Mobile carrier customer privacy protection is slowly improving

Mobile carriers know who we are, who we call, and where we are at any given moment, every day. If the carriers take steps to protect this information and don't keep it forever, maybe there's no problem. That hasn't been the norm, but maybe it will be soon.

In July, Federal Communications Commission Chairwoman Jessica Rosenworcel sent letters to the 15 largest mobile carriers asking them for details about their data retention and data privacy policies. The responses were largely unhelpful, so in August Rosenworcel directed the FCC's Enforcement Bureau to open an investigation.

Mobile carriers' dubious handling of personal data, particularly geolocation data collected from customers, has been well known for years. In 2018, press reports revealed that all of the major carriers were making a handsome profit selling location data to third party aggregators such as Securus, Microbilt, LocationSmart and Zumingo with no oversight. For a few hundred dollars, a wide range of people, including car salesmen, property managers, bail bondsmen and bounty hunters could obtain real-time location data on practically anyone.

The carriers all vowed to stop such data sales. But a year later, in January, 2019, Motherboard published an article detailing how a reporter was able to obtain the precise location of certain cell phones from a bounty hunter. For $300, the reporter obtained a screenshot from Google Maps with a blue circle indicating the cell phone user's location. The price was even less if a requestor had high volume.

In the wake of these disclosures, members of Congress pressed the FCC to do something to protect consumers from these practices. After a year of silence from former FCC Chairman Ajit Pai, Rosenworcel (who at that time was a commissioner, not chairwoman) took matters into her own hands and sent a letter to the four major cellular carriers asking them to confirm that they no longer were selling location data without customer consent.

Three years later, here we are again, but this time Rosenworcel is the Chairwoman and appears to be serious about forcing carriers to improve their practices for using and storing sensitive customer data. It's pretty clear that without FCC action, major carriers won't improve.

Take Verizon's response to Rosenworcel's inquiry as an example. Verizon acknowledges that it collects geolocation data, but was far from detailed regarding how it uses or stores the data. Verizon said it collects geolocation data "as needed to develop, provide, and improve our services and experiences for our customers," and keeps it "for the period for which it is needed for business purpose."

AT&T was equally vague in identifying exactly how it uses geolocation data. "AT&T Mobility uses location information to ensure that its networks "are operating effectively, to troubleshoot networks, and to improve products and services." It provided no explanation of how it uses highly sensitive geolocation data to "improve products and services." AT&T also stated that it uses location data to market its own products and services (its so-called "Relevant Advertising" program) and that customers cannot opt out. It also uses data for "Enhanced Relevant Advertising," with no detail as to what that means.

Of significant note, the mobile carriers did reveal for the first time how long they maintain customer data. AT&T told Rosenworcel that it retains information that identifies the current or past location of a specific individual's device for no more than 13 months, historical call detail records, which include cell site location information, for five years. Verizon stated that it maintains network information regarding cell site and sector for up to one year, though its "Hum" application, which monitors an extensive set of vehicle movements and functions, for five years.

T-Mobile detailed the types of data it collects and its data deletion policy, likely because it was burned by a hack that exposed personal data it retained from current and prospective customers dating back to the 1990s. It cost T-Mobile $500 million to settle the resulting lawsuit.

T-Mobile stated that it retains cell site location information, which includes the street address, longitude, and latitude of the cellular tower that carries a particular voice call, SMS message, or data session for two years, and historical data on the latitude and longitude location of a handset for 90 days. T-Mobile told Rosenworcel that it "further limits the privacy risks associated with Geolocation Data by retaining customer Geolocation Data only for as long as we have a legitimate business purpose or legal need or as applicable laws, regulations, or government orders require." Seems like T-Mobile finally figured out that holding onto sensitive customer data is a liability.

Rosenworcel did not detail exactly what the FCC investigators will be examining, but hopefully regulatory scrutiny will prompt the mobile carriers to improve their data handling processes. It's worth noting that despite the carriers' cavalier attitude about geolocation data, the U.S. Supreme Court held in 2018 that such data is entitled to Fourth Amendment protection, and therefore a warrant is required for law enforcement to obtain such data. Carpenter v. United States (2018) ___U.S.___ [138 S.Ct. 2206, 201 L.Ed.2d 507].) Justice Roberts noted that such information is "detailed, encyclopedic, and effortlessly compiled" and that it provides a detailed window into a person's life, revealing his or her movements and related familial, political, professional, religious, and sexual associations. Id., at 2209.

The wheels at the Federal Communications Commission turn slowly on customer privacy protection, but at least they're turning.