Privacy advocates list protections needed in AT&T's planned location-based service to prevent credit-card fraud
AT&T's plans for a location-based service that would track a mobile phone user to prevent credit-card fraud has raised concerns among privacy advocates who want strict rules on the use of the data.
The service would let credit-card companies confirm when a cardholder lands in a foreign country to avoid wrongly denying credit. From half to 80 percent of denied transactions are legitimate, according to Mastercard, and services like AT&T's is seen as a way of lowering that percentage.
Cardholders would have to op-in to the service, which AT&T plans to start testing this summer. It would be part of AT&T's Location Information Services sold to businesses who want to track employees or provide services to customers based on the whereabouts of their mobile devices.
While reducing credit-card fraud would be beneficial to consumers, privacy advocates want written guarantees that the collected data will only be used for that purpose.
"AT&T has to be crystal clear about whether there's any other use of the data," John Simpson, director of the privacy project at Consumer Watchdog, said.
If the data was also made available to third parties for marketing without permission, then "that would be unconscionable and wrong," Simpson said.
The problem of preventing location data from being misused is real. Two studies involving 14 mobile industry companies and 10 in-car navigation providers found that the businesses did not have "consistently implemented practices to protect consumers' location privacy," the U.S. Government Accountability Office reported Wednesday to a Senate subcommittee on privacy and technology.
"For example, all of the companies examined in both reports used privacy policies or other disclosures to inform consumers about the collection of location data and other information," the GAO said. "However, companies did not consistently or clearly disclose to consumers what the companies do with these data or the third parties with which they might share the data, leaving consumers unable to effectively judge whether such uses of their location data might violate their privacy."
Before people opt-in to the AT&T service, the carrier should guarantee that all data collected would be deleted, if cardholders opt-out later, privacy consultant Rebecca Herold said. In addition, AT&T should disclose retention standards and practices.
"They shouldn't need to retain the data any longer than necessary for the purpose for which they originally collected the data," Herold said.
AT&T should also have an independent third-party perform a privacy assessment that is provided to cardholders and published on the carrier's website.
Other privacy advocates were against any type of carrier-provided location services.
"They tend to cement the perception of legitimacy of having your carrier know where you are," Seth Schoen, senior staff technologist for the Electronic Frontier Foundation, said.
As an alternative to having the carrier provide location data, credit-card companies could offer cardholders an app that gathers the information directly from the phone.
"This is the best technical basis from a privacy point of view for any location-based service, because it leaves open the possibility that the user exercises control over who knows where they are and when," Schoen said.