FCC investigates site that let most US mobile phones’ location be exposed

The Federal Communications Commission has taken preliminary steps to examine the actions of LocationSmart, a southern California company that has suddenly found itself under intense public and government scrutiny for allowing most American cell phones’ locations to be easily accessed.

As Ars reported Thursday, LocationSmart identifies the locations of phones connected to AT&T, Sprint, T-Mobile, or Verizon, often to an accuracy of a few hundred yards, reporter Brian Krebs said.

While the firm claims it provides the location-lookup service only for legitimate and authorized purposes, Krebs reported that a demo tool on the LocationSmart website could be used by just about anyone to surreptitiously track the real-time whereabouts of just about anyone else.

“I can confirm the matter has been referred to the Enforcement Bureau,” wrote FCC spokesman Neil Grace in a Friday afternoon email to Ars.

LocationSmart has not responded to Ars’ direct questions, but it did send a statement saying that the company “strives to bring secure operational efficiencies to enterprise customers.”

The demo tool that was once available has been yanked from the company’s public website.

“LocationSmart is continuing its efforts to verify that not a single subscriber’s location was accessed without their consent and that no other vulnerabilities exist,” Brenda Schafer, a company spokeswoman, emailed Ars. “LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process.”

LocationSmart is reportedly the vendor that ultimately sold location data to Securus, a prison telecom firm.

Sen. Ron Wyden (D-Ore.), who shared his concerns over the company’s actions to , said in a statement to Ars on Friday that the “location aggregation industry” has functioned with “essentially no oversight.”

He continued:

The only real surprise is that it took this long for the public to learn that the wireless carriers and their business partners were demonstrating such a total disregard for Americans’ privacy and safety… I’m pleased the FCC is opening an investigation into the reported data leak by LocationSmart. The negligent attitude toward Americans’ security and privacy by wireless carriers and intermediaries puts every American at risk. I urge the FCC to expand the scope of this investigation and to more broadly probe the practice of third parties buying real-time location data on Americans.

He also called on FCC Chairman Ajit Pai, who served as an attorney for Securus in 2012, to recuse himself from any related investigation.

“Chairman Pai’s past work for Securus makes it untenable for Mr. Pai to lead this investigation,” he said.