Quis custodiet ipsos custodes?

FCC investigates site that let most US mobile phones’ location be exposed

Wyden: mobile phone companies', contractors' view of security is "negligent."

Sen. Ron Wyden (D-Oregon), as seen on April 18, 2018.

The Federal Communications Commission has taken preliminary steps to examine the actions of LocationSmart, a southern California company that has suddenly found itself under intense public and government scrutiny for allowing most American cell phones’ locations to be easily accessed.

As Ars reported Thursday, LocationSmart identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said. While the firm claims it provides the location-lookup service only for legitimate and authorized purposes, Krebs reported that a demo tool on the LocationSmart website could be used by just about anyone to surreptitiously track the real-time whereabouts of just about anyone else.

"I can confirm the matter has been referred to the Enforcement Bureau," wrote FCC spokesman Neil Grace in a Friday afternoon email to Ars.

LocationSmart has not responded to Ars' direct questions, but it did send a statement saying that the company "strives to bring secure operational efficiencies to enterprise customers."

The demo tool that was once available has been yanked from the company’s public website.

"LocationSmart is continuing its efforts to verify that not a single subscriber's location was accessed without their consent and that no other vulnerabilities exist," Brenda Schafer, a company spokeswoman, wrote in an email. "LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process."

LocationSmart is reportedly the vendor that ultimately sold location data to Securus, a prison telecom firm.

Sen. Ron Wyden (D-Ore.), who shared his concerns over the company's actions with The New York Times, said in a statement to Ars on Friday that the "location aggregation industry" has functioned with "essentially no oversight."

He continued:

The only real surprise is that it took this long for the public to learn that the wireless carriers and their business partners were demonstrating such a total disregard for Americans' privacy and safety... I'm pleased the FCC is opening an investigation into the reported data leak by LocationSmart. The negligent attitude toward Americans' security and privacy by wireless carriers and intermediaries puts every American at risk. I urge the FCC to expand the scope of this investigation and to more broadly probe the practice of third parties buying real-time location data on Americans.

He also called on FCC Chairman Ajit Pai, who served as an attorney for Securus in 2012, to recuse himself from any related investigation.

"Chairman Pai's past work for Securus makes it untenable for Mr. Pai to lead this investigation," he said.

Meanwhile, pressure is mounting on mobile carriers to stop selling the real-time location data of their hundreds of millions of customers.

So far, none of the carriers have expressly denied they worked with companies such as LocationSmart in the past or pledged to stop working with them in the future.
