Senate Democrats called on federal agencies Wednesday to investigate the practice by major telecommunications companies of selling location data generated by subscribers’ mobile devices following an undercover investigation by a security reporter that shed new light on a black market trade.
In a report Tuesday, Motherboard reporter Joseph Cox described the process he had used to acquire the location data of a mobile phone from a source in the bail bond industry. For $419, he was able to acquire the location of the phone with little to no fuss. The data he received reportedly included longitude and latitude coordinates accurate up to roughly 0.3 miles.
According to Cox, the source claimed to have received the data from a firm called Microbit. While posing as a potential customer, Cox was able to confirm that Microbit was geolocating phones on behalf of bail bondsmen. The firm received the data from a location “aggregator” called Zumigo, which had in turn purchased it directly from T-Mobile.
Senators Kamala Harris, Ron Wyden, and Mark Warner called on the appropriate federal agencies to investigate, namely the Federal Communications Commission.
T-Mobile told Gizmodo in response to the story that it had “blocked access to device location data for any request submitted by Zumigo.” The company also stated that it was working to fulfil its promise made last summer to sever ties with third-party data aggregators. “We are nearly finished with that process,” it said.
But those assurances are unlikely to dissuade privacy hawks in Congress who’ve long been critical of the way companies such as T-Mobile, AT&T, and Sprint appear to exert few controls over how private phone data is handled once it’s sold off in bulk to “middlemen” companies, which serve, among others, marketing firms, emergency services, and, apparently, bounty hunters.
Harris, who has served on the Senate’s intelligence and homeland security committees, was quick to frame the issue—“if true”—as a threat to national security.
“The American people have an absolute right to the privacy of their data, which is why I’m extraordinarily troubled by reports of this system of repackaging and reselling location data to unregulated third party services for potentially nefarious purposes,” the junior senator from California said.
Added Harris: “The FCC needs to immediately investigate these serious security concerns and take the necessary steps to protect the privacy of American consumers.”
The commission’s senior Democrat, Jessica Rosenworcel, concurs. She tweeted Tuesday: “The FCC needs to investigate. Stat.”
Warner, the Senate’s top Democrat on intelligence oversight, called on Congress to hold hearings over the telecos’ practices, telling Motherboard that regulators ought to ensure that consumers are better informed about how their data is bought and sold. Warner further averred that policymakers have been for years “kept in the dark” about the commercialization of consumer data.
Wyden, widely regarded as Washington’s leading lawmaker on matters where privacy and security intersect, circulated draft legislation late last year to combat this issue specifically.
The bill, which had little hope of passing in the Republican-controlled body, would’ve imposed stiff fines and even criminal penalties on executives who knowingly misled federal regulators about data-handling practices. In a nod to the Sarbanes-Oxley Act, which requires executive officers to certify and approve company financial reports, the bill would require companies of significant size to produce data protection reports certified by top executives.
It would have further expanded the scope of the Federal Trade Commission’s authority to pursue privacy violators; at present, it can’t even penalise first-time corporate offenders.
Wyden, who urged Senate colleagues on Tuesday to take up the bill, reiterated in a statement to Motherboard: “It’s time for Congress to step in and pass strong privacy legislation, like my bill, to safeguard our data and hold companies accountable when they fail.”
The telecom industry has “failed again and again,” he said, “to protect Americans’ information.”