Private Location Data Bought and Sold; FCC Fines Possibly Pending - Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design

Private Location Data Bought and Sold; FCC Fines Possibly Pending

Americans by the millions are being tracked through their cell phones, using location data sold both legally and, apparently, illegally. The buyers-users range from marketers and bounty hunters to border enforcement groups within the Department of Homeland Security (DHS).

The data comes from two primary sources: the cellular phone-tower data generated by the operation of the phones as they connect and move through the network, and by the apps within cell phones that determine location, often via the GNSS chip in each phone. The distinction is important because sharing cell tower data is illegal unless the cell user specifically opts in. No such control exists on the data from apps that get location from something other than cell-tower pings.

“There’s a huge gap in federal privacy law when it comes to location information,” said Aaron Mackey, a staff attorney with the Electronic Frontier Foundation (EFF). Congress revised the Communications Act in 1996 to regulate phone carriers and protect cell tower data, he said. But that was well before the surge in cell-phone apps. “Obviously a lot has changed in the 24 years since that law was passed.”

Violation of Federal Law

Federal Communications Commission (FCC) Chairman Ajit Pai said in letters to members of Congress that the FCC’s Enforcement Bureau had recently completed its investigation, concluding that “one of more wireless carriers apparently violated federal law.” He planned to circulate a proposal for fines for the other commissioners to consider.

The matter came to light after the New York Times and the Vice publication Motherboard published stories about law enforcement officers, property managers and bounty hunters buying, via middlemen, location data that came from wireless carriers.

“For more than a year, the FCC was silent after news reports alerted us that for just a few hundred dollars, shady middlemen could sell your location within a few hundred meters based on your wireless phone data,” said FCC Commissioner Jessica Rosenworcel. Her statement appeared January 31 after the finding was announced. “It’s chilling to consider what a black market could do with this data. It puts the safety and privacy of every American with a wireless phone at risk.”

The EFF is a party to a class-action lawsuit seeking recompense from AT&T over the sale of the data.

Open Season on Data from Phone GPS Chips

Other firms are also selling location data, but that data comes from GPS/GNSS chips or other sources. There’s no law against that.

“There’s the legal regime that applies to (wireless) carriers but then there’s’ no analogous legal regime that applies to any other third party that might acquire this information,” said Mackey of the EEF. “So, for example, the New York Times opinion section just ran a large investigation talking about how apps obtaining data on your phone, including GPS data, were basically able to suck that up with out people’s notice and create the sort of large volume — this massive database that was tracking everyone’s movements.”

The Wall Street Journal reported February 7 that the Department of Homeland Security’s Immigration and Customs Enforcement has been using this kind of data “to help identify immigrants who were later arrested.” The data has also been used to find illegal border crossing points including a tunnel under the border.

“The federal government’s use of such data for law enforcement purposes hasn’t previously been reported,” the paper said. Because the government is buying data that is available commercially it appears that use is legal though “though its use hasn’t been tested in court.”

“Only a Small Amount”

DHS’s Customs and Border Protection (CBP), which also uses the data, said it has privacy protections and limits on how it uses the location information. The agency told the Journal that it accesses only a small amount of the location data and that the data it does use is anonymized to protect the privacy of Americans. “While CBP is being provided access to location information, it is important to note that such information doesn’t include cellular phone tower data, is not ingested in bulk and doesn’t include the individual user’s identity,” a CBP spokesman said.

Court Ruling Outflanked

The Supreme Court ruled in 2018 in the case Carpenter v. United States that cell-phone geolocation data is a specially protected class of information because it is so revealing. The judges said that court supervision was required for law enforcement was to get such location data from the wireless carriers. Because the data can be bought, however, government lawyers concluded that ruling doesn’t apply and approved the programs, the Journal said.

The increasing awareness of tracking data, however, and now the use of commercially obtained data by an agency that has been embroiled in some highly controversial actions could put pressure on Congress to act on broad privacy regulations. This could including rules regarding data generated by sources other than cell phones, like cars and devices in the Internet of Things.

Bills now before Congress could address the issue. The Data Privacy Act, for example, would require affirmative consent before geolocation and other sensitive data could be shared. The Privacy Bill of Rights Act would establish regulations over how data, including real-time and historical location data, has to be protected and kept private.

These bills, however, like most privacy legislation, have yet to make it out of committee.

Photo by Robin Worrall on Unsplash.