U.S. wireless carriers know a lot about where their customers are located, and according to letters to the Federal Communications Commission (FCC), they routinely store such data for years, willingly release it to law enforcement if served with a proper subpoena, and say users cannot log out.
FCC Chairwoman Jessica Rosenworcel said in a letter published last week that the 15 largest wireless carriers in the US have responded to letters mailed to you in July request answers about their data retention and disclosure policies.
“Carriers know who we are, who we’re calling and where we are,” Rosenworcel said. This data is a sensitive record of not only an individual’s journey but also their identity, she added, which is why “the FCC takes steps to ensure that this data is protected.”
The news that mobile operators are storing sensitive location data is not surprising given the fact previous actions against AT&T, Verizon, T-Mobile US and Sprint (which have since merged) by the FCC in 2020 for the sale of location data to third parties.
The providers all say in their letters that they no longer sell location data to third parties. They suggest that the same data is still being held, and while data brokers may no longer have a seat at the negotiating table, these records can still be shared with police or civil authorities without — in most cases — notifying the customer.
In the case of AT&T, records containing cellular location data (which can provide customers with an approximate location) are retained for five years, while T-Mobile US retains similar records for two years. Verizon stores location data for one year, while smaller carriers UScellular and C-Spire both store geolocation data for 18 months.
In each case, the providers indicated that they complied with legal subpoenas and they only notify customers in certain circumstances, e.g. B. in civil proceedings.
Verizon and T-Mo provided slightly more detail than their competitors, sharing details of two instances of location data sharing that differ from the others. In Verizon’s case, the company specifically mentioned that law enforcement could request a warrant requiring Verizon to provide “cell tower dumps,” which contain the numbers of all devices connected to a particular tower during a specified period of time.
T-Mobile, on the other hand, agreed to disclose geolocation data “to the extent necessary to protect T-Mobile’s legal interests.”
None of these five mobile network operators allow users to opt out of having this data collected or stored, with all saying it is necessary to operate its network and provide services to customers.
How two-thirds of carriers differ
Rosenworcel’s letters weren’t just aimed at AT&T, C-Spire, T-Mobile, UScellular, and Verizon: 10 other wireless carriers were asked for the same data:
- Best Buy Health (which operates the Lively and Jitterbug cell phone services for seniors),
- consumer cellular,
- Dish (which operates the Boost, Republic, Ting and Gen brands),
- google fi,
- H2O wireless,
- Ultra and Mint Mobile and
- Red bag
Where these 10 differ from the big five mobile network operators (MNOs) is that they all piggyback on one of the MNO networks to operate as virtual mobile network operators (MVNOs).
These companies all had the same response, to varying degrees: Because we don’t manage the network hardware, we don’t need to protect location data.
In the few instances where MVNOs said they retained data from their network partners, the companies said it was in the form of Cell Site Location Data (CSLI) containing limited information about the tower to which a phone was connected, when a call is made.
MVNOs said they collect this data to facilitate billing and improve their service, but don’t treat it the same way as the precise data held by the physical carrier.
“We do not consider this information to be geolocation information because it does not provide information about a subscriber’s precise physical location,” said Locus Telecommunications, which operates H2O Wireless.
In cases of law enforcement or civil authority requests, MVNOs indicated that they typically direct requests to their parent network operators.
Telco coordinates not required
Rosenworcel’s motion and Telekom’s responses come after the US Supreme Court’s Roe v. Wade, which had legalized access to abortion in all 50 US states.
Before reversing a number of US senators has tried Banning data brokers from selling location and health data, but the bill has it sat on the committee since June. Although the law didn’t pass, the Federal Trade Commission filed a lawsuit against data broker Kochava this week, accusing the company Openly sells data that geolocates customers.
But these cases are different.
Lots of big tech companies have been silent about how Roe’s reversal is affecting their businesses, which are also collecting a wealth of data about their customers, but which may differ from the data obtained from cellular networks. Others have quietly embraced the new legal standard, giving authorities the data they wanted, even though it’s accurate location data that can provide the same details as cellphone records.
Earlier this month, Facebook confirmed that it received a warrant from the Nebraska Police Department, which it has complied with. Officers in this case looked for Facebook chats between a teenager and her mother, which they used to frame a criminal case against the couple for helping the teenagers illegal abortion.
App location and other non-cellular data may not be tracked by telcos, but equally, police and civil authorities don’t necessarily need an accurate latitude and longitude to determine if an individual has broken a statewide law.
In the case of MVNOs, who only store the data their host networks provide them with, the records are still sufficient to pinpoint a person to the cell tower their phone was connected to. If the service area of a particular tower is entirely within a state’s borders, this data could be used as evidence of a crime.
Given the recent high profile of such cases, police and other agencies looking for location data may not want to turn to telecom companies, but that’s not necessarily a good thing when the alternative is a data broker.
Fog Data Science is one such data broker and has it There are several agreements with US law enforcement agencies to provide data from mobile apps that contain tracking code. According to a recent EFF report, for less than $10,000, subscribers can get access to Fog’s alleged 15 billion sets of data points collected monthly from 250 million U.S. devices, and all without the need to obtain a search warrant for similar information , which could be gleaned from phone records .
Most letters to the FCC argue that such data is beyond the control of telcos because it is provided by apps not managed by them or their networks.
What can the FCC really do?
In a press release, Rosenworcel said it is asking the FCC Enforcement Bureau to open a new investigation into whether wireless carriers comply with FCC rules, which require carriers to fully disclose how they use and share location data.
To support their work, the FCC said it is also adding a simplified filing system for privacy complaints “so that we may act according to the law.”
Whether fines like those imposed on shippers in 2020 would result from the investigation or consumer complaints is unclear, as is the effectiveness of such an investigation.
In the letters, telecom companies claimed they were doing everything in their power to only share data when required by law. An investigation may well prove that this is the case, or find violations that would hopefully prompt the company to rectify its actions.
In the meantime, all the data any agency would want is already up for sale online, and the FCC may not have the authority to prevent it. ®
https://www.theregister.com/2022/09/02/us_carriers_fcc_data_report/ US telcos admit to storing and sharing location data • The Register