US telecom giants say they’ve finally stopped collecting their customers’ location data and sharing it with third parties.
Verizon, Sprint, AT&T and T-Mobile made the claim in a series of letters to the Federal Communications Commission published on Thursday.
It comes one year after a number of bombshell reports indicated major phone companies were selling user data to shady firms, who could then track users’ whereabouts, raising the ire of privacy advocates and lawmakers around the country.
Last May, a New York Times report discovered carriers were selling user data to LocationSmart, a little-known phone tracking service, which then shared it with Securus, a prison technology company, giving them the ability to track any phone ‘within seconds.’
Then, a Motherboard investigation published in January found that hundreds of bounty hunters had access to highly sensitive user data thanks to every major U.S. wireless carrier.
Now, carriers say they have either put an end to the practice, or are in the process of ending the data sharing.
The letters show that it took the carriers many months to wind down the shady data sharing programs.
FCC Commissioner Jessica Rosenworcel expressed frustration around the agency’s silence on the issue, as well as the slow response from carriers.
‘The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data,’ Rosenworcel said. ‘That’s unacceptable.’
‘This is an issue that affects the privacy and security of every American with a wireless phone.
‘…I do not believe consumers should be kept in the dark. That is why I am making these letters available today.’
AT&T claims it stopped sharing user data with third parties on March 29th.
‘Our contracts require all parties who have received AT&T customer location data in connection with those arrangements to delete that information and we are verifying that they have done so, subject to any of their preservation obligations,’ the company wrote.
Similarly, Sprint said it would cease to work with location aggregators starting May 31st. However, the firm may continue to provide some user location data to some customers that provide roadside assistance services, as well as a company that facilitates compliance with state lottery requirements.
In these cases, the data will be encrypted and only shared ‘as necessary to fulfill its obligations under the contract.’
T-Mobile wrote that it terminated all ‘service provider access to location data’ on February 8th and ended all ‘location-based service contracts’ as of March 9th.
Verizon shut down its location aggregator program last November, aside from some roadside assistance programs. Its contracts with four companies for roadside assistance programs were officially terminated in March.
‘Those, and all other third-party entities no longer have access to Verizon subscriber location information through the aggregators,’ the company added.
The shady practices were first revealed last month and, at the time, telecom firms claimed they were isolated incidents.
However, a Motherboard investigation discovered that’s far from the case. About 250 bounty hunters were able to access users’ precise location data.
In one case, a bail bond firm requested location data some 18,000 times.
AT&T, T-Mobile and Sprint sold the sensitive data, which was meant for use by 911 operators and emergency services, to location aggregators, who then sold it to bounty hunters, according to Motherboard.
The companies pledged last month to stop selling users’ location data to aggregators.
Location aggregators collect and sell user location data, sometimes to power services like bank fraud prevention and emergency roadside assistance, as well as online ads and marketing deals, which depend on knowing your whereabouts.
Motherboard discovered last month that bounty hunters were using the data to estimate a user’s location by looking at ‘pings’ sent from phones to nearby cell towers.
But it appears that the data was even more detailed than previously thought.
CerCareOne, a shadowy company that sold location data to bounty hunters, even claimed to collect assisted-GPS, or A-GPS, data.
This A-GPS data was able to pinpoint a person’s device so accurately that it could show where they are in a building.
Telecom companies began collecting this data in order to give 911 operators a closer approximation of users’ locations, whether they’re indoors or outdoors.
Instead, it was being sold to aggregators, who then sold it to bail bondsmen, bounty hunters, landlords and other groups.
A bail agent in Georgia told Motherboard it was ‘solely used’ to locate ‘fugitives who have jumped bond.’
Neither AT&T, T-Mobile nor Sprint explicitly denied selling A-GPS data, according to Motherboard.
CerCareOne was essentially cloaked in secrecy when it operated between 2012 and 2017, requiring its customers to agree to ‘keep the existence of CerCareOne.com confidential,’ Motherboard said.
The company often charged up to $1,100 every time a customer requested a user’s location data.
CerCareOne said it required clients to obtain written consent if they wanted to track a user, but Motherboard found that several users received no warning they were being tracked, resulting in the practice often occurring without their knowledge or agreement.
While CerCareOne is no longer operational, its existence and prior use by location aggregators raise serious concerns about how users’ data is being utilized by these companies.
AT&T and other telecoms sought to minimize the use of CerCareOne.
‘We are not aware of any misuse of this service which ended two years ago,’ the firm told Motherboard.
‘We’ve already decided to eliminate all location aggregation services—including those with clear consumer benefits—after reports of misuse by other location services involving aggregators.’
At least 15 U.S. senators urged the FCC and the FTC to take action on shadowy data broker businesses, according to Motherboard.
‘This scandal keeps getting worse,’ Democratic U.S. Senator Ron Wyden told Motherboard.
‘Carriers assured customers location tracking abuses were isolated incidents. Now it appears that hundreds of people could track our phones, and they were doing it for years before anyone at the wireless companies took action.
‘That’s more than an oversight — that’s flagrant, wilful disregard for the safety and security of Americans,’ he added.