Tech by VICE

15 Senators Call on FCC and FTC to Investigate How AT&T, T-Mobile, Sprint Sold Phone Locations to Bounty Hunters

After Motherboard’s article, a large group of senators wants two government departments to fully investigate the business dealings of telcos and their data sharing arrangements.

by Joseph Cox
Jan 24 2019, 6:11pm

Image: Phil Roeder/Wikimedia Commons

Earlier this month Motherboard revealed that AT&T, T-Mobile, and Sprint had been selling real-time location of customers’ cell phones that ultimately ended up in the hands of bounty hunters and people unauthorized to handle the data. To verify this, Motherboard paid a bounty hunter source $300 to locate a T-Mobile phone, which successfully pinpointed the device to a specific part of Queens, New York.

Now, a group of 15 senators is calling on the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to investigate how telecommunications companies share their customers’ location data.

“A recent investigation published by Motherboard […] demonstrated not only that the wireless carriers are still failing to protect their customers’ private information, but also that location data can be purchased by stalkers, domestic abusers, and others,” the senators wrote in a letter today published by the office of Senator Ron Wyden.

The other Senators are Chuck Schumer, D-N.Y., Ed Markey, D-Mass., Richard Blumenthal, D-Conn., Kamala Harris, D-Calif., Patrick Leahy, D-Vt., Jeff Merkley, D-Ore., Ben Cardin, D-Md., Sheldon Whitehouse, D-R.I., Amy Klobuchar, D-Minn., Kirsten Gillibrand, D-N.Y., Cory Booker, D-N.J., Jack Reed, D-R.I., Tina Smith, D-Minn., and Bernie Sanders, I-Vt.

“It is clear that these wireless carriers have failed to regulate themselves or police the practices of its business partners, and, in failing to do so, have needlessly exposed American consumers to serious harm,” the letter added.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

When Motherboard purchased the location of a T-Mobile phone on the black market, that data access had trickled through a complex network of resellers and middlemen companies. T-Mobile sold the access to a so-called location aggregator called Zumigo. Zumigo then provided it to a company called Microbilt, which caters to property owners, used car salesmen, and the bail bondsman industry. Microbilt sold the location of the phone to a particular bounty hunter company, who then sold it to our source. The source then provided a Google Maps style interface of the phone’s location, accurate to a range of around 500m.

Wyden, Harris, and Senator Mark Warner previously called on the FCC to investigate the issue.

After Motherboard's investigation, AT&T, T-Mobile, and Sprint all said they were stopping the sale of phone location data to third parties and data aggregators, including Zumigo.

The group of Senators’ letter added “To that end, we urge the FTC and the FCC to conduct broad investigations, as appropriate, into the business partnerships between wireless carriers and location aggregators, including resellers and all downstream buyers of location data.”

Ajit Pai, the chairman of the FCC, told Motherboard in an email that "The FCC already has been investigating this issue. Unfortunately, the investigation had to be suspended because of the partial government shutdown. It will resume once the shutdown has ended." That investigation, however, is likely to be focused on a previous case of cell phone location data sharing. Last year The New York Times and Wyden revealed that telcos had been selling data that landed in the hands of abusive, low level enforcement who located phones without a warrant.

The FTC press office said it was unable to provide a statement due to the government shutdown.

“Americans expect that their location data will be protected. The wireless industry has repeatedly demonstrated a blatant disregard for its customers’ privacy. It is therefore vital that regulators take swift action to ensure that consumers are protected,” the letter added.

Update: This piece has been updated to include comment from Ajit Pai, chairman of the FCC, as well as the FTC's response to a request for comment.

Subscribe to our new cybersecurity podcast, CYBER.