Tomasz Zajda - Fotolia
No more selling mobile location data, promise carriers
Sen. Ron Wyden got all major U.S. wireless carriers to promise not to sell mobile location data to third parties, but experts question the basic security practices in place.
A recent public backlash against the way wireless carriers share mobile location data led to questioning from Sen. Ron Wyden (D-Ore.), but experts aren't fully sold on the carriers' responses.
In May, news broke that major wireless carriers were selling real-time mobile location data to third-party companies who were then using that data improperly. One of those companies, Securus, was breached exposing the firm's practice of providing that real-time mobile location data to law enforcement.
Sen. Wyden sent letters to the major wireless carriers questioning practices surrounding the sharing and resale of mobile location data. Earlier this week, Wyden published the responses he received.
UPDATE -- less than a day after I made these letters public, every major wireless carrier says they will cut ties with the middlemen who sell your location information. Chalk one up for oversight and accountability getting results for consumers.
— Ron Wyden (@RonWyden) June 20, 2018
All major U.S. carriers -- Verizon, AT&T, T-Mobile and Sprint -- promised to stop sharing mobile location data to data brokers, and all gave similar responses citing policies requiring explicit permission from users for third parties to share such information, while also claiming they had no knowledge of inappropriate use of mobile location data.
Skeptical experts
However, two experts were troubled by the claims that the major carriers had no prior knowledge of the data misuse.
Gary McGraw, vice president of security technology at Synopsys, said the carriers "likely knew about this all along [and] so did most sophisticated security-aware users of mobile technology."
"What is happening is that political circles are just beginning to get a technical clue. Turns out that the internet is not a 'series of tubes' and mobile phones are personal tracking devices that report their location to the closest cell tower by design," McGraw wrote via email. "Some people may have thought that law enforcement needed a warrant to get location data. But location data has been available for advertising and marketing (mostly through third-party solutions) for years. Limits on the use of tracking data are important and will come via regulation."
Rebecca Herold, CEO of Privacy Professor, said whether the carriers didn't know or didn't acknowledge the misuse of mobile location data "indicates they likely have little to no oversight of the vendors they contract, and that they have not established strong controls and contractual requirements for the entities to whom they sell or give their consumer data to."
Rebecca HeroldCEO, Privacy Professor
"When personal data is sold or otherwise shared with other entities, organizations need to ensure controls, beyond a EULA or other contract, exist to prevent and limit further sharing and use are implemented. This applies to large telecommunications organizations," Herold told SearchSecurity. "Good grief, they have digital tools to determine every other type of activity being done with their devices and their telecommunications customers so that they can charge and market down to every minute detail of device use. They could certainly also create controls to also actually track and prevent inappropriate sharing and use of that data from those they've given data to as well."
McGraw lauded Sen. Wyden for his efforts, but said user education and government regulation are needed to affect privacy more.
"I find it sad that most users have no idea how their technology works or its impact on their security and privacy. Heck, users are even willing to install listening devices in their kitchens now, on purpose," McGraw wrote. "The carriers are in a fight to the death with Facebook and Google. The future of advertising is at stake. Whoever builds the panopticon will win. Privacy and security are simply collateral damage."
Herold agreed that promises from carriers that they will not sell mobile location data "does not mean they will not take actions to find other ways to share the data."
"The fact that law enforcement, government and many other entities get location and other personal data through these legal loopholes, and then they have generally no obligations in such cases to protect that data, still leaves that data and the associated individuals at risk of experiencing privacy harms. The big question is, after the words are said by these wireless carriers, what actions will actually be taken?" Herold asked.
"When will those legal loophole data recipient entities ever be held accountable for how they use, share and make decisions with the growing huge repositories of personal data that they've scooped up but that generally no one is overseeing? The government needs to implement requirements for objective audits and assessments to ensure that words turn into effective actions, and they need to implement laws so that loophole entities collecting all this personal data are also held accountable."