Phone Companies Say They've (Mostly) Stopped Selling Your Location Data to Shady Middlemen

Illustration for article titled Phone Companies Say They've (Mostly) Stopped Selling Your Location Data to Shady Middlemen
Photo: Richard Drew / AP

In a series of letters published by FCC Commissioner Jessica Rosenworcel on Thursday, representatives of T-Mobile, AT&T, Sprint, and Verizon all said they had ceased or significantly curtailed the sale of their customers’ location data to companies whose shady practices brought to light triggered alarms among privacy advocates and lawmakers on Capitol Hill.


The companies were responding to questions from Rosenworcel prompted by news reports that location data originating with America’s largest telecoms was being acquired and sold downstream by bounty hunters and others without the consent of the companies themselves or their customers. The New York Times, for instance, reported last year that law enforcement officials had also purchased access to location data, circumvented the usual need for a warrant.

On Wednesday, House lawmakers grilled the FCC’s chairman, Ajit Pai, for details about the status of the commission’s nearly year-long investigation into the malpractice. After two hours, it adjourned with no new information.

“The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data,” Rosenworcel said in a statement. “That’s unacceptable.”

In a May 15 letter, AT&T said that as of March 29 it was no longer sharing its customers’ data with location aggregators. “Our contracts require all parties who have received AT&T customer location data in connection with those arrangements to delete that information and we are verifying that they have done so, subject to any of their preservation obligations.”

Sprint said in its letter that it is now only sharing location data with one location aggregator and two customers “with a public interest,” a roadside assistance company and another that facilities compliance with state lottery requirements. The company said, however, its contracts with location aggregators have permitted them to “store location data for time periods, which allows for adequate response to any claims that may arise.” The contracts, it said, require the data to be encrypted. It added vaguely that the data may only be shared “as necessary to fulfill its obligations under the contract.”


T-Mobile said that, as of February 8, it had “terminated all service provider access to location data” under its aggregator program, and that, as of March 9, it had terminated all existing aggregator contracts.

“Except for four roadside assistance companies,” Verizon terminated its location aggregator program as of November 2018, the company said. It added that the four remaining contracts were terminated by the end of March. “The location information that the aggregators received through Verizon’s prior location aggregator program included the approximate latitude and longitude of the subscriber’s mobile phone, as well as the error radius and other error information for location queries, and the date and time stamp for the location transaction,” the company said, adding that while “generally” the information it sold was “coarse,” a “small percentage ... was more accurate location information.”


“This is an issue that affects the privacy and security of every American with a wireless phone,” Rosenworcel said. “It is chilling to think what a black market for this data could mean in the hands of criminals, stalkers, and those who wish to do us harm. I will continue to press this agency to make public what it knows about what happened. But I do not believe consumers should be kept in the dark. That is why I am making these letters available today.”

You can read each of the mobile providers’ letters here.


Senior Reporter, Privacy & Security



It doesn’t seem like roadside assistance companies would need it anymore either. There was a time, like a decade ago, when GPS in phones wasn’t common, and neither were consumer-installed apps, so I can see that cellular location tracking data would actually have served a useful third party purpose - only the phone company would actually know roughly where you were via cell tower triangulation*, and that data would actually have been useful for those third party roadside assistance services to locate you.

These days, however, as virtually all phones have a GPS receiver (which works outdoors even without any data connection), so there’s no reason why cellular-location based roadside assistance needs to exist. If they want to sell you a roadside assistance service, simply put it in an app and give the consumer control over when and how the GPS location data is shared with the third party. (Of course, cell phone companies themselves will always know your location, since it’s your phone connecting to their towers, and they know where their towers are. There’s nothing inherently wrong with that alone.)

*And yes, cell tower triangulation is still one part of the “assisted GPS” features built into most phones now, but it’s not necessarily required - you can get a purely satellite-driven GPS signal on most phones without any cell coverage at all. Whether you have a corresponding offline map is another story, of course.