When Motherboard broke the story of a thriving underground in bounty-hunters and other unsavory sorts buying realtime location data from America's cellular carriers, many were outraged that the carriers had not lived up to their year-old promises to fix that massive hole in our location data.
But it wasn't every carrier: AT&T, Sprint and T-Mobile subscribers were vulnerable to these attacks, but Verizon customers weren't: that's because every time someone queries your location data through Verizon, the company warns you with a text-message (this is discussed in the latest Motherboard Cyber podcast).
It turns out that one of the data-brokers that bounty-hunters use to source our locations from, Zumigo, lobbied the FCC back in 2017 to head off any requirements for consent for location-tracking.
“As breaches become more prevalent and as consumers rely more on mobile phones, there is a tipping point where financial and personal protections begin to equal, or outweigh, privacy concerns,” one of the slides reads.
Another slide titled “solutions” suggests that the FCC loosen current consent requirements that are included in cell phone providers’ terms of service, allowing carriers to use vaguer, “more flexible” language.
“Remove the consent requirement of stating that information is being released by the ‘carrier.’ Instead, allow more flexible language, such as:—‘You authorize the bank and its service providers to use your mobile account for verifying your identity and protecting you from fraud,’” the slide reads. “Make the release of carrier data opt-out, rather than opt-in, when it is being used to prevent fraud and identity theft.”
Data Broker That Sold Phone Locations Used by Bounty Hunters Lobbied FCC to Scrap User Consent [Joseph Cox and Jason Koebler/Motherboard]