7 Feb, 2019 05:06

US telecoms sold precise user location data to bounty hunters & others for YEARS – report

Telecom companies have been selling user location data for years, with some of their 'clients' making tens of thousands of requests, documents obtained by Motherboard show – far from the isolated incidents previously portrayed.

About 250 bounty hunters and similar companies purchased extremely accurate customer location data from Sprint, AT&T and T-Mobile, some of them using the service tens of thousands of times – a system that operated for more than five years in total secrecy, allowing trackers to see where their target was down to the room they occupied inside a building, according to internal documents obtained from location data seller CerCareOne.

Some of the bounty hunters then resold the location data to unauthorized third parties, according to multiple independent sources familiar with the company, which survived by keeping itself a trade secret among the bail bondsman and bounty hunter community. 

When Vice first exposed telecoms' sale of user data to bounty hunters last month, the telecoms scrambled to frame such abuses as isolated incidents, claiming they ended their relationships with the aggregators when they learned of unauthorized data use, rather than viewing it as standard operating procedure.  CerCareOne, however, sold not just cell phone tower data but also highly accurate assisted-GPS (A-GPS) data for five years – from 2012 until the company closed its doors in 2017. Five years of unrestricted data-dealing were enabled by an agreement to "keep the existence of CerCareOne.com confidential," internal documents show.

Charging up to $1,100 per phone location, CerCareOne supplied real-time GPS locations to bail bondsmen, bail agents, and bounty hunters. The company obtained the data from a location aggregator, which received it directly from the various telecoms carriers and packaged it for resale.

"If the carriers are turning around and using that access to sell information to bounty hunters or whomever else, it is a shocking abuse of the trust that the public places in them to safeguard privacy while protecting public safety," said Blake Reid, associate clinical professor at Colorado Law. Reid and Georgetown University Law Center privacy expert Laura Moy both said they had never before heard of a telecom selling A-GPS data.

None of the telecoms denied selling users’ location data when asked, nor would the bail bonds firms listed in the documents disclose whether they had consent to track the phones of users some of them pinged over 18,000 times in one year, though a few bail agents claimed their clients had signed contracts authorizing the agents to track them electronically if they jumped bail. CerCareOne's terms of use claim users must obtain written consent from those they track, but multiple sources claim individuals who were tracked were never notified, and Sprint claims CerCareOne never requested consent to use or resell its customer data.

After the initial revelations last month, over a dozen senators wrote to the telecoms and location aggregators and demanded an FCC hearing on the subject, which FCC director Ajit Pai refused to grant, citing the government shutdown. All three phone companies named in the investigation promised to stop selling location data to aggregators within two months. 

Senator Mark Warner blamed the FCC and FTC for their “failure” to address the problem of “companies abusing consumer trust,” while Senator Ron Wyden accused the telecoms of “flagrant, willful disregard for the safety and security of Americans.”

"The FCC needs to act with urgency," said FCC commissioner Jessica Rosenworcel, calling the rampant misuse of cell phone customers' data "an issue of national and personal security" and expressing worry that the agency was dragging its feet in launching an investigation.

The scale of this abuse is outrageous.

"[I'm] glad that the company is shut down, but that just leaves me to wonder how many more CerCareOnes we have out there," said Eva Galperin, director of cybersecurity at digital rights group the Electronic Frontier Foundation.
