On Wednesday, Federal Communications Commission (FCC) Commissioner Jessica Rosenworcel demanded answers from AT&T, T-Mobile, Sprint, and Verizon on their sale of customers’ phone location information to data aggregators. As Motherboard has shown in multiple investigations, this data, which sometimes included highly precise assisted-GPS data, ended up in the hands of bounty hunters, bail bondsmen, or private investigators.
The demands are the latest move to pressure telecom companies, which said they would stop the sale of location data to third parties after Motherboard’s coverage. AT&T and T-Mobile previously told Motherboard that sale has ended, and Sprint said it would stop at the end of May.
But there are still serious concerns about how that data may have been stored and accessed. The letters from Commissioner Rosenworcel to the heads of each telco asked that the companies clarify whether data aggregators or others were allowed to save phone location data they received, and what steps the telcos are going to take to ensure the deletion of any shared data.
“The public still has very little detail about how much geolocation data is being saved and stored—including in ways that may be far too accessible to others,” the letters signed by Rosenworcel read.
In January, Motherboard paid a source $300 to locate a T-Mobile phone. That was possible because T-Mobile, AT&T, and Sprint had all sold access to their customers’ location data to a network of middleman companies, before it ended up in the hands of bounty hunters and bail bondsmen. Motherboard also covered how another data broker used to provide Verizon location data to the bail industry.
Another investigation, based on leaked data, showed that one company had provided phone location data to hundreds of bounty hunter clients. That leaked data did indicate that some information may have been stored over time; the data included lists of phone numbers that had been located or ‘pinged,’ stretching back years.
The location information included assisted-GPS data, which is usually reserved for locating cell phones that dial 911 in an emergency.
“Under federal law, A-GPS data included in the National Emergency Address Database for enhanced 911 services may not be used for any other purpose,” Rosenworcel’s letters to the telcos added.
Rosenworcel gave each telco until May 15 to respond.
AT&T, T-Mobile, and Sprint did not immediately respond to a request for comment.
Richard Young, a Verizon spokesperson, told Motherboard in a statement, “Verizon has led the industry in working to end agreements with location aggregators. We were first to take action when these issues surfaced last Summer. We followed through with our pledge and have fully terminated our location aggregator arrangements. We're happy to talk about what we've done in this area with the Commissioner.”
Rosenworcel's letters added, “Real-time location information is sensitive data deserving the highest level of privacy protection.”
“But it is evident from press reports that this data may have been sold without the explicit consent of consumers and without appropriate safeguards in place.”
Update: This piece has been updated to include a statement from Verizon.