Legislators, regulators call for investigations into carriers’ location security practices

Reports have pointed to unauthorized leaks of carriers' location data. (Pixabay user mohamed_hassan)

Legislator Frank Pallone Jr., a House Democrat from New Jersey, and FCC Commissioner Jessica Rosenworcel are two of the latest officials to call for an investigation into the leak of Americans’ location data. The issue could grow into a black eye for the nation’s wireless network operators, which have been supplying that location data to third parties like Securus and LocationSmart.

“A hearing on how this information was made available is necessary to better understand whether the privacy protections in the Communications Act were violated and whether Congress needs to take action to ensure users’ data are protected. The issues raised by this incident mirrors the Facebook Cambridge Analytica scandal and similarly must be closely scrutinized,” wrote Energy and Commerce Ranking Member Pallone in a letter to Committee Chairman Greg Walden (R-Ore.). The full letter is available at the bottom of this article. “In light of our commitment to protect the privacy of the American people, I request a hearing on this issue so we can fully understand the use, transfer, and protection of cell phone location data and how Congress can act to protect consumers.”

In response to the letter, the FCC’s Rosenworcel tweeted “Yes. This. A congressional hearing and @FCC investigation are both in order.”

Those statements follow similar letters and statements made by Sen. Ron Wyden, D-Ore., who made similar calls to the FCC and the Energy and Commerce Committee’s Walden. “The threats to Americans’ security are grave—a hacker could have used this site to know when you were in your house so they would know when to rob it,” Wyden stated after the second leak—that of LocationSmart—was revealed. “A predator could have tracked your child’s cell phone to know when they were alone. The dangers from LocationSmart and other companies are limitless. If the FCC refuses to act after this revelation then future crimes against Americans will be [on] the commissioners’ heads.”

RELATED: Editor’s Corner—Welcome to the wireless industry’s Cambridge Analytica

Wyden also wrote a letter to AT&T CEO Randall Stephenson asking for details on the topic.

For its part, an FCC official confirmed to Cnet that the LocationSmart leak prompted an investigation by the agency’s Enforcement Bureau.

And, as TechCrunch noted, LocationSmart said that it disabled the bug on its website that allowed a researcher to obtain location information, stating that it “did not result in any customer information being obtained without their permission. … LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.”

The issue came to light when the The New York Times wrote earlier this month that Securus Technologies had been selling or giving away location data to a sheriff’s office in Mississippi County, Missouri, without a court order or any kind of authorization. That report drove Robert Xiao from the Human-Computer Interaction Institute at Carnegie Mellon University to begin poking around on LocationSmart’s website. As security researcher Brian Krebs and ZDNet reported, Xiao discovered an “elementary bug” on the try-it-before-you-buy-it page on LocationSmart’s website that could be exploited so that anyone could essentially obtain real-time location information on everyone who is carrying their phone in their pocket.

In response to the situation, the nation’s wireless carriers generally stated that they would look into the issue. “We take the privacy and security of our customers’ data very seriously,” T-Mobile noted. “We have addressed issues that were identified with Securus and LocationSmart to ensure that such issues were resolved and our customers’ information remains is protected. We continue to investigate this.”