[Update 3: AT&T denies wrongdoing] T-Mobile, Sprint, and AT&T are accused of selling your phone’s location data
With everyone moving to an online world, a new industry has formed into what many have called “big data.” This type of information can be anything from application usage, browser history, location information, and more. This, combined with the rise of the smartphone, has made it even easier for companies to make money from this data as well. A new report just came out this week that accuses three of the four major wireless carriers in the United States (Sprint, T-Mobile, and AT&T) of selling smartphone location data.
Collecting location data isn’t anything new when it comes to Android. Late last year it was revealed that Google is collecting information about where you are (using the Android software) even when the user has switched off the Location Services option. This is troubling information for anyone who values their privacy and the company may end up facing a class-action lawsuit over those exact practices. The most recent report about location data isn’t about Google though. Instead, it’s from the majority of the major wireless carriers in the United States.
Motherboard recently reported on a story about a person who gave a bounty hunter $300 in order to locate a smartphone they had lost. The bounty hunter told the customer they were able to do this thanks to geolocation services from these major wireless carriers. This type of information is only meant to be used by authorized personnel (such as the police), but it looks like many bounty hunters have been able to obtain this type of information thanks to some shady services.
All it took was for the person to give the bounty hunter money to pay for the service and the phone number of the device they needed to locate. The bounty hunter sent the phone number to their contact and returned to the customer with a Google Maps screenshot showing the phones approximate location. While it seems that it’s not technically the wireless carries that are giving away this information, Motherboard showed how they were able to get phone location data with only a phone number. The data trickled down from T-Mobile through various other sources, as shown below.
T-Mobile -> Zumigo -> microbilt -> Bail Bond Company -> Bail industry source -> Motherboard
Update 1: T-Mobile, Sprint, and AT&T Respond
T-Mobile CEO John Legere has responded to the claims on Twitter. He states that the company is in the process of shutting down the sale of location data to third-parties, and will finish doing so in March of 2019.
Actually I've already spoken about this, but Ill tell you too. We are in full swing of ending it and will be completely done in March, as promised. We're doing this right and shutting them down one by one, so customers who use this for safety services can make other arrangements.
— John Legere (@JohnLegere) January 10, 2019
AT&T issued the following statement to CNET:
“Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention. In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services – even those with clear consumer benefits.” AT&T spokesperson in a statement sent to CNET
AT&T further states that sales of location data will cease entirely in March.
Lastly, Sprint told The Verge that the company won’t share geolocation data except for valid law enforcement requests. The company states they are immediately ending their relationships with Zumigo and Microbilt after the two companies were found to be misusing Sprint’s customers’ location data.
Update 2: Class action lawsuit
The carriers tried to stem the tide back in January, but consumer protection firm Z LAW has filed class action lawsuits against all four major U.S. carrier. The lawsuit does not specify the damages desired, but up to 300 million consumers between April 2015 and February 2019 are covered by the lawsuit (100 million for Verizon, 100 million for AT&T, 50 million for T-Mobile, and 50 million for Sprint).
Motherboard reached out to the four carriers for comment:
“We are reviewing the legal filing and have no further comment at this time.” – Sprint
“We can’t comment on pending litigation.” – T-Mobile
AT&T and Verizon did not respond. We will follow this story as it continues to develop.
Update 3: AT&T says data sales are not illegal
AT&T has already phased out their practice of sharing customer location data, however, they are claiming that their actions were not actually illegal to begin with. Carriers like AT&T are not allowed to use data in the National Emergency Address Database (NEAD) for anything other than 911 purposes. AT&T was selling assisted GPS data, which is not part of the NEAD.
That’s not the end of the story, though. AT&T still violated the US law that prohibits phone companies from using customer location information “without the express prior authorization of the customer.” T-Mobile and Verizon have also terminated their customer location data sharing practices. Sprint says they’re ending their practice as of May 31st.
We will continue to follow this story as it unfolds.
Source: Ars Technica