Since January, Motherboard has reported on a series of abuses with phone location data from major US telecommunications companies. Most recently, we reported how stalkers and people with a history of domestic violence were tricking telecom companies into providing location data by simply impersonating US law enforcement officials on the phone or over email.
Now, in response to questions from Senator Ron Wyden, T-Mobile has revealed another case of abuse, in which a “bad actor” acquired location information without consumer consent, according to a letter from T-Mobile to Wyden and obtained by Motherboard.
“It is now abundantly clear that you have failed to be good stewards of your customers’ private location information,” Senator Wyden wrote in another letter Wednesday addressed to all of the major telecoms.
In T-Mobile’s February 15 letter, Anthony Russo, vice president of Federal Legislative Affairs at T-Mobile US, wrote that “T-Mobile is aware of five instances of alleged misuse of T-Mobile customer location information under the location aggregator program.”
In the newly revealed incident, in August 2014 LocAid—a company that aggregated location data from the telecoms and then sold it onto other clients—informed T-Mobile it was suspending the account of a particular customer called Freedom Telecare. This was “due to an identified vulnerability in the consent mechanism,” Russo’s letter adds.
“There was suspicion that a bad actor, who was a paying customer of Freedom Telecare, had acquired location information without customer consent, but review of the evidence could not confirm improper disclosure of location data,” the letter reads. The vulnerability was fixed and then the service re-enabled, it adds.
T-Mobile’s letter does not explicitly state which of Freedom Telecare’s products were implicated in the abuse of location data, but the company offers a service called Timesheet Mobile, which includes an employee tracking feature that uses location data.
Freedom Telecare did not immediately respond to a request for comment. Neither did LocationSmart, the company that acquired LocAid in 2015.
The other four location data incidents in Russo’s letter been previously reported: The New York Times and Wyden’s discovery of a company called Securus providing cell phone location information to low level law enforcement without a warrant; a company called Captira selling location data of all the major telecoms to bail bondsman for $7.50 a piece that Motherboard reported last year; the chain of companies that allowed Motherboard to buy the location of a mobile phone on the black market for $300; and finally the case of CerCareOne and its 250 bail industry clients, which Motherboard revealed in February.
But while T-Mobile in response to direct questions on abuse acknowledged this series of incidents, including the case of 250 bounty hunters having access to their customers’ data, AT&T and Sprint did not mention that case at all.
AT&T responded that, beyond the Securus incident, “AT&T has not identified any use of location information where the location aggregator or another third party obtained AT&T location information without prior customer consent.” In its letter, AT&T said its investigation was ongoing.
Sprint had a similar response, writing that the company is “not aware of any incidents in the last two years responsive to this request.”
AT&T and Sprint may not be aware of specific instances in which CerCareOne was used to locate devices on their networks. But included in a list of phones geolocated with the CerCareOne service that Motherboard obtained are multiple examples of both Sprint and AT&T phones, and CerCareOne was manufactured in such a way so as to track phones without targets’ consent. Motherboard determined which carrier the numbers belonged to by running them through a ‘carrier lookup’ service; an online tool that shows what telecom provider a certain number is registered to.
Some bounty hunters used the CerCareOne service tens of thousands of times to locate phones, according to internal CerCareOne documents obtained by Motherboard. Although some CerCareOne customers told Motherboard they obtained consent before using the service—potentially by asking those on bail to sign a form saying they consented to be tracked—two sources in the original CerCareOne investigation said targeted devices never received a text message asking for their consent.
Valerie McGilvrey is a skiptracer; someone who is tasked with finding where people are located, and has used phone location services. Last week she told Motherboard that on top of the lack of text message verification, CerCareOne was also setup in such a way so as to fabricate that consent had been obtained, with users spoofing phone numbers to make it appear they from phoning from the device to be located, opting-in to be monitored. A second source familiar with CerCareOne’s operations said some people did use this approach. Motherboard granted the source anonymity to speak more candidly about an illegal practice.
“The telcos may not be aware they were scammed but they were indeed scammed,” McGilvrey said.
“It is now abundantly clear that you have failed to be good stewards of your customers’ private location information.”
An AT&T spokesperson told Motherboard in an email, “Our response to Senator Wyden’s questions about our work with location aggregators and their customers is still accurate.”
A Sprint spokesperson wrote in an email, “We stand by the response in our letter to Sen. Wyden.”
In his letter Wednesday, Wyden asked AT&T, Sprint, T-Mobile, and Verizon to list all incidents since January 1, 2010, in which a third party fraudulently obtained location data. He also asked the telecoms to confirm whether they had reported each of these incidents through the Federal Communications Commission (FCC) Data Breach Reporting Portal, which they are required to by law.
In the wake of Motherboard’s reporting, AT&T, T-Mobile, and Sprint said they were stopping the sale of phone location data to third parties and data aggregators altogether. 15 senators also called on the FCC and Federal Trade Commission (FTC) to investigate how the telecoms sold phone location data to bounty hunters. In its most recent statement to Motherboard sent last week, the FCC wrote in an email, “we’re investigating carrier practices regarding location information data can’t otherwise comment on that investigation.”
Update: This piece has been updated to include a response from Sprint.
Subscribe to our new cybersecurity podcast, CYBER.