Who Owns Your Real-Time Location Data?
Your mobile device's real-time location data is being sold and resold. Here’s what you can do about it.
Cyber + Co., No. 7
Today’s smartphone is thousands of times more powerful than the computer used by NASA to send astronauts to the moon. But this power comes at a cost. Our phones gather and transmit vast amounts of information about us. And that data is being treated as a product and being sold and resold.
Recently, news broke that all the major wireless carriers have been selling their customers’ real-time physical location to companies that, in turn, have been reselling this data to others, all without the customers’ consent.
Here’s a closer look at what’s been happening and what you can do about it.
What’s Been Happening
The four major wireless carriers—AT&T, Sprint, T-Mobile, and Verizon—each promise that they will not sell customers’ personal information without the customers’ consent. For some time, it seems that they’ve been breaking this promise.
The carriers have been selling, among other things, customers’ physical location to a variety of companies. One is LocationSmart. A data broker, LocationSmart describes itself as “the worldwide leader in geolocation services.” One of its products is software giving the user the physical location, in real time, of “more than 15 billion devices worldwide,” including “virtually any US-based mobile device.” (The company has since removed this information from its site, but it is still available on the Internet Archive.)
After buying your real-time location data (yes, if you have a cellphone, your data is being sold), LocationSmart resells the data to a variety of companies. Most are marketers and advertisers, who use the data to target ads based on location.
Other companies, however, have been buying the data for other reasons. And one of these is Securus Technologies. One of the nation’s largest prison phone companies, Securus has been reselling the data to law enforcement agencies. In practice, this has effectively eliminated the need to get a court order for this form of surveillance because, as Securus admitted to Senator Ron Wyden (D-Or.), it “takes no steps to verify that uploaded documents in fact provide judicial authorization for real-time location surveillance, or conduct any review of surveillance requests.”
Moreover, individual officers have been using the program not just to surveil inmates, suspects, and their families, but also (in at least one case) fellow law enforcement officers and judges.
On May 8, Senator Wyden demanded that the Federal Communications Commission investigate. In his letter to the FCC, Senator Wyden observed:
It is incredibly troubling that Securus provides location data to the government at all—let alone that it does so without a verified court order or other legal process. This clear abuse is only possible because wireless carriers sell their customers’ private information to companies claiming to have consumer consent without sufficiently verifying those claims.
First, Motherboard broke the news that Securus had been hacked and nearly 3,000 user credentials stolen (username, password, email address, and phone number).
The next day, Brian Krebs broke the news that LocationSmart was also inadvertently leaking the data. “Anyone with a modicum of knowledge about how Web sites work,” Krebs noted, could “figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.”
In short, real-time location data has not only been up for sale, but also exposed to those with mere rudimentary skills. So what can be done?
What You Can Do
“Right now,” as Brian Krebs pointedly observes, “to be free of constant tracking the only thing you can do is remove the SIM card from your mobile device.” That is, give up your cellphone. But giving up shouldn’t be the only option.
To create a viable alternative—one where you can use your cellphone without your location being sold and resold—change is necessary. And this change can come through at least three forces: (1) market-based actions; (2) legislative and regulatory actions; and (3) private enforcement actions.
The classical free market approach, in which companies’ behavior is modified through consumers’ purchasing decisions, and vice versa, maximizes freedom of choice and minimizes government intervention.
Here, however, applying direct market pressure isn't an option. You can't voice your dissatisfaction by switching carriers. They're all doing it. But applying less direct forms of market pressure, including raising public awareness and imposing reputation costs on the carriers, may be possible.
So if you have a problem with your carrier selling your real-time physical location without your permission, speak up. Talk to your family and friends. Tweet about it. Post about it. Or share this post.
Legislative and Regulatory Solutions
Seeking direct government intervention is another option. Indeed, given the current market concentration in the wireless carrier market, it is perhaps the most viable path forward. And although enacting bicameral legislation appears unlikely in today's political climate, regulatory action remains a distinct possibility.
Senator Wyden, as noted, has been leading the call for regulatory action. In a statement on May 18, Senator Wyden praised the FCC for opening an enforcement investigation, but cautioned:
The location aggregation industry has operated with essentially no oversight by the Federal Communications Commission. The only real surprise is that it took this long for the public to learn that the wireless carriers and their business partners were demonstrating such a total disregard for Americans’ privacy and safety. . . . The negligent attitude toward Americans’ security and privacy by wireless carriers and intermediaries puts every American at risk.
Senator Mark Warner (D-Va) added in a statement to Krebs Security, “This is one of many developments over the last year indicating that consumers are really in the dark on how their data is being collected and used.” He continued: “It’s more evidence that we need 21st century rules that put users in the driver’s seat when it comes to the ways their data is used.”
If you agree with Senators Wyden and Warner, speak up. Talk to your family and friends about the issue. Call or write to your elected representatives and share your views.
Private Enforcement Solutions
Finally, in appropriate cases, it may be possible for aggrieved consumers to bring claims themselves, either individually or as a class. Theories of relief might include, among others, breach of contract, breach of implied contract, violations of state consumer protection statutes, unjust enrichment, and invasion of privacy (intrusion upon seclusion).
The carriers, however, have effectively immunized themselves from the risk of class actions (through mechanisms discussed here). And the costs of pursuing the claims on an individual basis may well be irrationally expensive, absent evidence of significant, concrete economic injury.
And although the companies that purchased the data may not have immunized themselves from the risk of collective actions, they have a variety of other potential defenses, including standing, privity, duty, and proximate causation, among others.
So while private enforcement actions may be possible in appropriate cases, they will likely face significant challenges.
Who owns your real-time location data is actually at least three related questions.
On one level, it's a factual question—an investigation into how the data flows. And recently, we've learned that this flow extends farther than previously assumed, though exactly how much farther remains an open question.
At another level, it's a legal question—an inquiry into whether the carriers have the right to sell the data, and the purchasers to buy the data, and if so, what conditions (if any) must be satisfied before the data can be lawfully bought and sold.
And at a still deeper level rests a fundamental policy question. Here, the title of the post gives away this author's ideological priors (it's your real-time location data). But as a technical matter, the answer is of course more complex (for a sampling on the related issue of data portability, see here and here). But a look into this deeper question will have to wait for another post.
About Cyber + Co.
Cyber + Co. covers the intersection of cybersecurity and the law for companies and consumers.
About the Author
Tom Cummins is the founder of Potomac Litigation. He has deep experience assisting clients in some of history’s largest data breaches, as well as a host of other cybersecurity incidents.