US operators have been reselling the location data they accumulate about their subscribers and have been slow to deliver on promises to stop.

This practice was already well-known by the time it was highlighted in an expose at the start of this year. At the time operators were quick to stress that they’re pulling out all the stops to protect their customers’ personal data but Federal Communications Commissioner Jessica Rosenworcel was apparently skeptical. Frustrated by their deafening silence on the matter she wrote to the four US MNOs at the start of the month to ask them what they were playing at.

Rosenworcel received relatively prompt responses from those operators and decided to publish them alongside a mea culpa that was probably directed more at other FCC Commissioners than herself. “The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data. That’s unacceptable,” she said.

“I don’t recall consenting to this surveillance when I signed up for wireless service—and I bet neither do you. This is an issue that affects the privacy and security of every American with a wireless phone. It is chilling to think what a black market for this data could mean in the hands of criminals, stalkers, and those who wish to do us harm. I will continue to press this agency to make public what it knows about what happened. But I do not believe consumers should be kept in the dark. That is why I am making these letters available today.”

You can read the contrite and exculpatory responses here, but in case you can’t be bothered here’s a summary. AT&T said it started phasing out this sort of thing in June 2018, while still making location data available in emergencies. Additionally the letter attempted to distance AT&T from the reports in question and said it had stopped sharing and data with location aggregators and LBS providers on 29 March 2019.

Sprint said it current works with just one LBS (location based services) provider but will pack that in by the end of this month. T-Mobile said it had terminated all contracts with LBS types by 9 March 2019 and went on at considerable length to correct what it considers to be flawed reporting on how it used to handle this sort of thing. Verizon said it had terminated all location deals by the end of March 2019.

So that would appear to be that. All the operators have said they don’t deal with location data aggregators anymore and presumably Rosenworcel is a happy Commissioner. But the fact that they’ve only just stopped reselling their customer’s personal data, and even then only after persistent nagging and bad publicity, is a further illustration of how cavalier the tech industry has been with personal data to date.