Wireless Carriers Busted Sharing User 911 Location Data
from the bottomless-well-of-dysfunction dept
Recent scandals involving companies like Securus and LocationSmart made it clear that cellular carriers are collecting and selling an ocean of user location data without any meaningful oversight. Several reports have highlighted how that data is then being routinely abused by everybody from ethically dubious local Sheriffs to bounty hunters. Subsequent investigations have shown how easy it is for bounty hunters and others to access this data, and how the FCC under several administrations has failed utterly to hold cellular carriers and data brokers accountable for any of it.
This week, Motherboard exposed another location data scandal with a report highlighting how cellular carriers are also selling private user A-GPS data with companies that aren't supposed to have access to it. A-GPS, or assisted GPS, involves using a device's onboard GPS chip as well as cellular network data to more quickly and precisely determine a user's location. Wireless industry filings with the government indicate this data can pinpoint a user's location indoors up to 50 meters; more precisely if a device's MAC and Bluetooth data are also utilized.
Motherboard's investigation focused specifically on a now-defunct location data broker by the name of CerCareOne, which had been selling cellular user location data -- including A-GPS data-- as recently as 2017. As with the other scandals, this scandal involves a universe of shady middlemen who buy and sell an ocean of such data, often without carriers understanding (or bothering to understand) how widespread the practice had become:
"Like with the companies involved in Motherboard’s previous investigation, CerCareOne’s real-time location data trickled down first from telecom companies, and then to a so-called location aggregator called Locaid. From there, Locaid sold that data access to a number of different companies, including CerCareOne, which in turn sold it to its own clients. Locaid was purchased by a company called LocationSmart in 2015 . The documents Motherboard obtained indicate that LocationSmart continued to sell data to CerCareOne after it obtained Locaid, and LocationSmart confirmed that to Motherboard."
The scale of the data collection was... not subtle:
"CerCareOne’s phone tracking service was not a one-off tool for bounty hunters and bail agents. A list of a particular customer’s phone pings obtained by Motherboard stretches on for around 450 pages, with more than 18,000 individual phone location requests in just over a year of activity. The bail bonds firm that initiated the pings did not respond to questions asking whether they obtained consent for locating the phones, or what the pings were for.
Another set of data is more than 250 pages long and covers around 10,000 phone pings. Another list of a different bounty hunter’s activity includes nearly 1,000 phone location requests in less than a year; a third details more than 4,500 pings."
The irony in this instance is that the FCC had crafted rules to specifically address this problem. Back in 2015 as the FCC was contemplating some new rules for enhanced 911 services, a coalition of privacy and consumer groups (including Public Knowledge, the EFF, and the ACLU) had written the agency warning that A-GPS and other granular data specifically used to aid in pinpointing 911 caller location (especially indoors) created the potential for some major privacy issues:
"The development of highly-precise location technologies designed to comply with the new regulations will raise a host of privacy concerns that have not been sufficiently addressed in the E911 proceeding. Public safety should not come at the expense of consumer privacy—nor should it have to."
The FCC obliged, and in 2017 finalized rules with carrier approval that specifically stated that this kind of A-GPS data should never be used for any purpose other than tracking user location for emergency services:
"CMRS providers must certify that they will not use the NEAD or associated data for any non-911 purpose, except as otherwise required by law."
Many carriers claim to have completely stopped sharing this and other forms of location data entirely with data brokers or anybody else. But it's going to take a comprehensive investigation to not only confirm that, but also to confirm that they're not currently engaging in even worse behavior. Especially since every time we think we've gotten to the bottom of this scandal, the floor drops out revealing countless additional layers beneath.
Even with Ajit Pai's efforts to neuter FCC authority over ISPs, I've spoken to at least four telecom and privacy experts who say the FCC very clearly has the authority and responsibility to stop this sharing of private data, they've just chosen not to -- despite the fact the agency had the foresight to craft rules specifically designed to stop this from happening.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 911, a-gps, bounty hunters, e-911, enforcement, fcc, location data, privacy
Companies: cercareone
Reader Comments
Subscribe: RSS
View by: Time | Thread
Nothing to hide, nothing to fear.
[ link to this | view in chronology ]
Re:
Says the Anonymous Coward...... Why you hiding bro?
[ link to this | view in chronology ]
Re: Re:
Not hiding from anyone, just not advertising.
I don't use TOR or VPN.
[ link to this | view in chronology ]
Re: Re: Re:
Not advertising, just spamming.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Nothing to hide, nothing to fear.
You think you have nothing to fear, but all it takes is a single instance of abuse of access to change that. Just one. And abuse happens frequently. So, yes. You have something to fear, even if you have nothing to hide.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
You go ahead and fear that.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
You go ahead and be an idiot.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Is this the part where you insist that metadata isn't valuable?
[ link to this | view in chronology ]
How hard will it be to verify?
Just try to go buy some from a broker
[ link to this | view in chronology ]
These people don't know when to stop. Seriously, what does sharing 911 calls achieve? Are they going to offer weapons to the victims so they can defend themselves or something?
Advertising and tracking has gone completely out of control.
[ link to this | view in chronology ]
Re:
You must have misunderstood. This is about sharing data that was supposed to be used for 911 calls, with anyone who's willing to pay for it, for reasons completely unrelated to 911. (Oh, and also collecting and storing the location data forever, not just while people are making 911 calls.)
[ link to this | view in chronology ]
if the data being shared was of the hierarchy at the various telecoms companies, for example, Pai would be falling over himself to stop it from happening! like he was told last week, he is obviously and deliberately favoring these and other companies over the public instead of doing his job of protecting the public! he needs to not only be sacked but held accountable for what he has done/is doing and then taken to court!
[ link to this | view in chronology ]
Well my only hope when the entire FCC Pai incident is over it that he can only find some minimum wage job somewhere as no one will trust him.
[ link to this | view in chronology ]
They can tell if you're in the shower or on the toilet
Wherever did the article get the idea that cell phone GPS is accurate to 50 meters? This article published in 2017 says "one foot" (30 cm)...starting last year.
[ link to this | view in chronology ]
Re: They can tell if you're in the shower or on the toilet
Depending on the structure you are in the GPS may not have a lock on enough satellites to get an accurate position, it's not uncommon that the accuracy drops to several hundred meters if not more.
If they use information from WiFi and Bluetooth to complement the GPS you can increase the accuracy to around 50 meters in those cases.
Outdoors with a good lock on several satellites the accuracy is can be around 30 cm.
The article wasn't real clear about the caveats surrounding the figures.
[ link to this | view in chronology ]
FCC is broken
Legislators are saying the FCC should put a stop to this. But we all know the FCC is currently broken. Don't let your legislators off the hook by letting them point to the FCC — telling you that it's up to that disfunctional agency.
Congress has the authority, and it's up to Congress to use it.
We need some law to get results.
Call your representatives. Write your senators. It's time to quit trying to pass the buck. It's time to quit pointing the finger at the broken FCC. Congress needs to act on this.
[ link to this | view in chronology ]
Re: FCC is broken
You get that the two things aren't mutually exclusive, yes? It's possible to point out the dysfunction of the FCC and press Congress for reform.
[ link to this | view in chronology ]
Re: Re: FCC is broken
What might light a fire under the asses of our representatives is letting them know how their locations can be tracked as well. Oh wait, well probably get a nasty visit from the FBI if we do that.
[ link to this | view in chronology ]
Re: FCC is broken
And which agency do they get to enforce any laws that they make?
[ link to this | view in chronology ]
Re: Re: FCC is broken
Department of Justice and Bureau of Prisons.
[ link to this | view in chronology ]
Re: FCC is broken
The telecoms think it's working great.
[ link to this | view in chronology ]
They're going to keep doing it.
Until we regulate what data can be shared, make it hurt when they share data illicitly and make it likely sharing will be discovered, they're going to keep doing this.
[ link to this | view in chronology ]
Storage
They could have been more explicit about storage requirements, i.e., deletion requirements. It's hard for me to see how a record of my movements for the last year, with half-hour granularity, could be relevant to an "emergency".
[ link to this | view in chronology ]