AT&T has announced that it will stop selling customers' location data to third-parties after reports that the data is being auctioned off on the dark web.
A Motherboard investigation showed AT&T, as well as fellow carriers T-Mobile and Sprint, had been selling location data which can then be bought elsewhere for $300, meaning it was possible to work out where people were at any given time.
Federal lawmakers have called for investigations into the carriers in question following the expos which showed a complex chain of information-sharing which led to the data landing in the wrong hands.
AT&T has now announced that all agreements and deals it had to share data with 'location aggregators' will now terminate by March - including those that were beneficial to its customers.
This comes after the company suspended some of its existing agreements last year as a result of a congressional probe which found that Verizon's location data was being misused by US prison officials to spy to the American public.
"In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services - even those with clear consumer benefits," AT&T said in a statement. "We are immediately eliminating the remaining services and will be done in March."
T-Mobile's CEO John Legere tweeted on Tuesday that the carrier would also cease location sharing agreements by March, citing roadside assistance as one of the helpful services the sharing supports.
When the agreements are terminated, users will be required to opt-in to location data sharing in order to carry on benefitting from such services.
So how did the data get in the hands of criminals? Telcos sell location data to aggregators who then sell data to specific clients and industries - a deal which supposedly only happens when a customer has given explicit consent, according to a letter from AT&T to Senator Ron Wyden earlier this year.
Other instances where users don't have to give consent include roadside assistance and bank fraud prevention companies - the organisations that are lawfully allowed to receive such data and use it to carry out their business.
So the data goes from carrier to aggregator and from the aggregator, location data can go to myriad destinations. One of the aggregators involved in the Motherboard investigation allegedly sells data to clients ranging from landlords scoping out potential renters to car salespeople conducting credit checks.
Frederike Kaltheuner, data exploitation programme lead at campaign group Privacy International, said that "it's part of a bigger problem; the US has a completely unregulated data ecosystem."
Reports of location data ending up in the wrong hands also surfaced in May 2018 when aggregator LocationSmart was believed to have sold data to Securus, a company which distributed real-time location data to low-level law enforcement officers such as Sherriff Cory Hutcheson who used the data to spy on judges and other police officers.
Securus was the same company that also sold Verizon's data to prison officials which became the catalyst for the aforementioned congressional probe.
"Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel," Securus said in a statement issued to the NY Times.
