At least one wireless carrier in the United States has violated federal law by disclosing users’ real-time location data to third parties without permission, according to the Federal Communications Commission.
“I am writing to follow up on my letter of December 3, 2019 regarding the status of the FCC’s investigation into the disclosure of consumers’ real-time location data,” FCC Chairman Ajit Pai wrote in a letter. “Fulfilling the commitment I made in that letter, I wish to inform you that the FCC’s Enforcement Bureau has completed its extensive investigation and that it has concluded that one or more wireless carriers apparently violated federal law.”
Pai declined to name specific carriers, and when asked about the pending notice(s) of apparent liability for forfeiture that would be issued, the FCC said that it had no update and would generally not comment on law enforcement matters until they were adopted.
AT&T, one of the four largest wireless carriers in the U.S., is being sued for exactly that, however.
The Electronic Frontier Foundation filed a civil lawsuit on behalf of AT&T customers in July 2019 seeking damages over the company disclosing real-time location data to third parties, which could then make that available to further third parties, with the data ending up in the hands of just about anyone if someone was willing to pay for it.
“The access to the carriers’ real-time location, the carriers had provided that to a number of third parties and then those third parties had turned around and provided it to other downstream parties who then turned around and provided that access to others,” said Aaron Mackey, a lawyer for the EFF. “We don’t know exactly the technical and contractual relationship, that’s what we’re trying to find out in our lawsuit, but we know that there was sort of broad access such that, very far down the chain, a bunch of unscrupulous individuals and actors could obtain that information.”
A Motherboard investigation published in January showed that a bounty hunter was able to pinpoint the approximate location of any given device, down to roughly 100 meters, with just a phone number and a few $100 bills. That means that anyone from car dealerships pursuing overdue payments to stalkers could shill out some extra cash and find whoever they were looking for. This was something that, at one point, all four of the major carriers (AT&T, Verizon, T-Mobile, and Sprint) participated in.
Even the government has been using this data access to circumvent normal avenues of enforcement. From a small Missouri county sheriff (according to the New York Times) all the way up to U.S. Customs and Border Protection and Immigration and Customs Enforcement (according to the Wall Street Journal), people have gone through third parties to acquire a person’s location without getting a warrant first.
The EFF says that Pai’s letter is a boon to its civil suit, effectively proving that carriers betrayed the public trust illicitly by selling access to customers’ locations.
“It’s confirmation that the practices that were reported on were illegal under the Communications Act, and our lawsuit brings a claim under the Communications Act that these carriers can’t disclose customers’ location data without their affirmative consent,” Mackey said. “Failure to abide by the law was illegal. We called on the FCC to investigate it and enforce it.”
While the EFF, in addition to damages, is asking for the data to either be returned to AT&T or destroyed, the group acknowledges that it may be impossible to wrangle all the data that are out in the wild — which is to say, data of potentially 153 million AT&T subscribers. That’s roughly 444 million people, counting reported users from the four largest carriers. That’s more than the population of the U.S., as of 2018 estimates.
“There’s no indication that there was any limit or segments of AT&T customers whose data was off-limits,” Mackey said. “Anyone’s data was potentially available to be disclosed and accessed by any party downstream who had the ability to get the data. Once the horse has left the barn, it’s very hard to determine [who all had access to the data].”
While users are able to tell specific applications not to use location data, the way cellular technology functions today, it would be impossible to blanket “opt-out” of the collection of real-time location data without just outright not owning a smartphone.
“As we read the law, in respect to the data the carriers collect and generate, it’s not an opt-out thing,” Mackey said. “Customers shouldn’t have to do anything. You shouldn’t have to tell them, ‘Don’t disclose.’ The law already prohibits disclosure absent the customer saying affirmatively, ‘Yes, you can disclose.'”
The FCC has not put a timeline on when enforcement actions are expected to be adopted, if at all.
AT&T defended itself in May 2019 in a letter to the FCC, arguing that the specific data set being collected was not subject to the same restrictions of other location data.
