On Tuesday, Motherboard revealed that T-Mobile, AT&T, and Sprint were all selling their customers’ phone location data that ultimately ended up in the hands of bounty hunters, as well as people unauthorized to handle it at all. We found this by purchasing the capability to locate a phone from the black market for just $300. In response, several senators called for the Federal Communications Commission (FCC) to investigate, and brought up the prospect of greater regulation of the telecommunications industry.
Now, AT&T says it is stopping the sale of all location data to so-called location aggregators, companies that sit in the supply chain between the telcos and clients, and which play a vital role in having that data trickle down to end users.
"Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention. In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services—even those with clear consumer benefits,” an AT&T spokesman told CNET in a statement.
AT&T did not respond to Motherboard’s request to elaborate on why it has decided to block those data uses as well. But it may be due to how difficult this industry has proven to police: several parts of the data supply chain were all unaware of the particular case of abuse taking place before Motherboard informed them. Clearly, there is an issue with companies keeping tabs on how customers’ location data is being used, and who it is ending up with.
Some companies do use location data for more legitimate purposes, such as roadside assistance firms to find stranded customers, or financial companies to detect fraud. But AT&T’s new stance will cut those off as well.
In Motherboard’s investigation, the phone we located was on the T-Mobile network. That data access travelled through a complex chain of different companies, starting with T-Mobile, before going to a location aggregator called Zumigo. Zumigo then sold it to a company called Microbilt, which provides the access to a variety of industries, including bounty hunters. A bounty hunter then sold it to a source, and that source finally provided the phone’s location to Motherboard.
In several different tweets posted after Motherboard’s investigation, T-Mobile CEO John Legere reiterated that the company is also going to cut off all location aggregators.
"T-Mobile [...] is completely ending locations aggregation work in March as planned and promised," a T-Mobile spokesperson told Motherboard in an email.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on email@example.com, or email firstname.lastname@example.org.
“MicroBilt suspended delivery of its mobile device geolocation verification service while we work with the wireless carriers and relevant technology partners to mitigate fraud risks," Microbilt, the company in the supply chain that sold location data access to a bail bondsman company, told Motherboard in a statement. "We also look forward to cooperating with governmental authorities to insure [sic] that these types of breaches do not occur again.”
Zumigo and LocationSmart, another location aggregator, did not immediately respond to a request for comment.
Senator Ron Wyden, who along with the New York Times previously revealed other instances abuse of phone location data last year, remained somewhat skeptical on the telcos’ announcements.
“For the second time in six months, carriers are pledging to stop sharing American’s location with middlemen without their knowledge. I’ll believe it when I see it. Carriers are always responsible for who ends up with their customers data—it’s not enough to lay the blame for misuse on downstream companies,” Wyden said in a statement.
He added “The time for taking these companies at their word is long past—Congress needs to pass strong legislation to protect Americans’ privacy and finally hold corporations accountable when they put your safety at risk by letting stalkers and criminals track your phone on the dark web.”
Update: This piece has been updated to include additional comment from T-Mobile and Microbilt.
Subscribe to our new cybersecurity podcast, CYBER.