Ruth Johnson didn't know exactly who rang her phone and threatened her around 20 times in 2014. The person on the other end said he was John Edens from the U.S. Marshals with a warrant for her arrest for stealing a car. She was behind on her payments.
It later turned out John Edens didn't have a warrant, nor was he from law enforcement at all. Instead, he was a debt collector with a history of stalking and domestic violence who had managed to get ahold of Johnson's phone location data. He did this by pretending to be a U.S. Marshal with the "Georgia Fugitive Task Force" to T-Mobile, which then provided Edens with the location of Johnson's phone in a handy Google Maps interface—"pinging" the phone, in industry parlance.
"Fearful," is the word Johnson first used to explain the episode in a phone call with Motherboard. "It was very fearful."
Motherboard previously reported on Edens' case using court documents and sources in the bounty hunting industry; Edens was sentenced to one year in prison for impersonating a U.S. officer. Now, Johnson explained in an interview what it was like to have her phone tracked. Her story demonstrates the very real human impact that the black market use and sale of phone location data can have.
"I was very upset with the phone company, because I was under the impression that you had to get [a] court order in order to get information such as that out," she said. T-Mobile "put my life in danger," she added.
The harassment was relentless. Edens turned up at Johnson's place of work. Someone banged on her home's door at 3 a.m., then Edens turned up on her porch another day. Johnson said her husband had been recently killed and Johnson didn't know if this harasser was somehow connected to his murder, compounding her fear. Her teenage daughter moved 10 hours away to be with her grandmother, just to feel safe.
"You cost me my family," Johnson said, referring to T-Mobile.
In a panicked rush, Johnson ended up moving to a different neighborhood altogether, she added. She gave the car back to the dealership she owed payments to, wanting to avoid any more trouble.
"I put myself in a very uncomfortable situation to get away because this man knew where I lived at. He was sitting outside my door. I was scared," she said.
Law enforcement who need to access data in an "exigent circumstance," such as a kidnapping, can ask carriers for a phone's location information. As court records show, Edens' scam was somewhat simple. He used a custom domain—"gafugitivetaskforce1.net"—to convince T-Mobile he was a legitimate requester of such data.
"Carriers should check credentials before giving out customers' location data. Failure to do so is irresponsible and puts their customers in danger," said Eva Galperin, director of cybersecurity at activist group the Electronic Frontier Foundation, who has extensively researched stalking through technology. "There is no question that it is used to perpetuate abuse."
Johnson's case was not a one-off. Edens obtained phone location data on 14 different T-Mobile phone numbers, according to a sentencing memorandum in his case. And Edens isn't the only person to use this technique to ping phones. In April, prosecutors indicted Matthew Marre for allegedly pinging Verizon, Sprint, and T-Mobile phones throughout 2018 with a similar technique. In a talk presented at the Def Con hacking conference this month, Motherboard published text messages from a third person who allegedly obtained phone location data by pretending to be law enforcement.
And up until recently, AT&T, T-Mobile, Sprint, and Verizon were selling their customers' location data to data brokers, who would in turn provide it to bounty hunters with little oversight. Documents leaked to Motherboard show that one company was providing real-time location data to around 250 bounty hunters, with evidence of tens of thousands of phone pings.
Asked to respond to Johnson's case, a T-Mobile spokesperson told Motherboard in an email that "T-Mobile has a specialized legal team that reviews each emergency request from law enforcement for customer information. In rare cases, we receive unlawful requests. When this happens, we immediately investigate and introduce additional safeguards where needed. We also always cooperate with legitimate law enforcement inquiries and investigations into these cases of fraud. We are completely open about our work in this area in our yearly Transparency Report."
Johnson only discovered her location data had been given out when Valerie McGilvrey, another person who locates those who owe a debt and who Edens confided in about his techniques, told her. McGilvrey recorded one of her conversations with Edens in which he described how he tricked multiple telecoms into handing over location data.
"Those are badass pings, is what they are," Edens says in the audio recording.
McGilvrey told Motherboard, "the number one reason I turned John Edens in was because he emailed me an Excel spreadsheet of a cell phone account activity that even included location of the device that the target (victim) phone was connected to."
Johnson laughed when asked if she has since changed how she uses her phone.
"Yes," she said. "I think somebody is always listening in on conversations; I don't even carry T-Mobile anymore because of that situation. I switched phone companies because of that situation." She said she has lost work because she doesn't deal much with her phone anymore.
"I can understand if it's a crime committed; by all means, use that," Johnson said of phone pinging. "But just give out people's information? Absolutely not." She said she is looking for a lawyer to sue T-Mobile.
If she could be tracked, she wondered: "Who's safe? Who's safe?" she said.