Export Compliance Daily is a Warren News publication.
FCC, FBI Notifications Cited

Carriers Dodge Wyden on Location Data Breach Specifics, Describe Safety Benefits

T-Mobile, Verizon and AT&T dodged Sen. Ron Wyden’s request for specifics on customer location data incidents in April 5 letters to the Oregon Democrat obtained by us Thursday. Instead, companies cited the life-saving benefits of sharing data with police and specific examples of customer rescues in emergencies. Verizon and T-Mobile also described generally how companies report location data breaches to the FBI and Secret Service through the FCC.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

A March 13 letter from Wyden cited a March 6 Motherboard report revealing “stalkers and debt collectors” obtained location data directly from companies “by impersonating police” and claiming emergency needs (see 1901220030, 1901180034 and 1901090066). Wyden noted wireless carriers are required by federal law to protect customer proprietary network information (CPNI), including location data, and report breaches to police. Sprint was the only carrier to address Wyden’s request for specific information on breach reporting since January 2010, saying there weren’t any company-related incidents in that span.

Verizon reports CPNI breaches to the Secret Service and FBI through the FCC’s Data Breach Reporting Portal as required by law, Chief Privacy Officer Karen Zacharia said, without listing any specific incidents. Instead she described times the company helped police locate distressed customers. In 2018, Oregon State Police located a stranded woman with her car stuck in the snow after Verizon provided location data. In March, an elderly Oregonian with dementia was located because Verizon provided data to the local sheriff’s office, Zacharia said. The carrier completes “several actions” to verify such law enforcement requests, she said, citing the urgency of incidents like bomb threats, hostage situations, kidnappings and fugitive scenarios.

T-Mobile “promptly” reports CPNI breaches to the FBI and Secret Service through the FCC’s data breach portal, wrote T-Mobile Vice President-Federal Legislative Affairs Anthony Russo, almost mirroring Verizon’s response without listing specific incidents. Russo cited a written certification process the company’s Law Enforcement Relations team does to verify authenticity of such requests. “Lives are often at stake” when police submit emergency, time-sensitive requests for carrier location data, he said. Child abductions, kidnappings, mental health emergencies, suicide threats and other risks of injury and death were among the emergencies he listed.

AT&T has a certification process for validating law enforcement requests, Vice President-Federal Relations Timothy McKone wrote, saying giving specifics would give criminals a “blueprint” for future fraudulent requests. He also addressed the Motherboard report, which describes how a perpetrator impersonated a U.S. marshal in 2014 to gain location information and was eventually prosecuted by DOJ. The incident didn’t involve AT&T, nor were any AT&T-involved incidents cited in the March 6 story, McKone said. He didn’t describe any specific breach incidents since 2010.

Sprint, AT&T and Verizon repeated commitments to ending data aggregation programs. Though T-Mobile’s letter didn’t address that aspect specifically, the company committed in January to ending location sharing with data aggregators. Sprint Privacy Head Maureen Cooney noted the company is still providing services to AAA for roadside assistance and to IGT, which verifies location data to meet requirements for state lotteries that provide government funding. Wyden’s office and the carriers didn’t comment Thursday.