Carriers respond] U.S. carriers under fire for continuing to sell phone location data to third parties

X Scalper

Last year, a large number of U.S. carriers were under fire for selling live location data to third-party companies, including LocationSmart and Securus. These companies then sold that data to other companies, and so on and so forth. As you might expect, the bad publicity hasn’t stopped carriers from working with those companies, as evidenced by a recent article from Motherboard.

Motherboard reporter Joseph Cox wrote, “I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. […] The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location, approximate to a few hundred metres.”

Cox explained that this was possible because T-Mobile was partnered with data aggregate company Zumingo, which then sold location data to Microbilt, then to a bail bond company, then to the source who found the phone’s location. Microbilt is known to sell phone data to countless types of businesses, including landlords and car salesmen. Motherboard posed as a potential customer in Microbilt customer support, where the company said that locating a phone can cost as little as $4.95 each. Obtaining real-time updates can reportedly cost around $12.95.

According to Motherboard, Microbilt removed documents related to mobile phone tracking from its website while the article was being written. The company provided a statement to Motherboard:

“The request came through a licensed state agency that writes in approximately $100 million in bonds per year and passed all up front credentialing under the pretense that location was being verified to mitigate financial exposure related to a bond loan being considered for the submitted consumer.

As a result, MicroBilt was unaware that its terms of use were being violated by the rogue individual that submitted the request under false pretenses, does not approve of such use cases, and has a clear policy that such violations will result in loss of access to all MicroBilt services and termination of the requesting party’s end-user agreement. Upon investigating the alleged abuse and learning of the violation of our contract, we terminated the customer’s access to our products and they will not be eligible for reinstatement based on this violation.”

Motherboard also reached out to Zumigo, the company who sold T-Mobile user data to Microbilt in the first place. Zumingo responded with the following unapologetic statement, after cutting off Microbilt from accessing its data:

“Illegal access to data is an unfortunate occurrence across virtually every industry that deals in consumer or employee data, and it is impossible to detect a fraudster, or rogue customer, who requests location data of his or her own mobile devices when the required consent is provided. However, Zumigo takes steps to protect privacy by providing a measure of distance (approx. 0.5-1.0 mile) from an actual address.”

Finally, T-Mobile sent the following statement to Motherboard:

“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data. While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”

All of this comes after Verizon, T-Mobile, and AT&T promised to end its contracts with aggregation companies. T-Mobile CEO John Legere even made the pledge on Twitter.

Until carriers cut ties with data aggregation companies like Zumigo, or until the United States introduces legislation that prevents the selling of this data, this harmful practice will likely continue as usual. As a result of the ongoing partial shutdown of the U.S. federal government, the FTC was unable to provide a statement.

Following last year’s story, T-Mobile terminated data access to Securus and announced it was working to shut down location aggregation agreements across the board. We sure assumed we’d be dealing with a significantly shorter timetable than the one Legere references here, but better late than never.

Sprint has ended its relationship with Zumigo (and correspondingly, Microbilt) while pledging not to provide personally identifiable location data outside of situations where it is legally required to do so.

Verizon’s already been working towards revoking location-data access to these outside companies, and Zumigo was previously cut off. While some uses are still permitted, such as companies offering their customers roadside assistance, Verizon’s planning to stop this practice, as well.

Be the first to comment

Leave a Reply

Your email address will not be published.