In this day and age of pervasive data use, it is becoming apparent that many companies that gather data and act as its custodians are less than forthright when it comes to revealing the uses to which they put that data. This is certainly the fact with so called location data. Location data from mobile carriers makes it possible to identify the location of nearly any phone and is used by a variety of operators in order to supply services such as emergency roadside assistance or in situations that call for emergency assistance. These service providers are required by law to seek the go-ahead from their customers prior to releasing location data to third parties – in reality that rule is often flouted.
Scandal at Securus Technologies
The recent story that was broken by the New York Times in early May 2018 is a case in point regarding just how cavalier an attitude data brokers have a towards their responsibilities in safeguarding the location data of their customers. The story revealed that Securus, a prison technology company, had been selling location data to local police across the United States. This data allowed the police to locate anyone using a mobile phone of one of the major networks in the U.S. A Missouri sheriff has been accused of using the service to track a judge and other law enforcement officers.
As if this illegal practice was not damaging enough to consumer confidence, Securus was then hacked. Revealing usernames of police officers throughout the U.S.
Securus Technologies had obtained the location data from an organization by the name of 3Cinteractive, which had sourced that information from Californian location tracking company LocationSmart.
The bad news did not end with these revelations. In mid-May a PHD student at Carnegie Mellon University by the name of Robert Xiao had discovered a vulnerability on the ‘try before you buy’ demo used by LocationSmart. Xiao was able to exploit the security weakness to perform real time lookups on the location of mobile devices without authorization, authentication or consent. LocationSmart was quick to take action and took its demo page down after being notified.
AT&T, Sprint, T-Mobile and Verizon become involved
By this point the situation surrounding the use of location data was spiraling out of control and was blindingly obvious that action needed to be taken as a matter of urgency. The first step in this process was when a communication from the offices of Senator Ron Wydon, an Oregon Democrat, who has been probing the phone location-tracking market, was sent to AT&T, Sprint, T-Mobile and Verizon asking that they supply details of agreements that they had with third parties around the issue of location sharing. Verizon was quick to respond. “We conducted a comprehensive review of our location aggregator program,” Verizon’s Chief Privacy Officer Karen Zacharia wrote. “As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program.”
“We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices.” In short, the initiatives are on hold until the entire chain of commercial relationships are examined, and the data concerned can be secured.
T-Mobile and Verizon – The tip of the iceberg
In fact, all the mobile carriers responded that they had terminated any data sharing agreements with Securus. However, the holdout came in the form of Sprint which declined to reveal any information on its relationship with third party data aggregation companies – and refused to confirm that it would be ending any of the relationships it had with these parties. The response from T-Mobile and Verizon indicated that the scope of the relationships they had with third party aggregators was far wider than had been thought.
Real time data was being shared with not only LocationSmart, but also with another organization by the name of Zumigo. These companies in turn were sharing data with around 75 other customers. It was becoming apparent that the initial New York Times article had only revealed the tip of the location data iceberg. Verizon confirmed that it would be terminating its relationship with both LocationSmart and Zumigo.