In Letters To Senate, Wireless Carriers Downplay Their Latest Location Data Scandal

Carriers insist location data scams are rare and they do their best to police them. Government investigators may want to confirm that claim.

The nation’s biggest wireless carriers this week downplayed revelations that they’ve been tricked into handing over sensitive customer data by scammers posing as law enforcement. The practice was first uncovered in a Motherboard investigation culminating in a Congressional inquiry into the companies’ business practices.

Motherboard has obtained letters from AT&T, Verizon, T-Mobile, and Sprint responding to a March 13 inquiry by Senator Ron Wyden, asking for more detail into how the companies verify an individual’s identity before handing over sensitive consumer location data. Motherboard’s reporting found carriers have routinely collected and sold private user location data to a long list of companies, often doing little to confirm this data was adequately secured. Subsequent Motherboard investigations have shown how other, sometimes malicious parties can gain access to this data directly from the carriers themselves by posing as law enforcement. “It is now abundantly clear that you have failed to be good stewards of your customers’ private location information,” Senator Wyden said in his letter. Wyden highlighted how carriers are required under federal law to protect Customer Proprietary Network Information (CPNI), and requested that carriers provide data on how many times they’d been tricked since 2010. Unsurprisingly, none of the carriers were willing to cite specific examples of having been directly scammed, and insisted they do their best to verify the identities of law enforcement before handing over personal location data. Specific details, however, were lacking. “AT&T reviews each request to determine it is valid and obtains a certification from the relevant law enforcement agency confirming that the request calls for information relating to a case of potential death or serious injury,” the company said in its letter to Wyden. “But we are careful not to publicly disclose more internal process beyond this, because we do not want to give criminal actors a blueprint for our fraud and detection tools.” Motherboard’s reporting has shown how a debt collector was able to trick T-Mobile into releasing location data by fabricating cases of child kidnapping. Sources have told Motherboard that similar scams are routinely run on Verizon, T-Mobile, and Sprint, and have resulted in third parties obtaining unauthorized access to sensitive GPS and even E-911 location data. More specifically, Motherboard found that scammers, bounty hunters, and others have been exploiting carrier procedures for “exigent circumstances,” where a human life may be at risk and time is of the essence. Sources said the speed of such exchanges often open the door to more lax protection of consumer data than would otherwise be the norm.

In its letter to Wyden, T-Mobile insisted such fraud is “rare,” and that the company takes prompt action when such activity is detected. “In the rare circumstance in which a bad actor uses pretexting to improperly request and obtain location data (for example, by unlawfully impersonating law enforcement), T-Mobile takes swift and forceful action,” the company said.

Verizon’s letter attempts to shift the focus to how location data has proven helpful in emergency situations, citing examples ranging from a woman being stuck in the snow in Oregon, to a lost dementia patient found only thanks to Verizon’s coordination with law enforcement. “We recognize that location information can provide many pro-consumer benefits but we must protect that data from unauthorized access and use,” Verizon said. “Our subscribers trust and comfort surrounding the use of location information will remain paramount, and we plan to act accordingly. In its letter, Sprint also downplayed the frequency of such scams, and reiterated its promise that the company would no longer be selling such data to third-party aggregators.

“Sprint appreciates your concern regarding these issues and would also note that it has announced that as of May 31, 2019, it will no longer be providing (LBS) [location based services] to location aggregators,” Sprint head of privacy Maureen Cooney said.

The problem is the telecom industry isn’t a sector exactly known for its honesty or its respect for consumer privacy. As such, it’s going to take additional government inquiries and investigations to ensure the companies truly are following up on promises to be more responsible stewards of private consumer data.