AT&T, T-Mobile, and Sprint sold their customers’ real-time location data to a bounty hunter, as reported by Motherboard in January. As per the reports, Motherboard was even able to purchase the real-time location of a T-Mobile phone from a bounty hunter source on the black market for $300. Telecom companies responded that this abuse was a fringe case.
However, in reality, around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data. As per the documents by CerCareOne, a location data seller that operated until 2017, one of the bail bond firms was using the phone location service more than 18,000 times, and others were using it thousands or tens of thousands of times. These documents include the list of companies that had access to the data and also the phone numbers that were pinged by those companies.
According to the documents, the location requests stretch from 2012 up to 2017, with some of the phones being located multiple times over minutes, hours, and days.
The company allowed bounty hunters, bail bondsmen, and bail agents to find the real-time location of mobile phones and it would sometimes charge up to $1,100 per phone location.
Oregon Senator Ron Wyden said in an emailed statement after presented with Motherboard’s findings, “This scandal keeps getting worse. Carriers assured customers location tracking abuses were isolated incidents. Now it appears that hundreds of people could track our phones, and they were doing it for years before anyone at the wireless companies took action. That’s more than an oversight hat’s flagrant, willful disregard for the safety and security of Americans.”
In an email to Motherboard, Eva Galperin, director of cybersecurity at campaign group the Electronic Frontier Foundation said, “The scale of this abuse is outrageous.”
The target phones received no text message warning that they were being tracked. Previously telecom companies and location aggregators have told Motherboard that they require clients to obtain consent from people they wish to track. A Sprint spokesperson wrote in an email, “We contractually require location aggregators to obtain prior written consent from Sprint 60 days before the use of any sub-aggregator, and we received no such request related to CerCareOne,”
15 senators called on the FCC and Federal Trade Commission for investigating as to how consumers location data ended up in the hands of bounty hunters. An FCC spokesperson told Motherboard in an email, “We are investigating carriers’ handling of location information, and we can’t comment on what facts we have uncovered in the middle of an active investigation.”
Senator Mark Warner, presented with Motherboard’s new findings, said in a statement that “we have a systemic problem across the digital economy, where consumers remain totally in the dark about how their data is collected, sold or shared, and commercialized.”
To know more, check out Motherboard’s post.