TR Daily
Friday, May 18, 2018

FCC to Probe Location Data Aggregator Website Bug

The FCC’s Enforcement Bureau is going to investigate a bug on the website of LocationSmart, which aggregates real-time location data from mobile phone providers, that could allow the data to be obtained by anyone without a password or other authentication, an agency spokesman said today.

Brenda Schafer, vice president-product and marketing for LocationSmart, said in a statement today that “LocationSmart provides an enterprise mobility platform that strives to bring secure operational efficiencies to enterprise customers. All disclosure of location data through LocationSmart’s platform relies on consent first being received from the individual subscriber. The vulnerability of the consent mechanism recently identified by Mr. Robert Xiao, a cybersecurity researcher, on our online demo has been resolved and the demo has been disabled. We have further confirmed that the vulnerability was not exploited prior to May 16th and did not result in any customer information being obtained without their permission.

“On that day as many as two dozen subscribers were located by Mr. Xiao through his exploitation of the vulnerability. Based on Mr. Xiao’s public statements, we understand that those subscribers were located only after Mr. Xiao personally obtained their consent,” Ms. Schafer added. “LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist. LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.”

The revelation comes after Sen. Ron Wyden (D., Ore.) asked the FCC earlier this month to probe the tracking of cellphone customers’ location information by law enforcement officials who access the data from Securus Technologies, Inc., which provides inmate calling services (ICS) to correctional facilities (TR Daily, May 11). The senator also wrote to major wireless carriers to get information on their practices for selling customers’ location information to other parties.

Sen. Wyden today praised the FCC for agreeing to probe the LocationSmart situation.

“The location aggregation industry has operated with essentially no oversight by the Federal Communications Commission. The only real surprise is that it took this long for the public to learn that the wireless carriers and their business partners were demonstrating such a total disregard for Americans’ privacy and safety. I’m pleased the FCC is opening an investigation into the reported data leak by LocationSmart,” Sen. Wyden said. “The negligent attitude toward Americans’ security and privacy by wireless carriers and intermediaries puts every American at risk. I urge the FCC to expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans.”

The lawmaker also said that FCC Chairman Ajit Pai should recuse himself from any probe, saying he has a conflict of interest because he represented Securus in 2012. “Chairman Pai’s past work for Securus makes it untenable for Mr. Pai to lead this investigation. I call on Mr. Pai to do the responsible thing and recuse himself from the investigation,” the senator said.

The FCC spokesman said he had no comment on whether the Enforcement Bureau also planned to investigate Securus. But in response to Sen. Wyden’s recusal call, the spokesman said, “Under the law and applicable rules, there is no reason for Chairman Pai to recuse himself, and he will not be doing so.”

AT&T, Inc., said that it doesn’t “permit sharing of location information without customer consent or a demand from law enforcement. If we learn that a vendor does not adhere to our policy we will take appropriate action.”

“Maintaining customer privacy is a top priority for the company,” Verizon Communications, Inc., said. “We have taken steps to ensure that Securus can no longer access location information about Verizon Wireless customers. We have also initiated a review of this entire issue. We will do what it takes to ensure that private customer location information is protected.” The review includes LocationSmart, Verizon said.

“We take the privacy and security of our customers’ data very seriously. We have addressed issues that were identified with Securus and LocationSmart to ensure that such issues were resolved and our customers’ information is protected. We continue to investigate this,” said T-Mobile US, Inc.

Sprint Corp. said that “protecting our customers’ privacy and security is a top priority, and we are transparent about our Privacy Policy. To be clear, we do not share or sell consumers’ sensitive information to third parties. We do not knowingly share personally identifiable geo-location information except with customer consent or in response to a lawful request such as a validated court order from law enforcement. If we become aware of any of our customers violating the terms of our contract, we will take immediate action.”

- Paul Kirby, [email protected]

