Last year, a large number of U.S. carriers were under fire for selling live location data to third-party companies, including LocationSmart and Securus. These companies then sold that data to other companies, and so on and so forth. As you might expect, the bad publicity hasn't stopped carriers from working with those companies, as evidenced by a recent article from Motherboard.

Motherboard reporter Joseph Cox wrote, "I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. [...] The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location, approximate to a few hundred metres."

Cox explained that this was possible because T-Mobile was partnered with data aggregate company Zumingo, which then sold location data to Microbilt, then to a bail bond company, then to the source who found the phone's location. Microbilt is known to sell phone data to countless types of businesses, including landlords and car salesmen. Motherboard posed as a potential customer in Microbilt customer support, where the company said that locating a phone can cost as little as $4.95 each. Obtaining real-time updates can reportedly cost around $12.95.

According to Motherboard, Microbilt removed documents related to mobile phone tracking from its website while the article was being written. The company provided a statement to Motherboard:

"The request came through a licensed state agency that writes in approximately $100 million in bonds per year and passed all up front credentialing under the pretense that location was being verified to mitigate financial exposure related to a bond loan being considered for the submitted consumer.

As a result, MicroBilt was unaware that its terms of use were being violated by the rogue individual that submitted the request under false pretenses, does not approve of such use cases, and has a clear policy that such violations will result in loss of access to all MicroBilt services and termination of the requesting party’s end-user agreement. Upon investigating the alleged abuse and learning of the violation of our contract, we terminated the customer’s access to our products and they will not be eligible for reinstatement based on this violation."

Motherboard also reached out to Zumigo, the company who sold T-Mobile user data to Microbilt in the first place. Zumingo responded with the following unapologetic statement, after cutting off Microbilt from accessing its data:

"Illegal access to data is an unfortunate occurrence across virtually every industry that deals in consumer or employee data, and it is impossible to detect a fraudster, or rogue customer, who requests location data of his or her own mobile devices when the required consent is provided. However, Zumigo takes steps to protect privacy by providing a measure of distance (approx. 0.5-1.0 mile) from an actual address."

Finally, T-Mobile sent the following statement to Motherboard:

"We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data. While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution."

All of this comes after Verizon, T-Mobile, and AT&T promised to end its contracts with aggregation companies. T-Mobile CEO John Legere even made the pledge on Twitter.

Until carriers cut ties with data aggregation companies like Zumigo, or until the United States introduces legislation that prevents the selling of this data, this harmful practice will likely continue as usual. As a result of the ongoing partial shutdown of the U.S. federal government, the FTC was unable to provide a statement.

UPDATE: 2019/01/10 2:02pm PST BY STEPHEN SCHENCK

In the wake of Motherboard's report, carriers are scrambling to perform some damage control. T-Mobile CEO John Legere reached out to author Ron Wyden to reaffirm his carrier's commitment to putting this practice to rest, once and for all. Legere defends his company's seemingly slow response to the controversy as being rooted in the desire to avoid impacting organizations using this data legitimately.

Following last year's story, T-Mobile terminated data access to Securus and announced it was working to shut down location aggregation agreements across the board. We sure assumed we'd be dealing with a significantly shorter timetable than the one Legere references here, but better late than never.

Sprint has ended its relationship with Zumigo (and correspondingly, Microbilt) while pledging not to provide personally identifiable location data outside of situations where it is legally required to do so.

Verizon's already been working towards revoking location-data access to these outside companies, and Zumigo was previously cut off. While some uses are still permitted, such as companies offering their customers roadside assistance, Verizon's planning to stop this practice, as well.

UPDATE: 2019/02/08 9:51am PST BY RYNE HAGER

Motherboard has further revealed that the phone tracking episode described was not a fluke and "far from an isolated incident," as some companies tried to claim during the post-tracking damage control. The report alleges that 250 bounty hunters and related businesses had access to the location data from AT&T, T-Mobile, and Sprint. One individual firm used the service over 18,000 times, and some of the information gathered was even more sensitive than what Motherboard originally got.

Motherboards sources also confirm that some of the bounty hunters that purchased the data then resold it to others.

For the full details, check out Motherboard's story, but this saga keeps getting worse and worse.

Source: Motherboard, The Verge