Following press investigations and congressional concern about leaks and improper use of consumer location data provided by mobile network operators, the national carriers have said that they will stop or strictly limit aggregators’ access to such information.

Verizon, AT&T and Sprint have all said that they will start strictly limiting third-party aggregators’ access to network-based location information, and T-Mobile US CEO John Legere tweeted that his company will “not sell customer location data to shady middlemen.”

The New York Times reported last month that Securus Technologies, which utilized data from aggregator LocationSmart, had customers including a former Missouri sheriff charged with improperly using the private service to track the whereabouts of people including other police officers.

In addition, security researcher Brian Krebs reported in mid-May that LocationSmart had been “leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization,” (emphasis from KrebsOnSecurity). Although LocationSmart took its service offline, Krebs had already verified that the website “could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.”

As The New York Times reported, “cellphone carriers said that they relied on contracts and audits of companies to ensure that consumers had given consent for the data collected, but that those safeguards had failed to catch Securus’ activity.” In the case of Securus, the Times said that while the company ostensibly required its customers to upload a warrant, affidavit or similar legal document prior to finding a phone’s location, it didn’t check whether those documents were valid.

In response to those press reports, Senator Ron Wyden (D-Oregon) sent inquiries to companies including Verizon, asking about their practices related to data aggregators’ access. Verizon responded by outlining its approach and saying that it has decided to end its relationship with LocationSafe and fellow aggregator Zumigo as soon as possible, although the program will be unwound rather than stopped immediately so that permissable uses of the data are not disrupted.

Anonymized location data has long been seen as particularly valuable information to which carriers have unique access and which can serve as part of new revenue streams focused on monetizing data — although some have pointed out that it’s also important for carriers to properly police and vet the organizations which have access to their data treasure troves.

“Everyone had that as a line item [for]revenue growth,” said analyst Bill Ho of 556 Ventures. “What it’ll do is probably not kill, but kind of delay the business opportunity for those third parties that are being shut out from that information.”

The aggregation of data by third parties, Ho noted, meant that rather than having to request data from each carrier individually, customers could go to aggregators to get a full, national picture.

“The fact that it went up to congressional scrutiny .. speaks to the sensitivity of privacy and security,” Ho said. He posited that if future data-sharing arrangements are made, operators are likely to include contract clauses that require companies to make their websites and systems “bulletproof” to prevent future leaks.
“That’s obviously a liability for everyone. And if there’s liability, everyone pulls out,” Ho said. He added that while the idea of using network data, including location, for commercial purposes “is always going to be very, very hot, it’s a matter of putting some firewalls around the privacy and security of that.
“The industry will figure out what to do and it’ll venture on,” he said.

 

The post Carriers pledge to limit aggregators’ access to customer location data appeared first on RCR Wireless News.