We've noted a few times now that while Facebook gets a lot of justified heat for its privacy scandals, the stuff going on in the cellular data and app market in regards to location data makes many of Facebook's privacy issues seem like a grade-school picnic. That's something that was pretty well highlighted by the recent Securus and LocationSmart scandals, which showcased perfectly how cellular carriers and location data brokers routinely buy and sell your daily travel habits with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards.
This week, Joseph Cox at Motherboard dropped yet another bombshell report on this subject, noting how he was easily able to pay a bounty hunter $300 to obtain the (supposedly) private location data collected by his cellular provider (T-Mobile). Much like the Securus scandal, the problem once again is the countless location data brokers and third party vendors which are being sold this data, then doing pretty much whatever they'd like with it. In this instance, his data was collected by T-Mobile, shared with brokers and aggregators like Microbilt and Zumingo, then in turn shared with bail bond outfits and private investigators:
"Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt’s “Mobile Device Verify” product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service."
Cellular carriers make a small fortune collecting and selling this data, and there's virtually no oversight of the practice. Consumers often sign one privacy agreement with their cellular provider, which in turn is then broadly interpreted as a green light down a long road of companies which then collect and sell that data in turn. As we saw with the Securus scandal (when a local Sheriff was busted snooping on the private cellular location data of Judges and fellow law enforcement officers), everybody in this chain of dysfunction likes to play stupid when the problem repeatedly comes to light. The same thing occurred here:
“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” A T-Mobile spokesperson told Motherboard in an emailed statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”
When the NY Times broke the Securus scandal story last year, cellular carriers all played stupid, insisted they'd ceased the sale of such data, and breathlessly assured everybody that this behavior wouldn't happen again. When Senator Ron Wyden complained, you might recall that T-Mobile CEO John Legere took to Twitter at the time to insist he'd learned the error of his ways:
Sounds like word hasn’t gotten to you, @ronwyden. I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen. Your consumer advocacy is admirable & we remain committed to consumer privacy. https://t.co/UPx3Xjhwog
— John Legere (@JohnLegere) June 19, 2018
Needless to say, Wyden, who has been pushing new privacy legislation, isn't particularly impressed:
After I exposed these dangerous practices last year, several carriers, including @tmobile’s CEO @JohnLegere told me point blank that his company would stop selling customer location data to shady third parties. https://t.co/JSASCP2PWH
— Ron Wyden (@RonWyden) January 8, 2019
If you were an industry hoping to avoid government regulation of your business, you'd think you'd be a little more cautious in the way you treat private data. But as we've noted countless times, this kind of cavalier treatment of private data is the norm for telecom. From hoovering up your clickstream data to covertly modifying data packets to track you around the internet, telecom has long played fast and loose with consumers' private data. Some have even flirted with the idea of only seriously respecting your privacy if you pay an additional fee, effectively making consumer privacy a luxury feature.
So while broadband giants will surely whine incessantly during the looming quest to pass some meaningful rules of the road, it's worth remembering they had ample opportunities, over decades, to avoid stricter government intervention by adopting better, more ethical business practices. It's also worth reminding folks that ISPs lobbied furiously to convince the GOP to kill some fairly basic privacy protections at the FCC that would have required ISPs clearly inform users who is buying and selling this data, giving users a little more control over how it was shared.
And it's also worth noting that even without legislation or those rules, the FCC still has Section 222 authority to police this kind of behavior. While the FCC's privacy rules were killed, mobile carriers are still subject to CPNI rules for voice calls, which were expanded in 2005 to include subscriber location information. The bottom line is that the Ajit Pai FCC could easily address this problem using the authority it has now, they've just chosen not to because it might just hurt telecom revenues. The FTC could also probably ding T-Mobile for being "unfair and deceptive" under Section 5 of the FTC act, yet has been similarly mute as carriers bullshit their way around their failures on this front.
All of that said, there's countless folks who think they're taking meaningful steps to protect their privacy by deleting Facebook (or on-phone apps), yet are oblivious to the perils of walking around with a stock carrier phone in their pocket. It might be time to stop being quite so collectively naive about US privacy practices if we're going to have a serious (and undeniably difficult) adult conversation on what privacy rules of the road should look like. One thing we can probably mostly agree upon: this practice of hoovering up your every move and selling it to an ocean of companies with little to no real attempt to protect it is behavior we need to change, one way or another.