Last week, Motherboard revealed that AT&T, T-Mobile, and Sprint had been selling their customers’ real-time location data that ultimately ended up in the hands of bounty hunters and people unauthorized to handle it. Motherboard found this by purchasing the capability to geolocate a phone for $300 on the black market. In response, AT&T and T-Mobile said they were stopping all sales of location data to third parties.
Nearly a week later Sprint has committed to doing the same, in a statement to Motherboard.
“As a result of recent events, we have decided to end our arrangements with data aggregators,” a Sprint spokesperson told Motherboard in an email.
Sprint did not provide a timeline of when this data access selling may end, but T-Mobile and AT&T have previously said their processes will be complete in March.
In Motherboard’s investigation, the phone we located was on the T-Mobile network. The access to location data was sold through a complex network of different companies. T-Mobile sold the access to a so-called location aggregator called Zumigo. Zumigo then sold it to a company called Microbilt, which caters to various clients including bounty hunters. A bounty hunter then sold the phone location data to a source, who then provided it to Motherboard.
Last year The New York Times and Senator Ron Wyden showed how another location aggregator, called LocationSmart, had sold data to Securus, a middleman company which provided phone tracking services to low level law enforcement without a warrant. In response, Verizon, AT&T, Sprint, and T-Mobile all cut off Securus’ access, and vowed to do more to clean up this overlooked side of the telecommunications data industry.
“Last year we decided to end our arrangements with data aggregators, but assessed that the negative impacts to customers for services like roadside assistance and bank fraud alerts/protection that would result required a different approach,” Sprint’s statement continued.
But Sprint’s move, like that of AT&T and T-Mobile, will see it cutting access to location aggregators all together.
An AT&T spokesperson previously told CNET "Last year we stopped most location aggregation services while maintaining some that protect our customers, such as roadside assistance and fraud prevention. In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services—even those with clear consumer benefits.”
A T-Mobile spokesperson previously told Motherboard in an email that the company “is completely ending locations aggregation work in March as planned and promised.”
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com.
Last week Verizon told The Washington Post it is closing its own four remaining location aggregator contracts. All of those deal with roadside assistance companies. Once that process is complete, customers will have to give Verizon permission to share their location with the firms.
Verizon has not responded to Motherboard’s multiple requests for comment since starting this investigation.
On Wednesday, House Committee on Energy and Commerce GOP leaders wrote letters to AT&T, T-Mobile, Sprint, and Verizon requesting answers to a variety of questions, including asking the telcos to identify which third parties they have shared location data and information with at any time since 2007. The letters also asked the telcos how they evaluate the efficacy of audit programs to ensure data customers are obtaining consent from those being monitored, and whether they are aware of any other incidents of inappropriate or illegal use of location data through a third party.
After Motherboard’s investigation, several senators called on the Federal Communications Commission to investigate. Frank Pallone, the Chair of the House Committee on Energy and Commerce, asked FCC Chariman Ajit Pai for an emergency briefing on the issue. Pai refused to do so during the ongoing government shutdown.
Jessica Rosenworcel, commissioner of the FCC, tweeted on Monday "Your wireless phone location data is being sold by shady entities that you never gave permission to track you. That’s a personal and national security issue. No law stops the FCC from meeting with Congress to discuss this right now. It needs investigation.”
Update: This piece has been updated to include the newly released letters from the House Committee on Energy and Commerce GOP leaders to the telcos, as well as Zumigo and Microbilt.
Subscribe to our new cybersecurity podcast, CYBER.