Last year, four of the largest U.S. cell carriers were caught selling and sending real-time location data of their customers to shady companies that sold it on to big spenders, who would use the data to track anyone “within seconds” for whatever reason they wanted.
At first, little-known company LocationSmart was obtaining (and leaking) real-time location data from AT&T, Verizon, T-Mobile and Sprint and selling access through another company, 3Cinteractive, to Securus, a prison technology company, which tracked phone owners without asking for their permission. This game of telephone with people’s private information was discovered, and the cell carriers, facing heavy rebuke from Sen. Ron Wyden, a privacy-minded lawmaker, buckled under the public pressure and said they’d stop selling and sharing customers’ locations.
And that would’ve been that — until it wasn’t.
Now, new reporting by Motherboard shows that while LocationSmart faced the brunt of the criticism, few focused on the other big player in the location-tracking business, Zumigo. A payment of $300 and a phone number was enough for a bounty hunter to track down the participating reporter by obtaining his location using Zumigo’s location data, which was continuing to pay for access from most of the carriers.
Worse, Zumigo sold that data on — like LocationSmart did with Securus — to other companies, like Microbilt, a Georgia-based credit reporting company, which in turn sells that data on to other firms that want that data. In this case, it was a bail bond company, whose bounty hunter was paid by Motherboard to track down the reporter — with his permission.
Everyone seemed to drop the ball. Microbilt said the bounty hunter shouldn’t have used the location data to track the Motherboard reporter. Zumigo said it didn’t mind location data ending up in the hands of the bounty hunter, but still cut Microbilt’s access.
But nobody quite dropped the ball like the carriers, which said they would not to share location data again.
T-Mobile, at the center of the latest location-selling revelations for passing the reporter’s location to the bounty hunter, said last year in the midst of the Securus scandal that it “reviewed” its real-time location data sharing program and found appropriate controls in place. To appease even the skeptical, T-Mobile chief executive John Legere tweeted at the time that he “personally evaluated the issue” and promised that the company “will not sell customer location data to shady middlemen.”
It’s hard to see how that isn’t, in hindsight, a downright lie.
This time around, T-Mobile said it “does not have a direct relationship” with Microbilt but admitted one with Zumigo, which, given the story and the similarities to last year’s Securus scandal, could be considered one of many “shady middlemen” still obtaining location data from cell carriers.
Legere later said in a tweet late Wednesday that the company “is completely ending” its relationships with location aggregators in March, almost a year after the company was first implicated in the first location-sharing scandal.
It wasn’t just T-Mobile. Other carriers were also still selling and sharing their customers’ data.
AT&T said in last year’s letter it would “protect customer data” and “shut down” Securus’ access to its real-time store of customer location data. Most saw that as a swift move to prevent third-parties accessing customer location data. Now, AT&T seemed to renege on that year-ago pledge, saying it will “only permit the sharing of location” in limited cases, including when required by law.
Verizon, the parent company of TechCrunch, wasn’t explicitly cleared from sharing location data with third-parties in Motherboard’s report — only that the bounty hunter refused to search for a Verizon number. (We’ve asked Verizon if it wants to clarify its position — so far, we’ve had nothing back.)
In a letter sent last year when the Securus scandal blew up, Verizon said it would “take steps to stop” sharing data with two firms — Zumigo and LocationSmart, an intermediary that passed on obtained location data to Securus. But that doesn’t mean it’s off the hook. It was still sharing location data with anyone who wanted to pay in the first place, putting its customers at risk from hackers, stalkers — or worse.