Slashdot Mirror


US Telcos Are Selling Access To Their Customers' Location Data, and That Data Reaches Bounty Hunters and Others Not Authorized To Possess It (vice.com)

T-Mobile, Sprint, and AT&T are selling access to their customers' location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country, an investigation by news outlet Motherboard has found. From the report: Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States. The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone's current location, approximate to a few hundred metres. [...] The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone's whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

[...] Motherboard's investigation shows just how exposed mobile networks and the data they generate are, leaving them open to surveillance by ordinary citizens, stalkers, and criminals, and comes as media and policy makers are paying more attention than ever to how location and other sensitive data is collected and sold. The investigation also shows that a wide variety of companies can access cell phone location data, and that the information trickles down from cell phone providers to a wide array of smaller players, who don't necessarily have the correct safeguards in place to protect that data.

"Blade Runner, the iconic sci-fi movie, is set in 2019. And here we are: there's an unregulated black market where bounty-hunters can buy information about where we are, in real time, over time, and come after us. You don't need to be a replicant to be scared of the consequences," Thomas Rid, professor of strategic studies at Johns Hopkins University, told Motherboard.

Ron Wyden, a senator from Oregon, said in a statement, "This is a nightmare for national security and the personal safety of anyone with a phone."

1 of 128 comments

  1. Re:How it's done by bobbied · Score: 4, Interesting

    I believe you are mostly correct about the HLR/VLR, but I think the cell company has more information than just what tower you are hitting or which MSC you happen to be in. (BTW, it's really the MSC's VLR that has this information; the HLR is where your handset is registered, and it knows what MSC you are in so inbound calls can be routed to the right MSC to be delivered to your handset. The local MSC to your handset has a VLR (Visitor Location Register) which is about where your handset happens to be right now, so when that call arrives they know what cell gets the call so they can assign a slot and deliver it to your phone.)

    These days they have quite a bit more information about the handset's location, including a signal strength and apparent direction from the cell tower, from which they can make a pretty good estimate of your location. They need this information to more accurately transmit and receive from your handset at the higher data rates while not consuming excessive expensive spectrum space. These days cell towers have electronically steerable arrays for antennas, so they can better use their available spectrum space to service more phones at higher data rates.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101