Why Is It OK for Cellphone Companies to Sell Your Location Data to Third Parties?

We shouldn’t be complacent about this.

Person with a cellphone with location tracking on, allowing their data to be collected and sold.
Photo illustration by Slate. Photo by SIphotography/iStock.

Last week, we learned that AT&T, Verizon, Sprint, and T-Mobile were all sending their users’ location data to a firm called LocationSmart. That information was so poorly secured that a Carnegie Mellon security researcher was able to pinpoint the location of just about anyone in the U.S. with a cellphone and wireless service. Although this hasn’t drawn the level of outrage that Cambridge Analytica has, the situation is worse. “[M]ajor wireless carriers have for years been carelessly allowing their users’ location data to be exposed in all kinds of unauthorized and scary ways,” Slate’s Will Oremus wrote Monday. “It’s analogous to how Facebook allowed users to sign away not only their own data but their friends’ data to third-party app developers up until 2015, a practice that allowed leaks to firms like Cambridge Analytica. Except the wireless companies are still doing it, and as of Monday, Ars Technica has reported that not one had expressly pledged to stop working with LocationSmart.”

Carnegie Mellon’s Robert Xiao didn’t have to do a lot of work to discover the vulnerability in the LocationSmart platform that revealed the real-time location of basically everyone with a cellphone in the United States. He didn’t have to hack into five layers of security. He didn’t have to use social engineering to scam passwords from the company. He was able to access incredibly sensitive information by simply changing the value on a web form.

“It’s not extraordinarily complicated rocket-science hacking stuff,” said Xiao.

And though savvy consumers can often protect their data, Xiao points out that there is no way to opt out of LocationSmart’s tracking. It works regardless of your phone operating system. It works even if you turn off location services or the privacy settings on your device. “If your phone is online and communicating with any cell tower, you can be tracked,” said Xiao. Short of pulling out your SIM card and not using your phone as a phone, there is no way to opt out.

LocationSmart’s lax data security raises lots of questions. Chief among them: Why are telecoms collecting and retaining cellular location data in the first place? And why are the four largest U.S. wireless carriers selling that information to LocationSmart and other third parties?

The first question is straightforward. Cellphone companies have to collect location data to serve calls and to comply with E911 regulations, which make it easier for emergency dispatchers to know where cellphone users are dialing from. Location data can be retained to help mapping tools, dating apps that match users who frequent similar locations, and that sort of thing. It’s also used liberally for advertising, and sometimes the users’ data becomes the product.

The second question is also easy to answer, but it’s not what you want to hear. Unfortunately, the laws governing electronic records, including the collection and use of location data, are extremely out of date. The Electronic Communications Privacy Act was passed in 1986 and hasn’t been updated since. “Congress actually hasn’t passed a location-specific law in the internet era,” said Chris Calabrese, vice president for policy at the Center for Democracy & Technology. Therefore, regulations on the standards for the collection, retention, and distribution of that data that would make sense in modern times don’t even exist.

Although a Pew Research Center study released in 2016 showed that Americans are sometimes willing to share personal information in exchange for something valuable, there are limits, with survey respondents expressing particular sensitivities about location data tied to their homes and driving habits. It seems clear that few users would prefer to have their location data continuously tracked in real time, especially knowing how long data is retained and how often it is sold—or leaked.

While some people may trust their cellphone carrier to keep their data secure, they don’t have a relationship with the smaller companies their information is siphoned off to. These lesser-known businesses don’t have the same kind of incentives to keep information private—it’s not like you can threaten to take your money elsewhere—or, as we can see, to make sure the security protocols are in place to do that. “Our cellphones are portable tracking devices. Many of us have become comfortable with that trade-off because we have confidence that that information is going to be kept secure and that it’s not going to leak out, “ Calabrese said. “Clearly this example illustrates that that’s not always the case.”

But according to Xiao, it wasn’t just LocationSmart that dropped the ball by having an elementary bug that allowed anyone to receive location information without obtaining consent. The carriers themselves didn’t have mechanisms in place to review claims and evidence to verify that LocationSmart had obtained consent before releasing location data, either. Although relationships with third parties might be lucrative for telecoms, any entity collecting sensitive information like location data has a moral obligation to keep it safe. That includes asking for strong verification to ensure that data being used by third parties is properly safeguarded. “Until these kinds of companies can reasonably assure people that they can really safeguard this information, really keep it properly safe, I’m not sure they should have access to that information,” said Xiao.

Telecom companies are unlikely to solve this problem on their own, but modern-day regulation certainly could help. Users should be required to explicitly opt in to location-data collection by third parties with full knowledge of who has the data, what they’re using it for, how long it’ll be retained, and which end users and intermediaries it will be shared with. Third parties that are cavalier with users’ personal information should be held accountable—along with the telecoms that provided them with that information. Regulation could help, but first people have to demand it.