In today’s edition of “you probably didn’t know this was still a thing but be glad it stopped,” Verizon, AT&T, and Sprint have all confirmed that they’re cutting ties with some third-party data brokers to whom the wireless networks had been selling customer location data. All the major cell networks have long sold location data to third parties, who were supposed to vet how it was being used. It will come as no surprise to learn that the data was being misused across a number of brokers, and security researcher Brian Krebs even found that one data firm was enabling anyone to find location data on any cell number, for free.
AT&T, Verizon, and Sprint have confirmed that they’re all ending or curtailing their location-sharing programs, which should hopefully limit the extent to which strangers and anonymous companies can track your every move.
“Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance,” AT&T said in a statement. Verizon confirmed in a letter to Senator Ron Wyden, who has been probing the issue, that it’s cutting off location data to third-party brokers.
“Based on our current internal review, Sprint is beginning the process of terminating its current contracts with data aggregators to whom we provide location data,” Sprint told BGR. “This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services. Sprint previously suspended all data sharing with LocationSmart on May 25, 2018. We are taking this further step to ensure that any instances of unauthorized location data sharing for purposes not approved by Sprint can be identified and prevented if location data is shared inappropriately by a participating company.”
T-Mobile didn’t address issues with third-party data brokers more generally, but said in a recent letter to Sen. Wyden that it “requires internal approval of every service provider and use, including the mechanism by which the service provider will obtain customer consent before any location information is shared with partners and service providers.”
In a follow-up tweet today, T-Mobile CEO John Legere said that T-Mobile “will not sell customer location data to shady middlemen,” but didn’t give any more specific details.
The extent of carrier location sharing was made clear by a recent case in Missouri, which involved a former sheriff in Missouri using a system supplied by Securus Technologies to track the cellphones of other individuals, including some of his deputies. Securus provides services to track and monitor inmates’ phone calls to prisons and county jails, but it also used third-party location data from carriers to offer other services to clients, including phone tracking without requiring a warrant.
Security reporter Brian Krebs also discovered a tool on the website of a company called LocationSmart, which offers mobile location technology to customers. LocationSmart is supposed to obtain permission from cellphone owners before serving location data, but a bug in its website let anyone track any cell number from a US carrier without getting consent.