One mobile data industry executive told NBC News, "The third parties that have this stuff are happy to sell it to anyone."
Recent revelations about companies that traffic in personal location data — and how easy that information can be acquired for a few hundred dollars — have led to renewed calls for the regulation of the collection and sale of such data.
The calls come after reports fromThe New York Times and Vice that provided an alarming look at just how much location data is quietly collected through smartphones, and how that data can be accessed by third parties.
"Our wireless companies are selling it to location aggregators who in turn sell it to shady middlemen," Jessica Rosenworcel, the lone Democrat on the Federal Communications Commission, said Wednesday on MSNBC. "The FCC needs to investigate. ... This entire ecosystem needs oversight."
Vice's Motherboard, which reports on technology and the internet, said it was able to pay a bounty hunter $300 to get a cellphone's real-time location. The bounty hunter received the triangulated cellphone tower data through his bail-bond company, which was able to buy it from a third-party vendor for as little as $12.95 per number. That vendor bought the data from a fraud prevention data provider, which bought it from T-Mobile.
The Vice story said the data was accurate within a radius of about 1,500 feet.
"This is a nightmare for national security and the personal safety of anyone with a phone," tweeted Sen. Ron Wyden, D-Ore., about Vice's report.
Wireless providers say plans have already been set in motion to crack down on the unauthorized resale of data and to make sure that the data is used only for legitimate purposes.
A T-Mobile spokesperson said the company takes customer privacy and security "very seriously and will not tolerate any misuse of our customers' data."
AT&T spokesman Jim Greer told NBC News said the company allows the sharing of location data "when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law,"
"Over the past few months, as we committed to do, we have been shutting down everything else," Greer said.
Wireless providers say they've cut off the data for the providers mentioned in the Vice story and are investigating. But a mobile data industry executive, who spoke on condition of anonymity to protect confidential business relationships, told NBC News that while many cellphone companies sell real-time geolocation data to preferred partners, there are "dozens or more" of such companies buying data from the cellphone companies. Those companies in turn may repackage and resell it to "over a hundred" other companies.
"Location is arguably the biggest threat to personal privacy that exists today. It needs to be reigned in," the executive said. "Nobody polices or even cares what happens after that data is sold. The third parties that have this stuff are happy to sell it to anyone."
The executive said the industry was rife with "privacy violations on violations."
"Billions of devices are having their location data leaked by ad servers every day," the executive said. "No consent. No transparency."
While a growing number of politicians have publicly called for new legislation around data privacy, regulation remains scant. Some states have taken the initiative to bolster privacy laws, with a new California consumer privacy law going into effect in 2020 that allows consumers to opt out of having their data resold to third parties.
Gigi Sohn, a former lawyer at the FCC who is now a fellow at the Georgetown Law Institute for Technology, Law and Policy, said she was not optimistic that the FCC, which is led by three Republicans (the fifth seat is vacant), would taken action on the issue.
"I don't expect this FCC, which has done just about everything that AT&T and Verizon has asked for, will engage in a serious enforcement action here," she said.