The Electronic Frontier Foundation (EFF) filed a lawsuit (see below) against mobile operator AT&T and two data brokers – LocationSmart and Zumigo – for selling AT&T customers’ real-time location data without their consent. The lawsuit demands, apart from monetary damages, that AT&T stop selling any more customer location data and ensure that any already sold data is destroyed. It represents three AT&T customers based in California who were unaware that the company sold their location data, which they had not consented to. It also states that AT&T violated the Federal Communications Act by not properly protecting customers’ real-time location data; and the California Unfair Competition Law and the California Consumers Legal Remedies Act for misleading its customers around the sale of such data.

The lawsuit reads:

“AT&T has knowingly breached its duties to protect Plaintiffs’ sensitive location data in order to profit from it.”

“Defendants’ practices allow Plaintiffs and other AT&T customers to be tracked and targeted by unknown third parties without their knowledge. AT&T leverages the technology embedded within a customer’s phone and its own network infrastructure to locate its customers without any indication that AT&T is tracking them in order to sell their precise location to third parties for non-911 purposes.”

EFF’s lawsuit against AT&T: points to several instances of abuse

The lawsuit points to several instances of abuse of AT&T data:

  • AT&T sold its data through a location aggregator to Securus in May 2018 according to a New York Times report.
  • Low-level law enforcement then used Securus’ tool to look up phone location information without a warrant or other legal authority.
  • It refers to a report that found out that a company called Captira was selling real-time location data of all major phone carriers to bail bondsman for $7.50 each, including from AT&T.
  • It also noted that a journalist was able to find the real-time location of a phone in Queens, New York, within an accuracy of just a few blocks, by buying location data from Microbilt through a bounty hunter – Microbilt had bought the data from Zumigo which was approved by AT&T.
  • Leaked documents from a secret company called CerCareOne showed hundreds of bounty hunters had access to AT&T, T-Mobile, and Sprint data for years.
  • The lawsuit also highlights AT&T’s privacy policy page which reads: “We will not sell your personal information to anyone, for any purpose. Period.”

Following the lawsuit, an AT&T spokesperson said in a statement that the facts don’t support claims made in the lawsuit and that the company will “fight it”. The statement also said that location-based services like roadside assistance, fraud protection, and medical device alerts have clear and even life-saving benefits. Contradicting the claims made in the lawsuit, the company said, “We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse,” it added.