A shocking new report has found hundreds of bounty hunters had access to highly sensitive user data – and it was sold to them by almost every major U.S. wireless carrier.
The practice was first revealed last month and, at the time, telecom firms claimed they were isolated incidents.
However, a Motherboard investigation has since discovered that’s far from the case. About 250 bounty hunters were able to access users’ precise location data.
In one case, a bail bond firm requested location data some 18,000 times.
AT&T, T-Mobile and Sprint sold the sensitive data, which was meant for user by 911 operators and emergency services, to location aggregators, who then sold it to bounty hunters, according to Motherboard.
The companies pledged last month to stop selling users’ location data to aggregators.
Location aggregators collect and sell user location data, sometimes to power services like bank fraud prevention and emergency roadside assistance, as well as online ads and marketing deals, which depend on knowing your whereabouts.
Motherboard discovered last month that bounty hunters were using the data to estimate a user’s location by looking at ‘pings’ sent from phones to nearby cell towers.
But it appears that the data was even more detailed than previously thought.
CerCareOne, a shadowy company that sold location data to bounty hunters, even claimed to collect assisted-GPS, or A-GPS, data.
This A-GPS data was able to pinpoint a person’s device so accurately that it see where they are in a building.
Telecom companies began collecting this data in order to give 911 operators a more approximate location for users when they’re both indoors and outdoors.
Instead, it was being sold to aggregators, who then sold it to bail bondsmen, bounty hunters, landlords and other groups.
A bail agent in Georgia told Motherboard it was ‘solely used’ to locate ‘fugitives who have jumped bond.’
Neither AT&T, T-Mobile nor Sprint explicitly denied selling A-GPS data, according to Motherboard.
CerCareOne was essentially cloaked in secrecy when it operated between 2012 and 2017, requiring its customers to agree to ‘keep the existence of CerCareOne.com confidential,’ Motherboard said.
The company often charged up to $1,100 every time a customer requested a user’s location data.
CerCareOne said it required clients to obtain written consent if they wanted to track a user, but Motherboard found that several users received no warning they were being tracked, resulting in the practice often occurring without their knowledge or agreement.
While CerCareOne is no longer operational, its prior use and existence by location aggregators raises serious concerns about how users’ data is being utilized by these companies.
AT&T and other telecoms sought to minimize the use of CerCareOne.
‘We are not aware of any misuse of this service which ended two years ago,’ the firm told Motherboard.
‘We’ve already decided to eliminate all location aggregation services—including those with clear consumer benefits—after reports of misuse by other location services involving aggregators.’
At least 15 U.S. senators have urged the FCC and the FTC to take action on shadowy data broker businesses, according to Motherboard.
‘This scandal keeps getting worse,’ Democratic U.S. Senator Ron Wyden told Motherboard.
‘Carriers assured customers location tracking abuses were isolated incidents. Now it appears that hundreds of people could track our phones, and they were doing it for years before anyone at the wireless companies took action.
‘That’s more than an oversight — that’s flagrant, wilful disregard for the safety and security of Americans,’ he added.