We Could Easily Stop Location Data Scandals, But We Cower to Lobbyists Instead

If you hadn’t noticed by now, the United States is much like the wild west when in comes to consumer privacy. Outside of a law protecting minors (COPPA), the country has yet to pass a meaningful privacy law for the internet era, despite scandal after scandal after scandal showcasing corporate apathy toward protecting consumers’ personal information. While Facebook has received the lion’s share of public outrage in recent years, it’s the telecom sector that has pioneered privacy apathy on an industrial scale. From Verizon modifying wireless data packets to secretly track users around the internet, to AT&T’s attempts to charge users more to protect their data, the sector’s bad ideas are legendary. But nothing exemplifies our collective failure to protect consumer privacy better than the wireless sector’s cavalier treatment of user location data. Experts say the government could easily fix the problem—even without a new privacy law—were it actually willing to shake off the lobbying influence of the countless sectors generating immense profits from the practice.

As Motherboard’s Joseph Cox illustrated again this week, wireless carriers have long collected your location details and sold that data to a universe of dodgy partners and data brokers, who in turn make little or no real effort to ensure this data is protected. As we saw this week, companies sharing and selling this data then play dumb to the scope of the obvious problem.

Previous scandals for location data clients like Securus and LocationSmart have showcased how this data is routinely misused by law enforcement or for profit, with little regard for consumer consent. Each scandal has percussively highlighted how even mobile carriers have little to no real understanding of how this data is used, abused, or who it’s being shared with.

Despite the often massive scale of these location data breaches, the US government’s general response to the problem has been one of apathy. When regulators have actually attempted to rein in this abuse, lobbyists have ensured those efforts are short lived. For example, the FCC passed privacy rules in 2016 experts say would have given wireless consumers significantly more control over how their personal data is collected and sold. But big telecom lobbied Congress to kill those rules before they could even take effect in 2017.

“The FCC’s 2016 privacy rules would have greatly mitigated this problem, because the rules prohibited carriers from selling or otherwise using sensitive information like geolocation information unless a subscriber specifically opted in to the carrier doing so,” former FCC lawyer Gigi Sohn told Motherboard. An informed, empowered consumer is more likely to opt out of data collection and monetization, costing companies billions. It’s a major reason why Silicon Valley and the telecom sector have increasingly worked hand in hand to scuttle any real reform on this front. This collective, cross-industry lobbying firepower has proven immensely difficult to overcome. Blake Reid, Associate Clinical Professor at Colorado Law, told Motherboard that even with the rules’ repeal, the FCC still has the authority to police the abuse of location data.

“This data is customer proprietary network information (CPNI) subject to Section 222 of the Communications Act,” Reid noted, adding that the agency updated these CPNI guidelines back in 2005 to ensure customer location information would be protected.

Reid also argued that T-Mobile CEO John Legere’s broken Twitter promise not to sell this location data to “shady middlemen” could technically violate Section 5 of the FTC Act, which grants the agency the authority to police “unfair and deceptive” behavior by mobile carriers.

“Both the FCC and FTC can and should address this under their existing authorities—it’s hard to imagine a more egregious case,” Reid said.

Legere, likely aware of this reality, said on Twitter he intends to follow through on his original promise and end the company’s relationships with third party location data aggregators in March:

The problem is that even if the FTC and FCC weren’t currently shut down due to Trump’s quest for some unnecessary metal slats, there’s little interest in consumer protection in the Trump era, leaving consumers powerless until the level of public outrage finally drives real action.

Guarav Laroia, Policy Counsel at consumer advocacy firm Free Press, told Motherboard that a major point of failure in this chain of dysfunction is the wireless industry’s “notice and consent” approach to privacy, which involves throwing a page of complex legalese at users to sign, then aggressively misinterpreting that contract to mean user data can be widely shared.

“The story makes clear and I think people would agree that when they click-through a privacy policy that includes allowing a carrier to share their location data they do not contemplate that information eventually ending up in the hands of bounty hunters,” Laroia said. “Even by the telco's own admission their 'notice and consent' regime totally failed to prevent this kind of abuse.”

Wireless carriers like Verizon have spent the better part of a decade claiming that real privacy rules weren’t necessary because “public shame” would keep the industry honest. But in 2016 it took security researchers the better part of two years before they noticed Verizon was actively modifying user data packets to covertly track users around the internet without consent. The telecom industry had every opportunity over the last decade to avoid government scrutiny by engaging in more ethical business decisions, but as these location data scandals highlight, instead chose to double down on their very worst instincts time and time again.

“This also represents a huge failure of these wireless carriers to police their own contracts and to protect their customers' privacy,” Laroia said. “There's profit to be made in trafficking this kind of information and so long as regulators and Congress turn a blind eye to the problem and wireless companies chase profits at all costs—it will likely continue to happen.”

Motherboard’s investigation did manage to light a fire under regulators like FCC Commissioner Jessica Rosenworcel, who demanded the FCC launch an immediate investigation:

[ ](https://twitter.com/JRosenworcel/status/1082712600390127616)Motherboard’s report also prompted Oregon Senator Ron Wyden to renew calls for new privacy legislation like his recently proposed Consumer Data Protection Act, which would not only beef up FTC authority over privacy violators, but impose up to 20 years in prison and $5 million in fines for executives who knowingly mislead the agency on privacy.

Senators Mark Warner and Kamala Harris also made public statements against this practice following Motherboard's reporting. Whether the solution is a new law or just the enforcement of existing rules, demanding the protection of your private location data is going to require a critical mass of public outrage to drive change. Unfortunately, you’re likely to see more and more scandals like the one Motherboard unearthed this week before the message finally gets through.