US Senator Ron Wyden has blasted US wireless carriers for continuing to sell their users' location data after they promised to end the practice last June.
Wyden renewed calls for Senate to adopt his legislation to ban carriers from selling mobile subscribers' location data after a Motherboard report revealed that T-Mobile, AT&T, and Sprint continue to sell location data to third-party aggregators that are allowing the data to be resold on the black market to anyone willing to pay.
To illustrate the ongoing problem, Motherboard journalist Joseph Cox paid a bounty hunter $300 to pinpoint the location of a specific phone.
The bounty hunter sent the number to his own contact, who quickly responded with a screenshot of Google Maps with the phone's current location to within a few hundred meters.
In this case, the target had a T-Mobile phone that the bounty hunter located using a tracking tool from US credit risk and reporting firm MicroBilt. AT&T and Sprint data was used in this tracking service.
MicroBilt provides software to a range of businesses, including so-called 'skip tracers', such as bounty hunters or bail-bond officers. The company boasts on its website that its software 'Mobile Device Verify' can help any business "know the who, what, when and where of all 240 million smartphones in the US". To access a device's location, all that's needed is a phone number.
While the company openly admits it sells tracking software to skip tracers, Cox reports that "this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without Microbilt's knowledge".
SEE: IT pro's guide to the evolution and impact of 5G technology (free PDF)
A bail-industry worker said "people are reselling to the wrong people". The abuse is made possible because wireless carriers sell subscriber information to location aggregators, but often don't know who it's being sold on to or how it's being used.
The finding flies in the face of a promise all four major carriers made to Wyden last June that they would stop selling user location data to data aggregators. He's proposing to give the Federal Trade Commission tough new powers to enforce consumer data protection.
"This information could be obtained by anyone: a stalker, an ex, or a child predator. It's time for the @FCC to get its act together," wrote Wyden.
T-Mobile was selling location info to data-aggregator Zumigo, which provided access to MicroBilt. T-Mobile confirmed its relationship with Zumigo and, following Cox's enquiries, said it blocked all future requests that Zumigo could make on behalf of MicroBilt.
AT&T told the publication that it had cut access to MicroBilt as it investigates, while Sprint said it didn't have a direct relationship with MicroBilt.
The four major US wireless carriers in June vowed to stop selling subscribers' location data after a researcher found a flaw in one aggregator's website exposed user location data it was on-selling from carriers.
Wyden on Tuesday blasted the carriers for giving him and consumers "empty promises" and said this was a "nightmare for national security and the personal safety of anyone with a phone".
"Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers. It's time for Congress to take action by passing my bill to safeguard consumer data and hold companies accountable," wrote Wyden.
T-Mobile CEO John Legere replied, stating that T-Mobile is "completely ending location aggregator work", but the practice won't end until March.
"We're doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised," he wrote.
Previous and related coverage
Company execs could face up to 20 years in prison if they lie in privacy reports submitted to the FTC.
New security measure is meant to protect sensitive Senate data on stolen Senate laptops and computers.
Senators tackle AT&T, Verizon, Sprint, and T-Mobile for answers about alleged video traffic throttling.
Federal Communications Commission chairman Ajit Pai takes a swipe at California's net-neutrality protections.
California's net-neutrality bill passes into law and gets an immediate challenge from the federal government.
California IoT security bill criticized by security researcher. Expert says bill "is based upon an obviously superficial understanding of the problem."
Right to repair: California will become the 18th state to introduce legislation so you can fix your electronics yourself.
Google services on Android and iPhone still track users even if privacy settings instruct it not to.
It's come back from being gutted to winning approval in an assembly committee meeting.