AT&T, Sprint, Verizon, T-Mobile US pledge, again, to not sell your location to shady geezers. Sorry, we don't believe them

Fool me once, shame on, shame on you. Fool me, you can't get fooled again*, OK

US cellphone networks have promised – again – that they will stop selling records of their subscribers' whereabouts to anyone willing to cough up cash.

In a statement on Thursday, AT&T said: "In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services – even those with clear consumer benefits," adding: "We are immediately eliminating the remaining services and will be done in March."

That same March deadline was referenced by T-Mobile US's CEO John Legere who had promised last June to end the sale of subscribers' private location data. Legere tweeted this week: "T-Mobile is completely ending location aggregator work. We’re doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised."

Getting deja vu

That sounds a bit rich to some lawmakers, however, who extracted what appeared to be identical promises seven months ago. Back then, Senator Ron Wyden (D-OR) discovered that a company called Securus Technologies was selling people's location data to the cops, and insisted that America's telecoms watchdog the FCC investigate.

Wyden also wrote to the four major US cellular telcos – AT&T, Verizon, T-Mobile and Sprint – asking them to carry out an audit of which third parties had access to user location data, and ensure that they had people's consent before sharing such personally identifiable information.

As a result of those efforts, the network operators at the time pledged to put an end to the practice. Verizon sent a letter [PDF] saying it had "conducted a comprehensive review" of its "location aggregator program" and as a result would kill the agreements it had with the two companies in the program, LocationSmart and Zumigo.

Verizon claimed that location data was only sold if subscribers had explicitly agreed to it, and that the sale of such information was only allowed "under specific conditions" which include fraud detection "or customer identification among others."

The other operators put out similar statements. "AT&T has no reason to believe that there are other instances of unauthorized access to AT&T customer location data," the communications giant said. "Nonetheless, we are reviewing these issues carefully to ensure the proper handling of all AT&T customer information."

And T-Mobile US's Legere told Senator Wyden to his face that he would end the practice of selling location data through third parties.

That was then. Now...

But, just as we warned at the time, it was all weasel words. Fast forward to this month, and journalist Joe Cox was able to pay a bounty hunter $300 to have someone's T-Mobile US phone number tracked and located – through the exact same location reselling system that had previously been exposed.

In this case it wasn't Securus but a company called Microbilt. However, the details were identical: it was an approved third party that purchased subscribers' location records from a carrier, and through a chain of organizations, sold that private location data to pretty much anyone willing to pay for it: from car salespeople, stalkers, and property managers to criminals, bounty hunters, and private investigators, potentially.

Subscribers are not informed that their location data has been provided to a third party, and it is highly debatable that they have given their explicit permission to be tracked – despite what the cell networks claim – in large part because there is no way for users to tell their mobile operators to not sell their location data.

Following the revelation this month that nothing has changed, Senator Wyden has again called for an FCC investigation, and again argued for a privacy law that would protect US citizens from having their personal data sold without their permission. Wyden has found another supporter in the form of Senator Kamala Harris (D-CA).

Groundhog Day

Cue another round of promises from the mobile networks. Having been accused of lying to Senator Wyden, T-Mobile US boss Legere embarked on some history revision.


Back in June, Legere made the seemingly unambiguous promise that he had "personally evaluated this issue and have pledged that T-Mobile will not sell customer location data to shady middlemen."

After repeated questions on what that actually meant, a few days later T-Mobile US clarified that it was "winding down our location aggregation agreements." Yet seven months later, it seems that "winding down" still hadn't started.

Following this week's outcry, Legere repeated the same argument as months earlier, and claimed that his telco was "doing it the right way to avoid impacting consumers." He claimed to have promised to end the whole thing in March, though we have been unable to find any reference to March 2019 back in June 2018.

Meanwhile, Sprint, which is being gobbled up by T-Mobile US, gave a vague promise to not "knowingly share personally identifiable geo-location information" unless lawfully compelled by the cops or Feds. Verizon, which appears to have been the only network carrier to have mostly pulled the plug on location data sales, said it is still shutting down what's left of its whereabouts-reselling operation: four location-sharing deals with roadside assistance companies, which now face the chop. Once those agreements are over, Verizon won't sell any location data, and will only share people's whereabouts to roadside assistance organizations with subscribers' permission, it is claimed.

As things stand, despite what appear, again, to be unambiguous promises to end location data selling, there is nothing to stop mobile telcos from simply coming up with a different name or spin for their location-peddling services, and firing it all up again.

While there is money to be made and no law preventing it, it is a virtual certainty that AT&T and others will figure out a way to profit from selling their customers' private data. Last time around, FCC boss Ajit Pai refused to investigate the matter, and while there has been no response from Pai on the renewed calls for an investigation thanks to the partial US government shutdown, it is a virtual certainty that he will continue his pro-telco agenda and stay away from the issue.

Meanwhile, pressure grows in Congress to introduce a privacy law – an American version of Europe's GDPR – especially in the light of abuses by Facebook and others. But that process is very far from certain given that many of the companies that benefit most from selling user data are also some of the most powerful and generous lobbyists in Washington DC. ®

*Not a typo


Biting the hand that feeds IT © 1998–2021