ShareThis Page
Technology

Verizon, AT&T to end location data sales to brokers in wake of CMU hack

| Tuesday, June 19, 2018, 10:51 a.m.
FILE- In this Tuesday, May 2, 2017, file photo, Verizon corporate signage is captured on a store in Manhattan's Midtown area, in New York. Verizon is pledging to stop selling data to outsiders through middlemen that can pinpoint the location of mobile phones, the Associated Press has learned. (AP Photo/Bebeto Matthews, File)
FILE- In this Tuesday, May 2, 2017, file photo, Verizon corporate signage is captured on a store in Manhattan's Midtown area, in New York. Verizon is pledging to stop selling data to outsiders through middlemen that can pinpoint the location of mobile phones, the Associated Press has learned. (AP Photo/Bebeto Matthews, File)
FILE- In this June 13, 2018, file photo Federal Reserve Chair Jerome Powell speaks to the media after the Federal Open Market Committee meeting in Washington. Powell is expected to speak about the job market at a European Central Bank conference in Portugal on Wednesday, June 20. (AP Photo/Jacquelyn Martin, File)
FILE- In this June 13, 2018, file photo Federal Reserve Chair Jerome Powell speaks to the media after the Federal Open Market Committee meeting in Washington. Powell is expected to speak about the job market at a European Central Bank conference in Portugal on Wednesday, June 20. (AP Photo/Jacquelyn Martin, File)

Verizon and AT&T have pledged to stop providing information on phone owners' locations to data brokers, stepping back from a business practice that has drawn criticism for endangering privacy.

The data has apparently allowed outside companies to pinpoint the location of wireless devices without their owners' knowledge or consent. Verizon said that about 75 companies have been obtaining its customer data from two little-known California-based brokers that Verizon supplies directly — LocationSmart and Zumigo.

Verizon became the first major carrier to declare it would end sales of such data to brokers that then provide it to others. It did so in a June 15 letter to Sen. Ron Wyden, an Oregon Democrat who has been probing the phone location-tracking market. AT&T followed suit Tuesday after The Associated Press reported the Verizon move.

Neither company said they are getting out of the business of selling location data. Verizon and AT&T are the two largest U.S. mobile carriers in terms of subscribers.

Chief privacy officer Karen Zacharia said Verizon would be careful not to disrupt “beneficial services” such as fraud prevention and emergency roadside assistance. In an email to the AP, AT&T spokesman Jim Greer cited similar reasons for cutting off the intermediaries “as soon as practical.”

Concerns arose around the security of real-time cellphone data after a researcher at Carnegie Mellon University hacked LocationSmart and had access to the location of any cellphone on the major carriers. Robert Xiao, a member of CMU's elite hacking team, said it took him 15 minutes to find a bug and expose the data.

“If I knew your 10-digit phone number, I could type it in, and I could track you in real time,” Xiao told the Tribune-Review on the day after his hack. “I can watch you moving around. I can watch you driving around. I can watch you going to work and leaving from work.”

Last month, Wyden revealed abuses in the lucrative but loosely regulated field involving Securus Technologies and its affiliate 3C Interactive. Verizon says their contract was approved only for the location tracking of outside mobile phones called by prison inmates.

Verizon notified LocationSmart and Zumigo, both privately held, that it intends to “terminate their ability to access and use our customers' location data as soon as possible,” Zacharia wrote.

Location data from Verizon and other carriers makes it possible to identify the whereabouts of nearly any phone in the U.S. within seconds. Popular commercial uses for the information include keeping tabs on packages, vehicles and employees; bank fraud prevention; and targeted marketing offers.

The cutoff won't affect users' ability to share locations directly with apps and other services. Rather, it deals with the practice of providing data to third parties with which users have no direct contact.

Wyden wrote all four major U.S. wireless carriers on May 8 after learning about a web portal that let law officers track Americans' locations without proper oversight. A former sheriff in Missouri has been accused of using Securus data for unauthorized surveillance of a judge, a sheriff and state highway patrol officers.

Wyden asked the carriers to identify which third parties have been acquiring carrier location data and to provide details such as any third-party sharing of location data without customer consent. His office shared the companies' responses with The AP.

None of the four carriers named any third parties, with two exceptions. One was Securus, which all four carriers have since cut off. The other was 3CInteractive, the reseller that supplied Securus.

“Verizon did the responsible thing and promptly announced it was cutting these companies off,” Wyden said in a statement, referring to the aggregators as “shady middle men.”

“The big concern was that this was probably the tip of the iceberg,” said Laura Moy, deputy director of the Georgetown Center on Privacy and Technology. She said Verizon's move “indicates that it cannot actually police this process, that it doesn't have the ability.” Nor can the other carriers, she said.

Verizon and AT&T did not respond to questions from the AP on whether and how they plan to sell location data directly to companies or individuals instead of relying on the two California companies. Sprint and T-Mobile did not immediately respond Tuesday to emailed requests for comment.

AT&T and T-Mobile , No. 2 and 3 in customers, said in letters to Wyden they only allow authorized third parties to access customer location data if the affected customers have given consent or if it is required by law — for instance, a court order. Verizon said the same.

Sprint said account holders must “generally be notified” if the data is to be used so they can decide whether they consent. T-Mobile has offered to buy Sprint for $26.5 billion.

The carriers left most of Wyden's questions unanswered — such as how many of their customers had been affected by location sharing they never agreed to.

Gigi Sohn, a former top advisor at the Federal Communications Commission in the Obama administration, said Verizon has lately proven itself a “shining example” on privacy. “I think they understand that bad privacy practices are bad for business,” she said.

Moy said Verizon may have been motivated by a $1.4 million FCC fine for an earlier episode in which the company quietly tracked its wireless customers' online travels with a “supercookie” for at least 22 months beginning in December 2012.

The company subsequently signed a consent order with the FCC promising to restrict that tracking to customers who affirmatively agreed to it.

The case also spurred FCC rules that would have required carriers to obtain consent for selling their customers' wireless location data. But the GOP-led Congress quashed those rules last year.

Analysts say it's difficult to gauge the size of the location-tracking aggregation market.

On its website, LocationSmart claims it is the No. 1 “location-as-a-service” provider with data from every top tier U.S. wireless carrier and more than 200 enterprise customers. Zumigo appears oriented to the financial sector, and lists Intel, Wells Fargo and Capital One among investors.

Analyst Rich Mogull of Arizona-based Securosis LLC said telecom providers track and sell location data as a matter of course, with a wide range of businesses including Google extensively attempting to compile location datasets on consumers.

“We are all tracked, all the time, primarily for marketing purposes, by such a large number of companies I ‘m not sure I would even know where to start the math,” said Mogull.

TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.

click me