Timothy P. McKone
Executive Vice President
Federal Relations

AT&T Services, Inc.
1120 20th Street, NW
Suite 800
Washington, DC 20036

T 202.463.4144
tm3703@att.com
att.com

February 15, 2019
The Honorable Ron Wyden
United States Senate
221 Dirksen Senate Office Building
Washington, DC 20510
Dear Senator Wyden:
I am responding to your January 17, 2019 letter to AT&T Chairman and CEO Randall
Stephenson requesting information regarding AT&T’s provision of location-based services.
Your letter refers to a January 9 article published by Motherboard involving a company named
MicroBilt. Although the phone discussed in that article was not an AT&T phone, we
immediately suspended MicroBilt’s access to AT&T location information and began
investigating whether any AT&T customers’ location had been transmitted without consent or
for purposes beyond the limited fraud-prevention use we had authorized for MicroBilt. That
investigation continues, but to date, we are not aware of any such instance.
AT&T has provided location-based services because we recognized the benefits to our
customers.1 Whether it is the towing company receiving the location of a stranded motorist
who does not know the nearest mile marker, a lender thwarting fraud and identify theft, or a
daughter using a medical alert device to get help for an elderly parent, the benefits from these
services are tangible and can be life-saving.
As we detailed in our response to your May 8, 2018 letter we only share location with
customer consent and we maintain strict standards to protect against improper use or disclosure
of that data. For example, before we provide location to any aggregator or service provider, we
investigate them -- i.e., their corporate history, security policies, and privacy policies – as well
as their planned use of the data. We do not share location information with any entity for any
purpose that has not been vetted and approved. If approved, the aggregator or service provider
must provide conspicuous notice to the customer of the intended use of the information and
obtain the customer’s consent to that use, and they are prohibited from using it for any other
purpose. Those entities must provide AT&T with a confirmation of customer consent for each
request for AT&T location data, and we review those records daily.

1

The provision of location-based services has never been a significant source of income to AT&T. In 2017, our
provision of location-based information to aggregators generated a tiny fraction -- about one thousandth of one
percent -- of company revenues.

 The Honorable Ron Wyden
United States Senate
February 15, 2019
Page 2

As we further explained, to facilitate location services, AT&T has contractual
relationships with two third-party location aggregators that allow such aggregators to share
location information with their customers (e.g., roadside-assistance providers) in accordance
with AT&T’s requirements. Those location aggregators are TechnoCom Corporation d/b/a
LocationSmart and Zumigo, Inc.
Notwithstanding the clear benefits of these services, in June 2018, after the Securus
incident, AT&T announced that we were ending our work with location aggregators in a way
that preserved important services like roadside assistance. To be clear, we did not say that we
would stop sharing all location information immediately, but rather “as soon as practical.” We
chose a phased approach rather than a flash-cut to mitigate the impact on location-based
services that offer important public benefits like those described above, and to allow affected
companies an opportunity to transition those services. Since that announcement, we have shut
down access to most of the companies using the services.
As to the remaining fraud-prevention and consumer-safety uses, in light of recent
allegations about the misuse of location services, we have accelerated our phase out plan and
will cease providing location information to all aggregators by the end of March 2019. We
know this means that consumers may no longer benefit from important services until new
methods are developed. This is not a decision that we make lightly, but it is one that we feel is
prudent and appropriate under the circumstances.
Finally, your January 17 letter asks for any known incidents where a third party
misrepresented that they obtained prior customer consent. While our investigation is ongoing,
based on a review going back to January 2016, beyond the allegations of inappropriate use of
location information by Securus Technologies, AT&T has not identified any use of location
information where the location aggregator or another third party obtained AT&T location
information without prior customer consent.
Sincerely,