The top national wireless carriers in the U.S. have told the Federal Communications Commission they stopped selling customer location data to third-party aggregators.
FCC Commissioner Jessica Rosenworcel, who had asked carriers Sprint, AT&T, Verizon and T-Mobile to update the FCC on their efforts to curb improper use of customers’ location data, has released the statements from carriers (PDF) to the public.
A wave of media investigations in 2018 found that between 2012 and 2017, location data from carriers, including T-Mobile, AT&T and Sprint, had been captured by a so-called location aggregator called Locaid (later renamed LocationSmart). LocationSmart then sold that data to a number of different companies, including CerCareOne. In turn, CerCareOne sold the data to bounty hunters and bail bondsmen, enabling them to find the real-time location of mobile phones.
“The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data. That’s unacceptable,” Rosenworcel said in a statement. “I do not believe consumers should be kept in the dark. That is why I am making these letters available today.”
RELATED: FCC asks AT&T, others for proof that it stopped selling location data to third parties
In its response to the FCC’s request, Verizon said it had worked with LocationSmart and Zumigo, another third-party aggregator, but that it required the aggregators’ corporate customers to obtain subscriber consent prior to requesting any location information.
Verizon said it terminated the majority of its contracts as part of its location aggregator program in November 2018. The company had maintained relationships with four roadside assistance companies under the program, but later terminated those contracts in March 2019. “Those, and all other third-party, entities no longer have access to Verizon subscriber location information through the aggregators,” Verizon’s chief privacy officer, Karen Zacharia, said in the letter to the FCC. But Zacharia said Verizon still shares “personally identifiable subscriber location information only with the affirmative opt-in consent of a subscriber,” with “limited exceptions.”
T-Mobile said it had also contracted with LocationSmart and Zumigo as location aggregators. In its letter to the FCC, T-Mobile’s SVP of government affairs, Kathleen O’Brien Ham, said the company’s location aggregator program was “always relatively small” and that it governed how its customer location data was used by both the aggregators and the downstream location-based service (LBS) providers through “contracts, service use approvals, and periodic assessments conducted by an outside audit firm at the direction of T-Mobile’s counsel.”
After initiating an evaluation of its location aggregator program in the summer of 2018, T-Mobile said it decided to terminate the program entirely, and began phasing out its location data aggregator agreements in October 2018. As of February 8, 2019, T-Mobile said it had terminated all LBS provider access to location data under the program. T-Mobile’s contracts with aggregators LocationSmart and Zumigo expired March 9, 2019.
RELATED: AT&T, T-Mobile, Sprint seek to make amends over location breach
AT&T announced in June 2018. it would phase out its location aggregator relationships. But, the carrier made exceptions for use cases such as emergency services and fraud prevention “in order to avoid undue disruption to providers of such services given their potentially important public benefits,” said Joan Marsh, AT&T’s EVP of regulatory and state external affairs.
AT&T said its location aggregator contracts imposed “strict standards” on aggregators and LBS providers. “Before we provided customer location data to an aggregator or [LBS] provider, we investigated them — their corporate history, security policies, and privacy policies — and approved each planned use of customer location data,” Marsh said.
AT&T decided to accelerate its phase-out of location aggregator contracts in January 2019, and by March 29, 2019, AT&T had ceased to share any AT&T customer location data with location aggregators and LBS providers, Marsh said.
Finally, Sprint told the FCC that it currently only works with one location aggregator, though Sprint did not name the company. Maureen Cooney, head of privacy at Sprint, said the aggregator provides LBS to only two customers, both of whom offer services in the public interest: a roadside assistance provider and “a provider that facilitates compliance with state requirements for a lottery that funds state government.”
Cooney said that Sprint will terminate all contracts with its location aggregator by May 31, 2019. The company is also considering offering location-based services directly to customers in lieu of relying on third party companies to do so, but Cooney said the company has no firm plans to do so at present.
RELATED: Carriers pledge to cease sale of location data, but questions remain
In their responses, all four carriers noted that media claims that carriers were using National Emergency Address Database (NEAD) data as part of the customer location data sold to third parties was incorrect. T-Mobile pointed out that the database is still in development, and that it relies on Wi-Fi access points and Bluetooth beacons, not smartphone location data.