February 7, 2019 — And that includes A-GPS data, too
Additional information provided to Motherboard shows that carriers made A-GPS data available through the chain of information resellers and it ended up in the hands of over 250 different bounty hunters and related businesses.
A-GPS (Assisted Global Positioning System) data is accumulated with the assistance of carriers. The regular GPS chip in your phone can take minutes (or longer) to pinpoint your location, and A-GPS was developed to help first responders and 911 operators find a cell phone when the need was urgent. Because it uses far less battery power, it’s commonplace and now used by many apps and services on your phone.
The information provided to Motherboard includes screen captures from tracking services showing the data being used. According to Laura Moy, executive director at the Center on Privacy and Technology at Georgetown University Law Center, this is the first instance of A-GPS data being sold wholesale.
When contacted by Motherboard, none of the carriers denied selling A-GPS data.
Your location is worth about $300, according to an in-depth study by Motherboard.
The website followed a tip, and after a convoluted series of events and $300 changing hands, it was able to correctly pinpoint a phone’s location without asking for any consent, because carriers are still selling your location data to “shady” middlemen who resell it under their own policies. And unlike the debacle in May 2018, when LocationSmart was selling your location to law enforcement, this time it’s being sold to private individuals and businesses.
How the whole thing happened
Here’s how it worked in the Motherboard case. For your phone — any phone and not one particular model, make, or one that uses a particular OS — to operate correctly, it has to periodically send a signal that cell towers receive, and they, in turn, send one back. That’s known as “pinging” cell towers and it’s how your phone knows which tower is closest and which to connect with. Your carrier keeps track of these pings, which contain a fairly close approximation of your location.
T-Mobile has an agreement with a company called Zumigo under which it sells this location data, complete with a set of rules for how it can be used. It so happens that Zumigo is the same company that sold T-Mobile subscriber location data to LocationSmart last May, which caused T-Mobile CEO John Legere to evaluate and pledge to not “sell customer location data to shady middlemen” in response to a Senate inquiry.
Zumigo has a separate contract with other companies that want your location data. One of these companies is Microbilt, which resells it again to other companies and individuals like bounty hunters, debt collectors and even used car salesmen. One of these Microbilt clients obtained the location of the phone in question and then sold it to a private individual, who then sold it again for $300 to Motherboard. If all this makes you dizzy and prone to a headache, you’re not alone.
The companies involved all pointed to their own agreements that state how this data is to be used, claiming that the responsibility falls on whoever in the chain sold the data to an “unauthorized” party. And no laws were broken; it is illegal for a carrier in the United States to sell your data directly to law enforcement, but not to any private company.
Posing as potential customers, Motherboard’s investigation found evidence of AT&T, Sprint, and T-Mobile selling customer location data to service companies in the business of reselling it. All three defended the practice, pointing to the agreements each holds with these location aggregator businesses, which state how the data can be used. After being contacted by Motherboard, each claims to have cut any and all ties to Microbilt until a full investigation can be completed. When trying to obtain location data for a Verizon number, Microbilt was “unwilling or unable” to search for the data, and Verizon did not respond to a request for comment.
Microbilt offers customer location tracking for as little as $8.42 when purchasing in bulk, according to documents Motherboard was able to obtain while posing as a customer. The relevant pages have been removed from the Microbilt website, but Motherboard posted copies of the originals that you can see at the source link above.
What it all means
This all points to one of the biggest issues facing us in the future, and that’s how poorly implemented and insecure your carrier’s data privacy measures are. With the current administration at the FCC — which was unable to comment while the offices are closed for the U.S. government shutdown — I don’t see any of this getting better.
No matter what steps you take to preserve your privacy, your carrier still gives it to anyone with a fistful of money.