Multiple class actions target US carriers over selling location data

The classes would cover all of the carriers' customers between 2015 and 2019, topping 300 million people, Ars Technica reported on Monday. The companies are accused of violating Section 222 of the U.S. Communications Act, which specifies that carriers can't use or share location data "without the express prior authorization of the customer." The defendants are further said to have violated their own privacy policies.

At the heart of the matter is a January 2019 report by Motherboard that found that through data brokers using carrier data, it was possible to pay a bounty hunter as little as $300 for help tracking down a smartphone — and by extension, its owner. The carriers have since started winding down their sharing practices.

The carriers made similar promises to Sen. Ron Wyden (D-OR) in June 2018 however, following a scandal with a firm called Securus. That business was not only selling location data to police forces, but found itself the victim of a hack that resulted in hundreds of police officers having their logins stolen.

In fact Securus is referenced in all four of the new lawsuits, and three of them cite Motherboard.

AT&T is promising to "fight" its case, claiming the facts don't support the plaintiffs and that there are "clear and even life-saving benefits" to sharing location data in some instances, such as roadside assistance.

"We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse," it added.

Sprint and T-Mobile have refused to comment beyond the former saying it's "reviewing the legal filing," and the latter reiterating that it "terminated all service provider access to location data as of Feb. 8." Verizon has yet to make a public statement.

The carriers are under growing pressure from the Federal Communications Commission, which recently asked for confirmation that they're fulfilling promises, and is investigating both mobile and landline ISPs.