Following last month's revelations of privacy violations, mobile carriers have been shamed into taking action.
Following pressure from US Senator Ron Wyden, the four major mobile network operators in the United States have pledged to stop selling location data to third parties. The practice had come under a high level of scrutiny following separate incidents of third parties leaking the data due to poor security practices.
Last month, a report indicating that Securus--a company that provides smartphone tracking tools for US law enforcement--was hacked, with thousands of pieces of data including account credentials leaked. While Securus focused on the law enforcement market, the backend service provider of that company was LocationSmart, according to a ZDNet report.
One day later, an unsecured product demo on LocationSmart's website was discovered, which allowed any user to find the location of any mobile phone without authenticating in any way. Critically, the demo has no protection against users directly interacting with the backend API, potentially allowing malicious users to access the location of users. At the time, LocationSmart claimed to have access to the four major US carriers, as well as US Cellular, and the Canadian carriers Bell, Rogers, and Telus.
While the four major carriers have apparently pledged to stop this data sharing, the timeline of these commitments is somewhat peculiar, and seems to be made possible by peer pressure. Sen. Wyden's office recently released a letter from Verizon's Chief Privacy Officer Karen Zacharia, which stated in part that the company has "decided to end our current location aggregation arrangements with LocationSmart and Zumigo," but that "this termination, however, must be completed in careful steps so as not to disrupt beneficial services being provided using customer location data."
Verizon concluded the letter stating that the company "will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers' location data."
That statement was released alongside commentary from Sen. Wyden that said: "AT&T, T-Mobile, and Sprint seem content to continue to sell their customers' private information to these shady middle men, Americans' privacy be damned," alongside letters from representatives from those companies indicating that the sale of location data would continue.
SEE: Information security policy (Tech Pro Research)
Hours after this was released publicly, AT&T was the first to back away from this position, telling Ars Technica that "Our top priority is to protect our customers' information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance."
Similarly, following the publication of Ars' story on the matter, Sprint announced that they would also be discontinuing the practice, though representatives indicated that it will "take some time in order to unwind services to consumers," mirroring the position of Verizon and AT&T, though Sprint claims that it stopped providing data to LocationSmart on May 25th.
The last holdout was T-Mobile--despite their posturing as a pro-consumer company. The statement provided to Sen. Wyden by VP of Federal Legislative Affairs Anthony Russo noted that the firm "will continue to monitor our program and take appropriate steps to ensure that our customers can receive the location-based services they desire in a manner that is consistent with applicable law," which clearly indicates that no plans existed to cut off access in the way that Verizon clearly stated at the outset.
In a staggeringly tone-deaf tweet, T-Mobile USA CEO John Legere indicated:
Sounds like word hasn't gotten to you, @ronwyden. I've personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen. Your consumer advocacy is admirable & we remain committed to consumer privacy. https://t.co/UPx3Xjhwog
-- John Legere (@JohnLegere) June 19, 2018
This falls very short of being a clear plan to cut off access.
A screenshot tweeted by Jon Brodkin of an update to his article at Ars Technical indicates that T-Mobile's PR team told Wyden's office that the company "ended all transmission of customer data to Securus and will wind down our location aggregator agreements," though that passage was missing from the live version of the article at the time of this article's publication. Sen. Wyden did subsequently tweet that "every major wireless carrier says they will cut ties with the middlemen who sell your location information."
Executives who lead companies that work with such data should take notice of the move made by these four major US carriers, as it fundamentally shifts a major revenue stream away from the business. Company leaders should work with legislators and regulators often, and early, and make sure they address user concerns with certain aspects of their business model. This could help them stay on top of changing trends in data use and prevent them from having to make a massive shift in their business without a backup plan.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Verizon was the first mobile network operator to announce an end to the mobile location data sharing program, though AT&T, Sprint, and T-Mobile followed shortly thereafter.
- LocationSmart, the vendor of the recently hacked Securus, had an unsecured API on their website that allowed malicious users to track any phone in the US or Canada.
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- Is the Indian government developing a tool for mass surveillance of its citizens? (ZDNet)
- EU General Data Protection Regulation (GDPR): A cheat sheet (TechRepublic)
- MysteryBot: Android malware delivers keylogger and ransomware (ZDNet)
- 8 biggest risk factors for company-owned mobile devices and how to avoid them (TechRepublic)