Dave Farber
2018-06-19 21:51:35 UTC
Date: June 20, 2018 at 4:56:41 AM GMT+9
Subject: Mobile Providers to Stop Selling Location Data After Scandal
[for IP, should you choose]
A senator has strongly criticized three of the US' largest cell
carriers that have not promised to stop selling their customers'
real-time location data to third party companies.
Sen. Ron Wyden (D-OR) welcomed Verizon's move to end its agreements
with data aggregators, including LocationSmart, which sold location
data to a prison tech company that claimed to be able to track any
cell phone in the US "within seconds."
Senator wants to know how police can locate any phone in seconds
without a warrant
Real-time location data was accessible by police under "the legal
equivalent of a pinky promise," said a senator.
But the senator rebuked AT&T, T-Mobile, and Sprint for continuing the practice.
"Verizon did the responsible thing and promptly announced it was
cutting these companies off," said Wyden in a statementTuesday,
following an investigation by his office.
"In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to
sell their customers' private information to these shady middle men,
Americans' privacy be damned," he said.
AT&T later said it was also cutting off access to third-parties.
Sprint said it will "determine next steps" after its internal review
is over. T-Mobile did not return a request for comment.
Letters from the four cell giants were published Tuesday after Wyden
demanded last month to know why millions of Americans' real-time
location data was being shared with so-called aggregators, which
manage data requests for customer data across the carriers.
The phone giants say it's "common" to share data, such as when
motorists are stranded or as part of workforce and fleet tracking, but
said that customer data should have more tightly controlled.
The carriers partnered with LocationSmart, which claimed it had
"direct connections" to the cell giants' cache of location data.
Aggregators could then share location data with their own customers.
But the carriers found that one of LocationSmart's customers,
3Cinteractive, shared location data with another company, Securus, a
prison technology company, which used the data in violation of the
carriers' policies.
Aggregators must obtain consent from the customer before their
location data can be used, such as by sending a one-time text message
or allowing a user to hit a button in an app. But The New York Times
found that police and correctional officers could track anyone's
location without their consent, because Securus turned over the data
without verifying that a warrant had been obtained.
The phone giants said they took "prompt steps to protect customer data
and shut down" location data access to 3Cinteractive and Securus.
A spokesperson for 3Cinteractive did not respond to a request for comment.
LocationSmart said in a statement Tuesday that it was reviewing the
letters from the carriers, and denied that it buys and sells location
data. "The company does not warehouse or track a mobile user's
historic identity and location information," said the company.
The company said that it disabled Securus' access on May 10. "We
continue to review all customer use to ensure compliance with
LocationSmart's terms of user requiring user consent."
But the phone giants remained vague on exactly how the companies
obtained customers' consent to provide data to LocationSmart in the
first place.
ZDNet previously asked how each carrier obtains consent from their
customers, but none offered concrete answers.
Sprint hinted that its privacy policy allows the phone giant to share
customers' personal data, "including location information," with
third-parties. Verizon, in its letter to Wyden's office, also hinted
that customers give their consent by agreeing to the company's privacy
Customers, unable to opt out of the phone giants' privacy policies,
may be locked in to sharing their location data with aggregators.
"I don't believe that there is anything consumers can do to opt-out of
having their location data shared with third-parties like
LocationSmart," said Stephanie Lacambra, staff attorney at the
Electronic Frontier Foundation, in an email.
LocationSmart was later forced to pull part of its website offline
after a vulnerability allowed a security researcher to obtain
real-time location data without obtaining consent from the user.
Robert Xiao said that the company had "no security oversight" before
the site served location data.
LocationSmart said that "did not result in any customer information
being obtained without their permission" beyond the researcher's
The Federal Communications Commission is investigating the website flaw.
OpenPGP: https://sks-keyservers.net/pks/lookup?op=get&search=0xFEBAD7FFD041BBA1
If you wish to request my time, please do so using bit.ly/hd1AppointmentRequest.
Si vous voudrais faire connnaisance, allez a bit.ly/hd1AppointmentRequest.
Sent from my mobile device
Envoye de mon portable
-------------------------------------------Subject: Mobile Providers to Stop Selling Location Data After Scandal
[for IP, should you choose]
A senator has strongly criticized three of the US' largest cell
carriers that have not promised to stop selling their customers'
real-time location data to third party companies.
Sen. Ron Wyden (D-OR) welcomed Verizon's move to end its agreements
with data aggregators, including LocationSmart, which sold location
data to a prison tech company that claimed to be able to track any
cell phone in the US "within seconds."
Senator wants to know how police can locate any phone in seconds
without a warrant
Real-time location data was accessible by police under "the legal
equivalent of a pinky promise," said a senator.
But the senator rebuked AT&T, T-Mobile, and Sprint for continuing the practice.
"Verizon did the responsible thing and promptly announced it was
cutting these companies off," said Wyden in a statementTuesday,
following an investigation by his office.
"In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to
sell their customers' private information to these shady middle men,
Americans' privacy be damned," he said.
AT&T later said it was also cutting off access to third-parties.
Sprint said it will "determine next steps" after its internal review
is over. T-Mobile did not return a request for comment.
Letters from the four cell giants were published Tuesday after Wyden
demanded last month to know why millions of Americans' real-time
location data was being shared with so-called aggregators, which
manage data requests for customer data across the carriers.
The phone giants say it's "common" to share data, such as when
motorists are stranded or as part of workforce and fleet tracking, but
said that customer data should have more tightly controlled.
The carriers partnered with LocationSmart, which claimed it had
"direct connections" to the cell giants' cache of location data.
Aggregators could then share location data with their own customers.
But the carriers found that one of LocationSmart's customers,
3Cinteractive, shared location data with another company, Securus, a
prison technology company, which used the data in violation of the
carriers' policies.
Aggregators must obtain consent from the customer before their
location data can be used, such as by sending a one-time text message
or allowing a user to hit a button in an app. But The New York Times
found that police and correctional officers could track anyone's
location without their consent, because Securus turned over the data
without verifying that a warrant had been obtained.
The phone giants said they took "prompt steps to protect customer data
and shut down" location data access to 3Cinteractive and Securus.
A spokesperson for 3Cinteractive did not respond to a request for comment.
LocationSmart said in a statement Tuesday that it was reviewing the
letters from the carriers, and denied that it buys and sells location
data. "The company does not warehouse or track a mobile user's
historic identity and location information," said the company.
The company said that it disabled Securus' access on May 10. "We
continue to review all customer use to ensure compliance with
LocationSmart's terms of user requiring user consent."
But the phone giants remained vague on exactly how the companies
obtained customers' consent to provide data to LocationSmart in the
first place.
ZDNet previously asked how each carrier obtains consent from their
customers, but none offered concrete answers.
Sprint hinted that its privacy policy allows the phone giant to share
customers' personal data, "including location information," with
third-parties. Verizon, in its letter to Wyden's office, also hinted
that customers give their consent by agreeing to the company's privacy
Customers, unable to opt out of the phone giants' privacy policies,
may be locked in to sharing their location data with aggregators.
"I don't believe that there is anything consumers can do to opt-out of
having their location data shared with third-parties like
LocationSmart," said Stephanie Lacambra, staff attorney at the
Electronic Frontier Foundation, in an email.
LocationSmart was later forced to pull part of its website offline
after a vulnerability allowed a security researcher to obtain
real-time location data without obtaining consent from the user.
Robert Xiao said that the company had "no security oversight" before
the site served location data.
LocationSmart said that "did not result in any customer information
being obtained without their permission" beyond the researcher's
The Federal Communications Commission is investigating the website flaw.
OpenPGP: https://sks-keyservers.net/pks/lookup?op=get&search=0xFEBAD7FFD041BBA1
If you wish to request my time, please do so using bit.ly/hd1AppointmentRequest.
Si vous voudrais faire connnaisance, allez a bit.ly/hd1AppointmentRequest.
Sent from my mobile device
Envoye de mon portable
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=26461375
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=26461375&id_secret=26461375-c2b8a462&post_id=20180619175152:F7FDEEC6-740A-11E8-BC3B-839794F84B4B
Powered by Listbox: http://www.listbox.com