Major carriers in the U.S., like AT&T, T-Mobile, and Verizon claim they’ve stopped selling user data. They promised to stop in June 2018, although an investigation in January 2019 revealed they lied. But maybe they mean it this time (via ArsTechnica).
It started with an investigation by Motherboard. Joseph Cox found that carriers were selling the location data of potentially everyone to shady third parties like bounty hunters. They promised to stop selling it last year, but they kept doing it for “approved use cases” (AT&T) and used a “detailed process” (Verizon) to clear and screen customers.
Both AT&T and Verizon now say that they stopped selling data by March 2019. Spring said it will end its last deal with a location aggregator on May 31. AT&T also claims that what they were doing wasn’t illegal.
In a letter [PDF] to FCC Commissioner Jessica Rosenworcel, Joan Marsh of AT&T said,
The FCC’s prohibitions on the use of the National Emergency Address Database (“NEAD”) for non-emergency services do not apply to A-GPS because A-GPS is not associated with or stored within NEAD. Instead, the NEAD is being developed to include “MAC address and BT-PDA information of fixed indoor access points (e.g., Wi-Fi and Bluetooth) that will be used to determine the specific indoor location of wireless 911 callers.
That may be true, but another concern is whether carriers violated Section 222 of the Communications Act. This law states that carriers can’t use or disclose customer location data without the express permission of the customer. This applies to Customer Proprietary Network Information (CPNI), and the FCC stated in 2013 that customer location data “clearly qualifies as CPNI.”