I worked for a "household name" towing insurance company years ago. Often times people calling in don't actually know where they are, because it's on a highway somewhere unfamiliar. We integrated with a service provider to be able to get the GPS through the phone. It worked largely like you suggest, we hit an API, it asks them permission, they grant it, we get GPS.
Would that be Geico? They were mentioned doing that in the comment here¹:
“It's funny that this is coming up now. The other day I was on the phone with Geico's roadside assistance and they wanted to know my location. I told them I didn't have their app downloaded, they said it wasn't a problem and they could get it without it. Sure enough they could. I checked their disclaimers [1] and they purchase the data from my cell carrier. They didn't even have to know which one.
One I called 911 to report someone driving on the wrong side of a freeway. I was half sleep in the passenger seat and didn't notice we were on another interstate already. When i said "on highway A" the operator corrected me "don't you mean highway B?" and she was right. I did not get any GPS alert on my phone or confirmation, which given the service I was calling I think it was fine.
It is definitely based entirely on inferred data from cell tower usage. No gps involved whatsoever.
Well, most of the clients of this service are law enforcement. "The FBI is requesting permission to track your location, reply YES to allow"? Yeah, that's not going to happen.
But as I read the article, the location data is only at the resolution of which cell tower they're connected to. Doesn't 911 get better location info than that?
I'm not certain what the actual product uses, but the LocationSmart demo posted here last week had three data sourcing options: "[Cell Tower], AGPS, Best Available"
What if law enforcement knew? What if this was an intentional backdoor for law enforcement to abuse? I know, you can apply that on any vulnerability (what if X knew), "don't assume malice [...]", merely hypothetical but still.
And provide a straightforward mechanism of checking what has had access, what still has access, and a way to revoke it.