The recent uproar over location tracking in smartphones has gotten ugly and fingers are bound to be pointed. But in the spirit of transparency, the four major carriers have outlined and detailed their location tracking applications s well as what exactly that data is being used for.
The honesty does come as a response to the revelation that iPhones, Android devices, and Windows Phone 7 units are tracking user location. Earlier this year, concerned Congressmen Edward Markey and Joe Barton contacted T-Mobile, Sprint, AT&T, and Verizon. The politicians, reasonably, felt that the networks’ customer proprietary network information (CPNI) and location data collection needed clarification. All four major carriers responded, and here’s what they had to say.
T-Mobile
According to its response, the carrier does not “use, disclose, or permit” access to subscribers information without customer approval unless it’s for valid legal reasons. T-Mobile also revealed that it collects personal data (i.e. billing, credit card information, etc) when customers sign up, which is to be expected. When smartphone users employ a browser on T-Mobile phones, the carrier is automatically sent IP addresses, browser type, date and times, and Web page content.
According to T-Mobile all of this customer information stays in-house, meaning it’s used to analyze consumers’ habits for marketing purposes and future products and “internal business decisions.” It says customers are always able to opt-out of any resulting marketing communications from the carrier, and most importantly affirms it in no way distributes this information to outside parties. T-Mobile didn’t clarify exactly how long it holds on to the information though, saying only “as long as we have a business need, or as applicable laws, regulations, or government orders require.” When asked how it informs customers in the case of collecting data, the carrier says its privacy policy details this.
Sprint
Like T-Mobile, Sprint claims it does not disclose CPNI without customer approval except in causes of valid legal reasons. The carrier also makes it clear that any of its location tracking features are opt-in, like its Sprint navigation and Family Locator services. Users can choose to “allow” or “don’t allow” such applications, and if they do allow it to track their location the resulting information will be stored on the handset’s operating system.
Sprint says it obtains all personally identifiable information through two methods: when it’s provided by customers, and customer use of its “device and services.” This data includes contact information, social security number, birth date, billing information, location information, device information, and usage information. Some of this is used to evaluate its own service (i.e., signal strength in certain locations) as well as to offer new Sprint products to customers and largely for marketing purposes. It also uses it “to respond to legal process and emergencies.” None of this data is disclosed to third parties unless customer approval is given – meaning apps, largely. If a user installs an app that requires information provided to Sprint, installing the app is equivalent to your consent.
All information is encrypted (when possible) and uses Internet firewalls to protect users’ mobile Web usage. Access to customer data operates on a “need to know” basis. Information is generally stored for “the life of the account plus three years.” Requests for location data from applications or installed services are kept for two years in an unreadable format, but do not include latitude/longitude coordinates.
AT&T
“AT&T does not use, disclose or permit access to individually identifiable call location information,” says the carrier. It also explains some third party apps request location data, but customers opt-in to these services. “In these cases, AT&T has no control over or involvement in providing either the application or the location used by the application.”
AT&T collects customers’ contact info, social security number, and financial account numbers when users sign up. Location info is collected when users operate location based services, and is used to evaluate the carrier’s performance. Like all the providers, all personal information is used for marketing purposes. Data AT&T deems sensitive – location coordinates, ISDN, identity, etc – is encrypted. Employees are required to follow legal requirements handling this information and they receive security training.
Information is kept depending on business, tax, or legal reasons require – and according to AT&T that could be for several days or five years. When users employ location based services through apps, the carrier uses the information to evaluate network performance. AT&T also claims it “will provide specific notice about the collection of location information…when we believe that additional, separate notice and consent is appropriate for the type of application involved.”
Verizon
Verizon also claims to collect location data to evaluate network performance and only discloses information if prompted by a valid court order or similar legal process (i.e. assisting police in 9-1-1 calls). The carriers VZ Navigator and Family Locator services use location, which require user consent. VZ Navigator has an opt-out option as well.
Like its fellow providers, Verizon uses this information – including location – for marketing purposes. The company also insists its phones location based services are shipped with the feature turned off, so that customers can opt to turn it on themselves, which gives Verizon applications and third party applications access to their location. And soon, phones will ship with the sticker warning seen below, informing customers their phones have the ability to track their locations:
The sign-up process and use of Verizon applications mean the carrier has the normal slew of personally identifiable information. This data stays at Verizon, but it does mention that “in the event we decide in the future to share such information, it would only be with customers’ meaningful consent that takes into consideration the particular use and form of the information at the point when it would be shared with a third party.” All sensitive material is encrypted and outside data storage centers must provide valid credentials. What Verizon considers extremely sensitive information (social security numbers, birth dates, drive license numbers, credit card info) is available to a “limited subset” of its own staff on a need-to-know basis. In general, customer account and billing information is stored for seven years for business purposes, and is then shredded or made unreadable, depending on its form.