Cell Phone Carriers Are Secretly Selling Your Real-Time Location Data

Four of the country's largest cellular providers have been selling your real-time location information, allowing a Texas-based prison technology company, Securus, to track any phone "within seconds," without a warrant.  The system uses data sold by AT&T, Sprint, T-Mobile, Verizon and other carriers - who provide it through an intermediary called LocationSmart. 

The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show. -New York Times

Last week Sen. Ron Wyden (D-OR) sent a letter to the FCC demanding an investigation into Securus, after the New York Times revealed that former Mississippi County sheriff Cory Hutcheson used the service almost a dozen time to track the phones of other officers, and even targeted a judge. 

Between 2014 and 2017, the sheriff, Cory Hutcheson, used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. Mr. Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases. -NYT

Hutcheson has pleaded not guilty to charges of unlawful surveillance. 

How did this happen?

How is it that LocationSmart obtained real time location data on millions of Americans? Moreover, who else has access to that information?

Kevin Blankston, director of New America's Open Technology Institute told ZDNet in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It does not restrict carriers from disclosing information to other companies - a loophole Blankston calls "one of the biggest gaps in US privacy law.

"The issue doesn't appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this," he said.

LocationSmart, a California-based technology company, is one of a handful of so-called data aggregators. It claimed to have "direct connections" to cell carrier networks to obtain real-time cell phone location data from nearby cell towers. It's less accurate than using GPS, but cell tower data won't drain a phone battery and doesn't require a user to install an app. Verizon, one of many cell carriers that sells access to its vast amounts of customer location data, counts LocationSmart as a close partner. -ZD Net

LocationSmart boasts coverage of 85 percent of the country due to its relationships with major US carriers - including Virgin, Boost, MetroPCS and US Cellular, along with Canadian providers Rogers, Telus and Bell.

We utilize the same technology used to enable emergency assistance and this includes cell tower and cell sector location, assisted GPS and cell tower trilateration," said a case study on the company's website.

"With these location sources, we are able to locate virtually any US based mobile devices," the company claimed. The precise location of a target can be returned in as little as 15 seconds, according to a different study.

LocationSmart sells its data to companies for all sorts of reasons. In some instances it's used to help local businesses send marketing text messages to customers visiting rival stores. In others, location data can be used by companies to track deliveries or shipments - or allow banks to track fraud if a person is making suspicious transactions within close proximity of each other. 

LocationSmart also said it allows some customers to obtain "implied" consent, used on a case-by-case basis, when "the nature of the service implies that location will be used." The company said one example could be when a stranded motorist calls roadside assistance, and the event implies the person is "calling to be found."

The company says it has access to location data "because privacy is built into its cloud-based platform." That said, Securus was able to return real-time location data on users without a warrant, or even without a user opting-in. 

ZDNet reached out to carriers for comments. What follows is their responses:

Sprint spokesperson Lisa Belot said the company shares personally identifiable location data "only with customer consent or in response to a lawful request such as a validated court order from law enforcement."

The company's privacy policy, which governs customer consent, said third-parties may collect customers' personal data, "including location information."

Sprint said the company's relationship with Securus "does not include data sharing," and is limited "to supporting efforts to curb unlawful use of contraband cell phones in correctional facilities."

When asked the same questions, Verizon spokesperson Rich Young provided a boilerplate response regarding Securus and would not comment further.

"We're still trying to verify their activities, but if this company is, in fact, doing this with our customers' data, we will take steps to stop it," he said.

AT&T spokesperson Jim Greer said in a statement: "We have a best practices approach to handling our customers' data. We are aware of the letter and will provide a response." Our questions were also not answered.

A spokesperson for T-Mobile did not respond by our deadline.

"It's important for us to close off that potential loophole and that can easily be done with one line of legislative language," said Bankston, "which would also have the benefit of making every other company careful about always getting consent before disclosing your data to anyone."

Senator Wyden has called on each carrier to stop sharing data with third parties - arguing that it "skirts wireless carriers' legal obligation to be the sole conduit by which the government may conduct surveillance of Americans' phone records."