Wireless Carriers Hope You Won't Notice Their Location Data Scandal Makes The Facebook, Cambridge Fracas Look Like Amateur Hour

from the ill-communication dept

When the Facebook, Cambridge Analytica scandal broke, we noted that however bad you thought that scandal was (and it certainly was bad), it couldn't hold a candle to the routine privacy abuses that have occurred in the telecom sector for the better part of the last few decades. From charging consumers hundreds of additional dollars annually to opt out of snoopvertising, to the use of private user financial data to justify providing even worse customer service, the broadband industry has long been the poster child for privacy abuses without much in the way of practical public penalty.

It's just as bad on the wireless side, where carriers like Verizon have routinely been caught modifying user data packets to track users around the internet (without telling them or providing opt out tools), and selling user browsing, app-usage and location data to everyone that comes calling. That's before you even touch on the fact that these companies are practically bone grafted to the NSA and other intelligence services.

As such, we noted how if you were part of the #DeleteFacebook set but were still rolling around using a stock phone on an incumbent carrier network, you failed to understand that Facebook's casual treatment of private consumer data was the cross-industry norm, not some errant exception.

The LocationSmart and Securus scandals (which exposed the data of 200 million cell users) quickly proved our point. Thanks to lax handling of private location data by cellular carriers and third-party brokers, those scandals quickly highlighted how anonymized data isn't really anonymous, and that this data can be, and routinely is, abused by everybody in this chain of dysfunction (including law enforcement). Oddly, even in the wake of those reports, people still seemed to view the Cambridge, Facebook fracas as somehow far more scandalous, most likely because of that particular story's political undertones.

Clearly hoping to get ahead of the scandal before the press, public and regulators realized the depths of this particular rabbit hole, Verizon proclaimed that the company would be ending all sales of location data to third party data brokers. The company announced the decision (pdf) in a letter responding to inquiries by Senator Ron Wyden, who had begun to apply some pressure on mobile carriers. From the letter:

"We conducted a comprehensive review of our location aggregator program. As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices."

Verizon announced it would be suspending all data sales to location data brokers like LocationSmart and Zumigo, which the company acknowledged sold that data in turn to a roster of more than 75 different companies. And, in short, it's promising to suspend such data sales at least until it can ensure that data is actually secure (what an incredibly novel idea). Who'll actually confirm this data is secure before the program is restarted isn't clear; you'll apparently just have to trust a company with a several-decades history of severe privacy violations and blatant false statements.

Like the Facebook scandal, there wasn't much in place to really ensure that often real-time data remained protected, something made clear when the LocationSmart scandal revealed that one Missouri Sheriff routinely (ab)used the system to spy on Judges and fellow law enforcement officers without much legitimate justification (or pesky warrants). In subsequent statements to the press, Verizon has tried to argue that the company quickly took steps to thwart the abuse:

"When these issues were brought to our attention, we took immediate steps to stop it. Customer privacy and security remain a top priority for our customers and our company. We stand-by that commitment to our customers."

But again, this was Verizon only acting after the horses escaped from the barn, suggesting that no, privacy and security were not a top priority. If Verizon's self-auditing was so stellar, it seems curious it never self-identified the potential for the kind of abuse the LocationSmart and Securus scandals revealed. Or the self-audits did reveal problems, but the money made from selling this data made actually fixing them a low priority. Knowing Verizon pretty well, it seems clear it wouldn't be taking this kind of financial hit if its lawyers didn't realize the company was potentially facing some pretty steep penalties here.

One of the key problems in location and other data sharing is that wireless cell carriers have found a way to effectively operate outside any meaningful privacy guidelines by perpetually passing the onus for user consent down a long line of location data aggregators. Blake Reid, an associate clinical professor at the University of Colorado School of Law, perfectly captures the problem in comments made to Brian Krebs:

"The carriers basically have arrangements with these location aggregators that contractually say, 'You agree not to use this access we provide you without getting customer consent'," Reid said. "Then that aggregator has a relationship with another aggregator, and so on. So what we then have is this long chain of trust where no one has ever consented to the provision of the location information, and yet it ends up getting disclosed anyhow."

Verizon's obviously trying to pre-empt privacy regulation before we collectively realize current oversight makes the wild west seem downright domesticated. The company has long fought tooth and nail against any kind of consumer privacy protections, stating back in 2008 that federal privacy rules aren't necessary because "public shame" would keep the company honest. More recently, Verizon successfully lobbied the FCC to kill modest broadband privacy rules that would have prevented precisely this kind of scandal from happening by requiring greater transparency -- and that users opt-in to more sensitive data sharing.

None of that is to say that regulatory action is the only solution here, or that this particular Congress could even accomplish such a task. But it's also pretty clear that sooner or later, the pinky swears and winks currently passing for oversight of the telecom sector's treatment of your private data aren't going to quite cut it.

Shortly after Verizon's announcement, AT&T stated that it too had suspended location data sales to third-party brokers (for all the same reasons). Sprint followed suit. T-Mobile, which cultivates a reputation as a more consumer-friendly wireless carrier, belatedly brought up the rear, initially likely wary of highlighting any missteps as it seeks regulatory approval for its looming competition-eroding megamerger. But again, most of these promises were somewhat murky in scope (T-Mobile's promise to improve, for example, was entirely devoid of substance and somehow never reached Wyden's office).

With this data having bounced around so many partners with so little transparency or oversight, you can be pretty sure we haven't heard the end of this story. And while wireless carriers would very much like the public and press to believe that they've fixed the privacy problems that plague the telecom sector, several decades of evidence to the contrary -- and the press and public's general tone deafness to the scope of this particular problem -- suggest any meaningful reckoning is still likely some time away.
