A new report from Motherboard today takes a look into the practices of US wireless carriers selling user location data to third-parties. While it’s often credit card and other financial companies buying the location data for fraud detection and more, Motherboard says some rogue third-parties have access to user location data and it’s landing the hands of bounty hunters and the black market.
Update 2/7/19: Motherboard has released a new report that further details the sales of users’ location data over the past several years. While carriers have downplayed the extent to which third-parties like bounty hunters and others have been able to buy users’ location data, documents from one data location seller paints a much more concerning picture.
The numbers from one company, CerCareOne, describe selling AT&T, T-Mobile, and Sprint user location data to around 250 bounty hunters and other parties more than 18,000 times over a period of five years.
Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data seller that operated until 2017. The documents list not only the companies that had access to the data, but specific phone numbers that were pinged by those companies.
Worse yet, some of the those bounty hunters allegedly resold the data that they obtained to others.
Some of these bounty hunters then resold location data to those unauthorized to handle it, according to two independent sources familiar with CerCareOne’s operations.
Oregon Senator Ron Wyden who has pressed carriers on this issue over the past years shared a statement with Motherboard.
“This scandal keeps getting worse. Carriers assured customers location tracking abuses were isolated incidents. Now it appears that hundreds of people could track our phones, and they were doing it for years before anyone at the wireless companies took action,” Oregon Senator Ron Wyden said in an emailed statement after presented with Motherboard’s findings. “That’s more than an oversight—that’s flagrant, wilful disregard for the safety and security of Americans.”
Read up on all the new details of this story at Motherboard.
It’s well-known that law enforcement and other government agencies can access user location data from wireless carriers with a warrant, Motherboard says there’s a more complicated and dangerous market that involves carriers like AT&T, T-Mobile, and Sprint selling location data to third-party location aggregators. The issue is that there seems to be little oversight when it comes to what these companies can do with the purchased data.
The investigation also shows that a wide variety of companies can access cell phone location data, and that the information trickles down from cell phone providers to a wide array of smaller players, who don’t necessarily have the correct safeguards in place to protect that data.
Motherboard’s Joseph Cox was able to track the location of a person via their T-Mobile phone number who agreed to be a target for a test. A call to a bounty hunter and $300 did the trick.
Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States.
Notably, this didn’t involve any hacking or background knowledge about the phone number.
The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.
One company that Motherboard says is selling location data to private parties is called Microbilt. The report notes there are several markets buying data from the company:
at least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard.
Complicating this already murky issue is the re-sale of location data on the black market.
Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without Microbilt’s knowledge.
It’s this convoluted web of interactions that makes these privacy and security concerns so problematic. It leaves carriers seemingly helpless once the data is in the hands of third-parties.
There’s a complex supply chain that shares some of American cell phone users’ most sensitive data, with the telcos potentially being unaware of how the data is being used by the eventual end user, or even whose hands it lands in.
As for the carriers, the CTIA (Cellular Telecommunications Industry Association) that represents AT&T, T-Mobile, Sprint, and more said that the transmission of location-based user data is reliant on “two fundamental principles: user notice and consent,” however, Motherboard said its investigation proves that’s not working.
Telecom companies and data aggregators that Motherboard spoke to said that they require their clients to get consent from the people they want to track, but it’s clear that this is not always happening.
In its investigation, Motherboard discovered the user location data passing through six parties:
In a call to Microbilt’s customer support, Motherboard found the company sells user location data for as little at $5.
Posing as a potential customer, Motherboard explicitly asked a Microbilt customer support staffer whether the company offered phone geolocation for bail bondsmen. Shortly after, another staffer emailed with a price list—locating a phone can cost as little as $4.95 each if searching for a low number of devices.
AT&T responded to Motherboard saying that they have cut ties with Microbilt as they look further into these issues.
“We only permit the sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law,” the AT&T spokesperson said.
Sprint shared a similar statement, but it sounds unknown if they have an indirect relationship with Microbilt:
Sprint does not have a direct relationship with MicroBilt. If we determine that any of our customers do and have violated the terms of our contract, we will take appropriate action based on those findings.” Sprint would not clarify the contours of its relationship with Microbilt.
And T-Mobile did the same and said its partner Zumigo had cut off Microbilt:
“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” A T-Mobile spokesperson told Motherboard in an emailed statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data.
Check out the full, in-depth investigative report here.