Everyone who has a cell phone essentially has a geo-tracking device on them at all times. Cell phone companies have the ability to track their users both through cell tower tracking and through precise GPS tracking. They have legal access to this data so they can pass it along to 911 in case of an emergency. But cell providers have been doing more than that -- they've also been selling this data to third parties, who then sell it to other third parties. This data can be used to track a phone in real time and even put together patterns of when a person is at home, when they're at work, and so on.
This week, privacy watchdog Electronic Frontier Foundation (EFF) filed a lawsuit in California, challenging these practices. Here's what you need to know.
Your cell phone company is stalking you
This lawsuit comes after investigative reporting uncovered tens of thousands of AT&T, Sprint, and T-Mobile customers whose data was sold to aggregators and then sold by aggregators to additional third parties. As detailed by Motherboard ,
The lawsuit points to several instances of abuse of AT&T data. In May 2018, The New York Times reported AT&T sold its data through a location aggregator to Securus. Low level law enforcement then used Securus' tool to look up phone location information without a warrant or other legal authority. Motherboard then reported that a company called Captira was selling real-time location data of all major phone carriers to bail bondsmen for $7.50 each. Then earlier this year, Motherboard bought the location data of a phone in Queens, New York, showing AT&T and others were still selling their customers' data, despite promises to stop. Finally, a cache of leaked documents from a secret company called CerCareOne showed hundreds of bounty hunters had access to AT&T, T-Mobile, and Sprint data for years. The lawsuit also points to Motherboard's reporting which showed telecoms companies were selling access not just to cell phone tower data, but highly precise A-GPS location information.
A-GPS data is so precise that it can even be used to pinpoint where a person is within a building .
A-GPS inherently relies on telecom company information—it uses a phone's GPS chip in conjunction with information gleaned from the telecom network to locate a phone. It is used to locate cell phones that dial 911 in an emergency and it operates faster than a phone's GPS chip alone , which can sometimes take minutes to connect to a satellite, according to telecom filings with the Federal Communications Commission.
Blake Reid, associate clinical professor at Colorado Law, told Motherboard in an email that "with assisted GPS, your location can be triangulated within just a few meters. This allows constructing a detailed record of everywhere you travel."
And sketchy bounty hunters aren't the only people who were able to get access to this data. Some aggregators sell their data to a number of "different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters[.]"
In one case, a Motherboard reporter was able to track a cell phone in Queens for $300, raising the question of how many times these services have been used by stalkers, domestic abusers, and jealous significant others.
The lawsuit
EFF filed a class action lawsuit in California earlier this week against AT&T for its role in selling users' data to third parties. The lawsuit alleges that AT&T violated not only its own privacy policy, but also state and federal laws:
This class action arises from AT&T's knowing, systematic, and unauthorized sale of its wireless phone customers' sensitive location data. Despite vowing to its customers that it does not "sell [their] Personal Information to anyone for any purpose," AT&T has been selling its customers' real-time location data to credit agencies, bail bondsmen, and countless other third parties without the required customer consent and without any legal authority. AT&T's practice is an egregious and dangerous breach of Plaintiffs' and all AT&T customers' privacy, as well as a violation of state and federal law.
It goes on.
Defendants' practices allow Plaintiffs and other AT&T customers to be tracked and targeted by unknown third parties without their knowledge. AT&T leverages the technology embedded within a customer's phone and its own network infrastructure to locate its customers without any indication that AT&T is tracking them in order to sell their precise location to third parties for non-911 purposes. Indeed, AT&T's practices were only publicly exposed after an FBI investigation revealed that a sheriff in Missouri had used carrier location data to stalk a Circuit Court Judge and fellow law enforcement officers without their knowledge or consent and without any legal authority to do so. This highly sensitive data has also been used to harass AT&T customers and bypass the rights afforded by the Fourth Amendment.
The lawsuit also names several of the data aggregators as defendants. One aggregator, Securus, was hacked, exposing the data of thousands of cell phone users. Another aggregator, LocationSmart, had a flaw built into its website that allowed virtually anyone to obtain real-time tracking information on an untold number of phones for over a year.
LocationSmart had a free demonstration on its website for potential customers (such as Securus) to try out its location targeting technology. LocationSmart claimed it could provide the precise location of almost any cell phone in the United States using location data from major cellphone carriers, including AT&T. 44 The demo, which was available to the public through LocationSmart's website, was supposed to seek consent from the targeted cell phone user via text message before supplying the location data.
However, LocationSmart failed to properly protect the data used in the demo, thereby allowing "[a]nyone with a modicum of knowledge about how Web sites work [to] abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials." With "minimal effort," Mr. Xiao was able to bypass the demo's text message consent structure, unlocking the ability to obtain any AT&T customer's location data without the customer's consent or knowledge. This unsecured demo had been publicly accessible on LocationSmart's website for approximately 16 or 17 months.
LocationSmart also bragged that it could access the location for 360 million phones and could provide access to tracking information on nearly 90 percent of cell phones and landlines nationwide.
Microbilt, another aggregator, told potential customers that their service could be used to "return a target's full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service." It also bragged that "[y]ou can set up monitoring with control over the weeks, days and even hours that location on a device is checked as well as the start and end dates of monitoring."
The lawsuit alleges that this information is accessible because AT&T sold these companies direct access to its users' information.
What happens next?
This is not the only lawsuit that has been filed against cell phone companies for selling users' location data. Similar suits have been filed against Verizon, Sprint, and T-Mobile, and there is another case currently pending against AT&T. In all of those cases, the telecom companies have argued that , no matter what they have done or how many laws they have violated, their customers have no right to sue them. That's because all of these companies include a mandatory arbitration clause in their contracts.
If you have ever had a cell phone, internet, or cable contract, or if you've ever downloaded software or purchased a game on your phone, you have probably agreed to binding arbitration -- whether you know it or not. Arbitration clauses seek to insulate major corporations from lawsuits by requiring each person they wrong to go not to court, but to a (typically business-friendly) arbitrator. These clauses also ban class actions, forcing each person who is harmed to arbitrate individually.
Arbitration is a quasi-legal proceeding with almost no government oversight. It's presided over not by a judge or jury, but an arbitrator, who probably has a background in corporate defense . Claimants are statistically less likely to prevail in arbitration -- and when they do win, their payouts are much lower. According to the Economic Policy Institute , "consumers obtain relief regarding their claims in just 9 percent of disputes, while arbitrators grant companies relief in 93 percent of their claims." And by barring class actions, these companies also take away the ability to demand systemic change when they have done wrong.
The outcome of these lawsuits may turn on whether or not surreptitiously selling users' locations -- without their knowledge or consent -- is covered by an arbitration clause. These companies have been saying since 2018 that they had cut ties with shady aggregators, but Motherboard was able to track that T-Mobile phone for $300 earlier this year . And without a court ordering them to end these practices, we can only guess how long they will continue.
Ron Swanson probably had it right when he smashed his phone with a hammer.
[ Motherboard / Motherboard again / Complaint / EPI ]
Wonkette is ad-free and funded ONLY by YOU! Help us pay the writers, and all the things!
Stop criticizing my gloriousness!
I still buy from Sears cuz fuck Amazon. Sears ain't what it used to be but its not a behemoth tracking my life and enticing me with Chinese shit either.