Your location data may have landed in the hands of bounty hunters and the black market

A disturbing report published Tuesday on Motherboard revealed that the location data US carriers collected from users and sold to legitimate companies might easily land in the hands of bounty hunters and the black market where it could be used for nefarious purposes.

The investigative article by Joseph Cox says major US telcos like AT&T, Sprint and T-Mobile sell bulk location data to location aggregators who then sell it to specific clients and industries.

Sometimes, the data ends up in the wrong hands, to put it mildly.

Last year, one location aggregator called LocationSmart faced harsh criticism for selling data that ultimately ended up in the hands of Securus, a company that provided phone tracking to low-level law enforcement without requiring a warrant. LocationSmart also exposed the very data it was selling through a buggy website panel, meaning anyone could geolocate nearly any phone in the United States at the click of a mouse.

As if that weren’t enough, this:

“Motherboard’s investigation shows just how exposed mobile networks and the data they generate are, leaving them open to surveillance by ordinary citizens, stalkers and criminals, and comes as media and policy makers are paying more attention than ever to how location and other sensitive data is collected and sold.

“The investigation also shows that a wide variety of companies can access cell phone location data and that the information trickles down from cell phone providers to a wide array of smaller players who don’t necessarily have the correct safeguards in place to protect that data.”

It gets even worse than that!

“At least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard.

“Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without Microbilt’s knowledge.”

To test his theories, the author paid a bounty hunter $300 to locate his phone using a shady service intended not for the cops, but for private individuals and businesses.

The bounty hunter sent the number to his own contact, who was able to track the phone and take a screenshot of Google Maps containing a blue circle indicating the phone’s current location, approximate to a few hundred meters.

More specifically, the screenshot showed a location in a particular neighborhood—just a couple of blocks from where the target was. The hunter had found the phone. The target gave their consent to Motherboard to be tracked via their T-Mobile phone.

The worst part: this kind of surveillance “just works”

The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

The person assured the writer that he could find the current location of most phones in the United States just by their users’ phone numbers. Curiously, Microbilt’s documentation hints that its phone-location service works on all mobile networks, but the article states that the “middleman was unable or unwilling to conduct a search for a Verizon device.”

Microbilt’s price list: getting real-time updates on a phone’s location costs around $12.95

Motherboard’s fascinating investigative write-up opines that major wireless carriers in the United States may be unaware of how the location data of American cell phone customers is being used, or even whose hands it lands in, and that’s a disturbing thought.

“Telecom companies and data aggregators that Motherboard spoke to said that they require their clients to get consent from the people they want to track, but it’s clear that this is not always happening,” the article acknowledges.

For those not in the know, it’s impossible to completely stop location tracking.

Because your device moves from one cell tower to another, not even completely disabling Location Services in iOS and revoking location permission given to apps such as Facebook and Google Maps will prevent your geolocation from being tracked and recorded by a carrier.

Your mobile phone is constantly communicating with nearby cell phone towers, so your telecom provider knows where to route calls and texts. From this, telecom companies also work out the phone’s approximate location based on its proximity to those towers.

Your carrier knows the precise locations of all those cell towers and, using triangulation, pinpoints your location with good-enough precision. This anonymized location data is then sold to other companies that use it mostly for legitimate purposes, until they don’t.

This infographic depicts how the location data trickled down from T-Mobile to Motherboard

For instance, your carrier sells these location databases to financial institutions and credit card issuers who may use them for statistical purposes, to improve fraud prevention and more.

Following the publication of the Motherboard story, representatives for both AT&T and T-Mobile said in a statement that their partner Zumigo has stopped working with Microbilt while Sprint acknowledged that it does not have a direct relationship with Microbilt.

If what the Motherboard investigation has alleged eventually proves to be true, we the people should treat its findings and this whole saga as a privacy scandal of the highest degree. Nobody asked to be tracked by their carrier, let alone consented to having their location data handed over to rogue companies with little to no oversight as to how it’s going to be used.

This is privacy intrusion, wouldn’t you say so?