Selling 911 location data is illegal—US carriers reportedly did it anyway

Three of the four major wireless carriers have been accused of breaking US law by selling 911 location data to third parties.

“Telecom giants broke the law by selling detailed location data” that was “meant for use only by emergency services,” consumer advocacy group Public Knowledge said last week in a blog post that urged the Federal Communications Commission to punish the carriers.

Public Knowledge’s statement came in response to a Motherboard article last week that provided new details about how carriers collect location data from customers and sell it to third parties.

“Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, according to documents obtained by Motherboard,” the article said. “The documents also show that telecom companies sold data intended to be used by 911 operators and first responders to data aggregators, who sold it to bounty hunters. The data was in some cases so accurate that a user could be tracked to specific spots inside a building.”

This included assisted GPS (A-GPS) data, which T-Mobile once described as “the foundation of wireless E911 location for both indoor and outdoor locations.”

“Between at least 2012 until it closed in late 2017, a now-defunct data seller called CerCareOne allowed bounty hunters, bail bondsmen, and bail agents to find the real-time location of AT&T, T-Mobile, and Sprint mobile phones,” Motherboard wrote. “The company would sometimes charge up to $1,100 per phone location, according to a source familiar with the company.”

Selling 911 location data is outlawed

Public Knowledge explained that carriers misusing this data is a violation of US law, which requires telecommunications companies to protect Customer Proprietary Network Information (CPNI).

“The Motherboard investigation has uncovered what appears to be a clear violation of what the FCC required” in orders released in 2015 and 2017, Public Knowledge Policy Fellow Dylan Gilbert wrote. The 2017 order refers to data in the National Emergency Address Database (NEAD), saying that “the data in the NEAD and any data associated with the NEAD may not be used for any non-911 purpose, except as otherwise required by law.”

In order to use that database, mobile carriers “must certify that they will not use the NEAD or associated data for any purpose other than for the purpose of responding to 911 calls, except as required by law,” the FCC’s 2015 order states.

Section 222 of the Communications Act is the US law that requires carriers to protect CPNI, and it says that carriers may not use or disclose location information “without the express prior authorization of the customer.”

“The location of a customer’s use of a telecommunications service also clearly qualifies as CPNI,” the FCC said in a 2013 declaratory ruling.

“The Federal Communications Commission, led by Chairman Ajit Pai, needs to act immediately to enforce what appears to be a clear violation of the FCC’s rules against the selling of A-GPS data with third parties,” Gilbert wrote.

“Unquestionably illegal”

Carriers pledged to stop selling their mobile customers’ location information to third-party data brokers in June 2018 after a security breach, but a Motherboard investigation last month found that T-Mobile, Sprint, and AT&T were still doing so. In response, carriers again pledged to stop the practice—this time, for real.

The carriers’ sale of location data “is unquestionably illegal and the carriers knew it,” Colorado Law professor Blake Reid wrote on Twitter. “The only question left is how widespread the practice was.”

Besides the CPNI rules, Reid wrote that carriers breaking their privacy promises is a violation of Section 5 of the Federal Trade Commission Act, which outlaws “unfair or deceptive acts or practices in or affecting commerce.”

“The carriers solemnly promised, repeatedly, they wouldn’t do this,” Reid wrote. “This is one of the most egregious examples of corporate malfeasance I’ve ever seen.”

We asked T-Mobile, Sprint, and AT&T yesterday whether they dispute the accusation that they violated FCC rules and whether they have completely stopped the data sales. None of the three carriers disputed the accusation.

“We take our customers’ privacy and security seriously and were the first wireless provider to make the commitment to end these services,” T-Mobile told Ars. “We have been transparent that we are ending all of our location aggregator services, and we are almost done with that process.”

Sprint told Ars that it has “nothing to share on this at the moment.” We’re still waiting for a response from AT&T.

FCC can fine carriers

Under US law, the FCC can issue fines of up to “$160,000 for each violation or each day of a continuing violation,” up to “a total of $1,575,000 for any single act or failure to act.”

Under former Chairman Tom Wheeler, the FCC “seriously fined the crap out of companies for CPNI violations,” Public Knowledge Senior VP Harold Feld told Ars.

In 2014, Wheeler’s FCC proposed a $10 million fine after finding that TerraCom and YourTel America violated CPNI rules. Pai—who was a commissioner at the time and has been FCC chairman since January 2017—dissented from that decision. TerraCom and YourTel eventually agreed to pay a civil penalty of $3.5 million.