Wireless Carriers Busted Sharing User 911 Location Data

from the bottomless-well-of-dysfunction dept

Recent scandals involving companies like Securus and LocationSmart made it clear that cellular carriers are collecting and selling an ocean of user location data without any meaningful oversight. Several reports have highlighted how that data is then being routinely abused by everybody from ethically dubious local Sheriffs to bounty hunters. Subsequent investigations have shown how easy it is for bounty hunters and others to access this data, and how the FCC under several administrations has failed utterly to hold cellular carriers and data brokers accountable for any of it.

This week, Motherboard exposed another location data scandal with a report highlighting how cellular carriers are also selling private user A-GPS data to companies that aren’t supposed to have access to it. A-GPS, or assisted GPS, involves using a device’s onboard GPS chip as well as cellular network data to more quickly and precisely determine a user’s location. Wireless industry filings with the government indicate this data can pinpoint a user’s location indoors up to 50 meters; more precisely if a device’s MAC and Bluetooth data are also utilized.

Motherboard’s investigation focused specifically on a now-defunct location data broker by the name of CerCareOne, which had been selling cellular user location data, including A-GPS data, as recently as 2017. As with the other scandals, this scandal involves a universe of shady middlemen who buy and sell an ocean of such data, often without carriers understanding (or bothering to understand) how widespread the practice had become:

“Like with the companies involved in Motherboard’s previous investigation, CerCareOne’s real-time location data trickled down first from telecom companies, and then to a so-called location aggregator called Locaid. From there, Locaid sold that data access to a number of different companies, including CerCareOne, which in turn sold it to its own clients. Locaid was purchased by a company called LocationSmart in 2015. The documents Motherboard obtained indicate that LocationSmart continued to sell data to CerCareOne after it obtained Locaid, and LocationSmart confirmed that to Motherboard.”

The scale of the data collection was… not subtle:

“CerCareOne’s phone tracking service was not a one-off tool for bounty hunters and bail agents. A list of a particular customer’s phone pings obtained by Motherboard stretches on for around 450 pages, with more than 18,000 individual phone location requests in just over a year of activity. The bail bonds firm that initiated the pings did not respond to questions asking whether they obtained consent for locating the phones, or what the pings were for.

Another set of data is more than 250 pages long and covers around 10,000 phone pings. Another list of a different bounty hunter’s activity includes nearly 1,000 phone location requests in less than a year; a third details more than 4,500 pings.”

The irony in this instance is that the FCC had crafted rules to specifically address this problem. Back in 2015 as the FCC was contemplating some new rules for enhanced 911 services, a coalition of privacy and consumer groups (including Public Knowledge, the EFF, and the ACLU) had written the agency warning that A-GPS and other granular data specifically used to aid in pinpointing 911 caller location (especially indoors) created the potential for some major privacy issues:

“The development of highly-precise location technologies designed to comply with the new regulations will raise a host of privacy concerns that have not been sufficiently addressed in the E911 proceeding. Public safety should not come at the expense of consumer privacy—nor should it have to.”

The FCC obliged, and in 2017 finalized rules with carrier approval that specifically stated that this kind of A-GPS data should never be used for any purpose other than tracking user location for emergency services:

“CMRS providers must certify that they will not use the NEAD or associated data for any non-911 purpose, except as otherwise required by law.”

Many carriers claim to have completely stopped sharing this and other forms of location data with data brokers or anybody else. But it’s going to take a comprehensive investigation to not only confirm that, but also to confirm that they’re not currently engaging in even worse behavior. Especially since every time we think we’ve gotten to the bottom of this scandal, the floor drops out, revealing countless additional layers beneath.

Even with Ajit Pai’s efforts to neuter FCC authority over ISPs, I’ve spoken to at least four telecom and privacy experts who say the FCC very clearly has the authority and responsibility to stop this sharing of private data, they’ve just chosen not to — despite the fact the agency had the foresight to craft rules specifically designed to stop this from happening.

Companies: cercareone


Comments on “Wireless Carriers Busted Sharing User 911 Location Data”

Anonymous Coward says:

If the data being shared was of the hierarchy at the various telecoms companies, for example, Pai would be falling over himself to stop it from happening! Like he was told last week, he is obviously and deliberately favoring these and other companies over the public instead of doing his job of protecting the public! He needs to not only be sacked but held accountable for what he has done/is doing and then taken to court!

Rocky says:

Re: They can tell if you're in the shower or on the toilet

Depending on the structure you are in, the GPS may not have a lock on enough satellites to get an accurate position; it’s not uncommon that the accuracy drops to several hundred meters if not more.

If they use information from WiFi and Bluetooth to complement the GPS you can increase the accuracy to around 50 meters in those cases.

Outdoors with a good lock on several satellites the accuracy can be around 30 cm.

The article wasn’t real clear about the caveats surrounding the figures.

Anonymous Coward says:

FCC is broken

the FCC very clearly has the authority and responsibility

Legislators are saying the FCC should put a stop to this. But we all know the FCC is currently broken. Don’t let your legislators off the hook by letting them point to the FCC — telling you that it’s up to that dysfunctional agency.

Congress has the authority, and it’s up to Congress to use it.

We need some law to get results.

Call your representatives. Write your senators. It’s time to quit trying to pass the buck. It’s time to quit pointing the finger at the broken FCC. Congress needs to act on this.
