It's legal because this in the United States, it's considered the carrier's data, not your data. And they can sell their data however the hell they please.
So for example, if dreadful foreign hackers would establish a fake marketing company, sign agreement with LocationSmart (or telecoms directly) and spy on government and military officials to gather compromising information for the next election cycle, this would be legal too? Sounds nice for foreign hackers.
When journalists, or American political parties do this, we call it journalism, or campaigning, so... I'm not sure what the problem is. Is it the fact that's done by a foreigner?
Yet, we allow American branches of multinationals, or domestic companies owned by foreigners to directly influence politics and politicians, so I'm still not sure where the issue is.
If you don't want embarrassing scandals from your preferred political party sinking their chances at winning elections, perhaps it should stop having embarrassing scandals? No, surely, the fault is in the people publicizing them...
It is supposed to only occur with explicit user consent. You have to opt in. That is kind of the whole point of this thread. The researcher, who has been active in this thread, found a way to bypass the consent feature.
Do we need to opt-in with our Carrier, or with LocationSmart?
The first one would make more sense than the second.
What is going on here doesn't make any sense. Basically the carriers give access to the data of EVERYONE and the latest link of the chain is the one supposed to check the "opt-in"? Meaning everyone on the chain in between got access ?
Carrier. LocationSmart must respect user preference from carrier. It is the carrier/consumers data, ultimately, so it is between the consumer and the carrier. LocationSmart is down stream and must respect the privacy wishes of the consumer/carrier. There are two layers of problems here. (1) carrier could just /never/ provide data to LS if user did not opt in. (2) LS could not have terrible bugs. Problem (1) is hard. So carriers just give companies like LS full access to location data long with the users preferences and LS agrees to respect users wishes.
I think the carriers carry way more blame in this whole thing than people are acknowledging in this whole thread. Users that didn't opt in are still having their data made available to these third parties cause it's easier to implement. It reminds me of the legal fiction the NSA uses. They collect ALL the data / traffic. But they can only ACCESSS the data with a warrant. In this case the virtual firewall leaks horribly between the carrier and LS and the incentive to make it strong does not exist. Totally different situation but the parallels are there.
It is the same thing as if a bank would sell their customers' bank card numbers and SSNs.