One way telcos monetize location-based services is selling geolocation data to third parties. But are they doing enough to prevent that data from being misused?
Last month, I travelled to the US for a three-week road trip. When I booked the rental car, I also reserved a GPS unit. I was expecting the usual tablet-sized gadget mounted on the dashboard. Instead, the clerk handed me a smartphone.
Specifically, she handed me a “NeverLost Navigator+” – an Honor Android smartphone that connected to T-Mobile, and opened automatically to a navigation app. It worked fine, and the smartphone form factor is actually better than the tablet in terms of ease of use and portability.
Which of course got me to thinking about whether I could perhaps save some money on my next trip by using my own smartphone with Google Maps Driving Mode. (I did test it, and I have to say that’s a real possibility, although the downside is that it may burn through my roaming data plan.)
It also got me thinking about how far mobile has come in the location-based services (LBS) space. Ever since the early days of 3G, mobile operators had been trying to figure out how to monetize their networks’ location-tracking capabilities. Like with almost everything else mobile, most location-based service innovation has happened over the top, with cellcos providing the network data connectivity and geolocation data. Indeed, if cellcos are monetizing their location capabilities today, it’s at least partly by selling their geolocation data to third parties.
Which brings us to the dark side of mobile geolocation.
Last week, Motherboard published an investigation piece claiming that geolocation data sold by US mobile operators is finding its way into the hands of people who shouldn’t have access to it.
In the US (and I presume elsewhere) telcos sell geolocation data to location aggregators, who then resell it to their customers, such as roadside assistance firms or financial companies (who use it to detect fraud), for example. But according to Motherboard, that data is also being sold to car salesmen, property managers and bounty hunters, and is also finding its way to the underground market. In essence, geolocation data is ending up in the hands of people who aren’t being forthright about how they’re using that data, or who they’re allowing access to it.
Stop me if you’ve heard this one before
Responding to Motherboard, the CTIA said they have official guidelines [PDF] for telcos on location data that require users to be notified when they are being tracked, and that they must consent to being tracked. Spokespersons for AT&T, T-Mobile and Sprint, and some data aggregators told Motherboard that they require customers to acquire consent from the target. However, the report indicates that not all customers do that all the time.
Also, this is not the first time US cellcos have had to issue such statements. In May last year, a data aggregator called LocationSmart was found to be leaking geolocation data collected from cellcos from its website. The same month, mobile phone tracking company Securus Technologies was revealed to be enabling a sheriff in Missouri to track phones with no warrants or judicial oversight. That same week, Motherboard reported that someone hacked into Securus’ servers and stole login details for 2,800 authorized users.
Each time, AT&T, Sprint, T-Mobile and/or Verizon (depending on which carriers the aggregator in question bought data from) stated that they take privacy seriously, comply with CTIA guidelines, and will take appropriate action against anyone who violates their policies.
The question is whether that’s enough in a world where consumer data is regularly bought, sold and resold to just about anyone who can pony up the money – and where consumers (and regulators) are increasingly aware if this. It’s one thing to have a policy forbidding customers (or customers of those customers) from abusing data or reselling it to shady middlemen – it’s quite another to be able (or willing) to monitor and enforce that policy.
Location-based services by nature have always had to walk a fine line between usefulness and privacy. There is obvious value in mapping and navigation apps that know exactly where you are – there’s value in the data generated from those apps, and there’s value in giving third parties access to that data. At the same time, many people find the ability to be tracked creepy (for some people, it’s actually dangerous), which is why notification and consent are crucial to engendering trust in those services. But the more complex that ecosystem becomes, abuses become more likely to occur, and they will in turn become harder to prevent.
It may not be reasonable to hold telcos directly responsible for geolocation data abuses further on down the value chain, but with people currently holding Facebook responsible for third-party abuses, telcos can’t quite absolve themselves by simply pointing to a best practices policy. Now would be a good time for telcos to take precautions and review their policies for selling geolocation data – or at the very least be more judicious about who can or can’t purchase it. Offering boilerplate apologies as a stock response to the latest embarrassing headline hasn’t really worked well for Facebook – it’s not likely to work for telcos, either.