Privacy invasions —

AT&T denies that selling phone location data was illegal as FCC investigates

Carrier data sales ultimately leaked real-time locations of cell phone users.

A smartphone mounted on a car dashboard and displaying a GPS map.
Getty Images | Witthaya Prasongsin

AT&T, T-Mobile, and Verizon have all told the Federal Communications Commission that they recently stopped selling their customers' phone location information to other companies. Sprint said it is phasing out the sales and will shut them down by the end of this month.

The details came in letters to FCC Commissioner Jessica Rosenworcel, who had demanded an update on the carriers' sale of customers' real-time geolocation data. Rosenworcel released the carriers' responses yesterday.

Rosenworcel, a Democrat, criticized the Republican-controlled FCC for not taking action against the carriers over the privacy invasions.

"The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data. That's unacceptable," Rosenworcel said. "I don't recall consenting to this surveillance when I signed up for wireless service—and I bet neither do you. This is an issue that affects the privacy and security of every American with a wireless phone. It is chilling to think what a black market for this data could mean in the hands of criminals, stalkers, and those who wish to do us harm."

Rosenworcel and Geoffrey Starks, the FCC's two Democrats, say that Chairman Ajit Pai's office has refused to give them any substantial update on the agency's investigation into the matter.

All four carriers promised to stop selling their customers' phone location data to third parties in June 2018, after a security problem leaked the real-time location of US cell phone users.

But a series of reports by Motherboard beginning in January 2019 showed that T-Mobile, Sprint, and AT&T were still selling the sensitive data. (By this point, Verizon says it had stopped its location-data sales except for four roadside assistance companies.)

AT&T: Data sales not illegal

"[W]e decided in January 2019 to accelerate our phase-out of these services," AT&T told Rosenworcel in a letter on Wednesday. "As of March 29, 2019, AT&T stopped sharing any AT&T customer location data with location aggregators and LBS [location-based services] providers. Our contracts require all parties who have received AT&T customer location data in connection with those arrangements to delete that information and we are verifying that they have done so, subject to any of their preservation obligations." AT&T said that it always "limited its provision of location information to approved use cases and imposed strict standards to protect against improper use or disclosure of customer location data."

AT&T's letter denied that its sale of assisted GPS (A-GPS) data used with 911 location services violated US law. As we've previously written, carriers cannot use data in the National Emergency Address Database (NEAD) for anything other than 911 purposes.

But A-GPS data is not part of the NEAD, AT&T explained:

The FCC's prohibitions on the use of the National Emergency Address Database ("NEAD") for non-emergency services do not apply to A-GPS because A-GPS is not associated with or stored within NEAD. Instead, the NEAD is being developed to include "MAC address and BT-PDA information of fixed indoor access points (e.g., Wi-Fi and Bluetooth) that will be used to determine the specific indoor location of wireless 911 callers. While A-GPS is certainly used by 911 dispatchers to assist in locating individuals in emergency situations, it is also an important feature commonly used by app developers to provide location services. For example, ridesharing apps use A-GPS to make sure the car shows up in the right location. For these reasons, reports of purported improper use of A-GPS are incorrect.

The CTIA wireless lobby group, which created NEAD, confirmed to Ars today that A-GPS data is not included in the NEAD.

However, AT&T's letter to Rosenworcel doesn't address the question of whether AT&T and other carriers violated Section 222 of the Communications Act, a US law that says phone companies may not use or disclose customer location information "without the express prior authorization of the customer." Section 222 applies generally to what's known as "Customer Proprietary Network Information (CPNI)," and the FCC confirmed in 2013 that "[t]he location of a customer's use of a telecommunications service also clearly qualifies as CPNI."

The ongoing FCC investigation could determine whether the sales violated Section 222.

T-Mobile, Verizon, and Sprint responses

T-Mobile told Rosenworcel that it "terminated its location-based service contracts with the Location Aggregators, effective March 9, 2019." T-Mobile had notified data aggregators that it was terminating their contracts on October 26, 2018, but it told Rosenworcel that it "agreed to a phased termination approach because we did not want to abruptly terminate location-based services that provided important consumer benefits, such as emergency assistance services, without giving customers an opportunity to find alternatives."

Verizon told Rosenworcel, "Except for four roadside assistance companies, Verizon terminated its location aggregator program in November of 2018. And Verizon terminated the arrangements with the four remaining companies at the end of March 2019."

When Verizon's data sales were still in full swing, the program "allowed two third-party aggregators to share location information of certain of our wireless subscribers at particular moments in time with their corporate customers under specific conditions (including having obtained consent from our wireless subscribers)," Verizon said.

"Verizon also had a detailed process for reviewing and authorizing the aggregators' corporate customers and those customers were limited to using our subscriber location information for specific, approved use cases," the company said. "Verizon also regularly conducted audits of the program through a third-party auditor."

Sprint told Rosenworcel that it is "currently only using one location aggregator to provide LBS to two customers with a public interest—a provider of roadside assistance for Sprint customers, and a provider that facilitates compliance with state requirements for a lottery that funds state government."

Sprint said it is ending this deal as of May 31. "Sprint anticipates that after May 31. 2019, it may provide LBS services directly to customers like those described above, but there are no firm plans at this time," the company said.

At congress, Pai tries to pass the buck

Carriers are facing proposed class-action lawsuits over the location-data sales, as well as that FCC investigation.

Lawmakers questioned Pai about the investigation Wednesday at a Communications and Technology Subcommittee hearing, as Gizmodo reported. Pai reportedly tried to pass the buck to Starks, even though Pai ultimately controls the investigation and Starks wasn't yet an FCC commissioner when the investigation began.

Gizmodo wrote:

Pai said that in February, just days after Starks was sworn in, he invited the newly confirmed commissioner to take control of the investigation. It fell on Starks to explain [to Congress] Wednesday the reason that he had turned down the offer. While considering it, he had requested a briefing to gauge the investigation's progress. "What I heard at that briefing did not give me confidence that that case was moving along quickly enough," he said, and so he declined the offer.

Pai also told lawmakers that he has not withheld any information about the investigation from Starks and Rosenworcel, but Rep. Anna Eshoo (D-Calif.) suggested that Pai may have been lying. In a letter yesterday. Eshoo wrote to Pai:

After the hearing, I confirmed with Commissioners Rosenworcel and Starks that they have explicitly asked for and have not received specific information and documents related to the FCC's investigation... Given the chasm between this information and your statement yesterday, I would like to give you the opportunity to correct the comments you made at the hearing, recognizing that lying to Congress is a federal crime.

I once again request that you immediately share the information and documents that Commissioners Rosenworcel and Starks have requested from you regarding the FCC's investigation. They are full Commissioners of the FCC and their requests must be honored.

We contacted Pai's office about the letter and the investigation and will update this story if we get a response.

Channel Ars Technica