Telecom companies have been selling user location data for years, with some of their ‘clients’ making tens of thousands of requests, documents obtained by Motherboard show – far from the isolated incidents previously portrayed.
About 250 bounty hunters and similar companies purchased extremely accurate customer location data from Sprint, AT&T and T-Mobile, some of them using the service tens of thousands of times – a system that operated for more than five years in total secrecy, allowing trackers to see where their target was down to the room they occupied inside a building, according to internal documents obtained from location data seller CerCareOne.
Some of the bounty hunters then resold the location data to unauthorized third parties, according to multiple independent sources familiar with the company, which survived by keeping itself a trade secret among the bail bondsman and bounty hunter community.
When Vice first exposed telecoms’ sale of user data to bounty hunters last month, the telecoms scrambled to frame such abuses as isolated incidents, claiming they ended their relationships with the aggregators when they learned of unauthorized data use, rather than viewing it as standard operating procedure. CerCareOne, however, sold not just cell phone tower data but also highly accurate assisted-GPS (A-GPS) data for five years – from 2012 until the company closed its doors in 2017. Five years of unrestricted data-dealing were enabled by an agreement to “keep the existence of CerCareOne.com confidential,” internal documents show.
Charging up to $1,100 per phone location, CerCareOne supplied real-time GPS locations to bail bondsmen, bail agents, and bounty hunters. The company obtained the data from a location aggregator, which received it directly from the various telecoms carriers and packaged it for resale.
“If the carriers are turning around and using that access to sell information to bounty hunters or whomever else, it is a shocking abuse of the trust that the public places in them to safeguard privacy while protecting public safety,” said Blake Reid, associate clinical professor at Colorado Law. Reid and Georgetown University Law Center privacy expert Laura Moy both said they had never before heard of a telecom selling A-GPS data.
After the initial revelations last month, over a dozen senators wrote to the telecoms and location aggregators and demanded an FCC hearing on the subject, which FCC director Ajit Pai refused to grant, citing the government shutdown. All three phone companies named in the investigation promised to stop selling location data to aggregators within two months.
Senator Mark Warner blamed the FCC and FTC for their “failure” to address the problem of “companies abusing consumer trust,” while Senator Ron Wyden accused the telecoms of “flagrant, willful disregard for the safety and security of Americans.”
This scandal keeps getting worse. Carriers assured customers location tracking abuses were isolated incidents. New evidence shows that hundreds of people could track our phones, and they were doing it for years before anyone at the wireless companies took action. https://t.co/I6ITUBYgeH
— Ron Wyden (@RonWyden) February 6, 2019
“The FCC needs to act with urgency,” said FCC commissioner Jessica Rosenworcel, calling the rampant misuse of cell phone customers’ data “an issue of national and personal security” and expressing worry that the agency was dragging its feet in launching an investigation.
The scale of this abuse is outrageous.
“[I’m] glad that the company is shut down, but that just leaves me to wonder how many more CerCareOnes we have out there,” said Eva Galperin, director of cybersecurity at digital rights group the Electronic Frontier Foundation.
Think your friends would be interested? Share this story!