Some privacy groups claim Big Telecom violated existing privacy laws by sharing users’ location data — and they want the Federal Communications Commission to fine them for it.
Following a bombshell report from Motherboard in January detailing how the Big Four (AT&T, Sprint, T-Mobile and Verizon) sold and shared their users’ location data with bounty hunters and third-party advertisers, members of Congress called on the FCC to investigate and penalize the mobile carriers if they broke the law.
In May, Democrat Commissioners Jessica Rosenworcel and Geoffrey Starks told the House Energy and Commerce Committee they’ve received no updates from Chairman Ajit Pai (a Republican) on the status of the investigation. Pai told the committee he could not comment on the “pending law enforcement investigation.”
On May 15, the Big Four sent letters to Rosenworcel saying they’d phased out their location-data-sharing program and no longer shared or sold their users’ location data.
But now, privacy groups including the Center on Privacy and Technology at Georgetown Law, the Samuelson-Glushko Technology Law & Policy Clinic (TLPC) at Colorado Law, the Open Technology Institute and Free Press say the Big Four definitely broke the law by not obtaining consent from consumers before sharing or selling their data, and by not protecting users’ “confidential data.”
“When you sign up for wireless service you may realize that your provider has to be able to know where you are so that it can serve you,” the Georgetown Center on Privacy and Technology’s Executive Director Laura Moy said. “What you don’t expect is for your provider to sell your location data to anyone with your phone number and a few dollars to spend.”
According to an informal complaint filed with the FCC, the Big Four violated Sections 222 and 201(b) of the Communications Act.
“The Carriers’ actions have threatened public safety, contrary to Congress’ directive that the Commission ensure communications networks promote safety of life and property,” the groups state in the complaint. “The Carriers’ improper disclosure of location information enabled stalkers, people posing as police officers, debt collectors, and others to take advantage and find unwitting individuals. Furthermore, it is likely that abuses of location data have disproportionately impacted disadvantaged and marginalized communities.”
While bad enough to sell and share location data to bounty hunters, the complaint explains how the mobile carriers put many users in harm’s way by making their locations so freely available.
“According to at least one widely cited national privacy survey, Americans consider location to be more sensitive than almost any other category of information apart from Social Security numbers,” the groups said. “Some bounty hunters allegedly use the data to track individuals they know personally. Stalkers, harassers, and other people meaning to do harm to others often turn to tracking wireless devices where they can. The Commission should not condone this behavior, and must stamp it out where it can.”
This concern, the complaint adds, is not hypothetical.
“Victims of domestic violence have been harmed by sharing of location data,” according to the complaint. “John Letcher Edens was convicted of aggravated stalking and harassing phone calls after violating a temporary protective order to contact his ex-wife for the purpose of harassing and intimidating her. Edens’ ‘victimization of others extended beyond fraudulently obtaining individuals private location information and using that information to find those individuals.’ Edens called another victim three or four times a day, ‘came to [her] home [at] all hours of the night[,] and showed up at [her] place of employment.'”
The most damning element of the complaint is that mobile carriers did not obtain consent from users before sharing their location data, so no one had a chance to opt-out. According to the complaint, the mobile carriers basically enabled abuse.
“When location information is shared without consent, the opportunity for abusers to leverage this information for menacing purposes becomes even more acute,” the groups argued.
Free Press Policy Counsel Gaurav Laroia said in a tweet Monday morning that the FCC has a legal obligation to address privacy concerns with mobile carriers.
“Once again – sharing that information with *bounty hunters* and people impersonating cops – in violation of the law!” Laroia said. “This put people are serious risk of harm and threatened public safety which the @FCC is duty (and legally) bound to protect. #privacy.”
At the House Energy & Commerce hearing in May, Rep. Mike Doyle (D-Penn.) accused the FCC of not doing enough to address the issue.
‘This committee expects you to do more than just sit on your hands,” he said.
The CTIA and the FCC did not respond to requests for comment Monday.