In a series of letters published by FCC Commissioner Jessica Rosenworcel on Thursday, representatives of T-Mobile, AT&T, Sprint, and Verizon all said they had ceased or significantly curtailed the sale of their customers’ location data to companies whose shady practices brought to light triggered alarms among privacy advocates and lawmakers on Capitol Hill.
The companies were responding to questions from Rosenworcel prompted by news reports that location data originating with America’s largest telecoms was being acquired and sold downstream by bounty hunters and others without the consent of the companies themselves or their customers. The New York Times, for instance, reported last year that law enforcement officials had also purchased access to location data, circumvented the usual need for a warrant.
On Wednesday, House lawmakers grilled the FCC’s chairman, Ajit Pai, for details about the status of the commission’s nearly year-long investigation into the malpractice. After two hours, it adjourned with no new information.
“The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data,” Rosenworcel said in a statement. “That’s unacceptable.”
In a May 15 letter, AT&T said that as of March 29 it was no longer sharing its customers’ data with location aggregators. “Our contracts require all parties who have received AT&T customer location data in connection with those arrangements to delete that information and we are verifying that they have done so, subject to any of their preservation obligations.”
Sprint said in its letter that it is now only sharing location data with one location aggregator and two customers “with a public interest,” a roadside assistance company and another that facilities compliance with state lottery requirements. The company said, however, its contracts with location aggregators have permitted them to “store location data for time periods, which allows for adequate response to any claims that may arise.” The contracts, it said, require the data to be encrypted. It added vaguely that the data may only be shared “as necessary to fulfill its obligations under the contract.”
T-Mobile said that, as of February 8, it had “terminated all service provider access to location data” under its aggregator program, and that, as of March 9, it had terminated all existing aggregator contracts.
“Except for four roadside assistance companies,” Verizon terminated its location aggregator program as of November 2018, the company said. It added that the four remaining contracts were terminated by the end of March. “The location information that the aggregators received through Verizon’s prior location aggregator program included the approximate latitude and longitude of the subscriber’s mobile phone, as well as the error radius and other error information for location queries, and the date and time stamp for the location transaction,” the company said, adding that while “generally” the information it sold was “coarse,” a “small percentage ... was more accurate location information.”
“This is an issue that affects the privacy and security of every American with a wireless phone,” Rosenworcel said. “It is chilling to think what a black market for this data could mean in the hands of criminals, stalkers, and those who wish to do us harm. I will continue to press this agency to make public what it knows about what happened. But I do not believe consumers should be kept in the dark. That is why I am making these letters available today.”
You can read each of the mobile providers’ letters here.