A broker that helped sell AT&T customers' real-time location data says it will fight a class action lawsuit against it. The broker, called LocationSmart, was involved in a number of data selling and cybersecurity incidents, including selling location data that ended up in the hands of bounty hunters.
"LocationSmart will fight this lawsuit because the allegations of wrongdoing are meritless and rest on recycled falsehoods," a LocationSmart spokesperson said in an emailed statement. LocationSmart did not point to any specific part of the lawsuit to support these claims.
On Tuesday, activist group the Electronic Frontier Foundation (EFF) and law firm Pierce Bainbridge filed a class action lawsuit against LocationSmart, another data broker called Zumigo, and telecom giant AT&T. The lawsuit's plaintiffs are three California residents who say they did not consent to AT&T selling their real-time location data through the data brokers. The lawsuit alleges all three companies violated the California Constitutional Right to Privacy, and seeks monetary damages as well as an injunction against AT&T to ensure the deletion of any sold data.
“The location data AT&T offered up for sale is extremely precise and can locate any of its wireless subscribers in real time, providing a window into the intimate details of their lives: where they go to the doctor, where they worship, where they live, and much more,” Abbye Klamann Ognibene, an attorney at Pierce Bainbridge, said in a statement at the time of the lawsuit's filing.
Zumigo did not respond to a request for comment.
In February, Motherboard reported that AT&T, T-Mobile, and Sprint sold their customers' location data to LocationSmart, which then resold it to a secret company called CerCareOne. CerCareOne provided that data to around 250 bounty hunters and bail bondsmen, according to leaked documents obtained by Motherboard. LocationSmart confirmed it was part of that supply chain of data at the time.
In another incident, LocationSmart sold access to the real-time location data of AT&T and other telecom customers to a company called Securus. Securus sold that data to prison officials who used it to track people without their consent. Shortly after the New York Times broke that story, Motherboard reported a hacker had stolen data from Securus.
On that same day, multiple outlets reported a security researcher had found a serious security vulnerability in LocationSmart's website, which allowed anyone to access the real-time location information of AT&T and other telecom customers.
In its statement, LocationSmart emphasised some of the other use cases of its location data.
"LocationSmart’s API platform facilitates life-saving and other vital location-based services, which require end-user consent," the statement added.
After Motherboard's initial investigation, in which we paid a bounty hunter $300 to track a T-Mobile phone, AT&T, T-Mobile, and Sprint said they would stop the sale of location data to third parties. All of the telecoms have since told Motherboard that service has been cut.