If mobile phone owners were told that their wireless carriers were selling data about their real-time movements, most people would be surprised, if not horrified. Never mind that the official line in the industry is that all this data is “aggregated and anonymized.”
Carriers are just one source of location data among many in the larger ecosystem. But AT&T, Verizon and Sprint (but not T-Mobile) have now vowed to suspend or discontinue selling user location data to third parties after a serious data leak from location data provider LocationSmart, which obtains data from carriers among others. Brian Krebs broke the news.
LocationSmart’s location intelligence demo had a bug that allowed anyone with technical savvy to obtain the real-time physical location of virtually any mobile phone owner in the US. Upon discovering the problem, LocationSmart shut down the demo and is investigating. However, the system was insufficiently secure, according to Carnegie Mellon University PhD student Robert Xiao, who initially discovered the flaw.
Location data can be constructed and used in a “privacy compliant” and anonymous way but, as this example illustrates, there are weaknesses (and consent problems) in the system. The Krebs story points out that there’s no way for users to opt out of location sharing with their own carriers for multiple reasons. And there are legitimate carrier uses of location to improve services.
However, carriers sell location data because they’ve largely been left out of the mobile advertising boom and this is one of the few mobile monetization streams they have available other than subscriber fees. Verizon has gotten back into the game through its acquisitions of AOL and Yahoo and is likely sharing carrier location with those divisions independent of any decision to stop selling it to third parties.
There’s also third-party demand for accurate location, and carriers are one source of relatively good user-location data. Indeed, location data is extremely valuable for a growing number of use cases, which I’ve discussed at length in other contexts. It can also be sourced and used in a way that doesn’t make individuals vulnerable to hackers, stalking or illegal surveillance by law enforcement. But many firms in the industry have been lax and sloppy and taken a paternalistic “trust us” attitude.
There has also been a resistance to educating the public and bringing more transparency to the process of collecting and using location. In Europe this is changing radically because of GDPR. However, there’s no comparable national legislation pending in the US, despite myriad data scandals, hacking episodes and the outrage of individual legislators.
Congressional paralysis, a black box approach to data collection and lack of direct discussion with consumers are resulting in a number of grass-roots and state-level efforts to protect consumer privacy, such as the California Consumer Privacy Act of 2018 ballot initiative. The act is strongly opposed by many big technology companies. It would give consumers new power and the ability to opt out of data collection and usage.
Well-crafted national legislation is preferable to a piecemeal state-by-state patchwork approach. But given the vacuum that is Washington, these local efforts have arisen to fill the void.
Location data is “personal data” under GDPR and is also a very sensitive area for many consumers in the US. While surveys have shown that users will share their location for clear benefits or tangible value exchange, others reflect fundamental discomfort with location data capture.