On Tuesday, Motherboard revealed that major American telcos T-Mobile, AT&T, and Sprint are selling customer location data of users in an unregulated market that trickles down to bounty hunters and people not authorized to handle such information. In our investigation, we purchased the real-time location of a cell phone from a bail industry source for $300, pinpointing it to a specific part of Queens, New York.
The issue potentially impacts hundreds of millions of cell phone users in the United States, with customers likely unaware that their location data is being sold and resold through multiple companies, with even the telcos sometimes having little idea where it ends up and how it is used.
Now, senators and a commissioner for the Federal Communications Commission (FCC) have urged government bodies to investigate, with some calling for regulation that would ensure customers are properly made aware of how their data is being sold.
“The American people have an absolute right to the privacy of their data, which is why I’m extraordinarily troubled by reports of this system of repackaging and reselling location data to unregulated third party services for potentially nefarious purposes. If true, this practice represents a legitimate threat to our personal and national security,” Senator Kamala Harris told Motherboard in a statement.
The phone Motherboard paid to locate was on the T-Mobile network. That data access traveled through a complex series of companies and resellers, starting with T-Mobile, before moving to a another company called Zumigo, a so-called ‘location aggregator’. Zumigo then provided the access to Microbilt, which offers phone location services to the bail bondsman industry. In turn, a bounty hunter sold it to a source, and that source sent the phone’s location to Motherboard.
There are more legitimate uses for this data, such as financial companies detecting fraud, or roadside assistance firms finding stranded customers. But there is space for abuse: T-Mobile, Zumigo, and Microbilt only became aware of the unauthorized resale of the data access on the black market once Motherboard informed them.
The location itself was presented in a Google Maps interface, with the accuracy being around 500m. The phone received no warning, such as a text message, it was being tracked.
“This is just another example that of how unwitting consumers are to the ways in which their data is collected, sold or shared, and commercialized. It’s not that people ‘don’t care about privacy,’ as some have argued—it’s that customers, along with policymakers, have been kept in the dark for years about data collection and commercialization practices,” Senator Mark Warner told Motherboard in a statement.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on email@example.com, or email firstname.lastname@example.org.
Harris explicitly called on the FCC to investigate the issue.
“The FCC needs to immediately investigate these serious security concerns and take the necessary steps to protect the privacy of American consumers,” she said.
The FCC may already have that in mind. On Tuesday, commissioner of the FCC Jessica Rosenworcel tweeted “The FCC needs to investigate. Stat.”
“It shouldn’t be that you pay a few hundred dollars to a bounty hunter and then they can tell you in real time where a phone is within a few hundred metres. That’s not right. This entire ecosystem needs some oversight,” she added on MSNBC’s Velshi & Ruhle show on Wednesday.
“I think we’ve got to get to this fast,” she added. Because of the ongoing government shutdown, it is unclear when an investigation, if it went ahead, would start.
Multiple senators are calling on regulation that could curb this unauthorized use and sale of phone location data.
“Responsible federal agencies and the U.S. Congress should continue to hold hearings to shine a light on these practices, and look at regulations to ensure companies are actually upfront with consumers about whether and how their sensitive data is being used and sold,” Warner’s statement added.
Senator Ron Wyden recently proposed a bill designed to safeguard personal data.
“The industry has failed again and again to protect Americans’ information. It’s time for Congress to step in and pass strong privacy legislation, like my bill, to safeguard our data and hold companies accountable when they fail,” Wyden told Motherboard in a statement.
Beyond the tracking itself, and any potential legislation or investigations, is ultimately an issue of consent.
“I haven’t consented to this, and I bet you haven’t either,” Rosenworcel added in her MSNBC interview.
Subscribe to our new cybersecurity podcast, CYBER .