AT&T is being sued for selling customers' location data without their consent

Another day, another violation of user privacy by a giant company. This time, instead of computer software, it's telecom conglomerate AT&T that has been hit with a class-action lawsuit for selling user location data to third-parties. The Electronic Frontier Foundation (EFF) is representing clients who claim that AT&T is selling user data to bail bondsmen, law enforcement, and other groups who can use the data to find people within moments — in real time.

The EFF is hoping to halt the collection of location data and destroy whatever already exists. The plaintiffs allege that they didn't know AT&T was selling their data and consider the action to be without their consent; if they had known the company would sell their data, then they wouldn't have signed-up for AT&T's mobile services.

How could this be possible if we all signed a privacy policy that should detail how our information could be used? According to Kevin Litman-Navarro, writer and data journalist, it's easy for it to happen due to "incomprehensible" writing and vague phrasing. In an op-ed for the New York Times, Litman-Navarro explained how privacy policies use unfamiliar industry terms and legal language to give companies room for error. The document, in the end, is used to protect the company rather than to inform the user.

In AT&T's case, the plaintiffs point to various reports by Motherboard that show evidence of telecoms selling user data to a third-party, who then proceeds to sell it to any other party who pays for it. According to Motherboard, this can include law enforcement seeking real-time location data to track individuals without warrants; landlords screening tenants; vehicle sales; and credit checks without user consent or knowledge. Note that the Microbilt webpages — a company received data from AT&T and other telecoms — are 'archived' pages that reflect how their websites used to look. During Motherboard's investigation, the company scrubbed all mention of their 'Mobile Device Verify' service from their pages.

Some of the information was going to bail bondsmen and, in Motherboard's case, bounty hunters who could track down a target's location little difficulty thanks to mobile data. But one hardly needs to be a career sleuth to hunt someone down. Motherboard also reported on spouses and stalkers using mobile data to spy and locate their victims.

The sale of user data can be life-threatening, that much is evident. But it keeps happening. Last year, the New York Times reported on a former sheriff who misused "a system typically used by marketers and other companies to get location data from major cellphone carriers[.]" The carriers included AT&T, Sprint, T-Mobile, and Verizon. Despite the companies' promises to change, Motherboard once again caught them selling user highly accurate GPS data that was intended for first responders.

The EFF hopes to nail AT&T — and two other companies serving as 'data aggregators' that collect user information and pass it onto other third-parties — for its repeated privacy violations, failure to secure user data, and misleading customers. In a statement sent to reporters, an AT&T spokesperson said the claims were false and insisted that the data is only for emergencies.

"Location-based services like roadside assistance, fraud protection, and medical device alerts have clear and even life-saving benefits," the company stated. "We only share location data with customer consent. We stopped sharing location data with aggregators after reports of misuse."

The EFF believes otherwise. In a response to AT&T's defense, the EFF stated that "AT&T and data aggregators have systematically violated the location privacy rights of tens of millions of AT&T customers." They believe this lawsuit makes a stand "to protect [consumer] privacy and shut down this illegal market."

Previous privacy disclosure lawsuits against telecoms, like this one, have been faced with dissolution attempts by the large companies. Just this month, AT&T teamed up with T-Mobile to claim that users have no right to file a class-action lawsuit and must go through arbitration between the company and each individual, instead.

This type of anti-consumer fine print has been nothing but beneficial to giant telecoms with too much power by keeping the claims hidden from the public eye and quietly smothered. 'Forced arbitration' clauses have even caught the eye of U.S. senators, who acknowledge the harm it causes consumers. But whether the courts will finally put a stop to the practice with these latest lawsuits has yet to be seen or hinted at.