Following press investigations and congressional concern about leaks and improper use of consumer location data provided by mobile network operators, the national carriers have said that they are ending relationships with aggregators and/or will strictly limit aggregators’ access to such information.
Verizon, AT&T and Sprint have all said that they will begin limiting third-party aggregators’ access to network-based location information, and T-Mobile US CEO John Legere tweeted that his company will “not sell customer location data to shady middlemen.”
The New York Times reported last month that Securus Technologies, which utilized data from aggregator LocationSmart, had customers including a former Missouri sheriff charged with improperly using the private service to track the whereabouts of people including other police officers.
In addition, security researcher Brian Krebs reported in mid-May that LocationSmart had been “leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization,” (emphasis from KrebsOnSecurity). Although LocationSmart took its service offline, Krebs had already verified that the website “could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.”
As The New York Times reported, “cellphone carriers said that they relied on contracts and audits of companies to ensure that consumers had given consent for the data collected, but that those safeguards had failed to catch Securus’ activity.” In the case of Securus, the Times said that while the company ostensibly required its customers to upload a warrant, affidavit or similar legal document prior to finding a phone’s location, it didn’t check whether those documents were valid.
In response to those press reports, Senator Ron Wyden (D-Oregon) sent inquiries to companies including Verizon, asking about their practices related to data aggregators’ access. Verizon responded by outlining its approach and saying that it has decided to end its relationship with LocationSafe and fellow aggregator Zumigo as soon as possible, although the program will be unwound rather than stopped immediately so that permissible uses of the data are not disrupted.
Anonymized location data has long been seen as particularly valuable information to which carriers have unique access and which can serve as part of new revenue streams focused on monetizing data — although some have pointed out that it’s also important for carriers to properly police and vet the organizations which have access to their data treasure troves.
“Everyone had that as a line item [for] revenue growth,” said analyst Bill Ho of 556 Ventures. “What it’ll do is probably not kill, but kind of delay the business opportunity for those third parties that are being shut out from that information.”
The aggregation of data by third parties, Ho noted, meant that rather than having to request data from each carrier individually, customers such as marketers could go to aggregators to get a full, national picture.
Sounds like word hasn’t gotten to you, @ronwyden. I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen. Your consumer advocacy is admirable & we remain committed to consumer privacy. https://t.co/UPx3Xjhwog
— John Legere (@JohnLegere) June 19, 2018