Last year a story broke out detailing a way to track the location of any cellphone in the US in real time, and all major US carriers – along with Canadian networks – were involved.
The company called LocationSmart obtained location data from the big US carriers (AT&T, Sprint, Verizon, and T-Mobile) and later sold access to Securus, a company that specializes in monitoring calls to inmates.
Another service provided by Securus is providing real-time cellphone location data, which wasn’t limited to inmates’ cellphones.
By using Securus’ tracking service, a former sheriff of Mississippi County tracked locations of police officers and one judge, all without a warrant. The discovery revealed that Securus was capable of locating any cellphone by obtaining location data from cell carriers and this lead to an inquiry from Sen. Ron Wyden, Democratic Senator from Oregon.
The whole thing blew up in carriers’ faces and it ultimately led to Verizon and AT&T pledging that they will stop selling users’ location data. The whole scandal hurt carriers’ image but it didn’t take the companies to court because, while selling user location data was shady and morally ambiguous it wasn’t against the law.
While the Electronic Communications Privacy Act restricts carriers from giving users’ private data to the government it doesn’t restrict them from sharing (for money, in other words selling) the same data to private companies, who then may or may not share the same data with the government. And that was the case with the whole Securus conundrum.
Recent Report from Motherboard
It was hoped that the carriers would from then on refrain from sharing (read selling) users location data to private companies after the last year’s scandal but the recent report from Motherboard revealed that wasn’t the case.
Instead of LocationSmart, the private location data was provided by a company called Zumigo, which continued to buy private user data from major US carriers. Yes, even though Verizon and AT&T (and a bit later, T-Mobile) promised they would stop selling “customer location data to shady middlemen” they continued to do so.
In this particular case, they sold location data to Zumigo, which sold the data to Microbilt, a Georgia-based credit reporting company, which then sold location data to other companies (yes, this chain of selling private phone location data is as scary as it is ridiculous), such as one bail bond company that provided the location data to its employees.
One of those employees was the bounty hunter who tracked the location of the target (a person who gave consent to Motherboard to be tracked) after receiving a couple of hundreds of dollars along with the phone number of the target.
The phone number was on T-Mobile network, meaning the company’s promise of stopping the practice of selling “customer location data to shady middlemen” wasn’t fulfilled. But after the Motherboard article went live, and after Sen. Ron Wyden shared it on Twitter, John Legere, T-Mobile CEO again stated that T-Mobile is stopping the practice of selling location data.
The question arises...
But, you know, they can’t end it right away. Instead, T-Mobile will end the practice in March 2019. The question arises though: why would anyone believe T-Mobile and other carriers because they already broke their promises? Because all of them were selling location data and in some cases, the practice led to massive data leaks basically giving anyone tools to locate pretty much any phone in the US. And it seems they still sell location data because Microbilt’s phone location service works on all mobile networks sans Verizon.
Another year, another data privacy scandal
While T-Mobile and AT&T cut their ties with Microbilt after the release of the story on Motherboard, they didn’t cut their ties to Zumigo. Meaning they are still selling their customers’ data to third parties.
Sen. Ron Wyden perfectly explained the whole situation in his statement to Motherboard.
“It would be bad if this was the first time we learned about it. It’s not. Every major wireless carrier pledged to end this kind of data sharing after I exposed this practice last year. Now it appears these promises were little more than worthless spam in their customers’ inboxes,” said Wyden.
And we agree, promises are broken and they will continue to be broken until the data trading market gets regulated. And Wyden plans on doing just that. We can only hope he ultimately succeeds in his mission.