Lawmakers demand answers from data providers over sale of location data
Washington — There are calls on Capitol Hill for an investigation into the sale of cellphone data. A report from the website Motherboard revealed T-Mobile and other cell providers sold data to third parties resulting in unauthorized information sharing, ultimately allowing a bounty hunter to track a reporter's phone location.
"This is outrageous. I didn't sign up for this when I signed up for wireless service and I bet neither did you," said FCC Commissioner Jessica Rosenworcel.
She wants to investigate how cellphone companies sell your location.
"It turns out that they're selling that information to companies called location aggregators who in turn are selling that to shady middlemen who for a few hundred dollars will sell to anyone, your location within a few hundred meters. I think that is a problem," Rosenworcel said.
"Location data is now so precise, this is a dream for spies and stalkers and predators," said Sen. Ron Wyden of Oregon.
He is proposing legislation to better protect personal information.
"What we were told in 2018 is that they would stop selling location data and now we're seeing evidence that it's still happening. It's a pattern. You know, they do it, they get caught, they apologize and its kind of wash rinse and repeat," Wyden said.
T-Mobile and AT&T have both pledged to stop selling location data to third parties. Sprint tells CBS News its investigation determined some companies it sold to were not sufficiently protecting customer data. Those deals have been terminated.
These companies provided the following statements to CBS News:
T-Mobile
"We take the privacy and security of our customers' information very seriously and will not tolerate any misuse of our customers' data. While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution. We have previously stated that we are terminating the agreements we have with third party data aggregators and we are nearly finished with that process."
MicroBilt
"The intended use of MicroBilt's location services is to verify individuals, with their consent, who are submitting applications for financial services products. This type of verification ultimately protects all consumers and businesses from fraud. Our customer credentialing and compliance processes required to use the services are among the best in the industry, which involves site inspections of the business premises, and extensive background screening on every customer before access to any data is granted. If a customer violates our terms, as this client did when a reporter paid them to do so, we permanently terminate the client from the service. Microbilt is committed to using its services to protect consumers and business from fraud."
AT&T
"Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention. In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services — even those with clear consumer benefits. We are immediately eliminating the remaining services and will be done in March."
Sprint
"Protecting our customers' privacy and security is a top priority, and we are transparent about that in our Privacy Policy. We do not knowingly share personally identifiable geo-location information except with customer consent or in response to a lawful request such as a validated court order from law enforcement.
"As a result of our investigation, we determined that Zumigo violated the terms of our contract by not sufficiently protecting Sprint customer data in its relationship with MicroBilt. We took immediate action to ensure MicroBilt no longer had access to Sprint location data, and have notified Zumigo that we are immediately terminating our contract. We don't tolerate violations of privacy and data security protections for our customer data."
