Revealed: US telcos admit to storing, handing over location data
Letters to FCC confirm what many believed, don't address a bigger problem
US mobile carriers know a lot about where their customers every move, and according to letters sent to the Federal Communications Commission (FCC), they routinely store such location data for years, willingly hand it over to law enforcement if served a proper subpoena, and say users can't opt out.
FCC chairwoman Jessica Rosenworcel said in a missive published last week that the 15 largest mobile carriers in America responded to letters sent to them in July demanding answers on their data retention and sharing policies. This includes data tracking the movement of people via their devices.
"Carriers know who we are, who we call, and where we are at any given moment," Rosenworcel said. "That data is a sensitive record of not only a person's travel, but also their identity, she added, which is "why the FCC is taking steps to ensure this data is protected."
News that cellular carriers are storing sensitive location data – where and when you've been with your device – isn't surprising given previous actions taken against AT&T, Verizon, T-Mobile US and Sprint (T-Mo and Sprint have since merged) by the FCC in 2020 for selling location data to third parties.
The providers all say in their letters that they no longer sell people's location data to third parties. What they do suggest is that the same data is still being stored, and while data brokers may not have a seat at the bargaining table anymore, those records can still be passed to police or civil authorities without the customer – in most cases – being notified.
In AT&T's case, records that include cell-site-level data (which can provide an approximate location for the customer at any one time) are retained for five years, while T-Mobile US retains similar records for two years. Verizon holds cell site data for one year, while smaller network operators UScellular and C-Spire both store geolocation data for 18 months.
In each case, the providers said they had complied with legal subpoenas, and they don't notify customers of this except in specific circumstances, for example civil litigation cases.
Verizon and T-Mo did provide slightly more detail than their competitors, sharing details of two instances of location data sharing that differ from the rest. In Verizon's case, the company made specific mention that law enforcement could seek a warrant compelling Verizon to provide "cell tower dumps" containing the numbers of all devices connected to a particular tower during a period of time.
T-Mobile US, on the other hand, said it was willing to disclose geolocation data "as necessary to protect T-Mobile's legal interests."
None of those five cellular network operators allow users to opt out of the collection or storage of this data, with all saying it's necessary for the operation of its network and to provide services to customers.
How two-thirds of carriers differ
Rosenworcel's letters didn't just target AT&T, C-Spire, T-Mobile US, UScellular and Verizon: 10 other cell service providers were asked for the same data:
- Best Buy Health (which operates senior health cellular services Lively and Jitterbug),
- Consumer Cellular,
- Dish (which operates the Boost, Republic, Ting and Gen brands),
- Google Fi,
- H2O Wireless,
- Ultra and Mint Mobile, and
- Red Pocket
Where those 10 differ from the big five mobile network operators (MNOs), is that they all piggyback on one of the MNO networks to operate as mobile virtual network operators (MVNOs).
Those companies all had varying degrees of the same response: because we don't manage the network hardware, we don't have any location data to protect.
In the few instances where MVNOs said they did retain data from their network partners, the companies said it came in the form of cell site location data, or CSLI, that contained limited information on the tower a phone was connected to when placing a call.
MVNOs said they collect that data to facilitate billing and improve their service, but don't treat it the same way as the precise data held by the physical network operator.
"We do not view this information as geolocation information because it does not provide information as to a subscriber's precise physical location," said Locus Telecommunications, which operates H2O Wireless.
In instances of requests from law enforcement or civil authorities, the MVNOs said they typically direct inquiries to their parent network operators.
Telco coordinates not necessary
Rosenworcel's request and the telecom's responses come after the US Supreme Court overturned Roe v. Wade, which had made access to abortion legal in all 50 US states.
Prior to the reversal, a number of US senators made an effort to ban data brokers from selling location and health data information, but the bill has sat in committee since June. Despite the law not being passed, the Federal Trade Commission still launched a suit against data broker Kochava this week in which it alleges the company openly sells data that geolocates customers.
But those instances are different.
Many major tech companies have been silent on how Roe's reversal affects their businesses, which also gather an abundance of data on their customers, but which can differ from the data obtained by cellular networks. Others have quietly acquiesced to the new legal standard and have given authorities the data they want, even though it's precise location data that can provide the same details as cellular records.
Earlier this month, Facebook confirmed it received a warrant from police in Nebraska, which it complied with. Officers in that case were seeking Facebook chats between a teen and her mother, which they used to build a criminal case against the pair for facilitating the teen's illegal abortion.
App location and other non-cellular data may not be tracked by telecom companies, but just as well, police and civil authorities don't necessarily need a precise latitude and longitude to ascertain whether an individual was breaking a state-wide law.
In the case of MVNOs, who only hold the data that their host networks provide to them, the records are still enough to locate an individual to the cell tower their phone was connected to. If a particular tower's service area is located entirely within the boundaries of a state, that data could be used as evidence of a crime.
Given the high profile of such cases recently, the police and other agencies looking for location data may not want to approach telecom companies, but that's not necessarily a good thing when the alternative is a data broker.
Fog Data Science is one such data broker, and has multiple deals in place with US law enforcement to provide data sourced from mobile apps containing tracking code. According to a recent EFF report, for less than $10,000, subscribers gain access to Fog's alleged 15 billion sets of data points collected monthly from 250 million US devices, all without the need to obtain a warrant for similar information that could be gleaned from phone records.
- Why bother with warrants when cops can buy location data for under $10k?
- FTC sues data broker for selling millions of people's 'precise' location info
- Meta offers $37.5m to settle location tracking lawsuit
- Google fined $42.5m over misleading Android location settings in Australia
Most of the letters to the FCC argue that such data is out of the control of telecom companies, as it's provided by apps that aren't managed by them or their networks.
What can the FCC really do?
In a press release, Rosenworcel said that she was asking the FCC Enforcement Bureau to launch a new investigation into whether mobile carriers were complying with FCC rules requiring carriers to fully disclose how they use and share location data.
To aid in its work, the FCC said it was also adding a simplified privacy complaint filing system "so we can take action under the law."
Whether fines like those levied against carriers in 2020 would come out of the investigation or consumer complaints is unclear, as is the efficacy of such an investigation.
In the letters, telecoms businesses claimed they were doing everything in their power to only share data when legally obligated. An investigation may very well prove that's the case, or find violations that would hopefully cause the company to clean up its act.
In the meantime, all the data any agency could want is already for sale online, and the FCC might not have any power to stop it. ®