Carriers provide location (dis)services to customers

Credit: Ryan Sunada-Wong/ Credit: Ryan Sunada-Wong/

It’s no secret that companies sell consumer data, but what you might not have known is that people can access that data and use it to track your location. On May 16, 2018, that is exactly what Dr. Robert Xiao, then a Ph.D. student in Carnegie Mellon’s Human-Computer Interaction Institute, discovered.

15 minutes into browsing the website for the location aggregator LocationSmart, Dr. Xiao reportedly came across a security vulnerability that granted him access to a cellphone’s real-time location data. Worse yet, it did so without requesting permission from the cellphone user, after Dr. Xiao typed in the user’s cell phone number.

At its core, location aggregators serve to disseminate data. Carriers sell location information to aggregators, who then sell that data to other companies for various purposes: geolocation, marketing, and even emergency assistance. However, this is only if the user has given explicit permission for the recipient to have their data, which you may have seen when installing applications that request location permissions.

So what happens when a hacker can bypass the permission request like Dr. Xiao did? Well, it’s hard to say. At the very least, it is a major violation of privacy. But what’s worse is the potential for malicious individuals to access someone’s location information with minimal difficulty. According to an investigation carried out by Motherboard, bounty hunters can readily find just about anyone’s location by using location aggregators’ data. And, since the data is carrier-based (as opposed to application-based), it is likely impossible to opt-out.

Although the vulnerability was patched the following day on May 17, the fact that it had unknowingly existed for years led the U.S. Federal Communication Commission to open an investigation into LocationSmart. As of the writing of this article, there seems to be no news on the investigation's progress.

To round off last year’s events, the telecommunications companies in question (such as T-Mobile, Sprint, and AT&T) released statements promising that they would cease their sales to location aggregators, except when it would benefit the consumer.

This past Monday, however, the Pittsburgh Post Gazette published a story revealing that carriers still work with data aggregators. In his statement, Richard Young, a representative for Verizon, said, “We…provide location information only with the express consent of our customers.”

However, when the data aggregators in question are still small third-party companies with limited budgets to fund cybersecurity, it is difficult to say if our data is any safer now than it was a year ago.