T-Mobile US
Inc.


TMUS 1.53%

and

AT&T
Inc.


T 1.55%

said they would stop feeding individual customers’ real-time locations to data middlemen, after a report suggested the sensitive information is easy to pull without users’ consent.

Tech website Motherboard reported this week that it paid a bounty hunter $300 to locate a T-Mobile handset by tapping into a real-time feed that the carrier provided to an aggregator called Zumigo Inc.

T-Mobile Chief Executive John Legeresaid in a tweetearlier this week that the company is “completely ending location aggregator work” in March but will need time to “do it the right way to avoid impacting consumers who use these types of services for things like emergency assistance.”

AT&T also said this week it would cut off data aggregators’ access to the information by March. The company said it wound down most location sharing last year while still providing companies with customer information for services such as roadside assistance.

“In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services—even those with clear consumer benefits,” the company said.

A spokesman for Verizon Communications Inc., which late last year added restrictions on its relationship with location-data brokers, said the carrier plans to end its remaining agreements with four roadside-assistance companies by the end of March.  “We have terminated all other such arrangements,” he said.

A Sprint Corp. spokeswoman said the company told Zumigo this week that it was terminating its contract. Sprint “determined that Zumigo violated the terms of our contract by not sufficiently protecting Sprint customer data in its relationship with MicroBilt,” a credit-reporting company used in the bounty hunter example to pinpoint a phone.

Zumigo CEO Chirag Bakshi said his company cut off MicroBilt’s access to all cellphone locations after the Motherboard article published. “The incident that occurred was an illegal use of the data,” Mr. Bakshi said in an interview. “MicroBilt was supposed to be for lending…for a financial use case which was misused.”

MicroBilt said its contracts with clients require a customer’s explicit consent to access location data. “Upon learning of the breach of contract in this instance, MicroBilt immediately terminated the customer’s account and suspended delivery of its mobile device geolocation verification service to all customers,” marketing chief Sean Albert said.

Sprint continues to share what it says are non-personally identifiable location data with Pinsight Media, the mobile data and advertising company it sold to InMobi last year, the spokeswoman said. It continues to share data with some other third parties.

Cellphone companies made similar promises to protect user data six months ago after reports of lax oversight prompted Sen. Ron Wyden (D., Ore.) to write the carriers seeking more information about their practices. The companies at the time said they shared device locations with users’ consent by outsourcing the work to aggregators like Zumigo. Those aggregators shared the information with dozens of other companies that provide services such as freight tracking, roadside assistance and bank fraud protection.

Wireless companies say they still collect and share groups of customers’ location histories for advertising after stripping away data that could identify individuals. That information is gathered through a separate process from the real-time pinpointing used when a customer would like to be found by a tow-truck company, for instance.

Carriers can’t provide wireless service without knowing their customers’ rough whereabouts, which are determined by measuring the distance to nearby cell towers. Mobile apps often get more precise location information through GPS, Wi-Fi and Bluetooth signals, though customers can toggle the sharing of some of that information on their smartphones.

Mr. Bakshi said his company will probably continue serving clients like banks by reporting users’ locations through app-based data collection and that users confirm their willingness to share that information by responding to text message requests. He said most Zumigo clients already seek consent through text messages.

In an interview Friday, Sen. Wyden said the recent reports show the need for a new federal privacy law to head off “a national security and personal-safety nightmare.” He said the carriers have pledged to improve their practices before and fallen short of their promises.

“I’ll believe it when I see it,” he said. “I got the promises again yesterday, but I got the promises in 2018. I don’t want to be back in 2020 listening to the same wash, rinse and repeat.”

Write to Drew FitzGerald at andrew.fitzgerald@wsj.com and Sarah Krouse at sarah.krouse@wsj.com





Source link