Wanna sue us for selling your location? Think again: You should read your contract's fine print, says T-Mobile US

T-Mobile US has finally responded to a lawsuit filed in May that accuses it of trashing its customers' privacy by selling off their location data.

But in that first response [PDF], the mobile network makes no mention of the issue at the heart of the lawsuit – peddling subscribers' whereabouts to third parties who then resold the information on to just about anyone – and argues only that the case should be argued through private arbitration rather in public court.

The case was filed in Maryland, USA, by two T-Mob customers as part of a broader class-action lawsuit against all four major American cell networks, organized by consumer protection law firm Z LAW.

The complaint [PDF] digs into the extraordinary situation where mobile operators were repeatedly found to have lax controls on the sale of geolocation data of subscribers' handsets, resulting in an underground market where the location of any mobile phone in the US was available to purchase for a few hundred dollars. It was particularly popular with bounty hunters trying to track down individuals that had skipped bail.

The fact that the mobile operators failed to properly review or audit what was done with such sensitive data came to light in May 2018 when Senator Ron Wyden (D-OR) sent a letter to the Federal Communications Commission (FCC) and asked it to investigate reports that a company that provides phone-calling services for jails was providing real-time location data on mobile phones through a web portal.

Wyden noted that the cellular network operators were providing this information to prisons telecommunications supplier Securus which was then providing it to others "for nothing more than the legal equivalent of a pinky promise."

This was not the first time that Securus had been accused of violating people's rights. Back in 2015, the company was accused of recording inmates' phone calls - including those between inmates and their lawyers.

Not the first time

It was also not the first time that the FCC had received a complaint about Securus selling location data – it emerged that a lawyer digging into Securus discovered it was also running a location data database and wrote to the FCC outlining his concerns, arguing that it will breaching Section 222 of the US Communications Act which covers the protection of customer data.

The FCC acknowledged the concerns, according to the lawyer, Lee Petro, but decided not to look into the matter and closed the objection soon after Securus was sold to by private equity firm ABRY Partners to private equity firm Platinum Equity in October 2017.

After Wyden's letter caused an outcry, the mobile operators all pledged to review their practices and said they would cut off any third parties found to be breaching agreements on protecting user privacy.

In T-Mobile US's case, it sent a letter back to Wyden that said it "takes the privacy and security of our customers’ data very seriously," and said it had never approved the provision of data through Securus's web portal. It also said it had shut down that service and promised it would "take appropriate steps to ensure that our customer can receive the location-based services they desire in a manner that is consistent with applicable law, their privacy expectations and our high standards for service to our customers."

T-Mobile US's CEO John Legere also tweeted that he had "personally evaluated this issue and have pledged that T-Mob USA will not sell customer location data to shady middlemen."

But six months later, another report came out where a journalist paid a bounty hunter $300 to track a specific cellphone number – and he came back with the exact location of that handheld.

That time it was a company called MicroBilt that was selling geolocation services with little or no oversight to a wide range of customers including car salesman and property managers. Those customers were also selling their services on a black market to anyone that paid them.

Third party data party

It subsequently turned out that one of the two companies that T-Mobile US sold its geolocation services to, Zumigo, was reselling that service to MicroBilt, which was then reselling again to others.

That letter to another letter from Senator Wyden to both the FCC and the mobile operators demanding that they investigate what was going on. In his letter to T-Mobile US, Wyden addressed its CEO and noted that the continued sale of the data "is in direct contradiction of your 'personal evaluation’ of the issue six months ago."

In response, the mobile operator promised – again – that they would review the situation. Then, under growing pressure, agreed to end the sale of location services altogether. Legere tweeted again: "T-Mobile is completely ending location aggregator work. We're doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised."

But by that point, Senator Wyden, privacy advocates and even some FCC Commissioners had had enough. Amazingly, in the same timeframe and despite having failed to open an investigation into the sale of location data, FCC chair Ajit Pai then proposed a new system that would require mobile operators to store even more accurate location data.

Wyden was furious and tweeted: "This is more than an oversight. It's flagrant, willful disregard for the safety and security of Americans. Meanwhile, instead of policing these carriers, FCC and Ajit Pai have been rewriting the rules to help cellular networks rake in more profit."

The lawsuit was filed the next month, and it accuses mobile networks of violating Section 222 – the same protections that were raised nearly two years earlier. It accuses T-Mobile US (as well as Sprint, Verizon and AT&T) of "negligent and deliberate acts, including inexplicable failures to follow its own Privacy Policy."

The plaintiffs seek a jury trial, hope to upgrade their complaint to a class action lawsuit that would cover roughly 300 million customers of the four mobile operators whose location information was provided to third parties between 2015 and 2019, and seek unspecified damages "in an amount to be proven at trial."

All the operators have either refused to comment on the case, or have said they will fight it. We now know T-Mobile US's opening gambit: to try to force the situation into private arbitration and tackle it on an individual basis, rather than face a public trial and potentially be forced to reimburse every single one of its customers. The case is still unfolding, and no decision either way on arbitration or trial has been made so far by the courts.

"As T-Mobile customers, each Plaintiff accepted T-Mobile’s Terms and Condition," T-Mob's response reads. "In so doing, they agreed to arbitrate on an individual basis any dispute related to T-Mobile’s services and waive their right to participate in a class action unless they timely opted out of the arbitration procedure outlined in the Ts&Cs. Neither Plaintiff elected to opt out." ®