Major wireless providers are facing new scrutiny into their privacy practices after a bombshell report sparked a public outcry and questions from lawmakers.
A story from tech news site Motherboard last week detailed how easy it is to track individuals with just a cellphone number using data aggregation companies. The report put a new spotlight on how wireless providers monetize their users’ real-time location data and set off a rush in the industry to abandon the practice and avoid new regulations.
Democratic lawmakers are questioning why the data practices were in place for so long and are pushing the Trump administration’s regulators to get serious about cracking down on the industry.
Rep. Frank Pallone Jr. (D-N.J.), the new chairman of the House Energy and Commerce Committee, demanded that Republican Federal Communications Commission (FCC) Chairman Ajit Pai provide Congress with an emergency briefing and investigate the location-sharing agreements, writing in a letter that “the public can no longer rely on [the wireless industry’s] voluntary promises to protect this extremely sensitive information.”
“This briefing should explain why the Federal Communications Commission has yet to end wireless carriers’ unauthorized disclosure of consumers’ real-time location data and what actions the FCC has taken to address this issue to date,” Pallone wrote in his letter Friday. “An emergency briefing is necessary in the interest of public safety and national security, and therefore cannot wait until President Trump decides to reopen the government.”
Pai declined the request, with his staff telling Pallone on Monday the shutdown prevented a briefing because the issue did not involve a “threat to the safety of human life or property.”
Pallone countered that there was “nothing in the law that should stop the Chairman personally from meeting about this serious threat that could allow criminals to track the location of police officers on patrol, victims of domestic abuse, or foreign adversaries to track military personnel on American soil.”
Across the Capitol, Democratic senators also criticized the sale of customers’ location data.
“Wireless carriers are promising, yet again, to stop sharing Americans’ location data without their consent,” Sen. Ron Wyden (D-Ore.) said on Twitter last week. “I’ll believe it when I see it. It’s not enough for these tech giants and their CEOs to lay blame for misuse and abuse of information on downstream companies.”
The telecom industry has largely avoided the tough questions on privacy practices that have dogged tech companies, in particular Silicon Valley’s social media giants. But following the Motherboard report, the mobile industry now finds itself grappling with the same questions about customer data in the public spotlight.
In its report, Motherboard managed to track the location of a person’s T-Mobile phone after giving a bounty hunter $300 and a cell number. The location information had traveled through a chain of data aggregation companies, who buy and sell customer data. According to the report, T-Mobile shared its data with a data company called Zumigo. Zumigo in turn shared that with a firm called Microbilt, which sells data to different industries, including bounty hunters.
Wireless companies responded to the report and lawmakers’ concerns by vowing to end those practices.
T-Mobile reiterated an earlier promise to stop selling data to location aggregators and said it was finalizing those changes.
“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” a T-Mobile spokesperson said in a statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”
T-Mobile CEO John Legere said on Twitter that the company expects to finish cutting the data-sharing agreements by March.
AT&T also announced that it would stop selling location data to third parties.
“Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention,” an AT&T spokesman said in a statement. “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services — even those with clear consumer benefits.”
A spokeswoman for Sprint said it had terminated its contract with Zumigo for “not sufficiently protecting Sprint customer data in its relationship with” Microbilt. Verizon says it had already terminated its location-sharing agreements, with the exception of four roadside assistance companies.
But the industry’s critics are unlikely to be assuaged by those assurances, especially since a similar scandal bubbled up last year involving location data mined from providers.
Following major privacy scandals involving internet giants including Facebook and Google, momentum has grown for Congress to come up with the nation’s first comprehensive privacy law to crack down on the collection and sale of sensitive user information. But it is unclear if lawmakers are any closer to a framework that could pass both the Democratic House and GOP Senate.
Republicans have been comparatively quiet since the Motherboard story came out. A Senate Commerce Committee aide, though, told The Hill that data privacy would be a priority for the new chairman, Sen. Roger Wicker (R-Miss.).
For now, Democrats are putting pressure on the FCC to investigate the industry and use its existing authority to crack down.
Pallone said Monday his committee would “continue to press the FCC to prioritize public safety, national security, and protecting consumers.”
Due to the shutdown, the FCC did not respond to a request for comment from The Hill.
Privacy advocates say that telecommunications companies are already prohibited from sharing information like real-time location data with third parties without their customers’ consent. They place the blame solely on the FCC for allowing the practice to fester.
“If there was an agency interested in living up to its mandate I don’t think you’d see this cascade of troubling scandals,” said Gaurav Laroia, a policy counsel at the consumer group Free Press.
A set of rules adopted by the FCC in 2007 gives the agency the authority to investigate “unauthorized disclosures” of personal information and take enforcement actions against carriers found to have not taken reasonable measures to protect such data.
“It’s not as if the commission has lost any power to do something about this, it’s just chosen to not exercise that power over the last couple of years,” Laroia said.
He added that until regulators act, the industry is unlikely to avoid monetizing its vast troves of user information.
“I don’t think these promises are worth very much,” he said. “We’ve been through this song and dance before.”
Lawmakers, too, are vowing to keep up pressure on the industry and on regulators, while continuing to push for legislation that would put the first real checks on the vast data collection industry.
“It’s not that people ‘don’t care about privacy,’ as some have argued – it’s that customers, along with policymakers, have been kept in the dark for years about data collection and commercialization practices,” Sen. Mark Warner (D-Va.) said in a statement. “Responsible federal agencies and the U.S. Congress should continue to hold hearings to shine a light on these practices and look at regulations to ensure companies are actually upfront with consumers about whether and how their sensitive data is being used and sold.”