As government scrutiny heightens over the handling of consumers’ private information, AT&T faces a proposed class action lawsuit in which the telecommunications company is accused of failing to protect customers’ geolocation data from unauthorized use by third parties.
Filed in Maryland federal court, the lawsuit says AT&T sells customer data to third parties, such as data aggregators, with little to no oversight of how that data is to be used. The result, the case says, is that customers’ private location information is negligently passed down by AT&T into the hands of “literally anybody who is looking.”
The issue first came to light, according to the complaint, in May 2018 when Senator Ron Wyden (D-OR) warned in a letter to AT&T that correctional facility telephone service provider Securus Technologies had been collecting real-time location information about AT&T customers and storing it in a web portal that was accessible to the government. The fact that Securus had access to this private information concerned the senator, the lawsuit says, and suggested that AT&T “does not sufficiently control access to [its] customers’ private information.”
The lawsuit explains that Securus had purchased the information from a third-party data aggregator that had a commercial relationship with major wireless carriers such as AT&T.
In a reply letter, AT&T, among other defenses, maintained that it only shares customer data when the customer consents to such disclosure, and that it had not authorized Securus’s use of the collected customer information for storage in a web portal.
The case then delves into a January 2019 Motherboardarticle in which the news outlet investigated the geolocation data sharing of major telecommunications companies like AT&T. As part of the investigation, a journalist paid a bounty hunter $300 to locate a cell phone, the suit says, and he “did just that” with the help of location data originally provided by wireless carriers. According to the article, “a wide variety of companies” and “smaller players” can access customers’ geolocation data through third parties, such as data aggregator MicroBilt, that sell the information with little oversight. The data eventually ends up in the hands of a variety of private parties “ranging from car salesmen and property managers to bail bondsmen and bounty hunters,” the suit reads.
“In essence, AT&T was relying on the end user of the location data not to abuse the data, or not to obtain the data under false pretenses,” the complaint reads. “In practice, the end users exercised no oversight over the process whatsoever.”
The lawsuit argues that AT&T owes a duty to its customers to protect their data from such unauthorized use by extending more oversight over the companies to which it sells customer data.
The company is currently being investigated by the Federal Communication Commissions (FCC) and Federal Trade Commission.