Following an inquiry by a senator on the issue, Verizon, AT&T, T-Mobile and Sprint all pledged to stop providing customers’ location data to third-party brokers. But some details about the situation remain unclear.
As noted by lengthy articles in publications including the Associated Press, Ars Technica and The Wall Street Journal, all of the nation’s top carriers said they would no longer provide location data to location brokers like LocationSmart and Zumigo. That action was laid out in carriers’ letters to Sen. Ron Wyden, D-Ore., who raised the issue in letters to the carriers on May 8 following several reports of leaks of customers’ location data.
Specifically, The New York Times wrote early in May that Securus Technologies had been selling or giving away location data to a sheriff’s office in Mississippi County, Missouri, without court order or any kind of authorization. Shortly thereafter, as reported by security researcher Brian Krebs and ZDNet, an “elementary bug” on the try-it-before-you-buy-it page on LocationSmart’s website could be exploited so that anyone could essentially obtain real-time mobile phone location information.
In their responses to Wyden, the carriers generally pledged to end the sale of customers’ location information to such providers.
UPDATE -- less than a day after I made these letters public, every major wireless carrier says they will cut ties with the middlemen who sell your location information. Chalk one up for oversight and accountability getting results for consumers.— Ron Wyden (@RonWyden) June 20, 2018
Nonetheless, as the AP noted, the carriers didn’t answer Wyden’s questions about the companies to which they sold customer location data. Furthermore, the carriers said that they would work to not disrupt “beneficial services” such as fraud prevention and emergency roadside assistance.
The FCC rules crafted under the Obama administration would have required carriers to obtain consent for selling their customers’ wireless location data, but the Republican-led Congress rejected those rules last year.
As the WSJ noted, both LocationSmart and Securus rejected the notion that they were acting irresponsibly. “LocationSmart is an ‘aggregator’ only in the sense that it provides an interface that enables service providers to request location information from wireless carriers,” a LocationSmart spokesperson to the WSJ.
It's worth noting that customers’ location data continues to be used for a wide range of services. For example, smartphone operating systems can use GPS and other technologies to identify users’ locations, and then can provide that information to third-party apps like Uber. And wireless operators are required by the FCC to provide customers’ location information to 911 call centers.