The carriers have been found selling real-time location information from customer devices to data aggregators, leading the location data to end up in the hands of private investigators, bounty hunters, law enforcement, credit companies, and more.
Companies like LocationSmart and Zumigo obtained location information from U.S.-based cellular carriers and passed that data on to dozens of other companies, putting real-time customer location information in the hands of those who should not have it.
After coming under scrutiny for their location sharing practices, AT&T, Sprint, Verizon, and T-Mobile, pledged to stop doing so, but many had not actually stopped entirely as of January.
The FCC is now demanding answers from the four carriers. FCC Commissioner Jessica Rosenworcel asked the heads of each company to provide details on whether the data aggregators were allowed to save phone location data and what steps carriers are going to take to make sure shared data has been deleted. From the letter to AT&T:
Real-time location information is sensitive data deserving the highest level of privacy protection. But it is evident from press reports that this data may have been sold without the explicit consent of consumers and without appropriate safeguards in place.
Accordingly, I appreciate your decision to end these location aggregation services by March of this year. To that end, I kindly request that you provide an update on your efforts and confirm by what date AT&T ended its arrangements to sell the location data of its customers. Please also confirm whether and by what date the company ended arrangements to sell assisted or augmented GPS data.
Finally, the public still has very little detail about how much geolocation data is being saved and stored-including in ways that may be far too accessible to others. Even de-anonymized location data may be combined with other information in ways that could make it personally identifiable again. Accordingly, please explain whether AT&T’s agreements permitted aggregators or others to save and store location data they received from your company. If so, please confirm what steps your company is taking to ensure that these companies delete or destroy previously shared data and any derivative data. Alternatively, please explain what steps AT&T is taking to safeguard such data from use or onward sale that is inconsistent with consumers’ original content.
Similar letters were also sent to Sprint, Verizon, and T-Mobile, and all four carriers have been asked to provide responses to the FCC by May 15, 2019.