have promised to end the whole thing in March, though we have been unable to find any reference to March 2019 back in June 2018.
Meanwhile, Sprint, which is being gobbled up by T-Mobile US, gave a vague promise to not "knowingly share personally identifiable geo-location information" unless lawfully compelled by the cops or Feds. Verizon, which appears to have been the only network carrier to have mostly pulled the plug on location data sales, said it is still shutting down what's left of its whereabouts-reselling operation: four location-sharing deals with roadside assistance companies, which now face the chop. Once those agreements are over, Verizon won't sell any location data, and will only share people's whereabouts to roadside assistance organizations with subscribers' permission, it is claimed.
As things stand, despite what appear, again, to be unambiguous promises to end location data selling, there is nothing to stop mobile telcos from simply coming up with a different name or spin for their location-peddling services, and firing it all up again.
While there is money to be made and no law preventing it, it is a virtual certainty that AT&T and others will figure out a way to profit from selling their customers' private data. Last time around, FCC boss Ajit Pai refused to investigate the matter, and while there has been no response from Pai on the renewed calls for an investigation thanks to the partial US government shutdown, it is a virtual certainty that he will continue his pro-telco agenda and stay away from the issue.
Meanwhile, pressure grows in Congress to introduce a privacy law – an American version of Europe's GDPR – especially in the light of abuses by Facebook and others. But that process is very far from certain given that many of the companies that benefit most from selling user data are also some of the most powerful and generous lobbyists in Washington DC. ®