US Telcos Are Selling Access To Their Customers' Location Data, and That Data Reaches Bounty Hunters and Others Not Authorized To Possess It

T-Mobile, Sprint, and AT&T are selling access to their customers' location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country, an investigation by news outlet Motherboard has found. From the report: Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States. The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone's current location, approximate to a few hundred metres. [...] The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone's whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

[...] Motherboard's investigation shows just how exposed mobile networks and the data they generate are, leaving them open to surveillance by ordinary citizens, stalkers, and criminals, and comes as media and policy makers are paying more attention than ever to how location and other sensitive data is collected and sold. The investigation also shows that a wide variety of companies can access cell phone location data, and that the information trickles down from cell phone providers to a wide array of smaller players, who don't necessarily have the correct safeguards in place to protect that data. "Blade Runner, the iconic sci-fi movie, is set in 2019. And here we are: there's an unregulated black market where bounty-hunters can buy information about where we are, in real time, over time, and come after us. You don't need to be a replicant to be scared of the consequences," Thomas Rid, professor of strategic studies at Johns Hopkins University, told Motherboard.

Ron Wyden, a senator from Oregon, said in a statement, "This is a nightmare for national security and the personal safety of anyone with a phone."

I'm not surprised.

[Z00L00K]

Aldous Huxley, George Orwell and even Ray Bradbury predicted the world that we are steaming in to. Even Max Headroom is to some extent surpassed.

Re: I'm not surprised.

Political Rivals, or anyone ever thinking of running for office or holding a public office or with a modicum of influence or power (journalists included).

Just think of the dirt that can be used for influence if money doesnt talk.

Re: I'm not surprised.

It's not even that. It's people using private investigators that are the worst problem. They can do a lot more than just geotracking, they can also remotely access phones without the restrictions regular law enforcement face. So long as they don't get caught red handed, they can and do just about anything they want.

Know someone who went through a nasty divorce and whose spouse is claiming has a lot more money and/or stuff they can sell to raise money, but can't find it? Congratulations, your connection to that spouse means you can and probably will be monitored until such time as the money can be found, or the PI determines its a lost cause. That can be anywhere from six weeks to a couple years.

Know someone who has defaulted on credit. Congratulations, you will be monitored until such time as the credit agency (or the more specifically the collection agency the credit gets sold to) deems you to have no ability to pay anything for them.

In either case it doesn't matter one bit if you have never had so much as a traffic ticket and have never done anything wrong.

Idiots who think that so long as you do nothing wrong, no harm will come to you are going to be rudely awakened when they find out just how insanely wrong they are.

Re:I'm not surprised.

[nehumanuscrede]

How about your boss ?
You know, that day you called in sick so you could go to the ballgame instead ?

How about your insurance company ?
Let's take a look at where you've been eating for the past year. . . .

Re: I'm not surprised.

[farble1670]

Idiots who think that so long as you do nothing wrong, no harm will come to you are going to be rudely awakened when they find out just how insanely wrong they are.

Hiding money during a divorce is wrong.
Defaulting on credit is wrong.

I think your problem may be your understanding of right and wrong.

How it's done

Having worked for one of these Telco's (admitedly before LTE) I can tell you how it's likely done.

Your cell phone must register with a tower, so the "contact" inside the wireless telco looks up the customer's phone number directly in the switching system so that they leave no fingerprints in the CRM system. So the HLR will say where the mobile device is presently located by the tower's id number, and then you cross reference that with the actual geographic location of the tower.

That's how it's done, and customers, pre-smartphones who have had their devices lost or stolen have routinely called in to ask where their device is and at best, the rep can say it's somewhere near X (where the HLR says it was last seen) often by using a tool designed to check if the phone is roaming. If the phone is roaming on another carrier's tower, then the carrier will actually have more information available since the roaming database on the phone will only try to connect to certain towers it's been authorized to. So if your phone is in Dallas, which has a lot of cell sites, its much easier to figure out where someone is because one tower might only serve an area of 300ft, where as a tower out in Anchorage, might literately serve half the city, so the precision is much lower.

The on-device A-GPS is more accurate because it can use multiple cell sites and actual GPS line-of-sight to determine where it is. But this information isn't typically relayed back to the cell carrier unless the carrier provides A-GPS service in the first place. LPP (LTE Positioning Protocol) is some fancy level of A-GPS that utilizes multiple sources. If the carrier has A-GPS, then yes, the carrier knows within 100ft of where the phone is.

The question is how much data does the carrier actually need though? If you turn A-GPS off, which you typically can't do without turning all location services off entirely, then you're stuck.

If you turn location services off, you can still be found as long as the phone is powered on since it's still registered in the HLR. Just it can only be narrowed down to the last tower seen for the most part.

Re:Not seeing an issue here

[bobbied]

It's part of the TOS you sign with your carrier.

If a couple of criminals get burned by their phones' location, I'm not going to cry any rivers.

Until you become a criminal by violating some unfair or unconstitutional law and they track you down....

The problem here is that it's illegal to track down a criminal using this data without a warrant. That folks can do this and bypass the need for a warrant may not be a problem to you now, but the camel's nose is in the tent if we let this happen w/o complaint and you may wish you'd said something.

Testing their boundaries

[Tablizer]

Warning to telecoms: if you don't like being regulated, don't invent reasons to get regulated.

Get together and come up with a mutual industry agreement on when and how to share customer data in a way that's not confusing or misleading to customers. Sign the agreement and hold each other accountable. The alternative is that the gov't will do such for you after you play fast and loose for short-term profits and bungle it one day.

Re:Testing their boundaries

[SirAstral]

Your logic is bad.

If your solution to problems that businesses have is to run to regulators to solve them then you are going to lose. Or have you not looked at the past Century of the FCC itself? One hardly needs to look at only that industry either to see the same effect.

The correct "free-market" control on capitalist monopoly is for the "consumers" to refuse to buy these product and to start up competing businesses... o wait... sorry you effectively prevented that proper "control" by letting the regulators do that for you and subsequently allowed them to be bought off by the industry to put in regulations that make it very difficult for you to challenge incumbents with new services making it difficult for even super rich businesses to compete.

People like you are the exact reason why Google Fiber failed and the problem is that you don't know why or how that is and when you are told how or why you start calling it victim blaming. Well if you help create support an institution that is oppressing you, you are not exactly a victim.... more like someone getting their comeuppance for being taken for a fool. You can't walk off a cliff and legitimately bitch about gravity pulling you to your doom!

In no uncertain terms... They will buy your "regulators" and "own you" as you "grin from ear to ear" thinking you put them in their places with so called "regulation". It has happened so many time they now tell you to your face how they are going to take advantage of you and you don't even believe it! Even if you substitute capitalism for socialism or even communism they will still be ruling over you, no exception, no mistake. The history is there for everyone to see! The poor endlessly whine about the bourgeoisie ruling over them and what is the first thing the poor do when a problem occurs? They run to the bourgeoisie that control their lives over here and ask them to control their lives over there.

Re: Not seeing an issue here

[LazarusQLong]

I lived with a gal for 3 years, came home early from work one day and found her vigoursly giving head to another guy. I gave her the key and said I would be back for my stuff... When I returned she was physically threatening, hitting kicking, yelling, screaming at me for dumping her... You do not have to be the cheater to have a psycho come looking for you.

Easy Manipulation

[forkfail]

If nothing else, this article shows how easy it is to manipulate people's views.

Had this article been about how anyone, such as a connected stalker, could for a few hundred dollars, track your location through your phone, there would have been almost universal outrage in the comments.

But because it is framed in terms of bounty hunters catching bad guys, there are an awful lot of comments in support of this capability. Even if it is illegal and can be used by anyone with the dollars to buy the services.

Does not give hope for the future.