Greater Legal Protections Needed for Phone Geolocation Data

Law enforcement has been using location information from mobile phones to investigate and apprehend suspects, and to dispatch emergency assistance for years (although their methods have sometimes been secretive and questionable). The recent Supreme Court decision overturning Roe v. Wade has now opened the door for health services – including but not limited to abortions – to be criminalized in some jurisdictions. This means that law enforcement may be able to obtain location data from a data broker to determine whether someone went to a health clinic or similar location. Beyond law enforcement, some jurisdictions may additionally permit civil liability, meaning third parties unaffiliated with law enforcement could attempt to access geolocation data to bring a lawsuit. In short: the collection and sharing of mobile phone location data with law enforcement and with third parties (e.g. selling location data) has taken on renewed importance for all Americans.

This troubling situation underscores the risks that Americans continue to face because of Congress’ failure to enact a comprehensive federal privacy law. Congress has inquired about the tracking practices of tech companies such as Apple and Google, the Federal Trade Commission (FTC) has signaled its interest in this area, and there are bills in Congress that address both limits on the amount of personal data companies may collect and use (such as the American Data Privacy and Protection Act (ADPPA)) and warrantless access to consumer data by law enforcement (the Fourth Amendment Is Not For Sale Act)—however as of today the United States is woefully still without a law to protect us from this commercial surveillance.

In October 2021, the FTC published a report that addressed the data sharing practices of internet service providers (ISPs), including both broadband and mobile providers (noting that several sold real-time location data derived from provision of their services to third-parties). Regarding mobile carriers specifically, in February 2020 the Federal Communications Commission (FCC) issued a Notice of Apparent Liability to major mobile carriers in light of their involvement in the illegal and dangerous sale of consumer location information resulting in rogue law enforcement officers, bounty hunters, and others obtaining real-time and historical location information. This sale was in violation of the FCC’s rules regarding Consumer Proprietary Network Information (CPNI), which includes when, for how long, and to/from whom a phone subscriber made or received a phone call. There has been no public announcement indicating that these fines have ever been collected by the FCC or by the U.S. Department of Justice.

In July 2022, FCC Chair Jessica Rosenworcel sent Letters of Inquiry (LOIs) to fifteen of the largest mobile carriers about consumer geolocation data, requesting information about their data retention and data privacy policies and practices. Chair Rosenworcel stated in the letters: “the highly sensitive nature of this data—especially when location data is combined with other types of data—and the ways in which this data is stored and shared with third parties is of utmost importance to consumer safety and privacy.” The Chair’s questions addressed issues such as: what data is collected from consumers, for what purpose, for what duration, protected by what security measures, with what consumer notice and opt-out, and under what conditions could that data be shared with law enforcement or with non-law enforcement third parties.

On August 25, Chair Rosenworcel shared the responses the FCC received, and further observed that: “[Mobile] carriers know who we are, who we call, and where we are at any given moment. This information and geolocation data is really sensitive. It’s a record of where we’ve been and who we are.” The Chair indicated that the FCC would be investigating the carriers’ compliance with disclosure rules regarding processing and sharing of phone subscriber geolocation data. That said, absent an emphasis on data minimization and attention to secondary uses of data (recently alluded to by Commissioner Starks in the context of broadcast media), the impact of any FCC investigation into meaningful disclosure to consumers may be minimal. Moreover, evaluating privacy in terms of disclosure to consumers represents a “notice and choice” framework, an obsolete approach to privacy because it places too great a burden on the consumer, and one which the Commission unfortunately seems to continue to rely upon (e.g. the Commission has declined to require more than a link to a provider’s privacy policy in its broadband nutrition labels).

Mobile Carriers’ August 2022 Responses to the FCC

In their responses, roughly half of these carriers explicitly described themselves as a Mobile Network Virtual Operator (MNVO), which is basically a reseller of access to another wireless network (e.g. Charter Communications provides mobile service through Spectrum WiFi and/or Verizon). Generally these MNVOs claimed that they only have access to a consumer’s billing address and to call detail records (CDRs), which could include the location of the cell tower providing service. Some claim access to the device ID, IP address, or other data-points from which a general location could be inferred but which is not on its own as precise or accurate as longitude and latitude. But even so-called “anonymized” geolocation data may be easily re-identified. By analogy, demographic data can be de-anonymized using as few as three data points (e.g. zip code, gender, and date of birth). At least one MNVO claimed to request consent before collecting GPS data (for example, while providing driving directions). Many of these carriers reported that they do not allow consumers to opt-out of this data collection, because the data is necessary for the carrier to provide its service offerings (e.g. to connect calls). Some MNVOs indicated that it is their host carrier or tech vendor for 911 calls who establishes a phone subscriber’s location, or that their host carrier is responsible for compliance with legal requests for data.

Most carriers indicated that they did not retain consumer data for more than two years, however there were some exceptions (one carrier retains CDRs, which includes Cell Site Location Information (CSLI), for five years; another aggregates the data to 300 meters and retains that for an additional three years beyond the initial two years; another retains vehicle monitoring data from one of its mobile apps for five years). Regarding security, some carriers stated that they enacted “reasonable safeguards” or industry-standard practices (without supplying details), some named specific cybersecurity frameworks they complied with (although at least one said that it was “based in part on” or that it “aligns with” the framework), and some listed specific practices, e.g. data encryption, secure servers, employee training, and/or limited employee access.

AT&T, T-Mobile, and Verizon each explicitly noted that they allow consumers to opt-out of some data collection (which occurs by default if the consumer does not opt-out), and that they require consumers to affirmatively opt-in to more invasive data collection (AT&T calls this Enhanced Relevant Ads, Verizon calls it Customer Experience Plus, and T-Mobile does not provide a name but notes that services such as family locating require consumer opt-in).

All of the carriers in some way acknowledged that they share data with law enforcement subject to a lawful search order (e.g. court-ordered warrant). Only a few explicitly noted that they first verify the legitimacy and authenticity of the request (i.e. is it lawful or a rogue officer? is it actually a hacker impersonating the police?) or attempt to narrow its applicability (i.e. is the warrant overly broad?). Some spoke very generally about their data sharing practices with law enforcement (e.g. complying with a “legitimate law enforcement request for information”), which may mean substantially less than a warrant will suffice for the carrier to turn over consumer data.

Regarding third parties, many providers indicated that they do not “sell” or “share” data, but they do comply with subpoenas. Some providers indicated that they sell personally-identifiable information only after obtaining the consumer’s consent, however such a “notice and choice” framework does not protect privacy.

Conclusion

Congress urgently needs to enact laws that safeguard the privacy of Americans’ location data. Mobile carriers have demonstrated that they cannot be trusted to protect it, the FCC has yet to adequately address the problem, and the FTC’s investigative reporting disconnected from enforcement, piecemeal enforcement, and lengthy rulemaking proceedings, while representing actual progress, pale in comparison to what a comprehensive privacy law such as the ADPPA would achieve.

Read more about EPIC’s work in location tracking and communications privacy.