There’s a hullabaloo in the tech world right now about a Motherboard report that found cell phone companies are still selling your location data even though they “promised” in June of 2018 that they would stop.
The whole situation is a cluster that ends up screwing you, the consumer (of course), six ways to Sunday, but the backstory is important here.
How It All Started
Oregon Sen. Ron Wyden, in a letter to carrier companies last year, explained a pretty disturbing thing going on.
“To access this private data [showing real-time location of a given subscriber], correctional officers simply visit Securus’ Web portal, enter any US wireless phone number, and then upload a document purporting to be an official document giving permission to obtain real-time location data,” Wyden wrote in a letter to carriers on May 8. “Senior officials from Securus have confirmed to my office that it never checks the legitimacy of those uploaded documents to determine whether they are, in fact, court orders and has dismissed suggestions that it is obligated to do so.”
Naturally this means that all sorts of people could do the exact same thing by simply creating a “court order” and uploading the fake document. Since no one checks its veracity or verifies that the person sending it is a law enforcement officer with a valid search warrant etc., any person could get your real-time phone data — including actual law enforcement that doesn’t have a court order but wants the data anyway for parallel construction later.
This caused a bit of a ruckus, and the various companies named released statements promising to never do it again. There’s a problem, however, and we can use the most basic of Statement Analysis to see it.
AT&T’s statement said the following:
“Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.” [emphasis added]
So, not now, not in the foreseeable future, but “as soon as practical.” Who decides when it’s “practical?” AT&T, of course…the company that’s making a ton of money off the very thing they’re saying they’ll quit doing.
Here’s Sprint’s statement from that time:
“Sprint is beginning the process of terminating its current contracts with data aggregators to whom we provide location data,” Sprint told Ars. “This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services.”
Beginning means just that. Beginning. Not ending, not finishing, not completing. They could have “begun” the process by simply sending out an internal memo saying, “Hey we need to look at how this can be done,” and then letting the idea die in the ether. They began the process, right? It’ll take time, though…how much? Only Sprint can say.
T-Mobile’s response is pretty interesting too. At any rate, they all said OH MY GOODNESS THAT IS TERRIBLE AND WE WILL STOP JUST AS SOON AS WE CAN.
None of them stopped. Fast forward to now…and the Motherboard report.
The Motherboard Report
Titled “I Gave a Bounty Hunter $300. Then He Located Our Phone,” the report is a must-read, and it’s about as damning as it gets. Even seven months after the companies’ assurances that the “bad stuff” would stop, it’s still going, with even more capabilities than ever.
After giving a regular old bounty hunter a few hundred bucks and a phone number, the author watched as it took only a few moments for the bounty hunter to locate that exact phone, in real time, to an accuracy of a few hundred meters. How does this happen? Why does some random bounty hunter guy have access to this when theoretically law enforcement needs a warrant? He explains:
In the case of the phone we tracked, six different entities had potential access to the phone’s data. T-Mobile shares location data with an aggregator called Zumigo, which shares information with Microbilt. Microbilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard.
Six. Different. Entities. have your location information in real time. It doesn’t matter if you are using some special Blackphone, or if you “never log into anything,” or never text with it, or anything else. By the way, all the companies sell to Zumigo, so we can’t just blame T-Mobile.
How bad is the Microbilt data sharing? This bad.
Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt’s “Mobile Device Verify” product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service.
“You can set up monitoring with control over the weeks, days and even hours that location on a device is checked as well as the start and end dates of monitoring,” a company brochure Motherboard found online reads.
Back in 2018, “after Wyden’s pressure, T-Mobile’s CEO John Legere tweeted in June last year ‘I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen.’”
Do you see the problem in that statement? Sure, he says T-Mobile won’t sell to shady middlemen…but I guess we’ll need Legere to define for us what he considers shady. Obviously it’s not Microbilt or Zumigo, is it? And who said anything about middlemen? Who’s getting the data besides those outlined in the report?
Conveniently, the FCC cited the government shutdown as the reason why it cannot comment on any of this. Perhaps they asked the wrong agency. Follow the money.
- Who funds it?
- Who benefits?
- Who would want that kind of capability?
- Who has the money to pay for research/deployment?