U.S. mobile carriers T-Mobile, Sprint and AT&T have been sharing customers' geolocation information with third-party partners, who go on to sell that data to additional companies until it winds up in the hands of unauthorized individuals.
Citing anonymous sources, a new exposé from Motherboard focuses heavily on the credit reporting company MicroBilt, which is known to purchase carrier geolocation data from so-called "location aggregator" companies and then resell that data to buyers such as bail bondsmen and bounty hunters, car salesmen and property managers.
Such transactions are controversial, the article states, because they are executed with minimal regulatory oversight and also because wireless customers often do not officially consent to having their data sold and resold in this fashion.
Indeed, Motherboard's Joseph Cox reported that a bounty hunter was successfully able to use data indirectly obtained from Microbilt to locate the approximate whereabouts of a test phone whose number the reporter had earlier provided to a source within the bail industry.
The user location data in this particular experiment was passed down a chain of five separate entities before reaching Motherboard. It started with T-Mobile, who sent the data to its mobile identity and location information vendor partner Zumigo, which in turn sold the records to Microbilt. A bounty hunter then used Microbilt's mobile phone tracking product to view the data, then charged the report's bail industry source $300 to acquire it.
"With each data transaction, the potential for the new party to either leak data, fall victim to compromise, or further share the data means that very quickly there's no control or governance," said Ben Johnson, co-founder and CTO at Obsidian Security, in comments emailed to SC Media. "Sadly, most of us assume not only that what we deliberately put on the Internet will fall into unauthorized hands, but data generated by our devices, services and even our human networks will be utilized in various ways we haven't authorized. Every copy of data is a liability, and until those who collect or generate this data have better guiding principles and scrutiny, we must assume that our data and data about us is everywhere."
"While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data," T-Mobile reportedly told Motherboard. "T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution."
According to the report, a Microbilt spokesperson claimed that anyone using its mobile device verification services for fraud prevention must first obtain customer consent.
Also asked for comment, AT&T reportedly told Motherboard that bounty hunters using its customer data constitutes a volition of its contract and privacy policy. And Sprint reportedly said that it "does not have a direct relationship with MicroBilt," adding that "If we determine that any of our customers do and have violated the terms of our contract, we will take appropriate action based on those findings."
