EFF Hits AT&T With Class Action Lawsuit for Selling Customers’ Location to Bounty Hunters

Tuesday, the Electronic Frontier Foundation (EFF) filed a class action lawsuit against AT&T and two data brokers over their sale of AT&T customers' real-time location data. The lawsuit seeks an injunction against AT&T, which would ban the company from selling any more customer location data and ensure that any already sold data is destroyed.

The move comes after multiple Motherboard investigations found AT&T, T-Mobile, Sprint, and Verizon sold their customers' data to so-called location aggregators, which then ended up in the hands of bounty hunters and bail bondsman.

“To sell this information without any notification to users is deceptive, extraordinarily invasive of their privacy, and illegal,” Thomas D. Warren, a lawyer at Pierce Bainbridge, which is working on the suit with the EFF, said in a statement.

The lawsuit, focused on those impacted in California, represents three Californian AT&T customers. Katherine Scott, Carolyn Jewel, and George Pontis are all AT&T customers who were unaware the company sold access to their location. The class action complaint says the three didn't consent to the sale of their location data.

"Plaintiffs were emotionally distressed by the discovery that their location data was sold to the Aggregator Defendants and additional unknown third parties without their consent," the class action complaint, which also seeks monetary damages, reads.

"Had Plaintiffs known about the real-time location practices complained of herein, they would not have signed up for AT&T wireless cell phone service or would have paid less for its services," the complaint adds.

The complaint alleges that AT&T violated the Federal Communications Act by not properly protecting customers' real-time location data; and the California Unfair Competition Law and the California Consumers Legal Remedies Act for misleading its customers around the sale of such data. It also alleges AT&T and the location aggregators it sold data through violated the California Constitutional Right to Privacy.

The lawsuit points to several instances of abuse of AT&T data. In May 2018, The New York Times reported AT&T sold its data through a location aggregator to Securus. Low level law enforcement then used Securus' tool to look up phone location information without a warrant or other legal authority. Motherboard then reported that a company called Captira was selling real-time location data of all major phone carriers to bail bondsman for $7.50 each. Then earlier this year, Motherboard bought the location data of a phone in Queens, New York, showing AT&T and others were still selling their customers' data, despite promises to stop. Finally, a cache of leaked documents from a secret company called CerCareOne showed hundreds of bounty hunters had access to AT&T, T-Mobile, and Sprint data for years. The lawsuit also points to Motherboard's reporting which showed telecoms companies were selling access not just to cell phone tower data, but highly precise A-GPS location information.

As the lawsuit highlights, AT&T's Privacy Policy says "We will not sell your personal information to anyone, for any purpose. Period."

Destroying any sold data may be difficult. When AT&T and other telecom data trickled down to bounty hunters, those individuals were largely free to retain the data as they pleased. Location data Motherboard obtained came in the form of screenshots of the phone's location on a Google Maps interface, or PDF files.

An AT&T spokesperson said in a statement "While we haven’t seen this complaint, based on our understanding of what it alleges we will fight it. Location-based services like roadside assistance, fraud protection, and medical device alerts have clear and even life-saving benefits. We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse."

This isn't the first class action lawsuit to be filed related to telecom companies' sale of customers' location data. In May, a firm filed a suit on behalf of AT&T, T-Mobile, Sprint, and Verizon customers.

In response to that lawsuit, on Friday AT&T argued customers have no right to sue over the sale of location data because of a forced arbitration clause in its contract. Earlier this month, T-Mobile made a similar case in a court filing.

“AT&T and data aggregators have systematically violated the location privacy rights of tens of millions of AT&T customers,” EFF Staff Attorney Aaron Mackey said in a statement. “Consumers must stand up to protect their privacy and shut down this illegal market. That’s why we filed this lawsuit today.”

Subscribe to our new cybersecurity podcast, CYBER.