Photo: Getty / Spencer Platt

Last May, T-Mobile promised to stop selling its subscribers’ location data after reports surfaced that it was being funneled to law enforcement officers who’d otherwise need a warrant to get it. But that hasn’t happened so far.

CEO John Legere on Thursday said that the delay was to protect consumers who rely on emergency services. Companies offering roadside assistant, for example, use that data to locate people in need. And that would’ve been fine. That’s actually a really good use for that data: saving people who are stranded, possibly because they’ve been in an accident. You can imagine, there are probably few people who would have a problem with that.

Advertisement

Unfortunately, T-Mobile and its pals were so reckless in sharing this data that earlier this month, a reporter was able to purchase the location of a cellphone with a wad of cash in some undercover, back-alley transaction. Now, almost every major teleco is being forced to reckon with their own negligence by severing all ties to these so-called “location aggregators,” which have paid god knows what for access to our whereabouts.

AT&T, T-Mobile, and Sprint have reportedly all agreed to do this. But at this point, who can believe them?

Motherboard reported on Tuesday that it paid a source in the bail bond industry $300 to locate a cellphone. That information was purchased from T-Mobile by one of these “aggregators” (Zumigo) and then sold to a third company (Microbilt), who in turn was apparently selling it to bond agents, or “bounty hunters” as they’re colloquially known. Whether T-Mobile was aware of the issue or not, it had a responsibility to its customers to handle their data properly and it fucked that up royally.

Advertisement

For whatever reason—the shutdown, the immigration debate, the fact that AT&T owns its own cable news channel—this scandal is receiving only a small fraction of the attention Facebook got after its Cambridge Analytica debacle last year. But fine. All these companies say they’re going to do the right thing now. We’ll see.

Here are the promises they’ve made so far:

Sprint, in a statement published by The Verge on Thursday, said it won’t “knowingly share personally identifiable geo-location information” outside a legal request. The company also reportedly acknowledged that both Zumigo and Microbilt had violated its privacy practices. “We took immediate action to ensure Microbilt no longer had access to Sprint location data, and have notified Zumigo that we are immediately terminating our contract,” the company reportedly said.

Advertisement

T-Mobile, as mentioned, has been promising to do the same thing for nearly a year. Legere, the CEO, said in a tweet Thursday that the company would uphold its promise and that its contracts with Zumigo and other data aggregators would be ended in March, “as planned and promised.” Legere’s tweet came in response to another by Sen. Ron Wyden, who’d called the company out a day before.

“I’ll believe it when I see it,” Wyden told Gizmodo by email. “Carriers are always responsible for who ends up with their customers data–it’s not enough to lay the blame for misuse on downstream companies. The time for taking these companies at their word is long past–Congress needs to pass strong legislation to protect Americans’ privacy and finally hold corporations accountable when they put your safety at risk by letting stalkers and criminals track your phone on the dark web.”

AT&T has reportedly offered the same, says The Washington Post: “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services,” the company said, “even those with clear consumer benefits. We are immediately eliminating the remaining services and will be done in March.”

Advertisement

Verizon has somehow escaped this whole mess for now and it’s unclear how it will respond to its only three competitors all ditching location aggregators simultaneously. Notably, it’s the only company Motherboard said it wasn’t able to get location data from. It’s unclear if that’s simply because its source wasn’t plugged in. Possibly it’s managing its subscriber data better? We don’t know. (We’ve reached out for a comment and will report back if Verizon responds.)

So there you have it. Lots of promises; some we’ve heard before. Honestly, it’s difficult to put stock in any claim by a major company that holds massive amounts of consumer data. We’ve been burnt so many times over the past few years. Frankly, it’s just too easy for them to push out a press release, rake in a few glowing headlines, and then wait for everyone to forget what they’ve said.

At least this time, when March rolls around, you can bet we’ll be watching and demanding results.

Advertisement