Mobile providers at center of privacy storm

Mobile providers at center of privacy storm
© iStock, The Hill illustration

Major wireless providers are facing new scrutiny into their privacy practices after a bombshell report sparked a public outcry and questions from lawmakers.

A story from tech news site Motherboard last week detailed how easy it is to track individuals with just a cellphone number using data aggregation companies. The report put a new spotlight on how wireless providers monetize their users’ real-time location data and set off a rush in the industry to abandon the practice and avoid new regulations.

Democratic lawmakers are questioning why the data practices were in place for so long and are pushing the Trump administration’s regulators to get serious about cracking down on the industry.

ADVERTISEMENT

Rep. Frank Pallone Jr.Frank Joseph PalloneMcConnell, Kaine introduce bill to raise tobacco purchasing age from 18 to 21 The Hill's Morning Report - Presented by Pass USMCA Coalition - Restrictive state abortion laws ignite fiery 2020 debate Work on surprise medical bills goes into overdrive MORE (D-N.J.), the new chairman of the House Energy and Commerce Committee, demanded that Republican Federal Communications Commission (FCC) Chairman Ajit Pai provide Congress with an emergency briefing and investigate the location-sharing agreements, writing in a letter that “the public can no longer rely on [the wireless industry’s] voluntary promises to protect this extremely sensitive information.”

“This briefing should explain why the Federal Communications Commission has yet to end wireless carriers’ unauthorized disclosure of consumers’ real-time location data and what actions the FCC has taken to address this issue to date,” Pallone wrote in his letter Friday. “An emergency briefing is necessary in the interest of public safety and national security, and therefore cannot wait until President TrumpDonald John TrumpThe Hill's Morning Report - White House, Congress: Urgency of now around budget GOP presses Trump to make a deal on spending Democrats wary of handing Trump a win on infrastructure MORE decides to reopen the government.”

Pai declined the request, with his staff telling Pallone on Monday the shutdown prevented a briefing because the issue did not involve a “threat to the safety of human life or property.”

Pallone countered that there was “nothing in the law that should stop the Chairman personally from meeting about this serious threat that could allow criminals to track the location of police officers on patrol, victims of domestic abuse, or foreign adversaries to track military personnel on American soil.”

Across the Capitol, Democratic senators also criticized the sale of customers’ location data.

“Wireless carriers are promising, yet again, to stop sharing Americans’ location data without their consent,” Sen. Ron WydenRonald (Ron) Lee WydenIRS audit rate down in fiscal 2018 Oregon man sentenced after threatening to chop off Dem senator's tongue House to vote on retirement bill next week MORE (D-Ore.) said on Twitter last week. “I’ll believe it when I see it. It’s not enough for these tech giants and their CEOs to lay blame for misuse and abuse of information on downstream companies.”

The telecom industry has largely avoided the tough questions on privacy practices that have dogged tech companies, in particular Silicon Valley’s social media giants. But following the Motherboard report, the mobile industry now finds itself grappling with the same questions about customer data in the public spotlight.

ADVERTISEMENT

In its report, Motherboard managed to track the location of a person’s T-Mobile phone after giving a bounty hunter $300 and a cell number. The location information had traveled through a chain of data aggregation companies, who buy and sell customer data. According to the report, T-Mobile shared its data with a data company called Zumigo. Zumigo in turn shared that with a firm called Microbilt, which sells data to different industries, including bounty hunters.

Wireless companies responded to the report and lawmakers’ concerns by vowing to end those practices.

T-Mobile reiterated an earlier promise to stop selling data to location aggregators and said it was finalizing those changes.

“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” a T-Mobile spokesperson said in a statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”

T-Mobile CEO John Legere said on Twitter that the company expects to finish cutting the data-sharing agreements by March.

AT&T also announced that it would stop selling location data to third parties.

“Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention,” an AT&T spokesman said in a statement. “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services — even those with clear consumer benefits.”

A spokeswoman for Sprint said it had terminated its contract with Zumigo for “not sufficiently protecting Sprint customer data in its relationship with” Microbilt. Verizon says it had already terminated its location-sharing agreements, with the exception of four roadside assistance companies.

But the industry’s critics are unlikely to be assuaged by those assurances, especially since a similar scandal bubbled up last year involving location data mined from providers.

Following major privacy scandals involving internet giants including Facebook and Google, momentum has grown for Congress to come up with the nation’s first comprehensive privacy law to crack down on the collection and sale of sensitive user information. But it is unclear if lawmakers are any closer to a framework that could pass both the Democratic House and GOP Senate.

Republicans have been comparatively quiet since the Motherboard story came out. A Senate Commerce Committee aide, though, told The Hill that data privacy would be a priority for the new chairman, Sen. Roger WickerRoger Frederick WickerSenate Republicans running away from Alabama abortion law Hillicon Valley: Trump takes flak for not joining anti-extremism pact | Phone carriers largely end sharing of location data | Huawei pushes back on ban | Florida lawmakers demand to learn counties hacked by Russians | Feds bust 0M cybercrime group Senate Commerce chair to renew push for regs on self-driving vehicles MORE (R-Miss.).

For now, Democrats are putting pressure on the FCC to investigate the industry and use its existing authority to crack down.

Pallone said Monday his committee would “continue to press the FCC to prioritize public safety, national security, and protecting consumers.”

Due to the shutdown, the FCC did not respond to a request for comment from The Hill.

Privacy advocates say that telecommunications companies are already prohibited from sharing information like real-time location data with third parties without their customers’ consent. They place the blame solely on the FCC for allowing the practice to fester.

“If there was an agency interested in living up to its mandate I don’t think you’d see this cascade of troubling scandals,” said Gaurav Laroia, a policy counsel at the consumer group Free Press.

A set of rules adopted by the FCC in 2007 gives the agency the authority to investigate “unauthorized disclosures” of personal information and take enforcement actions against carriers found to have not taken reasonable measures to protect such data.

“It’s not as if the commission has lost any power to do something about this, it’s just chosen to not exercise that power over the last couple of years,” Laroia said.

He added that until regulators act, the industry is unlikely to avoid monetizing its vast troves of user information.

“I don’t think these promises are worth very much,” he said. “We’ve been through this song and dance before.”

Lawmakers, too, are vowing to keep up pressure on the industry and on regulators, while continuing to push for legislation that would put the first real checks on the vast data collection industry.

“It’s not that people ‘don’t care about privacy,’ as some have argued – it’s that customers, along with policymakers, have been kept in the dark for years about data collection and commercialization practices,” Sen. Mark WarnerMark Robert WarnerOvernight Defense: Congressional leaders receive classified briefing on Iran | Trump on war: 'I hope not' | Key Republican calls threats credible | Warren plan targets corporate influence at Pentagon Key Republican 'convinced' Iran threats are credible Hillicon Valley: Trump takes flak for not joining anti-extremism pact | Phone carriers largely end sharing of location data | Huawei pushes back on ban | Florida lawmakers demand to learn counties hacked by Russians | Feds bust 0M cybercrime group MORE (D-Va.) said in a statement. “Responsible federal agencies and the U.S. Congress should continue to hold hearings to shine a light on these practices and look at regulations to ensure companies are actually upfront with consumers about whether and how their sensitive data is being used and sold.”