T-Mobile, Sprint, and AT&T Caught Selling Location Data to Bounty Hunters
An investigation by Motherboard into the privacy practices of companies like T-Mobile, AT&T, and Sprint has demonstrated that these companies are all perfectly happy to sell your personal data, including your real-time location information, to virtually anyone who wants it.
In June 2018, all four cellular providers in the United States agreed to stop selling location to data brokers that would then resell the data to others. They did not, however, pledge to leave the location data-selling business themselves, and they gave no time frame for when they would leave the market. Motherboard tested the status quo by paying a bounty hunter a $300 fee to find a phone — in real time — using nothing more than the phone number. There was no hacking involved and no database security to penetrate, just a reseller and a fee to pay. The police were not involved and no warrant was generated.
Instead, a third-party company named Microbilt:
is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard. Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without Microbilt’s knowledge.
It’s generally known that your cell phone doubles as a spy device that can be used to track your (or at least, its) location in real-time. Less well-known is that the same cell companies that provide your service are allowed to resell this data to others with few restrictions. Those resellers then resell the data to other companies in turn. There is no oversight or monitoring of these transactions beyond what the companies in question may have put in place themselves. There is no monitoring to ensure that either the seller or buyer have secured the data and prevented it from being accessed inappropriately. One company, Securus, was found last year to be providing phone tracking services to the police without requiring those pesky warrants demanded by due process of law, because who has time for constitutionally mandated legal rights these days?
The major cellular providers continue to lie about the nature of these business arrangements and the degree to which they’ve been wound down. An AT&T spokesperson first claimed that the company only shared location data with customer consent “for cases like fraud prevention or emergency roadside assistance” before stating to the Verge that “We have shut down access for MicroBilt as we investigate these allegations.”
So AT&T — a company which pledged to stop dealing with third-party data brokers in June 2018 — just shut down access to a third-party data broker when its relationship to said company became public knowledge.
According to Motherboard, Microbilt sells data to landlords who want to find out about renters, car salesmen, and companies conducting credit checks. Armed with your phone number, the service will return your full name and address, real-time geolocation, or operate in a continuous tracking mode. All without a warrant, without a court order, and without any kind of legal regulation whatsoever. Microbilt customers themselves operate on a black market to sell the data access that they have to the highest bidder, which is how Motherboard was able to conduct its own tests in the first place.
I often want to laugh when I hear people dismiss security and privacy issues like this with a statement like “If you aren’t paying for the product, you are the product.” It’s hilariously out of date.
Today, you’re the product whether you pay for the product or not. Companies write comforting privacy statements filled with meaningless verbiage like “Trusted partners” and “only with your consent,” without ever disclosing the complete lack of verification and validation in the first phrase or anything like an honest accounting of what you are consenting to. Few people buy a phone thinking they are agreeing to be stalked by anyone who wants to spend the money to stalk or track them. Yet that’s the situation we find ourselves in, partly due to our own unwillingness to confront the true depth and severity of these problems, and partly courtesy of a Congress far more interested in destroying protections for user privacy than protecting them.
It’s time to stop pretending, once and for all, like the responsibility for how our data is being bought and used rests with end users. It does not. There is no meaningful way for end users to control how their data is chopped up, bought, and sold, in no small part because no one ever actually agreed to be treated this way in the first place. It is both logically and ethically wrong to hold someone responsible for the bad faith actions of the other party in a contract negotiation. The fact that this bad-faith scenario is legal in the first place is a scathing indictment of how willing both state and federal governments have been to kowtow to corporate interests.
Even if refusing to carry a cell phone was an option — and for many people, it isn’t, for a variety of professional and personal reasons — it would do nothing to stop the wholesale corporate feeding frenzy on data. Short of going completely off-grid, the corporate data feeding frenzy has made it impossible to opt-out of collection.