Why telcos 'handed over' people's GPS coords to a bounty hunter: He just had to ask nicely
Privacy slip allegations dog US cellular network giants... while FCC twiddles its thumbs
All this comes after 18 months of intense criticism of mobile operators for making location data easily available.
Back in October 2017, a security researcher discovered that US mobile phone companies were selling their customers' private data – including their full name, phone number, contract details, home zip code and current location - to two mobile authentication companies called Danal and Payfone, who were then selling that information on to anyone that paid them.
There were seemingly no checks that the companies that bought access to that personal data didn’t sell that information on, and the service became a trade secret within the bounty hunting trade. Bounty hunters were found to be paying $1,000 a time to get a location search on a specific mobile phone – which was a good investment since they can typically expect to make $10,000 for arresting and returning someone who has skipped bail.
The resulting outrage saw mobile operators revoke those companies' access and promise to do more to protect the personal data. But just six months later, in May 2018, it was discovered that another company was harvesting and selling the exact same location data to the police, with no oversight.
That case led to Senator Ron Wyden (D-OR) formally asking America's comms watchdog, the Federal Communications Commission (FCC) and mobile operators to investigate how Securus Technologies had been allowed to buy records and sell them through an online portal.
In response, the mobile operators said, again, that they would stop the practice and properly review and audit the provision of the data. Verizon cut off access to another two companies - LocationSmart and Zumigo – that bypassed the extremely lax data protection systems by simply saying they had user permission to provide the information. They didn't, and the mobile operators didn't check either.
And then, six months later, the exact same issue arose again. In January this year, a reporter was able to pay a bounty hunter just $300 to have a T-Mobile number tracked, using the same system that had twice been exposed and mobile operators had twice promised to fix.
Again, Senators called for an investigation. Again, the FCC under chair Ajit Pai stonewalled and, again, the mobile operators promised they would fix it. And then, literally a month later, the same thing happened all over again. Another journalistic investigation revealed that bounty hunters had already worked around the new protections that the mobile operators had put in place and were again buying and selling location data.
Cue another series of letters from furious lawmakers to the mobile operators as well as repeat demands of the FCC and the Federal Trade Commission (FTC) to open an investigation into the issue. The FTC finally obliged and ordered the seven American providers of mobile broadband service to provide details about how they deal with customer and device data.
Meanwhile the FCC has continued to ignore calls for a full investigation, further highlighting the extraordinary willingness of its chair to act in the mobile operators' interests. The federal regulator even put out a new proposal that would require more accurate location data to be stored and provided by those operators but didn't even mentioned the issue of privacy, causing fury among those who want to see the sale of location data investigated.
Last week, in response to continued pressure from FCC Commissioner Jessica Rosenworcel asking for details about what they were doing about the sale of location data, the mobile operators sent a series of letters to the FCC in which they promised – for a FOURTH time that they would stop the practice.
"The FCC has been totally silent about reports that show for a few hundred dollars shady middlemen can sell your location within a few hundred meters using wireless carrier data," Rosenworcel tweeted as she published the letters she had received. "This is unacceptable. The public deserves to know just what is going on," she concluded.
This new case – where a bounty hunter is being prosecuted for gaining access to location information by implying he was a police officer – only serves to further highlight exceptionally poor data protection efforts on the part of mobile operators and should increase calls for a full, independent investigation. ®