Lawsuits Alleges U.S. Cellphone Carriers Sold Customer Location Data

New class-action lawsuits have been filed against major US cellphone carriers AT&T, Verizon, T-Mobile, and Sprint in US District Court in Maryland. Each suit alleges violation of Section 222 of the US Communications Act in mostly identical terms via (in the words of the AT&T suit) the real-time “collection of geolocation data and the unauthorized dissemination to third-parties of the geolocation data collected from its users’ cell phones…including but not limited to data aggregators, who in turn, are able to use or resell the geolocation data with little or no oversight by [the service provider].”

Ars Technica reports that the lawsuits are on the behalf of “all of the four carriers’ customers in the US between 2015 and 2019” – some 300 million-plus customers in all. Damages are currently unspecified and will be “in an amount to be proven at trial.”

How did we get here?

In May 2018, the New York Times reported that a former sheriff in Missouri allegedly “used a lesser-known” service provided by American prison technology company Securus “to track people’s cellphones, including those of other officers, without court orders.” Cory Hutcheson, the sheriff in question, was alleged to have “used the service at least 11 times…[to track] a judge and members of the State Highway Patrol.”

Real-time tracking using cellular data is not a new phenomenon, but tracking has typically required a warrant from a judge or district attorney – a theoretical barrier against misuse. Cell phone carriers are allowed to “sell the ability to acquire location data for marketing purposes” with customer consent, and typically “generally sign contracts pledging to get people’s approval — through a response to a text message, for example, or the push of a button on a menu — or to otherwise use the data legally.”

While Securus said “that it required customers to upload a legal document…and certify that the [tracking] activity was authorized,” opponents soon emerged to assert the process was not rigorous enough, including Senator Ron Wyden, Democrat of Oregon. “Wireless carriers have an obligation to take affirmative steps to verify law enforcement requests,” said Wyden in a letter to the FCC – instead, wrote Wyden, the contracts between cellular carriers and Securus are “the legal equivalent of a pinky promise.” The resulting criticism led the major cell phone carriers to promise “to stop selling their mobile customers’ location information to third-party data brokers after a security problem leaked the real-time location of US cell phone users.”

What’s next?

Despite the public promises, problems remain. A January 2019 report from Motherboard “[showed] just how exposed mobile networks and the data they generate are, leaving them open to surveillance by ordinary citizens, stalkers, and criminals.” Cell phone location data “trickles down from cell phone providers to a wide array of smaller players, who don’t necessarily have the correct safeguards in place to protect [it].” A simple $300 payment from Motherboard to a bounty hunter (as well as a phone number from a consenting party) revealed a pipeline with “six different entities [having] potential access to the phone’s data.” The chain starts with T-Mobile, “[who] shares location data with an aggregator called Zumigo, which shares information with [geolocation services provider] Microbilt. Microbilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard.”

Though the FCC agreed to investigate, they have offered little information thus far. Frustrated commissioner Jessica Rosenworcel recently called for an update on the fact-finding mission, urging the FCC in a statement “to do more to protect the privacy and security of American consumers,” by providing “basic information about what is happening with their real-time location information” – something it “has failed to do…to date.”

Cell phone carriers, for their part, have expressed their opposition to the lawsuit. AT&T told Ars Technica that “the facts don’t support this lawsuit, and we will fight it…we only share location data with customer consent..[and] stopped sharing location data with aggregators after reports of misuse.” T-Mobile said it “terminated all service provider access to location data as of February 8, 2019,” while Sprint and Verizon offered little to no comment.

As the legislative landscape clarifies itself, data use (or misuse) will remain a hot topic for legislators and a public who is increasingly aware of how and where their information is available. Geolocation data is here to stay – who has access to it, and how, is for now a question without an answer.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.

Leave a Reply