All four major U.S. carriers — AT&T, T-Mobile, Verizon, and Sprint — are facing proposed class action lawsuits over their selling of customer location data.
The classes would cover all of the carriers' customers between 2015 and 2019, topping 300 million people, Ars Technica reported on Monday. The companies are accused of violating Section 222 of the U.S. Communications Act, which specifies that carriers can't use or share location data "without the express prior authorization of the customer." The defendants are further said to have violated their own privacy policies.
At the heart of the matter is a January 2019 report by Motherboard that found that through data brokers using carrier data, it was possible to pay a bounty hunter as little as $300 for help tracking down a smartphone — and by extension, its owner. The carriers have since started winding down their sharing practices.
However, the carriers made similar promises to Sen. Ron Wyden (D-OR) in June 2018, following a scandal involving a firm called Securus. That business was not only selling location data to police forces, but also found itself the victim of a hack that resulted in hundreds of police officers having their logins stolen.
In fact, Securus is referenced in all four of the new lawsuits, and three of them cite Motherboard.
AT&T is promising to "fight" its case, claiming the facts don't support the plaintiffs and that there are "clear and even life-saving benefits" to sharing location data in some instances, such as roadside assistance.
"We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse," it added.
Sprint and T-Mobile have refused to comment beyond the former saying it's "reviewing the legal filing," and the latter reiterating that it "terminated all service provider access to location data as of Feb. 8." Verizon has yet to make a public statement.
The carriers are under growing pressure from the Federal Communications Commission, which recently asked for confirmation that they're fulfilling promises, and is investigating both mobile and landline ISPs.
8 Comments
Even if the phone companies stopped selling your data, that wouldn't impact companies outside the US from selling that data. You ask, "How would companies outside the US know where I am?" You can read the answer by doing a web search for "SS7". The SS7 protocol by which all cell phones world-wide operate makes it possible for any phone company outside the US to find where you are (if your cell phone is turned on, of course.) And they are legally allowed to operate, and they do sell location data online. https://en.wikipedia.org/wiki/Signalling_System_No._7 So I'm not really sure what the point is in getting US companies to stop selling your data. Here's a decent introduction to the topic: https://www.sans.org/reading-room/whitepapers/critical/fall-ss7-critical-security-controls-help-36225
Prediction: if corporatocracy doesn’t win and throw the suit out of court, there will be a minor settlement, no wrongdoing admitted, most of the money will go to lawyers, and the carriers will add the appropriate “we may sell your location data” language to their non-negotiable contracts that no one reads nor can refuse (if they want cellular service).
How was this ever a thing they thought they could do? Stunning.