Do you use Verizon, AT&T, Sprint, or T-Mobile? If so, your real-time cell phone location data may have been shared with law enforcement without your knowledge or consent.

How could this happen? Well, a company that provides phone services to jails and prisons has been collecting location information on all Americans and sharing it with law enforcement—with little more than a “pinky promise” from the police that they’ve obtained proper legal process.

This week, Sen. Wyden called out that company, Securus Technologies, in a letter to the FCC demanding the agency investigate Securus’s practices. Wyden also sent letters to the major phone carriers asking for an accounting of all the third parties with which they share their customers’ information as well as what they think constitutes customer consent to that sharing.

Wyden called on the carriers to immediately stop sharing data with any and all third parties that have misrepresented customer consent or abused their access to sensitive customer data like real-time location information.

Securus Improperly Collects Data and Shares it with Law Enforcement

Securus is one of the largest providers of telephone services to jails and prisons throughout the country and its technology enables inmates to make collect and prepaid calls to others outside of the facility—at outrageous, unnecessarily high prices. As part of that provision of service, Securus collects location information on everyone called by a prisoner. Securus has used its ability to collect this information to build an online portal that allows law enforcement to obtain the real-time location data of any customer of the country’s major cellphone carriers—not just people who call or receive calls from a prisoner. Worse, Securus doesn’t even check whether law enforcement requestors actually have legal authority to access the data in the first place, before sharing this private location information.

Securus claims this location information is meant to identify and interdict planned importation of contraband into jails and prisons and coordinated escape attempts, and to respond to amber alerts. But that doesn’t explain why it should be getting access to the real-time location information of virtually anyone with a cellphone.

Securus’s Services Appear Designed to Circumvent Federal Laws that Protect Private Customer Data

Wireless telecommunications carriers are obligated by law to keep call location information so they can provide it in an emergency to first responders or the legal guardian or closest family in an emergency involving the risk of death or serious physical harm. But the same law also requires that every telco must protect the confidentiality of this information from unauthorized disclosure. FCC regulations expressly restrict telcos from sharing location information except where required by law, while providing the service for which the customer information was obtained, or with the express approval of the customer.

The “big four” carriers of cellular wireless services, Verizon, AT&T, T-Mobile and Sprint, partner with and share location data with third-party location data aggregators, like Location Smart and 3CInteractive, so that they don’t have to organize and manage requests for location data themselves. For example, companies like banks may want to verify a customer’s location to verify a customer’s identity when they try to open a new bank account and prevent fraud. Generally, a user would have to provide consent for this kind of disclosure directly to the telco before that information could be released to the bank. But telcos receive so many requests for location information from so many companies, that they contract this out to third-party location data aggregators, who then provide that information to the customers.

Securus appears to be taking advantage of this third-party aggregator system. It buys access to real-time location information through these third-party location data aggregators, which have a commercial relationship with the major wireless carriers, and then shares that information with government agencies for a profit.

Securus confirmed to Sen. Wyden’s office that its web portal enables surveillance of customers of every major U.S. wireless carrier. It also confirmed that, outside of a check box, it does not take any additional steps to verify that documents uploaded by law enforcement agencies provide proper judicial authorization for real-time location surveillance. Nor does Securus conduct any review of surveillance requests. That means it doesn’t matter what a Securus customer uploads to the web portal—it could be a cat video for all we know—they will still get access to the real-time location data of the target of their inquiry by checking the box—without any consequences or accountability for misuse.

Cellphone Location Data Sharing Appears to Trigger FCC Notice Requirements

Such unauthorized location data sharing would appear to trigger notice requirements promulgated by the FCC in a series of rules governing access to Customer Proprietary Network Information (“CPNI”); namely “that carriers should be required to notify a customer whenever a security breach results in that customer’s CPNI being disclosed to a third party without that customer’s authorization.” The FCC’s safeguard rules also require telco carriers to maintain records that track access to customer CPNI records. Specifically, 47 CFR § 64.2009(c) of the Commission’s rules requires carriers to “maintain a record of all instances where CPNI was disclosed or provided to third parties, or where third parties were allowed access to CPNI,” and to maintain such records for a period of at least one year. These records could provide an avenue for tracking whether a customer’s data was shared with a company like Securus.

Data Sharing May Also Violate the Fourth Amendment

This term, the Supreme Court is reviewing a case that will impact the legality of Securus’s practices.

In United States v. Carpenter, the Court is considering whether the Fourth Amendment requires law enforcement to get a warrant to access cell phone location data. We filed an amicus brief in Carpenter and in another case, United States v. Rios, arguing location data is extremely sensitive and must be protected by a warrant supported by probable cause. We carry our cell phones everywhere, and the location data they generate can be used to create a precise and comprehensive record of our everyday movements, such as when we visit the doctor, attend a protest, take a trip, meet with friends, or return home. Law enforcement shouldn’t have unfettered access to this data, whether they get it from Securus or directly from the phone companies. The Supreme Court’s opinion in Carpenter is expected by the end of June this year.

EFF applauds Sen. Wyden and his staff for raising concerns about Securus’ real-time location tracking tool and the potentially unlawful practices of phone carriers that share customer location data with commercial partners without verifying assertions of legal authorization or customer consent. The fact that Securus was able to provide this service in the first place, shows that telcos do not properly control access to their customers’ private information. The FCC should find out what, if any, demonstration of lawful authority or customer consent each wireless telco carrier requires from their partners before they provide access to private, real-time customer location information and other CPNI and implement sanctions to deter telcos from shirking their responsibility for ensuring customer privacy and security in the future.

To learn more about the latest issues in cell phone tracking, visit our Cell Tracking page.