SAN FRANCISCO (CN) – Despite assurances to the contrary, AT&T has been selling its customers’ location data to creditors, bounty hunters, landlords, prison officials, and all sorts of third parties, according to data privacy watchdog Electronic Frontier Foundation in a federal class action filed Tuesday.
AT&T is the second largest wireless carrier in the United States, with more than 153 million subscribers.
The class action led by customers Katherine Scott, Carolyn Jewel and George Pontis also names aggregators LocationSmart and Zumigo, which bought location and network information from AT&T and sold it down a chain of third parties for commercial purposes.
In a statement, attorney Abbye Klamann Ognibene with Los Angeles firm Pierce Bainbridge said location data is both highly specific and very valuable to anyone wanting to know the most personal details about someone. Location data has also been used to stalk and harass people: The complaint cites the FBI investigation of former Missouri sheriff Corey Hutcheson, who used location data AT&T and LocationSmart sold to a company called Securus Technologies to track Scott County Judge David Dolan and five state troopers.
“The location data AT&T offered up for sale is extremely precise and can locate any of its wireless subscribers in real time, providing a window into the intimate details of their lives: where they go to the doctor, where they worship, where they live, and much more,” Ognibene said.
A Securus data breach in May 2018 revealed AT&T customers’ location data had been exposed to countless third parties, the plaintiffs say in their complaint. On the same day, a security researcher at Carnegie Mellon found LocationSmart’s product demo contained a flaw that allowed literally anyone to obtain the real-time location any AT&T customer.
AT&T then falsely stated it had suspended Securus’ and other aggregators’ access to customer data, the plaintiffs say, but just a few days later, a Motherboard article reported the carrier was selling customers’ phone locations to car salesmen, bail bondsmen, landlords and bounty hunters for as little as $7.50.
“In sum, between May 2018 and March 2019, media reports revealed the existence of a vast, illegal market for the real-time location data of AT&T customers,” the complaint says. “AT&T granted direct access to this data to the aggregator defendants, who in turn sold such access to hundreds of third parties – including bounty hunters, bail bondsmen, landlords, and law enforcement – with AT&T’s consent. This system allowed the precise, real-time location data of millions of Americans to be bought and sold by unknowable third parties for years without customer consent or knowledge and without valid legal authority. Despite numerous representations by AT&T that it would end the aggregator defendants’ access to this data, the practice – and the risks it created – continued without consequence.”
The plaintiffs say data supplied by AT&T’s enhanced 911 technology, which allows 911 responders to locate a customer’s phone in case of emergency, is also sold to location tracking companies without AT&T customers’ knowledge or consent.
The Federal Communications Commission first raised privacy red flags back in 2010 regarding indoor 911 calls. In February 2015, the FCC adopted privacy rules that required the carrier to certify that it would not use information in the National Emergency Address Database or associated data “for any purpose other than for the purpose of responding to 911 calls, except as required by law.”
AT&T vowed it would not.
However, the plaintiffs say AT&T began providing customers’ GPS data to the aggregators and their downstream customers, which publicly advertise their ability to pinpoint a person’s location using the same technology as emergency personnel.
“AT&T and data aggregators have systematically violated the location privacy rights of tens of millions of AT&T customers,” EFF Staff Attorney Aaron Mackey said in a statement. “Consumers must stand up to protect their privacy and shut down this illegal market. That’s why we filed this lawsuit today.”
The proposed class wants a judge to determine whether AT&T and the data aggregators violated the Federal Communications Act and intentionally disregarded customers’ privacy rights.
AT&T spokesman Jim Greer called the allegations false.
“The facts don’t support this lawsuit, and we will fight it,” Greer said in an email. “Location-based services like roadside assistance, fraud protection, and medical device alerts have clear and even life-saving benefits. We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse.”