The U.S. wireless industry has been caught in a fresh scandal amid a new report that detailed how three of the nation’s largest carriers have continued the practice of selling personal location data of their customers to third parties. AT&T, T-Mobile and Sprint were found to be selling access to their customer’s location data seven months after all of the major U.S. carriers promised to stop selling user location to data brokers, according to a report by Motherboard.
All of the carriers—including Verizon, which was not among the companies cited in the report—have since issued another round of apologetic and sometimes ambiguous statements about how private location data end up in the wrong hands and what they’re doing to stop abusive behavior.
After paying a bounty hunter’s bail bond company $300, Motherboard was provided with a screenshot of the real-time location of a specific phone down to a radius of a few blocks.
“This is what happens when there are no financial penalties that are meaningful to the companies when they breach your data and destroy your privacy,” said Jamie Court, president of Consumer Watchdog. “This is the poster child for why we need damages built into a law in every state in the nation and the federal government for when companies violate your privacy and abuse your private information.”
Sen. Ron Wyden (D-Oregon) is trying to change that. Wyden has been a leading voice for consumer protections in Congress, and particularly when a similar circumstance occurred last May that culminated with promises from all the major wireless carriers to end the practice of selling location data to third parties.
CTIA guidelines and best practices agreed to by marketing associations and their members appear to be meaningless when nefarious practices such as those reported by Motherboard continue unencumbered. “Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers,” Wyden wrote in a tweet.
Wyden authored a bill, the Consumer Data Protection Act, which would allow consumers to control the sale and sharing of their data and give the Federal Trade Commission authority to render stiffer penalties when companies are found to be out of compliance. “It’s time for some sunshine on this shadowy network of information sharing,” he wrote in a statement after releasing the draft legislation in November 2018. The bill calls for fines up to 4% of a company’s annual revenue on first offense and 10- to 20-year criminal penalties for senior executives.
“There are no good laws except the one that’s going to be on the books in California in 2020 to make these companies pay a big price for when they violate their promises and betray your privacy,” Court said in a phone interview. The California Consumer Privacy Act of 2018 is the strictest online privacy law in the country and aims to give consumers widespread control over their personal data.
“Now there’s no protection. In 2020, Californians will have the right to say no and opt out—the companies may choose to charge them more. But until 2020, and until other states become as proactive as California, we have no choice, and that’s why the lack of a penalty for the abuse is so galling,” Court said.
AT&T, Verizon and T-Mobile have all made new pledges this week to end the practice of selling customers’ location data, including agreements with companies that provide services such as roadside assistance.
“We only permit sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law. Over the past few months, as we committed to do, we have been shutting down everything else,” AT&T said in a statement. “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services—even those with clear consumer benefits. We are immediately eliminating the remaining services and will be done in March.”
Verizon, the only major U.S. carrier not cited for the most recent problem, said it is working hard to implement commitments made last summer about location aggregation agreements. “We have followed through on our commitment to terminate aggregation arrangements and provide location information only with the express consent of our customers,” the company wrote in a statement. “To be transparent, we have maintained the prior arrangements for four roadside assistance companies during the winter months for public safety reasons but they have agreed to transition out of the existing arrangements by the end of the March. We have terminated all other such arrangements.”
Sprint said it does not “knowingly share personally identifiable geo-location information except with customer consent or in response to a lawful request such as a validated court order from law enforcement.” The company says it has terminated its relationship with the outside firms cited in Motherboard’s report, but didn’t say when, or if, the practice would come to an end with all third-party companies. “We don’t tolerate violations of privacy and data security protections for our customer data,” the company said in a statement.
T-Mobile, the carrier most directly cited in Motherboard’s report, said it takes the privacy and security of its customers’ information seriously and will not tolerate misuse of customer data. “We have previously stated that we are terminating the agreements we have with third party data aggregators and we are nearly finished with that process,” the company wrote in a statement.
After Wyden called T-Mobile CEO John Legere out on Twitter for failing to live up to a promise he made in June, Legere responded and said he keeps his word. “T-Mobile is completely ending location aggregator work. We’re doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised,” he wrote in a tweet.
No word from T-Mobile or the other major carriers about why it’s taking about nine months to end the practice.
“This is not the Russian government or the North Korean government hacking into a system that hasn’t been protected. This is a company making a profit-based decision to share and sell data so they’re fully culpable and they should be fully responsible,” Court said. “I think there should be a federal law that respects California and other state laws but adds to them and creates financial penalties for when companies violate your trust and sell your information against your will.”