In this day and age of pervasive data use, it is becoming apparent that many companies that gather data and act as its custodians are less than forthright when it comes to revealing the uses to which they put that data. This is certainly the fact with so called location data. Location data from mobile carriers makes it possible to identify the location of nearly any phone and is used by a variety of operators in order to supply services such as emergency roadside assistance or in situations that call for emergency assistance. These service providers are required by law to seek the go-ahead from their customers prior to releasing location data to third parties – in reality that rule is often flouted.
Scandal at Securus Technologies
The recent story that was broken by the New York Times in early May 2018 is a case in point regarding just how cavalier an attitude data brokers have a towards their responsibilities in safeguarding the location data of their customers. The story revealed that Securus, a prison technology company, had been selling location data to local police across the United States. This data allowed the police to locate anyone using a mobile phone of one of the major networks in the U.S. A Missouri sheriff has been accused of using the service to track a judge and other law enforcement officers.
As if this illegal practice was not damaging enough to consumer confidence, Securus was then hacked. Revealing usernames of police officers throughout the U.S.
Securus Technologies had obtained the location data from an organization by the name of 3Cinteractive, which had sourced that information from Californian location tracking company LocationSmart.
The bad news did not end with these revelations. In mid-May a PHD student at Carnegie Mellon University by the name of Robert Xiao had discovered a vulnerability on the ‘try before you buy’ demo used by LocationSmart. Xiao was able to exploit the security weakness to perform real time lookups on the location of mobile devices without authorization, authentication or consent. LocationSmart was quick to take action and took its demo page down after being notified.
AT&T, Sprint, T-Mobile and Verizon become involved
By this point the situation surrounding the use of location data was spiraling out of control and was blindingly obvious that action needed to be taken as a matter of urgency. The first step in this process was when a communication from the offices of Senator Ron Wydon, an Oregon Democrat, who has been probing the phone location-tracking market, was sent to AT&T, Sprint, T-Mobile and Verizon asking that they supply details of agreements that they had with third parties around the issue of location sharing. Verizon was quick to respond. “We conducted a comprehensive review of our location aggregator program,” Verizon’s Chief Privacy Officer Karen Zacharia wrote. “As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program.”
“We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices.” In short, the initiatives are on hold until the entire chain of commercial relationships are examined, and the data concerned can be secured.
T-Mobile and Verizon – The tip of the iceberg
In fact, all the mobile carriers responded that they had terminated any data sharing agreements with Securus. However, the holdout came in the form of Sprint which declined to reveal any information on its relationship with third party data aggregation companies – and refused to confirm that it would be ending any of the relationships it had with these parties. The response from T-Mobile and Verizon indicated that the scope of the relationships they had with third party aggregators was far wider than had been thought.
Real time data was being shared with not only LocationSmart, but also with another organization by the name of Zumigo. These companies in turn were sharing data with around 75 other customers. It was becoming apparent that the initial New York Times article had only revealed the tip of the location data iceberg. Verizon confirmed that it would be terminating its relationship with both LocationSmart and Zumigo.
“Americans’ privacy be damned”
Sen. Wyden issued a statement calling on all wireless carriers to follow Verizon’s lead.
“Verizon deserves credit for taking quick action to protect its customers’ privacy and security,” Wyden said. “After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off. In contrast, AT&T, Sprint and T Mobile seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.”
The statement from the Senator had an almost immediate effect when combined with the proactive stance of Verizon’s, AT&T and Sprint announced that they too would start terminating agreements to share customer location data with third parties.
An AT&T spokesman also issued a statement: “Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.”
T-Mobile quickly followed suit. T-Mobile CEO John Leger announced: “I’ve personally evaluated this issue & have pledged that T-Mobile will not sell customer location data to shady middlemen.” In a follow-up statement shared by T-Mobile, the company said, “We ended all transmission of customer data to Securus and we are terminating our location aggregator agreements.
AT&T and Verizon each said they have processes for periodically auditing consent practices by the location aggregators, but that Securus’ unauthorized use of the data somehow flew under the radar – consumers were simply ignored when it came to consent issues.
“We now understand that, despite AT&T’s requirements to obtain customer consent, Securus did not in fact obtain customer consent before collecting customers’ location information for its on-demand service,” wrote Timothy P. McKone, executive vice president of federal relations at AT&T. “Instead, Securus evidently relied upon law enforcement’s representation that it had appropriate legal authority to obtain customer location data, such as a warrant, court order, or other authorizing document as a proxy for customer consent.”
Blake Reid, an associate clinical professor at the University of Colorado School of Law, said the entire mobile location-sharing debacle shows the futility of ‘transitive trust.’ Putting it simplistically there are simply too many links in the commercial chain for any ironclad certainty that consent will be sought from consumers or that the process will undergo any sort of regular meaningful review of audit process.
“The carriers basically have arrangements with these location aggregators that contractually say, ‘You agree not to use this access we provide you without getting customer consent’,” Reid said. “Then that aggregator has a relationship with another aggregator, and so on. So what we then have is this long chain of trust where no one has ever consented to the provision of the location information, and yet it ends up getting disclosed anyhow.”
Verizon’s activity around location services and its relationship with location aggregators is indicative of the problems inherent in the business model. Verizon stated that it has “mechanisms designed to protect against misuse of our customers’ location data,” if so, they were almost wholly ineffective. Perhaps most notable is the simple fact that Verizon, as primary custodian of the location data does not seem to see the need to be informed whether a customer has consented to having their location polled. That collection is the responsibility of “the aggregator or corporate customer.”
In other words, Verizon doesn’t need to ask the customer, and the company it sells the data to on a wholesale basis doesn’t need to ask the customer — the requirement devolves to the company buying access from the wholesaler. In Securus’s case, it had taken the concept of ‘plausible deniability’ one step further by allowing law enforcement full access but apparently without checking.
This situation is clearly untenable from both a legal and ethical, let alone in terms of good corporate governance. Even given the assurances of the mobile carries this situation needs urgent attention and possibly new legislation to prevent the same sorts of missteps and even willful transgressions by the carriers and their clients.