Phone carriers make money selling your location data
The companies had promised to stop, except they didn’t
Last spring, Robert Xiao got a tour of Hawaii from a bird’s-eye view. He wasn’t flying a drone. He wasn’t in a plane. No helicopters, either.
Then a Ph.D. student at Carnegie Mellon University’s Human-Computer Interaction Institute, he sat in Pittsburgh and — on his computer -— watched a friend drive around the island. All Mr. Xiao needed was the friend’s cell phone number to track his location in real time.
It was a test. Mr. Xiao wanted to ensure he had really found a security breach that exposed nearly every American’s realtime location, just using a phone number.
What resulted was a “bizarre” tour of the island, he said, and a slew of questions about LocationSmart, the Carlsbad, Calif.-based company he was checking up on. It aggregates location data from cell phone providers and, in turn, sells that information to other parties — even bounty hunters.
“This little company that nobody had ever really heard of had access to every American cell phone in real time,” Mr. Xiao said. “I found that you could basically track anyone in the continental U.S. and even some places in Canada.”
After Mr. Xiao’s findings went viral in the tech news media in 2018, the U.S. Federal Communications Commission opened an investigation into the LocationSmart security flaw that for years made public virtually every cell phone user’s location.
Then the telecommunications companies who collect location data — like AT&T, T-Mobile and Sprint — promised to stop selling it.
Except, they didn’t.
It was the same song and dance in January when those companies again were caught selling customers’ location data.
A Motherboard investigation revealed that, through location data collected from carriers, bounty hunters could find pretty much anyone, as long as they had a phone number. For the second time in the past year, carriers said they would stop selling customer location data to third parties.
More promises
Cell phone carriers have a history of selling your location data for some legitimate purposes, like making sure someone else isn’t using your credit card or tracking your location after you’ve gotten into a car
crash.
Still, once location data is in the hands of aggregators like LocationSmart, there’s no telling what could happen to it.
“There’s nothing to hold those third parties responsible,” said Tom Dugas, director of information security and chief information security officer for Duquesne University in Uptown. “They want to monopolize and commercialize that data.”
Sprint said it would end arrangements with data aggregators last year, but at the time kept some agreements in place to sell location data when it could benefit consumers, like in roadside assistance or to prevent bank fraud.
“We implemented new, more stringent safeguards to help protect customer location data, but as a result of recent events, we have decided to end our arrangements with data aggregators,” said Lisa Belot, a spokeswoman for Sprint.
Similarly, AT&T promised to stop selling location data to aggregation services last year, with the exception of those that could help customers, said Jim Greer, assistant vice president of corporate communications.
“In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services — even those with clear consumer benefits,” Mr. Greer said in an email Thursday. “We are immediately eliminating the remaining services and will be done in March.”
A T-Mobile spokesperson said it, too, is winding down sales of location data, though that process will not be finalized until at least March.
“We have been transparent that we are ending all of our location aggregator services and we are almost done with that process,” the company said in an emailed statement. “We have been working to wind it down in a responsible way that won’t impact customers who use these services for things like emergency assistance.”
By contrast, Verizon is the only company not implicated in the Motherboard report.
“We have followed through on our commitment to terminate virtually all location information arrangements and provide location information only with the express consent of our customers,” said Richard Young, spokesman for Verizon.
The company maintains roadside assistance during the winter months for “public safety reasons,” Mr. Young said, but Verizon will transition out of those agreements by the end of March.
Outspoken skeptics like Sen. Ron Wyden, D-Ore., say there’s no way to believe carriers now.
“Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers,” he wrote in a Tweet.
Incentive for risky business
After he found the LocationSmart security flaw last year, Mr. Xiao said he realized carriers were still working with other third-party data aggregators.
“From my perspective, I was really hoping they’d stop location tracking entirely ... but they didn’t fully commit to stopping,” he said.
Beside LocationSmart, carriers were still working with companies like San Jose, Calif.-based Zumigo, which describes itself as a “leading provider of enhanced mobile identity solutions.” In practice, that means it works with credit bureaus, financial institutions and retailers to try to stop fraud.
“Our cell phone carriers have a financial incentive to sell your location data, or information about where you are,” Mr. Dugas explained. “They said [they’re] going to stop selling our location data except where there is a valid business use case for it.”
Aggregators pay cell phone carriers a fee for the location data they collect.
That can be risky business, though, as relatively small third-party firms like LocationSmart and Zumigo may not have the budgets to hire strong cybersecurity teams — hence the risk of hacks similar to what Mr. Xiao found, even if the cell phone carrier, itself, is completely secure.
“The investment that [these companies are] able to make in information security just isn’t there ... they first think about sales people and finance people,” Mr. Dugas said.
“They don’t really think about the security side all the way, and when they do, they have a handful of people. It’s kind of an afterthought.”
And with no regulatory framework to tell the location service companies how to act, he added, it’s difficult to trust these data aggregators will put the correct security measures in place to protect your location data.
“What’s to say, for example, that someone poses as a bounty hunter, signs up for one of these aggregators, they’re not a bounty hunter, and they’re perhaps a stalker or looking to do some ill intent?” Mr. Dugas said.
As telecommunication companies double down on their promises to stop selling location data, Mr. Xiao remains skeptical.
“Hopefully we evaluate the entire industry of selling peoples’ location data in the future,” he said. “It’s annoying that we basically have to find massive breaches in trust before we can get this thing fixed.”