- In response to questions by the Federal Communications Commission (FCC), top mobile carriers in the US admit to tracking and retaining sensitive data about their consumers.
- Telecom companies point to legal requirements for holding on to these details for years.
- The FCC isn’t impressed and has called for an inquiry into the practice.
Our phones know where we've been, but it'd be a gross violation of our privacy if this information was available to someone else without our knowledge.
Yet this is exactly what our mobile carriers have been doing. Thanks to responses published by the Federal Communications Commission (FCC), we now know that not only are some of the country’s top telecom operators, including AT&T, T-Mobile, US Cellular, Verizon, and others, privy to our phone’s location information, many hold on to this, and other, rather private data, for years on end.
“Our mobile phones know a lot about us,” FCC Chairwoman Jessica Rosenworcel said in the press release about the responses. “That means carriers know who we are, who we call, and where we are at any given moment. This information and geolocation data is really sensitive. That’s why the FCC is taking steps to ensure this data is protected.”
A Necessary Evil?
The FCC is primarily interested in the collection and retention of geolocation data, which is the bit of information phones collect to help telecom operators narrow down the physical location of the device, and by extension, people who own them.
The agency was forced to act and seek information from the carriers in July in light of concerns stemming from the recent overturning of a landmark judgment by the Supreme Court. Privacy advocates alleged the new ruling could lead to a new wave of privacy violations driven primarily by the geolocation data tracked and captured by our phones.
“It should scare all of us that 10 of 15 carriers admitted that they collect and store geolocation data on their users [which is] the most intimate and sensitive information our phones track,” Aron Solomon, chief legal analyst at Esquire Digital, told Lifewire over email. “That this has been done for years under a haze of secrecy, with no user notification and no opt-outs is an egregious breach of trust.”
In their response, the carriers almost unanimously cited their need to comply with law enforcement requests as the primary reason for not allowing people to opt-out of this collection and retention.
Showing distrust at this argument, the FCC used this opportunity to call for an investigation into whether the mobile carriers are complying with the agency's geolocation data regulations.
Solomon believes the call for an investigation is a clear indication that the FCC chairwoman wasn't impressed with "intentionally oblique responses" from the carriers.
"For consumers, none of this strikes as fair play; as chairwoman Rosenworcel notes, 'our phones know a lot about us,' yet we aren't anywhere near as equally privileged in having a window into what happens to and with our data," said Solomon.
Service providers should be more forthcoming in detailing exactly what data they collect, the reasons they collect it, and their data retention policies.
The responses also provided insight into data retention practices, which ranged from two months to five years for certain types of data. This gets even more worrisome as not all of the companies explicitly mentioned the use of encryption to protect the data they horde for years.
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, isn’t surprised with phone carriers tracking and collecting massive amounts of data about their customers.
"Of course, this is the type of data that threat actors seek because it has such high value within shadow markets," Shadabi told Lifewire over email.
Shadabi acknowledged that these carriers invest in sophisticated IT infrastructures, and perimeter protections to safeguard against intentional hacks and unintentional data access. Despite this, he said data breaches at telecommunications companies weren’t unheard of, with a recent one at T-Mobile last year allegedly impacting millions of customers.
"Service providers should be more forthcoming in detailing exactly what data they collect, the reasons they collect it, and their data retention policies," said Shadabi. "Providing more details will help to create a better collective culture of data privacy and security, and incidentally nurtures public trust."
Solomon, though, wants to see some stern action against offending companies that are found to be flouting the rules.
"I also think that ultimately the penalties for carrier non-compliance needs to be loss of their license," said Solomon. "It's that simple. Play by the rules, or you don't play."