Mobile providers at center of privacy storm

Mobile providers at center of privacy storm
© iStock, The Hill illustration

Major wireless providers are facing new scrutiny into their privacy practices after a bombshell report sparked a public outcry and questions from lawmakers.

A story from tech news site Motherboard last week detailed how easy it is to track individuals with just a cellphone number using data aggregation companies. The report put a new spotlight on how wireless providers monetize their users’ real-time location data and set off a rush in the industry to abandon the practice and avoid new regulations.

Democratic lawmakers are questioning why the data practices were in place for so long and are pushing the Trump administration’s regulators to get serious about cracking down on the industry.

ADVERTISEMENT

Rep. Frank Pallone Jr.Frank Joseph PalloneHouse reaches deal on continuing resolution, vote expected Thursday Democrats hold first hearing in push for clean energy by 2050 EXCLUSIVE: Swing-state voters oppose 'surprise' medical bill legislation, Trump pollster warns MORE (D-N.J.), the new chairman of the House Energy and Commerce Committee, demanded that Republican Federal Communications Commission (FCC) Chairman Ajit Pai provide Congress with an emergency briefing and investigate the location-sharing agreements, writing in a letter that “the public can no longer rely on [the wireless industry’s] voluntary promises to protect this extremely sensitive information.”

“This briefing should explain why the Federal Communications Commission has yet to end wireless carriers’ unauthorized disclosure of consumers’ real-time location data and what actions the FCC has taken to address this issue to date,” Pallone wrote in his letter Friday. “An emergency briefing is necessary in the interest of public safety and national security, and therefore cannot wait until President TrumpDonald John TrumpTrump conversation with foreign leader part of complaint that led to standoff between intel chief, Congress: report Pelosi: Lewandowski should have been held in contempt 'right then and there' Trump to withdraw FEMA chief nominee: report MORE decides to reopen the government.”

Pai declined the request, with his staff telling Pallone on Monday the shutdown prevented a briefing because the issue did not involve a “threat to the safety of human life or property.”

Pallone countered that there was “nothing in the law that should stop the Chairman personally from meeting about this serious threat that could allow criminals to track the location of police officers on patrol, victims of domestic abuse, or foreign adversaries to track military personnel on American soil.”

Across the Capitol, Democratic senators also criticized the sale of customers’ location data.

“Wireless carriers are promising, yet again, to stop sharing Americans’ location data without their consent,” Sen. Ron WydenRonald (Ron) Lee WydenDefense bill talks set to start amid wall fight Hillicon Valley: Zuckerberg to meet with lawmakers | Big tech defends efforts against online extremism | Trump attends secretive Silicon Valley fundraiser | Omar urges Twitter to take action against Trump tweet Lobbying groups ask Congress for help on Trump tariffs MORE (D-Ore.) said on Twitter last week. “I’ll believe it when I see it. It’s not enough for these tech giants and their CEOs to lay blame for misuse and abuse of information on downstream companies.”

The telecom industry has largely avoided the tough questions on privacy practices that have dogged tech companies, in particular Silicon Valley’s social media giants. But following the Motherboard report, the mobile industry now finds itself grappling with the same questions about customer data in the public spotlight.

ADVERTISEMENT

In its report, Motherboard managed to track the location of a person’s T-Mobile phone after giving a bounty hunter $300 and a cell number. The location information had traveled through a chain of data aggregation companies, who buy and sell customer data. According to the report, T-Mobile shared its data with a data company called Zumigo. Zumigo in turn shared that with a firm called Microbilt, which sells data to different industries, including bounty hunters.

Wireless companies responded to the report and lawmakers’ concerns by vowing to end those practices.

T-Mobile reiterated an earlier promise to stop selling data to location aggregators and said it was finalizing those changes.

“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” a T-Mobile spokesperson said in a statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”

T-Mobile CEO John Legere said on Twitter that the company expects to finish cutting the data-sharing agreements by March.

AT&T also announced that it would stop selling location data to third parties.

“Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention,” an AT&T spokesman said in a statement. “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services — even those with clear consumer benefits.”

A spokeswoman for Sprint said it had terminated its contract with Zumigo for “not sufficiently protecting Sprint customer data in its relationship with” Microbilt. Verizon says it had already terminated its location-sharing agreements, with the exception of four roadside assistance companies.

But the industry’s critics are unlikely to be assuaged by those assurances, especially since a similar scandal bubbled up last year involving location data mined from providers.

Following major privacy scandals involving internet giants including Facebook and Google, momentum has grown for Congress to come up with the nation’s first comprehensive privacy law to crack down on the collection and sale of sensitive user information. But it is unclear if lawmakers are any closer to a framework that could pass both the Democratic House and GOP Senate.

Republicans have been comparatively quiet since the Motherboard story came out. A Senate Commerce Committee aide, though, told The Hill that data privacy would be a priority for the new chairman, Sen. Roger WickerRoger Frederick WickerHillicon Valley: Zuckerberg to meet with lawmakers | Big tech defends efforts against online extremism | Trump attends secretive Silicon Valley fundraiser | Omar urges Twitter to take action against Trump tweet Tech giants defend efforts against extremist content The 13 Republicans needed to pass gun-control legislation MORE (R-Miss.).

For now, Democrats are putting pressure on the FCC to investigate the industry and use its existing authority to crack down.

Pallone said Monday his committee would “continue to press the FCC to prioritize public safety, national security, and protecting consumers.”

Due to the shutdown, the FCC did not respond to a request for comment from The Hill.

Privacy advocates say that telecommunications companies are already prohibited from sharing information like real-time location data with third parties without their customers’ consent. They place the blame solely on the FCC for allowing the practice to fester.

“If there was an agency interested in living up to its mandate I don’t think you’d see this cascade of troubling scandals,” said Gaurav Laroia, a policy counsel at the consumer group Free Press.

A set of rules adopted by the FCC in 2007 gives the agency the authority to investigate “unauthorized disclosures” of personal information and take enforcement actions against carriers found to have not taken reasonable measures to protect such data.

“It’s not as if the commission has lost any power to do something about this, it’s just chosen to not exercise that power over the last couple of years,” Laroia said.

He added that until regulators act, the industry is unlikely to avoid monetizing its vast troves of user information.

“I don’t think these promises are worth very much,” he said. “We’ve been through this song and dance before.”

Lawmakers, too, are vowing to keep up pressure on the industry and on regulators, while continuing to push for legislation that would put the first real checks on the vast data collection industry.

“It’s not that people ‘don’t care about privacy,’ as some have argued – it’s that customers, along with policymakers, have been kept in the dark for years about data collection and commercialization practices,” Sen. Mark WarnerMark Robert WarnerSenate Democrats introduce legislation to limit foreign interference in elections Navy acknowledges footage of 'unidentified' flying objects California Law to rebuild middle class shows need for congressional action MORE (D-Va.) said in a statement. “Responsible federal agencies and the U.S. Congress should continue to hold hearings to shine a light on these practices and look at regulations to ensure companies are actually upfront with consumers about whether and how their sensitive data is being used and sold.”