Update #2, February 8, 2019 (10:15 AM ET): We heard from AT&T this morning about the location data scandal described below. AT&T also says it is ending all associations with location aggregator services:
We are not aware of any misuse of this service which ended two years ago. We’ve already decided to eliminate all location aggregation services—including those with clear consumer benefits—after reports of misuse by other location services involving aggregators.
Continue on to read T-Mobile’s statement as well as Sprint’s statement towards the bottom of the original article. Verizon is not implicated in Motherboard’s research.
Update #1, February 7, 2019 (7:19 PM ET): We received a response from a T-Mobile representative related to the scandal described below. That means two of the three implicated carriers issued responses to Android Authority (Sprint earlier told us it was ending its associations with data aggregators; see below).
Here is T-Mobile’s statement in full:
We have been transparent that we are ending all of our location aggregator services and we are almost done with that process. We have been working to wind it down in a responsible way that won’t impact customers who use these services for things like emergency assistance. We take our customers’ privacy and security seriously and were the first wireless provider to make the commitment to end these services by March.
We will add a second update to this article should we hear back from AT&T.
Original Article, February 7, 2019 (06:01 PM ET): In January, Motherboard posted a bombshell article which described how bounty hunters are able to easily gain location data of a smartphone user by purchasing the information from nefarious sources. Those sources, in turn, get their information directly from three of the four biggest wireless carriers in the nation.
In that article, a Motherboard journalist details how they paid a bounty hunter $300 to find their phone, which the hunter did very easily.
Wireless carriers, in response to this flagrant disregard for user privacy, said that these situations are uncommon and represent a fringe issue.
Now, a month later, Motherboard has posted a new article about the same topic, this time making it clear that this problem is much, much bigger than we originally thought.
There were hundreds of people buying user data by the tens-of-thousands for relatively low prices.
According to the report, hundreds of bounty hunters and bail bonds organizations used a company called CerCareOne to buy location data for wireless customers on Sprint, AT&T, and T-Mobile. Some of these bounty hunters used the service tens of thousands of times, with one bail bond firm using the service no fewer than 18,000 times.
The evidence for this stems from CerCareOne’s own internal documentation. The company shut down in 2017.
The chain of sources for obtaining user location data wasn’t that long. A data aggregator company called Locaid (later LocationSmart, which we’ve written about before when it comes to mishandling of user data) obtains access to user location data from wireless carriers legally. Companies like Locaid sell access to that data to other companies that want to keep track of their employees. In order to get this access, companies like Locaid have to agree to not use the location data for any other purpose.
CerCareOne obtained access to Locaid’s data anyway and then resold it directly to bounty hunters and bail bonds firms. In the contract a bounty hunter would sign to obtain data on an individual, a clause clearly states that they are to keep the very existence of CerCareOne a secret.
Bounty hunters would pay prices as high as $1,100 for user location data.
In some cases, buyers had access to precise GPS data for a user, not just cell tower connection data.
To be clear, this isn’t just information about the possible whereabouts of a person based on their connections to various cell towers. In some cases, bounty hunters had access to GPS data, enabling them to know a person’s nearly exact location at any given time.
We reached out to AT&T, T-Mobile, and Sprint about this new information. Only Sprint has gotten back to us so far, with a very brief statement proclaiming that the company has decided to end its arrangements with data aggregators like Locaid/LocationSmart. However, we’ve heard that before.
We will update this article should we hear back from any of the other wireless carriers implicated in this scandal.