Wireless carriers vow to stop selling customers' location data to third parties

  • Wireless carriers vow to stop selling customers' location data to third parties

Wireless carriers vow to stop selling customers' location data to third parties

"Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention", AT&T said in a statement provided to Ars today. He added that T-Mobile is trying to do it "the right way" to avoid affecting consumers who use these services for things like emergency assistance. "It will end in March, as planned and promised", he wrote in a tweet.

That sounds a bit rich to some lawmakers, however, who extracted what appeared to be identical promises seven months ago.

Senate Democrats called on federal agencies Wednesday to investigate the practice by major telecommunications companies of selling location data generated by subscribers' mobile devices following an undercover investigation by a security reporter that shed new light on a black market trade.

The request for an emergency briefing comes three days after Motherboard reported T-Mobile, AT&T, Sprint and other carriers were allowing third-party data aggregators to sell the sensitive information.

As a result of those efforts, the network operators at the time pledged to put an end to the practice.

New reporting by Motherboard shows that while companies may have severed ties with LocationSmart, a lot of them overlooked the other big player in the location-tracking business, Zumigo. "We have followed through on our commitment to terminate aggregation arrangements and provide location information only with the express consent of our customers".

Last year, a large number of USA carriers were under fire for selling live location data to third-party companies, including LocationSmart and Securus. "Nonetheless, we are reviewing these issues carefully to ensure the proper handling of all AT&T customer information".

When reached for comment, T-Mobile directed us to Legere's Twitter feed, where he wrote that the company has "blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt" and that the company is almost finished with the process of "terminating the agreements" it has with third-dfparty data aggregators.

But, just as we warned at the time, it was all weasel words.

A researcher reportedly paid $300 to a bounty hunter who was then able to geolocate a phone down to a location in a specific neighborhood only blocks away from the actual location of the targeted phone.

In this case it wasn't Securus but a company called Microbilt. "With each data transaction, the potential for the new party to either leak data, fall victim to compromise, or further share the data means that very quickly there's no control or governance", said Ben Johnson, co-founder and CTO, Obsidian Security.

But cell phone companies deserve some attention, too. US Senator Kamala Harris and Democratic FCC Commissioner Jessica Rosenworcel have also called on US regulators to investigate the data sharing.

T-Mobile offered a similar promise, as we noted in an update to our story on Tuesday. "Over the past few months, as we committed to do, we have been shutting down everything else", AT&T said in a statement. "We are immediately eliminating the remaining services and will be done in March".

On Tuesday, Legere returned to Twitter to insist that efforts to end the practice of selling location data are proceeding apace.