• by Wendy Davis  @wendyndavis, October 12, 2020

AT&T wireless customers still face a risk that their location data could end up in other people's hands, even though the carrier says it no longer sells location information to aggregators, the digital rights group Electronic Frontier Foundation argues.

The organization makes the claim as part of its effort to convince U.S. District Court Judge Sallie Kim in the Northern District of California to allow a lawsuit against the wireless company to proceed in court.

Last July, the digital rights group sued AT&T on behalf of three California residents -- Katherine Scott, Carolyn Jewel and George Pontis -- who alleged the company violated the privacy provisions of the Federal Communications Act by disclosing location data, and sought an injunction against the company.

The suit came several months after the publication Motherboard reported that the major carriers were selling customers' location data to third parties. It also emerged in 2018 that an aggregator was selling location data obtained from carriers to law-enforcement authorities who lacked warrants. 

The four major U.S. carriers have said they no longer sell location data.

AT&T contends the case should be dismissed, arguing that Scott and the others can't show an imminent threat of injury.

But the digital rights group says AT&T's practices could still lead to disclosure of private information.

“The totality of AT&T’s location data system, polices, and practices -- and its public representations regarding the same -- remain unchanged, but for its voluntarily decision to end sales to aggregators,” the Electronic Frontier Foundation writes in papers filed late last week.

"Plaintiffs face an ongoing risk that their location data will be accessed by third parties without their authorization or legal authority -- and continue to overpay for their mobile service -- due to AT&T’s failure to implement sufficient safeguards of their data," the group adds.

In February, the Federal Communications Commission proposed fining AT&T $57 million over its alleged prior practices.

The FCC alleged in the paperwork in that matter that AT&T sold data to aggregators, and also “contracted directly” with five location-based service providers.

The Electronic Frontier Foundation is now calling Kim's attention to that FCC allegation.

“As the complaint makes clear, the issue is not AT&T’s sale to the aggregators, per se, but rather its practice of 'selling its customers’ real-time location data to . . . third parties without the required customer consent and without any legal authority,'” the watchdog argues in a passage referencing the FCC's allegation.

An AT&T spokesperson says the company doesn't allow third parties “to purchase a lookup of geolocation information, or otherwise allow them access to a consumer’s specific location.”

Last year, AT&T filed a separate motion arguing the case should be sent to arbitration, because its wireless service contracts provide for arbitration of all disputes.

The Electronic Frontier Foundation countered that courts in California don't enforce arbitration agreements when consumers seek an injunction that could benefit other members of the public.

The judge hasn't yet ruled on whether the arbitration agreement applies to the case.