Image: ALASTAIR PIKE/AFP/Getty Images
Tuesday, the Electronic Frontier Foundation (EFF) filed a class action lawsuit against AT&T and two data brokers over their sale of AT&T customers' real-time location data. The lawsuit seeks an injunction against AT&T, which would ban the company from selling any more customer location data and ensure that any already sold data is destroyed.The move comes after multiple Motherboard investigations found AT&T, T-Mobile, Sprint, and Verizon sold their customers' data to so-called location aggregators, which then ended up in the hands of bounty hunters and bail bondsman.
“To sell this information without any notification to users is deceptive, extraordinarily invasive of their privacy, and illegal,” Thomas D. Warren, a lawyer at Pierce Bainbridge, which is working on the suit with the EFF, said in a statement.The lawsuit, focused on those impacted in California, represents three Californian AT&T customers. Katherine Scott, Carolyn Jewel, and George Pontis are all AT&T customers who were unaware the company sold access to their location. The class action complaint says the three didn't consent to the sale of their location data."Plaintiffs were emotionally distressed by the discovery that their location data was sold to the Aggregator Defendants and additional unknown third parties without their consent," the class action complaint, which also seeks monetary damages, reads."Had Plaintiffs known about the real-time location practices complained of herein, they would not have signed up for AT&T wireless cell phone service or would have paid less for its services," the complaint adds.The complaint alleges that AT&T violated the Federal Communications Act by not properly protecting customers' real-time location data; and the California Unfair Competition Law and the California Consumers Legal Remedies Act for misleading its customers around the sale of such data. It also alleges AT&T and the location aggregators it sold data through violated the California Constitutional Right to Privacy.
Destroying any sold data may be difficult. When AT&T and other telecom data trickled down to bounty hunters, those individuals were largely free to retain the data as they pleased. Location data Motherboard obtained came in the form of screenshots of the phone's location on a Google Maps interface, or PDF files.
Do you know any other cases of the sale of personal information? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
An AT&T spokesperson said in a statement "While we haven’t seen this complaint, based on our understanding of what it alleges we will fight it. Location-based services like roadside assistance, fraud protection, and medical device alerts have clear and even life-saving benefits. We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse."This isn't the first class action lawsuit to be filed related to telecom companies' sale of customers' location data. In May, a firm filed a suit on behalf of AT&T, T-Mobile, Sprint, and Verizon customers.In response to that lawsuit, on Friday AT&T argued customers have no right to sue over the sale of location data because of a forced arbitration clause in its contract. Earlier this month, T-Mobile made a similar case in a court filing.“AT&T and data aggregators have systematically violated the location privacy rights of tens of millions of AT&T customers,” EFF Staff Attorney Aaron Mackey said in a statement. “Consumers must stand up to protect their privacy and shut down this illegal market. That’s why we filed this lawsuit today.”Subscribe to our new cybersecurity podcast, CYBER.