WASHINGTON, August 29, 2022 – Advocacy groups are coming out in support of the Federal Communications Commission’s decision to release to the public information about how the top mobile carriers store and distribute customer geolocation data.
On Thursday, FCC Chairwoman Jessica Rosenworcel publicly released pertinent letters that were submitted by America’s top 15 mobile telephone carriers in response to an FCC request issued last July. The group of respondents includes telecom giants AT&T, Comcast, Spectrum Mobile, T-Mobile, Verizon, and Google.
“The FCC has a responsibility to make sure that carrier privacy protection practices continue to evolve with the technology,” said Harold Feld, senior vice president at Public Knowledge, in a statement. “These letters show that…carrier geolocation data practices are all over the map.
“The FCC has said it will continue to investigate whether carrier practices have broken any laws,” Feld added, “but the FCC can and should do more.”
Justin Brookman, director of technology policy at Consumer Reports, said he believes that government oversight of mobile carriers is necessary: “People have no choice but to share very sensitive data like geolocation with mobile carriers just for those products to work. There should be substantive constraints on what they do with that information and for how long they keep it.”
Is your mobile carrier sharing your data with third parties?
In its response to the FCC, Google states: “Google Fi does not share data with third parties that are not law enforcement without subscriber consent, unless necessary to provide Google Fi services or required by law.” Google’s privacy policy, however, demonstrates a broad definition of “necessary to provide Google Fi services.”
The policy states that Google regularly shares customer data – including location data – with “trusted” third parties to improve its services. And although Google doesn’t provide an example of how location data is distributed, it provides other examples of third-party access to personal user information.
“We also use service providers to help review YouTube video content for public safety and analyze and listen to samples of saved user audio to help improve Google’s audio recognition technologies,” the policy says.
Most other responding carriers said they do not provide location data to third-party entities (excluding law enforcement) under any circumstances. AT&T, however, shares user information – including location data – with third-party advertisers on an opt-out basis. AT&T customers can also opt in to “Enhanced Relevant Advertising,” which sends more extensive data to third parties.
And neither is Verizon fully withholding customers’ information, it said. The carrier attested to using data “…to help [Verizon] and other companies wireless customer actions in aggregate.” Customers can, however, opt out of this data sharing initiative.
Carriers’ collection and storage of data
There are commonalities in carriers’ methods of collecting and storing data, according to an analysis of the letters. Most stressed their commitment to user privacy, detailing security measures including extensive employee training and data encryption. Many carriers’ responses also linked to publicly available privacy policies.
Carriers that operate on their own mobile networks collect geolocation data from cell towers. Such collection is necessary to route cell signals and perform basic cellular functions like calling and texting. Some carriers – including AT&T, Verizon, and Google – also collect geolocation data from proprietary apps or other software.
Mobile virtual network operators – e.g., Lively, Xfinity, Spectrum Mobile – do not have their own networks. MVNOs use the networks of partner providers. Comcast’s Xfinity, for instance, utilizes Verizon’s cell towers, as does Spectrum Mobile.
Unlike mobile network operators, the MVNOs said that they receive only non-specific location data that is necessary to their core operations. From the response of Red Pocket Mobile’s CEO, Joshua Gordon: “Such generalized data provides no insight into a customer’s precise geolocation, and is generally not considered to be “geolocation data” in the telecommunications industry.”
Once geolocation and non-specific location data are collected, they are generally stored for a period of one to two years, varying by carrier. Notably, AT&T said it retains certain non–location specific cell-tower data for a period of five years. Another outlier is Consumer Cellular, which, according to its response, stores data online for four months, and then transfers the data into an offline database in which they are stored indefinitely.
The letters come after the House Energy and Commerce committee last month passed federal privacy legislation, known as the American Data Privacy and Protection Act, which would establish a data privacy framework and enforcement mechanisms for it. Verizon applauded the legislation in its submission to the FCC.