Ray et al v. T-Mobile US, Inc.
Filing
1
COMPLAINT against T-Mobile US, Inc. ( Filing fee $ 400 receipt number 0416-7988309.), filed by Kantice Joyner, Shawnay Ray. (Attachments: #1 Civil Cover Sheet, #2 Summons, #3 Exhibit A, #4 Exhibit B, #5 Exhibit C, #6 Exhibit D, #7 Exhibit E, #8 Exhibit F, #9 Exhibit G, #10 Exhibit H, #11 Exhibit I)(Zajdel, Cory) Modified on 5/3/2019 (kw2s, Deputy Clerk).
June 15, 2018
The Honorable Ron Wyden
United States Senate
221 Dirksen Senate Office Building
Washington, DC 20510
Re:
Response to the Letter Dated May 8, 2018
Dear Senator Wyden,
We write in response to your letter, dated May 8, 2018, regarding access to customers’
private information. T-Mobile takes the privacy and security of our customers’ data very
seriously and we do not tolerate any misuse of our customers’ data. We, therefore, were
troubled to read the allegations in your letter and subsequent press coverage regarding
Securus’s alleged misuse of customer location information without customer consent. The
use described in your letter was never approved by T-Mobile and we quickly shut down any
transmission of our customers’ location data to Securus. We have also reviewed the program
more broadly and, while we believe the program has appropriate controls already in place,
we are working with our location aggregators and will be taking additional steps to help
ensure that an incident like this one does not happen in the future.
Our location aggregator program, which is similar to programs offered by other national
carriers, provides two qualified aggregator partners with access to customer location data
derived from our network operations. In turn, these aggregator partners provide such
location data to approved third party service providers who use such location data in
providing various services. Each such service provider, and its proposed use of location
data, must be pre-approved by T-Mobile. Each individual location query must be
accompanied by records of verifiable and informed consent of the end user.
The program provides our customers with valuable location-based services. Although the
program is relatively small, it delivers numerous societal and consumer benefits, including
through services like roadside assistance, medical emergency alert services, and bank fraud
prevention. Because other national carriers provide similar programs, these valuable
services are available to the vast majority of U.S. mobile wireless consumers.
T-Mobile’s location aggregator program involves multiple checks and balances to help
ensure our customers’ data is safeguarded. Our contracts have important provisions that
serve to protect our customers’ information, including, as noted above, requiring service
providers, via a location aggregator, to seek approval from T-Mobile for each data use, and
requiring customer consent before location data is shared. This program is also periodically
assessed and reviewed to ensure these protections and safeguards are working properly.
T-Mobile USA, Inc. 601 Pennsylvania Avenue NW, North Building, Suite 800, Washington, DC 20004
For example, T-Mobile started one of our periodic reviews several months ago and selected
a third party to assess this program. The review seeks to confirm, among other things, that
the program’s qualified service providers use the information as required, with verifiable
informed customer consent, and that records of consent are provided to the location
aggregators before any location information is shared.
In addition to providing our customers with control over their data, transparency is also a
priority at T-Mobile. Our privacy policy and other privacy resources available on our
website explain to our customers how their location information is shared, and service
providers are also required to provide meaningful notice before obtaining a customer’s
consent.
Below, we provide answers to the specific questions posed in your May 8 letter.
1. Please identify the third parties with which your company shares or has shared
customer information, including location data, at any time during the past five
years. For each third party with which you share information directly, please also
include a list of the ultimate end users of that information, as well as all
intermediaries.
T-Mobile partners with two location aggregators, LocationSmart and Zumigo. The
aggregators then partner with service providers, who have a direct relationship with the
consumers and offer them specific location-based services. The service providers offer
various services that our customers find useful and valuable. Below, we list the different
types of services provided. As mentioned above, service providers, uses, and consent
methods are approved by T-Mobile, and each service provider must obtain end user consent
to collect a consumer’s location data.
Type of Service
Emergency Roadside
Assistance
Description
Customers’ location information is used so that they can
receive emergency roadside assistance wherever they are
located more quickly
Emergency Medical
Customers’ location information is used so that they can
Assistance
receive emergency medical assistance more quickly wherever
they are located
Bank Fraud Prevention
Customers’ location information is used to help ensure that
no one is impersonating them when opening a bank account
or conducting a financial transaction
Workforce/Employee
Location information is used to assist with employee or fleet
Management/Fleet Tracking monitoring -- for example, managing large fleets or for
payroll purposes (with employee/user knowledge and
consent)
Charitable giving
Customers can learn of local charities based on their location,
to facilitate charitable contributions
T-Mobile USA, Inc. 601 Pennsylvania Avenue NW, North Building, Suite 800, Washington, DC 20004
Type of Service
Law Enforcement/House
Arrest Monitoring
Store Locator
Concierge, Travel and
Other Personal Services
Proximity Marketing
Cross-carrier Location
Aggregation
Product Delivery Services
Mobile Gaming
Description
Customers’ location information is used to verify that
consenting users sentenced to home incarceration are located
at their specified address; determines called party location on
outbound calls from inmates in correctional facilities to
determine call rates pursuant to FCC regulations (with
knowledge and consent of end user)
Customers’ location information is used to help customers
seeking to find particular stores near them
Customers’ location information is used by service providers
offering concierge or other travel-related features to users
interested in such personalized services -- for example,
learning about events in a customer’s area
Customers’ location information is used to deliver nearby
marketing deals/offers for users interested in coupons and
other discounts
Location information is used to test phones and devices; used
in the business context, where whitelisted business devices
are used to test coverage
Customers’ location information is used to streamline
delivery of consumer products/services and help reduce costs
Customers’ location information is used to determine whether
mobile gaming is legally permitted in customer’s state or
locality
2. For each of the third parties identified in response to question one, please detail
the types of customer information provided to them and the number of customers
whose info was shared. For each of these, please detail whether the third party
provided proof of customer consent, and if so, how the third party demonstrated
that they had obtained customer consent.
In response to a specific service provider request, via a location aggregator, we share cell
tower location information for the customer’s phone number that was associated with the
request (i.e., the number provided to us in connection with the request). As discussed
above, records of customer consent must be provided to the location aggregator (including
the time the consent was provided) before the location aggregator provides the service
provider with the requested location information. Customer consent is obtained by the
service provider in a variety of ways, and these consent methods are approved by T-Mobile
when it approves each use and service provider before location data is shared. One example
of consent is through Interactive Voice Response (IVR), where the customer says “one” or
presses 1 on the keypad at the beginning of a phone call to affirmatively provide consent.
Another example is where an SMS is sent to the customer’s device and they respond
affirmatively.
T-Mobile USA, Inc. 601 Pennsylvania Avenue NW, North Building, Suite 800, Washington, DC 20004
3. Please describe in full your process, if any, for determining that each third party
identified in response to question one has obtained appropriate consent before
your company shared that customer’s information with them. Specifically, please
describe what criteria and processes your company uses to review claims and
evidence that a third party has obtained consent.
Our location aggregators are required by contract to obtain and maintain records of consent
from each customer who has provided such consent to partake in a location-based service.
These records must be maintained for T-Mobile’s review, and they are reviewed as part of
periodic assessments that T-Mobile and its location aggregators perform.
4. Please describe any incidents known to your company or uncovered during your
responses to the above in which a third party with which your company shared
customer data misrepresented that they had customer consent.
As discussed above, as soon as we learned of the allegations in your May 8 letter, we
quickly terminated any transmission of data to Securus, because the use described in your
letter was not approved by T-Mobile. T-Mobile requires internal approval of every service
provider and use, including the mechanism by which the service provider will obtain
customer consent before any location information is shared with partners and service
providers. To the extent that a company deviates from protocol, T-Mobile will take action,
as it did with Securus.
****
T-Mobile recognizes that, while our customers enjoy numerous benefits from location-based
services, we must simultaneously be diligent in ensuring that the privacy and security of our
customers’ data is protected at all times. That is why T-Mobile and its location aggregators
take numerous precautions (including periodic reviews of our program and compliance with
CTIA’s Location-Based Services Guidelines) to ensure that our customers’ location data is
not misused in any way. And that is also why T-Mobile acted swiftly to terminate Securus’s
access to our location aggregator program after we received your May 8 letter. Going
forward, we will continue to monitor our program and take appropriate steps to ensure that
our customers can receive the location-based services they desire in a manner that is
consistent with applicable law, their privacy expectations and our high standards for service
to our customers.
Sincerely,
Anthony Russo
Vice President, Federal Legislative Affairs
T-Mobile US, Inc.
T-Mobile USA, Inc. 601 Pennsylvania Avenue NW, North Building, Suite 800, Washington, DC 20004
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?