On Thursday, AT&T announced it was stopping the sale of its customers’ real-time location data to all third parties, in response to a Motherboard investigation showing how data from AT&T, T-Mobile, and Sprint trickled down through a complex network of companies until eventually landing in the hands of bounty hunters and people unauthorized to handle it. To verify the existence of this trade, Motherboard paid $300 on the black market to successfully locate a phone.
Google, whose Google Fi program offers phone, text, and data services that use T-Mobile and Sprint network infrastructure in the United States, told Motherboard that it asked those companies to not share its customers’ location data with third parties.
“We have never sold Fi subscribers' location information,” a Google spokesperson told Motherboard in a statement late on Thursday. “Google Fi is an MVNO (mobile virtual network operator) and not a carrier, but as soon as we heard about this practice, we required our network partners to shut it down as soon as possible.” Google did not say when it made this a requirement.
An MVNO is essentially a company that provides the usual telecommunication services such as calls and texts, but which uses infrastructure from a telco carrier. Launched in 2015, Fi has international coverage in 170 countries and also offers data-only SIMs. Google recently announced an expansion of Fi’s availability to more Android devices as well as iPhones.
In Motherboard’s investigation, the phone we paid to locate was on the T-Mobile network. The data access traveled through a web of different companies, starting with T-Mobile, which sold to a so-called location aggregator named Zumigo. Zumigo then sold the access to Microbilt, a firm which offers phone location services to the bounty hunter industries as well as other sectors. A Microbilt customer then offered a phone lookup to a source, and that source provided Motherboard with a Google Maps screenshot showing the location of the phone itself. The location data was accurate to a range of around 500m, enough to, in our case, correctly point to a specific area of Queens, New York.
T-Mobile had previously said it was cutting its relationships with location aggregators. In tweets posted in response to Motherboard’s story, T-Mobile CEO John Legere reiterated that the company is continuing to ramp down all of its location aggregator contracts, and plans to have this completed by March.
Sprint has not responded to Motherboard’s request for comment on whether it plans to mirror the actions of T-Mobile and AT&T and shut down all location aggregator access. Google suggested the telco may be taking some action: Google told Motherboard its partners, namely T-Mobile and Sprint, have already stopped the practice or plan to do so in the coming months. (Google clarified to Motherboard that the company told T-Mobile and Sprint to shut down the sale of Fi customers’ data, rather than the telcos’ customers more widely.)
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
In a previous, more general statement to Motherboard, a Sprint spokesperson said, “Protecting our customers’ privacy and security is a top priority, and we are transparent about that in our Privacy Policy. We do not knowingly share personally identifiable geo-location information except with customer consent or in response to a lawful request such as a validated court order from law enforcement.”
This isn’t the first time telcos have said they will take action against location aggregators. Last year Senator Ron Wyden and The New York Times reported that an aggregator called LocationSmart was providing data access that ultimately allowed low-level law enforcement to track down phones without a warrant. In response, AT&T, Verizon, T-Mobile, and Sprint cut access to Securus, the company that was acting as a middleman between LocationSmart and the end users. Since then, the telcos have continued to provide location data access for other purposes, such as to roadside assistance firms for locating stranded customers or for fraud prevention.
On Thursday Verizon told The Washington Post it is winding down its own four remaining location aggregator contracts, which are all with roadside assistance companies. After that, customers will have to give Verizon permission to share their location with the firms. Verizon has not responded to Motherboard’s multiple requests for comment over the past week.
Motherboard’s investigation showed there is still clear room for abuse with location aggregators. These new steps will, T-Mobile and AT&T say, see them cutting off the sale of location data to all third parties. Multiple senators called for the Federal Communications Commission (FCC) to investigate the issue on Wednesday.
“For the second time in six months, carriers are pledging to stop sharing Americans’ location with middlemen without their knowledge,” Wyden told Motherboard Thursday. “I’ll believe it when I see it. Carriers are always responsible for who ends up with their customers’ data—it’s not enough to lay the blame for misuse on downstream companies.”