Anyone from bail bondsmen to bounty hunters can easily obtain such information, thanks to a complex network of companies with access to user location data sold by T-Mobile, Sprint, and AT&T.
The process, which doesn’t require a warrant or any special hacking tools, allowed Motherboard to track a T-Mobile phone by paying an anonymous bounty hunter just $300.
The bounty hunter responded with a Google Maps screenshot of the phone’s location with its longitude and latitude coordinates. The location was said to be accurate to within 0.3 miles, or roughly 500 meters. According to Motherboard’s Joseph Cox, the data made its way through six different entities before the bounty hunter was able to determine the phone’s location.
“T-Mobile shares location data with an aggregator called Zumigo, which shares information with Microbilt,” Cox writes. “Microbilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard.”
Industry guidelines state that companies and individuals must gain consent from phone users before pinpointing their location. Such tracking is often used legally by roadside assistance firms in order to find stranded customers as well as financial companies looking to detect fraud.
“Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks,” Cox adds. “Armed with just a phone number, Microbilt’s ‘Mobile Device Verify’ product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service.”
Motherboard was quoted roughly several hundred dollars when asking for location data from the bounty hunter, but the cost became increasingly cheaper higher up the chain. When Motherboard posed as a potential customer to Microbilt, the company revealed that “locating a phone can cost as little as $4.95 each if searching for a low number of devices.”
A Microbilt spokesperson responded to the story by stating that the company requires all its customers to obtain consent prior to using their services.
Zumigo, the company which provided the location data to Microbilt, stated that “illegal access to data is an unfortunate occurrence” in many industries. Zumigo also said it ceased its business relationship with Microbilt in light of the story.
T-Mobile, the CEO of which pledged last year not to sell customer location data “to shady middlemen,” stated that it has since “blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt.” AT&T and Sprint provided similar statements, while Verizon did not respond to requests for comment.
A bail industry source claimed that bounty hunters have used the services for personal reasons, like tracking the location of their girlfriends.
Sen. Ron Wyden (D-Ore.), a vocal champion of digital privacy rights, weighed in on the story by highlighting legislation to protect consumer data.
Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers. It’s time for Congress to take action by passing my bill to safeguard consumer data and hold companies accountable. https://t.co/CKQJ04C3XX
— Ron Wyden (@RonWyden) January 8, 2019