The country's leading carriers this week vowed to put a stop to the unauthorized collection of customer location information by cutting off contracts with location aggregators.
The four leading wireless carriers -- AT&T, Sprint, T-Mobile, and Verizon -- have been selling real-time location data to third parties to be used for targeted advertising, as well as location-based services, including roadside assistance and cargo tracking. However, U.S. Sen. Ron Wyden of Oregon sounded the alarm on location sharing practices last month in a letter to the Federal Communication Commission (FCC) after he said his own investigation revealed questionable data handling practices by third-party providers.
The four carriers launched their own investigations, all of which concluded that location data has in fact been misused. While service providers scramble to break off agreements with these location data aggregators, it's yet to be seen whether the move will impact IoT and location-based services that solution providers are offering their end customers today.
The problem began when Dallas-based Securus Technologies, a company that helps prisons monitor inmate phone calls, was found to have a web portal that allowed correctional officers to enter any US phone number and obtain real-time location data on consumers. This ability that had not been authorized by carriers, and a former sheriff had used the service to illegally locate a judge and five police officers, according to Wyden's report. LocationSmart, another data aggregator that partners with service providers, recently suffered a glitch that could have given any user access to customer location data without vetting, the report said.
Verizon was the first carrier to take action. The Basking Ridge, N.J.-based company has had a so-called Location Aggregator Program with third-party data aggregators and pledged it would cut off its agreements with the two firms it had been working with, LocationSmart and Zumigo, as soon as possible.
Verizon did add, however, that it would be terminating access carefully so that "beneficial services," such as fraud prevention and call routing, wouldn't be disrupted, according to Verizon's Chief Privacy Officer Karen Zacharia in a letter to Wyden.
"We decided to end our current location aggregation arrangements with LocationSmart and Zumingo … Verizon will work with the aggregators to ensure a smooth transition for these beneficial services to alternative arrangements so as to minimize the harm caused to customers and end users," Zacharia said.
Verizon added that it won't initiate any new location data agreements with third-parties until it's comfortable that it can adequately protect customers' location data.
Wyden immediately responded to Verizon's letter by saying that the carrier "did the responsible thing" by promptly cutting these companies off. He then assailed AT&T, T-Mobile, and Sprint for continuing to sell real-time location data, but all three major carriers all responded within hours, also promising to sever ties with third parties that have allegedly been misusing the data.
While AT&T, like its carrier competition, allows authorized third parties access to customers' location-based data for the purpose of services that a customer consents to, such as roadside assistance, the carrier said that it is actively investigating how data aggregators may have gained unauthorized access to location data.
"Our top priority is to protect customer's information, and, to that end, we have suspended all access by Securus to AT&T customer location data," said Timothy McKone, executive vice president of Federal relations for AT&T in a letter to Wyden.
Altaworx is a Fairhope, Ala.-based solution provider that is offering IoT services to end customers today. Most of its use cases center around GPS tracking using AT&T's network. Rickie Richey, CEO of Altaworx, said he's not sure that GPS-related services that triangulate user and asset location will be affected as a result of carriers cutting their contracts with location data aggregators. However, businesses that are using location-based services to push out advertising to end customers may be impacted, he said.
Sprint, for its part, said it had suspended all services with LocationSmart since May 25 and will begin the process of terminating its contracts with data aggregators after it completes its internal review.
T-Mobile's vocal CEO, John Legere, also took to Twitter to let Wyden know that the Bellevue, Wash.-based wireless carrier was also stepping up to the plate.
"Sounds like word hasn’t gotten to you, [Wyden] I’ve personally evaluated this issue and have pledged that [T-Mobile] will not sell customer location data to shady middlemen. Your consumer advocacy is admirable and we remain committed to consumer privacy," Legere wrote in a tweet.
But the move to sever ties with location data aggregators could be because carriers would rather keep customer location to themselves to benefit their own marketing services, according to one solution provider that partners with AT&T and Verizon that requested anonymity.
"I'm not sure if it's more of revenue thing, if [the carriers] are concerned with how the data is being used, or if it's both," an executive for the solution provider said. "Your vertical gets a little stronger if you’re the one who is controlling where the data goes and what it's being used for."
Reports emerged this week that said Dallas-based AT&T is currently in talks to buy advertising technology company AppNexus for $1.6 billion in a deal that would give the carrier a foothold in digital ad sales, according to the Wall Street Journal.
AT&T declined to comment on the AppNexus reports.
Data privacy isn't just top of mind for carriers and customers; the government is also taking a stand against the misuse of location data.
On Friday, the U.S. Supreme Court ruled that warrants are necessary for obtaining cell phone location data. The new federal law, in a 5-4 ruling, says that police will need a court-approved warrant for access to a wireless carrier's database of user location data.
The ruling sets a higher bar to clear for police trying to obtain cellphone location data that could indicate the location of a suspect. The court said that access to wireless carrier data without a warrant, a routine request from many police agencies, amounts to an unreasonable search and seizure under the U.S. Constitution’s Fourth Amendment.