Since January, Motherboard has reported on a series of abuses with phone location data from major US telecommunications companies. Most recently, we reported how stalkers and people with a history of domestic violence were tricking telecom companies into providing location data by simply impersonating US law enforcement officials on the phone or over email.
Now, in response to questions from Senator Ron Wyden, T-Mobile has revealed another case of abuse, in which a “bad actor” acquired location information without consumer consent, according to a letter from T-Mobile to Wyden and obtained by Motherboard.
“It is now abundantly clear that you have failed to be good stewards of your customers’ private location information,” Senator Wyden wrote in another letter Wednesday addressed to all of the major telecoms.
In T-Mobile’s February 15 letter, Anthony Russo, vice president of Federal Legislative Affairs at T-Mobile US, wrote that “T-Mobile is aware of five instances of alleged misuse of T-Mobile customer location information under the location aggregator program.”
In the newly revealed incident, in August 2014 LocAid—a company that aggregated location data from the telecoms and then sold it onto other clients—informed T-Mobile it was suspending the account of a particular customer called Freedom Telecare. This was “due to an identified vulnerability in the consent mechanism,” Russo’s letter adds.
“There was suspicion that a bad actor, who was a paying customer of Freedom Telecare, had acquired location information without customer consent, but review of the evidence could not confirm improper disclosure of location data,” the letter reads. The vulnerability was fixed and then the service re-enabled, it adds.
Motherboard previously reported that AT&T, T-Mobile, and Sprint have been selling their customers’ real-time location data, which trickled down through a network of middlemen and data brokers before arriving in the hands of bounty hunters. But some people don’t even pay for this data at all. Instead, bounty hunters and people with histories of domestic violence have managed to trick telecommunications companies into providing real-time location data by simply impersonating US officials over the phone and email, according to court records and multiple sources familiar with the technique.
Three of the four major wireless carriers have been accused of breaking US law by selling 911 location data to third parties. "Telecom giants broke the law by selling detailed location data" that was "meant for use only by emergency services," consumer advocacy group Public Knowledge said last week in a blog post that urged the Federal Communications Commission to punish the carriers.
In January, Motherboard revealed that AT&T, T-Mobile, and Sprint were selling their customers’ real-time location data, which trickled down through a complex network of companies until eventually ending up in the hands of at least one bounty hunter. Motherboard was also able to purchase the real-time location of a T-Mobile phone on the black market from a bounty hunter source for $300. In response, telecom companies said that this abuse was a fringe case. In reality, it was far from an isolated incident.
Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, according to documents obtained by Motherboard. The documents also show that telecom companies sold data intended to be used by 911 operators and first responders to data aggregators, who sold it to bounty hunters. The data was in some cases so accurate that a user could be tracked to specific spots inside a building.
After Motherboard gave a bounty hunter a phone number and a few hundred bucks, their contact responded with a screenshot of Google Maps, containing a highlighted circle indicating the phone’s exact location.
This week, Joseph Cox at Motherboard dropped yet another bombshell report on this subject, noting how he was easily able to pay a bounty hunter $300 to obtain the (supposedly) private location data collected by his cellular provider (T-Mobile). Much like the Securus scandal, the problem once again is the countless location data brokers and third party vendors which are being sold this data, then doing pretty much whatever they'd like with it.
American telecommunications giants are selling access to their customers’ location data, leaving them exposed to being tracked by bounty hunters and others, a disturbing report by Motherboard has revealed.T-Mobile, Sprint, and AT&T are reportedly among the companies whose data is being used to track phone locations, leaving mobile network users exposed without their knowledge.
Our IP Address: