American telecommunications giants are selling access to their customers’ location data, leaving them exposed to being tracked by bounty hunters and others, a disturbing report by Motherboard has revealed.
T-Mobile, Sprint, and AT&T are reportedly among the companies whose data is being used to track phone locations, leaving mobile network users exposed without their knowledge.
US telecommunication companies sell user data to aggregator companies who then sell this information in turn to their own customers. The data can then be re-sold on the black market, where it could fall into the hands of criminals, stalkers and others.
Motherboard reporter Joseph Cox paid a bounty hunter to geolocate a target’s T-Mobile phone in his investigation into the location tracking practice. The bounty hunter’s contact was able to track the phone to the correct Queens neighborhood within a few hundred meters of its location. This was done without any hacking or previous knowledge of the owner’s location.
Tracking the target
T-Mobile shared user location data with a data aggregator company called Zumigo, which shares information with another company called Microbilt. Microbilt sells phone geolocation services to a number of private industries, like property managers, bail bondsmen and roadside assistance, company documents and sources revealed to Motherboard.
Using just a phone number, the company’s Mobile Device Verify can bring up the target’s name, address and phone location, either in a specific instance, or as a constant tracking service.
Finding a phone will set you back a mere $4.95, but if you sign up to a package to track more phones the cost per phone will fall. To track someone’s real time location using their phone costs $12.95. In this case, a bounty hunter got a Microbilt customer to find the target’s phone, for $300.
Microbilt customers can sell on the information they pay for to other sources, meaning the data can end up in anyone’s hands. Motherboard reports bounty hunters also use the geolocation to track their own ex’s.
Telcos sell customers’ real time location to one set of companies, that then sell it to an array of different industries: car rental, fraud detection, and yes, bounty hunters. The supply chain is so complex, the telcos don’t even know who has your data https://t.co/0YtKw5LQwGpic.twitter.com/Y6LJvcHvJP
— Joseph Cox (@josephfcox) January 8, 2019
“It’s part of a bigger problem; the US has a completely unregulated data ecosystem,” Frederike Kaltheuner, data exploitation programme lead at campaign group Privacy International, told the publication.
Our cellphones are constantly sending data to cell towers, so providers can send us calls and texts. This information allows the companies to have an idea of a cellphone’s location based on what cell tower it is near.
In many cases, consent is needed to track a phone, such as in the case of roadside assistance, who may send a text to the customer’s phone before they start to track them.
“If there is money to be made they will keep selling the data,” a source told Motherboard.
Microbilt has since removed documents related to its mobile phone location product from its website. A spokesperson said the company requires anyone using its mobile device verification services for fraud prevention to get consumer consent. They also said Microbilt was aware of the instance used to track the phone, and said that upon learning of the case, it terminated that customer’s access to their products.
Meanwhile Zumingo said that “illegal access to data is an unfortunate occurrence across virtually every industry that deals in consumer or employee data,” and that it protects privacy by not providing an exact location.
A spokesperson for T-Mobile said that it has been assured by Zumigo that “they have already shut down all transmission of T-Mobile data.”
“T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution,” they added.
Think your friends would be interested? Share this story!