Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Say What? U.S. Cell Carriers Selling Access to Your Real-Time Phone Location Data

May 17, 2018

Well, this was one I didn't know about. On May 14th, ZDNet reported that four of the largest cell giants in the U.S. (AT&T, Verizon, T-Mobile and Sprint) are selling your real-time location data to LocationSmart, a company most people have never heard of.

Last week, Senator Ron Wyden sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone "within seconds" by using data from LocationSmart.

The story made headlines because a former police sheriff snooped on phone location data without a warrant, according to The New York Times. The sheriff has pleaded not guilty to charges of unlawful surveillance.

Kevin Bankston, director of New America's Open Technology Institute, explained that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government. Now that's one huge loophole.

LocationSmart, a California-based technology company, is one of a handful of so-called data aggregators. It claimed to have "direct connections" to cell carrier networks to obtain real-time cell phone location data from nearby cell towers. The company claims coverage of 95 percent of the country, thanks to its access to all the major U.S. carriers, including US Cellular, Virgin, Boost, and MetroPCS, as well as Canadian carriers, like Bell, Rogers, and Telus.

"We utilize the same technology used to enable emergency assistance and this includes cell tower and cell sector location, assisted GPS and cell tower trilateration," according to a case study on the company's website. "With these location sources, we are able to locate virtually any US based mobile devices," the company said. Other companies then buy access to LocationSmart's data.

LocationSmart has been silent about how it ensures its corporate customers protect the location data to prevent abuse and misuse.

As the article notes, "Companies buy into LocationSmart's location data for many reasons. Sometimes it's to help locate a nearby store, or to send a marketing text message when a person visits a rival store. Location data can even be used by companies to track deliveries or shipments, or by banks to fight fraud, such as if a person is making card transactions miles apart within just a few minutes of each other."

The company requires explicit consent from the user before their location data can be used, by sending a one-time text message or allowing a user to hit a button in an app. LocationSmart said it allows some customers to obtain "implied" consent, used on a case-by-case basis, when "the nature of the service implies that location will be used." An example might be a stranded motorist who calls roadside assistance, where the event implies the person is "calling to be found."

The requirement to obtain a person's consent is voided if a search warrant for that data is issued. According to a Nebraska state government document, an application "can also be configured — with carrier approval and appropriate warrant documentation — to retrieve location data without the user opting-in." Securus was able to return real-time location data on users without their consent because the system required that a valid order be submitted first. However, Securus never verified orders before producing results.

Sprint spokesperson Lisa Belot said the company shares personally identifiable location data "only with customer consent or in response to a lawful request such as a validated court order from law enforcement." The company's privacy policy, which governs customer consent, said third parties may collect customers' personal data, "including location information." Sprint said the company's relationship with Securus "does not include data sharing," and is limited "to supporting efforts to curb unlawful use of contraband cell phones in correctional facilities."

AT&T and Verizon were not terribly forthcoming in response to a reporter's inquiries. T-Mobile did not respond by the publication's deadline.

Wyden called on each carrier to stop sharing data with third parties. Wyden argued the sharing "skirts wireless carriers' legal obligation to be the sole conduit by which the government may conduct surveillance of Americans' phone records."

In a blog post, the Electronic Frontier Foundation (EFF) said law enforcement may be violating the law by not seeking data directly from the phone carriers. "Law enforcement shouldn't have unfettered access to this data, whether they get it from Securus or directly from the phone companies," said the EFF.

Wyden has also called on the FCC to investigate the carriers for allegedly not obtaining user consent. No word yet from the FCC.

This revelation is appalling – I hope Senator Wyden stays the course on this issue – he usually does.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson