At this point if the news that your phone company has been selling customer location data to bounty hunters surprises you, you may need to catch up on the last few years of privacy revelations. If you’re just generally suspicious of places that collect your data, congratulations on being right (again). AT&T, Sprint, T-Mobile, and Verizon are currently being sued for selling customer location data to third parties known as data brokers, who then sell the data to other people with an interest in finding you – especially the “kinda-sorta” officials like bail bondsmen and bounty hunters.
The short story
The Maryland-based ZLaw Firm filed a class action suit against the four big US mobile providers on May 2nd, 2019. They’re suing in the names of the company’s customers who were affected. Essentially, their lawsuit accuses these companies of providing access to real-time location data to companies that shouldn’t have had access. The suit covers a roughly four-year period from 2015 through 2019, though that doesn’t necessarily mean the activity was limited by these years.
You may or may not be at peace with knowing the NSA can track you whenever they want, but it’s even creepier when you discover that some guy with a taser and a laptop can also do it. That’s exactly what Vice’s Motherboard, responsible for breaking this story, did: paid $300 to a bounty hunter to locate their phone, which he did by taking advantage of a chain of data services and brokers passing along the data from the phone company.
Since it’s a class action lawsuit, affected individuals may be entitled to compensation, though more details on this will be forthcoming. The real goal here, however, is to get the big phone companies to stop selling sensitive customer information – or at least to be more careful with it.
What exactly has been going on?
Back in 2018 there was another scandal where it came out that Securus, a prison technology company, was giving low-level law enforcement officers access to the location of pretty much every phone on all of the major carriers. That level of surveillance usually requires a warrant in the US, but Securus was using an intermediary company called LocationSmart, which pretty much anyone could sign up for, even on a free trial account, to get access to the location of most cell phones being used in the U.S.
Generally, the data in question here isn’t your GPS data – it’s your approximate location as determined by the strength of different cell tower signals, which is something phone companies really need in order to provide service. However, some of the data available to bounty hunters was occasionally from GPS, meaning they could get your location down to a few meters.
A lot of other stuff happened around the 2018 location issue (including Securus being hacked, meaning access to their real-time tracking tools could have been in anyone’s hands for a while), but the reason it’s important to this story is that every carrier involved promised to fix these sorts of loopholes and stop giving sensitive data to sketchy third parties. That apparently hasn’t been going so well, since Motherboard was actually able to identify the general path the data took.
Here’s how the process seems to have been working:
- A data aggregator (Zumigo, in this case) buys customer data from a telecom company. They then use this data for any number of things, including fraud prevention and possibly marketing.
- Zumigo then sells off your data to other services, including, in this case, a company called Microbilt, which uses the access it buys from Zumigo to sell services, like background or credit check, or tracking people who might break their bail. Microbilt actually maintains price lists for services like these.
- Whoever is using the service, like bounty hunters or landlords, pays for your cell phone data and gets to use it.
If all that seems a little Byzantine, it is, but though your data is bouncing through a lot of different companies, it’s all coming straight from the phone provider at the center. If they close off access to third parties who are misusing this data, there won’t be a problem anymore – but it seems like they aren’t.
Bounty hunters aren’t out to get me, why should I worry?
Okay, you’re not Han Solo, and your location data probably isn’t being pulled by anyone in particular, even though you did shoot first. There have been cases, though, of people with access to these tools using them for more off-the-clock activities, such as tracking girlfriends. That’s not something that’s likely to affect the general public, but the fact remains that we now have tools that allow certain people to find you pretty much anywhere, whether it’s a potential employer checking how often you visit a psychiatrist or a marketing company trying to build a better profile on you.
It’s not just tracking individual movements, either: location data that is gathered and analyzed in bulk can help identify trends in how people move. When anonymously gathered and properly used, this type of data can be very helpful in designing better systems, but when it’s firehosed out without much consideration as to whose hands it ends up in, it’s a breach of trust and just generally a bad idea.
Image credits: Sierpiński Pyramid from Above