Four of the biggest U.S mobile carriers, T-Mobile, Sprint, AT&T, and Verizon were found selling real-time location information of customers to third party partners who then further sell the information to other companies and unregulated markets. Theses unregulated markets can include salesmen, property managers, bail bondsmen, or bounty hunters.
Last year, LocationSmart was found selling and leaking real time location information of customers after mobile carriers sold it to them. Although, the major mobile carriers promised to step selling customer information after the incident they never did. Instead, carriers failed to protect customer privacy and have continued selling real-time locations of customers.
A Motherboard reporter, Joseph Cox, went uncover and was able to pay a bounty hunter $300 to track a target using just his cell phone location. Location data of is tracked through several entities beginning with the cell phone carriers. Cox found that six entities were used to track the location of the target’s cell phone. Beginning with T-Mobile who sold the information to a vendor partner Zumigo. The vendor then gave the information to another company, Microbilt. Further, Microbilt gave the location information to the bounty hunter, who then shared the information with a bail industry source. Finally, this source sold the location information to the Motherboard reporter. All the reporter did was pay the bounty hunter $300 and provide the cell phone number of the target.
Location accuracy was pretty spot on, just 500m within the target. The target was found in a Queens neighborhood; a few blocks from what the map indicated.
Senator Mark Warner commented:
“This is just another example that of how unwitting consumers are to the ways in which their data is collected, sold or shared, and commercialized. It’s not that people ‘don’t care about privacy,’ as some have argued—it’s that customers, along with policymakers, have been kept in the dark for years about data collection and commercialization practices”
As location information trickles down from each entity, each entity becomes smaller and more unregulated. Smaller companies like Microbilt are unregulated and areable to get away with selling customer information.
Commissioner of the FCC Jessica Rosenworcel has also commented on this saying:
It shouldn’t be that you pay a few hundred dollars to a bounty hunter and then they can tell you in real time where a phone is within a few hundred metres. That’s not right. This entire ecosystem needs some oversight
Many senators have called out the cell phone carriers and said that the FCC needs to investigate into this issue.
Senator Kamala Harris has said:
“The American people have an absolute right to the privacy of their data, which is why I’m extraordinarily troubled by reports of this system of repackaging and reselling location data to unregulated third-party services for potentially nefarious purposes. If true, this practice represents a legitimate threat to our personal and national security”
The selling and reselling of location information violates customer privacy and consent. It is time regulations be put in place to protect customers.
If you have an experienced an cyber incident contact LIFARS immediately.