Carriers face class actions for sale of real-time phone locations to data brokers.

A person's hand holding a smartphone that is displaying a map.


The four major US wireless carriers are facing proposed class-action lawsuits accusing them of violating federal law by selling their customers’ real-time location data to third parties.

The complaints seeking class action status and financial damages were filed last week against AT&T, Verizon, T-Mobile, and Sprint in US District Court for the District of Maryland. The four suits, filed on behalf of customers by lawyers from the Z Law firm in Maryland, all begin with text nearly identical to this intro found in the suit against AT&T:

This action arises out of Defendant’s collection of geolocation data and the unauthorized dissemination to third-parties of the geolocation data collected from its users’ cell phones. AT&T admittedly sells customer geolocation data to third-parties, including but not limited to data aggregators, who in turn, are able to use or resell the geolocation data with little or no oversight by AT&T. This is an action seeking damages for AT&T gross failure to safeguard highly personal and private consumer geolocation data in violation of federal law.

The proposed classes would include all of the four carriers’ customers in the US between 2015 and 2019. In all, that would be 300 million or more customers, as the lawsuits say the proposed classes consist of at least 100 million customers each for AT&T and Verizon and at least 50 million each for Sprint and T-Mobile. Each lawsuit seeks damages for consumers “in an amount to be proven at trial.”

Carriers promised to stop data sales

In June 2018, all four major carriers promised to stop selling their mobile customers’ location information to third-party data brokers after a security problem leaked the real-time location of US cell phone users. The promises came after revelations that prison phone company Securus offered a service enabling law enforcement officers to locate most American cell phones within seconds. Securus’ service relied on data from LocationSmart, a data aggregator that received location information from the carriers.

Despite the carriers’ promises, a Motherboard investigation found in January 2019 that “T-Mobile, Sprint, and AT&T are [still] selling access to their customers’ location data and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.”

All four lawsuits against the major carriers discuss the Securus case, while the three lawsuits against T-Mobile, Sprint, and AT&T also cite Motherboard’s reporting on the subsequent data sales. The lawsuits reference letters between Sen. Ron Wyden (D-Ore.) and the carriers—Wyden had demanded information from the carriers and pushed them to end their sale of customer data.

The lawsuits accuse the carriers of violating Section 222 of the US Communications Act, which says that carriers may not use or disclose location information “without the express prior authorization of the customer.” The lawsuits also say that each carrier failed to follow its own privacy policy and “profited from the sale and unauthorized dissemination of Plaintiff and Class Members’ [private data].”

While it wasn’t mentioned in the lawsuits, the carriers’ data sales may have also violated Federal Communications Commission rules against misusing data intended for 911 emergency location services.

AT&T vows to fight lawsuit

“The facts don’t support this lawsuit, and we will fight it,” AT&T told Ars today. “Location-based services like roadside assistance, fraud protection, and medical device alerts have clear and even life-saving benefits. We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse.”

T-Mobile declined to comment on the lawsuit, but the company told Ars that it “terminated all service provider access to location data as of February 8, 2019.” Sprint said it is “reviewing the legal filing” but declined to make any other comment.

We also contacted Verizon and will update this article if we get a response. UPDATE: Verizon responded to us, but provided no comment on the lawsuit. The company said only that “Verizon has led the industry in doing the right thing for our customers on these issues.”

Separately last week, Federal Communications Commission member Jessica Rosenworcel sent letters to the four carriers asking if they have fulfilled their promises to stop selling real-time location information to data aggregators.

Rosenworcel, one of two Democrats on the Republican-controlled FCC, also blasted the commission’s leadership for inaction. “The Federal Communications Commission has said it is investigating, but—almost a year after this news first broke—the agency has not provided the public with any details,” Rosenworcel’s announcement said. “Nor has it taken any public action to ensure this activity has stopped.”

The Federal Trade Commission in March began investigating the privacy practices of top mobile and home Internet service providers, and the organization ordered ISPs to disclose whether they share user Web browsing histories, device location information, and other sensitive data with third parties.