Phone location data is sold on black market, Motherboard investigation finds.

In June 2018, all four major US wireless carriers pledged to stop selling their mobile customers’ location information to third-party data brokers. The carriers were pressured into making the change after a security problem leaked the real-time location of US cell phone users.

But an investigation by Motherboard found that “T-Mobile, Sprint, and AT&T are [still] selling access to their customers’ location data and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.”

The Motherboard report, published today, is extensive and worth reading in full. Motherboard reporter Joseph Cox gave a real T-Mobile phone number to a “bounty hunter,” who was able to locate the phone to within a few hundred meters.

This was accomplished with a “tracking tool [that] relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint,” Motherboard wrote.

A credit-reporting company called MicroBilt “is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters,” the article continued. “Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without MicroBilt’s knowledge.”

Motherboard described how the data is passed along a chain of private companies. “In the case of the phone we tracked, six different entities had potential access to the phone’s data,” the report said. “T-Mobile shares location data with an aggregator called Zumigo, which shares information with MicroBilt. MicroBilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard.”

The middleman charged $300 to find the phone—“a sizeable markup on the usual MicroBilt price,” Motherboard wrote.

It’s not clear whether Verizon location data can also be purchased in this way. “MicroBilt’s product documentation suggests the phone-location service works on all mobile networks, however the middleman was unable or unwilling to conduct a search for a Verizon device,” Motherboard also wrote.

MicroBilt told Motherboard that customers using its service for fraud prevention must obtain consent from phone users, the news site wrote.

But when Motherboard arranged for a phone to be located, “the target phone received no warning it was being tracked,” the news site wrote. (The phone’s owner had given consent to Motherboard for the experiment.)

MicroBilt investigated the case and found that a private bail-bond company made the request for the phone’s location, according to Motherboard.

“MicroBilt was unaware that its terms of use were being violated by the rogue individual that submitted the request under false pretenses, does not approve of such use cases, and has a clear policy that such violations will result in loss of access to all MicroBilt services and termination of the requesting party’s end-user agreement,” MicroBilt told Motherboard. “Upon investigating the alleged abuse and learning of the violation of our contract, we terminated the customer’s access to our products, and they will not be eligible for reinstatement based on this violation.”

Carriers made “empty promises to consumers”

Of course, mobile carriers themselves could prevent such privacy problems by not selling their customers’ location data in the first place.

Carriers were pressured into changing their policies last year after it was revealed that prison phone company Securus offers a service enabling law enforcement officers to locate most American cell phones within seconds. Securus’ service relies on data from LocationSmart. It was also reported that a LocationSmart bug could have allowed anyone to surreptitiously track the real-time whereabouts of cell phone users.

At the time, US Sen. Ron Wyden (D-Ore.) urged all four major carriers to stop selling their customers’ location data. They all said that they would, with limited exceptions: for example, AT&T said it would “be ending our work with aggregators” but continue to allow “important, potential lifesaving services like emergency roadside assistance.”

Today, Wyden said he’s disappointed that carriers are apparently still selling location data to data brokers.

“Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers,” Wyden wrote on Twitter. “It’s time for Congress to take action by passing my bill to safeguard consumer data and hold companies accountable.” Wyden’s proposed privacy law could issue steep fines to companies and send their top executives to prison for up to 20 years if they violate Americans’ privacy.

AT&T told Ars that it has “shut down access for MicroBilt as we investigate these allegations.”

“We only permit sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance or when required by law,” AT&T also said. “Over the past few months, as we committed to do, we have been shutting down everything else.”

We also contacted T-Mobile and Sprint about the Motherboard article today and will update this story with any responses we get.

Sprint told Motherboard that it “does not have a direct relationship with MicroBilt” and “will take appropriate action” if it determines that any customers violated contractual requirements. (UPDATE: Sprint told Ars, “Protecting our customers’ privacy and security is a top priority, and we are transparent about that in our Privacy Policy. We do not knowingly share personally identifiable geo-location information except with customer consent or in response to a lawful request such as a validated court order from law enforcement. We are investigating this matter and it would be inappropriate to comment further until that process is complete.”)

T-Mobile told Motherboard that it “will not tolerate any misuse of our customers’ data. While T-Mobile does not have a direct relationship with MicroBilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of MicroBilt as an additional precaution.” (UPDATE: T-Mobile CEO John Legere wrote on Twitter that “T-Mobile IS completely ending location aggregator work. We’re doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised.” A T-Mobile spokesperson told Ars that “We have previously stated that we are terminating the agreements we have with third-party data aggregators and we are nearly finished with that process.”)