Vice Investigation Reveals Obtaining Real-Time Smartphone Location Data Has Virtually No Oversight

Joseph Cox, Vice:

Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States.

The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location, approximate to a few hundred metres.

Queens, New York. More specifically, the screenshot showed a location in a particular neighborhood — just a couple of blocks from where the target was. The hunter had found the phone (the target gave their consent to Motherboard to be tracked via their T-Mobile phone).

The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

Dell Cameron, Gizmodo:

The story follows reporting last year by the New York Times, which kicked off after Sen. Ron Wyden, a Democrat and privacy hawk of Oregon, revealed the existence of this dubious location-data trade in a letter to the Federal Communications Commission. Through this, we learned about Securus Technologies, a company that profits off inmate phone calls and secretly provided phone-tracking services to low-level law enforcement without so much as a court order.

Securus and other companies, such as those described in Tuesday’s Motherboard story, rely on loose regulations around the aggregation of location data, which can be bought and sold legally for marketing purposes, among other types of services. Numerous companies appear to be exploiting this loophole to quietly offer location services for unsanctioned uses on the cheap, or are otherwise contributing unwittingly through their own negligence to a prosperous underground market.

Let’s set aside the truly diabolical lack of ethics for a moment because there’s something else nagging at me. For the past couple of years, the general public has started to become wise to the privacy nightmare created by companies like Facebook and Google. Frequently, this is expressed by the claim that these companies are “selling users’ data”. That’s wrong — they’re selling advertisements against enormous dossiers of data points — but it has stuck nevertheless as a symbol of how untrustworthy these companies are.

T-Mobile, AT&T, and Sprint apparently want to be more untrustworthy than Facebook and Google when it comes to user data. They’re not just selling ads; they’re selling the location itself. That’s fucked. I read through T-Mobile’s many end-user contracts today and couldn’t find anything that clearly says you give us permission to sell a third party the location of your phone in association with its number. Maybe it’s buried in there, translated into some abstruse legalese. But can you imagine having such an abject lack of ethics that you could think selling user location is totally fine?