For years, the biggest telecom network operators in the U.S. – including AT&T, T-Mobile and Sprint – have been secretly selling location data of their customers to a shadowy network of data brokers and data aggregators. Despite promises and assurances from these companies that this practice has stopped, a continuing series of investigations by media outlets such as VICE Motherboard has found that the selling of location data persists to this day. That’s why a new FCC proposal for enhanced 911 location data is so troubling – it’s almost a certainty that, no matter how well-intentioned this 911 location data proposal is, this information is going to wind up in the hands of bounty hunters, bail bondsmen, stalkers and overly aggressive marketers.
Details of the new FCC proposal on 911 location data
Earlier this year, the Federal Communications Commission (FCC) released a new Further Notice of Proposed Rulemaking (FNPRM) for enhanced 911 (E911) location data. According to this FNPRM (“Furthering 911 Location Accuracy in Multi-Story Buildings”), wireless carriers would need to provide vertical location accuracy of a user making a 911 call to within a height of plus or minus 3 meters. The goal, as expressed by the FCC, is to require wireless carriers to provide this enhanced 911 location data in the Top 25 U.S. markets by April 2021, and in the Top 50 U.S. markets by April 2023.
This enhanced 911 location data (known as z-axis data) would make it possible for emergency first responders to more accurately find and locate people making 911 calls. Right now, for example, a 911 operator might be able to find your precise location on a map with x-axis and y-axis data, but what if you are located in a large apartment building, a corporate office building, or a skyscraper? That’s when the additional z-axis data, found by using the barometric pressure sensors on a smartphone, would prove to be invaluable for emergency first responders. Simply being able to find someone a few seconds earlier with 911 location data might be the difference between life and death.
Privacy implications of enhanced 911 location data
But there’s just one problem here – if emergency responders are able to find your precise 911 location in a building with emerging technologies, then so could anyone else, if the information fell into the wrong hands. To underscore that point, privacy advocates point out that FCC Commissioner Ajit Pai’s plan for phone location data related to 911 calls never mentions the word “privacy.” Even after a period of extended public comment, it appears that the FCC is still not taking user privacy seriously. That’s unfortunate, because when customers dial 911, there is a reasonable expectation that only emergency services should have access to their precise location.
The FCC, in its defense, says that any 911 location data may not be used for non-911 purposes. In general, wireless carriers cannot disclose location data without express prior authorization. That’s because customer location data is officially considered to be a form of protected data known as CPNI. It’s uncertain at this point in time whether the new z-axis data (used to pinpoint your location on a certain floor in a building) would be classified as CPNI data, or as NEAD data (which carries with it much stronger protection). But here’s the big takeaway: if the FCC approves the FNPRM, it would theoretically make it much harder to prevent other third-party entities (i.e. not just 911 operators) from finding out exactly where you are at any point in time.
Past privacy snafus involving customer location data
Certainly, if past is prologue, then it’s not looking good for the customer. A recent VICE Motherboard investigation found, for example, that 3 of the top 4 network carriers in the U.S. routinely sell customer location data from mobile phones, thereby breaking U.S. law. And that’s even after some top political figures – such as Oregon Senator Ron Wyden – have emerged as very public critics of the big network carriers in the United States. In fact, according to VICE Motherboard, a vast network of 250+ data brokers, data aggregators, bail bondsmen, skiptracers and bounty hunters regularly tap into the location data stream produced by an average smartphone.
And it’s not particularly difficult or expensive, either, to get access to this location services data. One of the most notorious abusers of this data was a data seller known as CerCareOne that operated between 2012 and late 2017. Over that time, the data seller’s call center regularly offered up customer data to anyone willing to pay the price. One customer of the data seller, for example, made more than 18,000 data requests – enough to fill 450 pages of text. In some cases, CerCareOne was even selling assisted GPS (A-GPS) data, making it possible to find a user’s precise location within a building.
That type of sensitive information was only ever intended for emergency first responders as a public safety measure, but many in this shadowy network of data sellers (and data re-sellers) have figured out how to work the system to their advantage. In another undercover investigation, for example, VICE Motherboard found that some unscrupulous debt collectors and stalkers were impersonating law enforcement personnel or making emergency calls in order to get access to customer data. In one example, a debt collector looking to repossess a car impersonated a U.S. marshal, claiming he needed the information to prevent a kidnapping from taking place. Under these so-called “exigent circumstances,” network carriers are required to hand over the enhanced 911 location data. That creates a perfect loophole for scammers to get the data they need – all without paying any price at all for the data, and all in complete violation of U.S. law.
Holding the big telcos to their privacy promises
So what can be done to ensure that any enhanced 911 location data does not wind up in the wrong hands? To date, a policy of publicly shaming these companies has not worked. As soon as a big telco giant apologizes in public and promises that it will never happen again … it happens again. The FCC assessing big fines against the big telcos has had some effect, but privacy advocates argue that even more has to be done. The Electronic Frontier Foundation (EFF), for example, says that, “The scale of this abuse is outrageous,” and that regulatory or legislative action needs to be taken to address the core reasons for this abuse of location data. And, indeed, it does appear as if public momentum is growing for a government crackdown on rampant data selling and abuse of customer privacy by wireless carriers.