After vowing to end the practice of selling their customers’ location data to “shady middlemen” last summer, we now know that at least there major wireless carriers in the U.S — T-Mobile, AT&T, and Sprint — were completely full of shit. That practice has continued, and Motherboard on Tuesday produced the receipts.
An investigation led by the site found that for a few hundred bucks, it could easily gain access to the location of a specific mobile phone with an accuracy of just under 500 meters. And while in a bustling city, that may not be precise enough to locate a target in his or her apartment, the privacy implications of this type of tracking being available to virtually anyone is clear.
The worst part of it is, when this issue first was brought to light last year, literally nothing happened despite big claims to the contrary. While in May 2018, the FCC claimed to be investigating the matter, here we are, eight months later, with reporters continuing to unearth new and even more damning evidence of big telecom malfeasance.
On Tuesday, Motherboard reported that it had paid a source in the bail industry $421 to track a T-Mobile phone and described in exhaustive detail how that location data was shared by T-Mobile with a series of middlemen until it wound up in the hands of—wait for it—a bounty hunter.
And as it turns out, that $421 was a considerable markup, according to Motherboard, from what one middleman was willing to charge: “[L]ocating a phone can cost as little as $US4.95 [$7] each if searching for a low number of devices. That price gets even cheaper as the customer buys the capability to track more phones. Getting real-time updates on a phone’s location can cost around $US12.95 [$18],” it reported.
The story follows reporting last year by the New York Times, which kicked off after Sen. Ron Wyden, a Democrat and privacy hawk of Oregon, revealed the existence of this dubious location-data trade in a letter to the Federal Communications Commission. Through this, we learned about Securus Technologies, a company that profits off inmate phone calls and secretly provided phone-tracking services to low-level law enforcement without so much as a court order.
Securus and other companies, such as those described in Tuesday’s Motherboard story, rely on loose regulations around the aggregation of location data, which can be bought and sold legally for marketing purposes, among other types of services. Numerous companies appear to be exploiting this loophole to quietly offer location services for unsanctioned uses on the cheap, or are otherwise contributing unwittingly through their own negligence to a prosperous underground market.
The supply chain described by Motherboard involved T-Mobile first providing its location data to an “aggregator” called Zumigo, which reportedly supplies it to, among others, landlords reviewing potential tenants. Zumigo then shared that data with a second firm called Microbilt, which in turn provided it to a bail bond company. From there, the data becomes accessible on a black market for a sizable up-charge.
Particularly damning is the fact that T-Mobile CEO John Legere personally vowed in full view of the public that his company would “not sell customer location data to shady middlemen.” This promise was made in a tweet to Sen. Wyden last June. T-Mobile later clarified that it was ending its relationship with Securus and would “wind down” its location aggregator agreements.
It’s clear now that the company did not actually do this, or at least not in any meaningful way, and there’s no telling whether it ever intended to.
“Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers,” Wyden wrote. “It’s time for Congress to take action by passing my bill to safeguard consumer data and hold companies accountable.”
While one would like to assume that getting caught red-handed for a second time would push T-Mobile to sever ties with its location aggregators completely, the company’s past conduct suggests it will most likely try to weather the storm and then continue with business as usual. If it did care about people like bounty hunters tracking its subscribers, it would already have taken care of this problem—which it could also do today, right now.
The idea that T-Mobile is in any way helpless or a victim in this situation is complete bullshit. It profits from these arrangements, and unless a law such as Wyden’s gets passed, there’s really very little threat to the company. All its customers can do is switch to another carrier—most of which appear to be doing the same thing.
T-Mobile did not respond to questions from Gizmodo.