Cell Phone Carriers Are Secretly Selling Your Real-Time Location Data

Four of the country's largest cellular providers have been selling your real-time location information, allowing a Texas-based prison technology company, Securus, to track any phone "within seconds," without a warrant. The system uses data sold by AT&T, Sprint, T-Mobile, Verizon and other carriers, which provide it through an intermediary called LocationSmart.

The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show. -New York Times

Last week Sen. Ron Wyden (D-OR) sent a letter to the FCC demanding an investigation into Securus, after the New York Times revealed that former Mississippi County sheriff Cory Hutcheson used the service almost a dozen times to track the phones of other officers, and even targeted a judge.

Between 2014 and 2017, the sheriff, Cory Hutcheson, used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. Mr. Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases. -NYT

Hutcheson has pleaded not guilty to charges of unlawful surveillance. 

How did this happen?

How is it that LocationSmart obtained real time location data on millions of Americans? Moreover, who else has access to that information?

Kevin Bankston, director of New America's Open Technology Institute, told ZDNet in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It does not restrict carriers from disclosing information to other companies - a loophole Bankston calls "one of the biggest gaps in US privacy law."

"The issue doesn't appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this," he said.

LocationSmart, a California-based technology company, is one of a handful of so-called data aggregators. It claimed to have "direct connections" to cell carrier networks to obtain real-time cell phone location data from nearby cell towers. It's less accurate than using GPS, but cell tower data won't drain a phone battery and doesn't require a user to install an app. Verizon, one of many cell carriers that sells access to its vast amounts of customer location data, counts LocationSmart as a close partner. -ZD Net

LocationSmart boasts coverage of 85 percent of the country due to its relationships with major US carriers - including Virgin, Boost, MetroPCS and US Cellular, along with Canadian providers Rogers, Telus and Bell.

"We utilize the same technology used to enable emergency assistance and this includes cell tower and cell sector location, assisted GPS and cell tower trilateration," said a case study on the company's website.

"With these location sources, we are able to locate virtually any US based mobile devices," the company claimed. The precise location of a target can be returned in as little as 15 seconds, according to a different study.

LocationSmart sells its data to companies for all sorts of reasons. In some instances it's used to help local businesses send marketing text messages to customers visiting rival stores. In others, location data can be used by companies to track deliveries or shipments - or allow banks to track fraud if a person is making suspicious transactions within close proximity of each other. 

LocationSmart also said it allows some customers to obtain "implied" consent, used on a case-by-case basis, when "the nature of the service implies that location will be used." The company said one example could be when a stranded motorist calls roadside assistance, and the event implies the person is "calling to be found."

The company says it has access to location data "because privacy is built into its cloud-based platform." That said, Securus was able to return real-time location data on users without a warrant, or even without a user opting in.

ZDNet reached out to carriers for comment. Their responses follow:

Sprint spokesperson Lisa Belot said the company shares personally identifiable location data "only with customer consent or in response to a lawful request such as a validated court order from law enforcement."

The company's privacy policy, which governs customer consent, said third-parties may collect customers' personal data, "including location information."

Sprint said the company's relationship with Securus "does not include data sharing," and is limited "to supporting efforts to curb unlawful use of contraband cell phones in correctional facilities."

When asked the same questions, Verizon spokesperson Rich Young provided a boilerplate response regarding Securus and would not comment further.

"We're still trying to verify their activities, but if this company is, in fact, doing this with our customers' data, we will take steps to stop it," he said.

AT&T spokesperson Jim Greer said in a statement: "We have a best practices approach to handling our customers' data. We are aware of the letter and will provide a response." Our questions were also not answered.

A spokesperson for T-Mobile did not respond by our deadline.

"It's important for us to close off that potential loophole and that can easily be done with one line of legislative language," said Bankston, "which would also have the benefit of making every other company careful about always getting consent before disclosing your data to anyone."

Senator Wyden has called on each carrier to stop sharing data with third parties - arguing that it "skirts wireless carriers' legal obligation to be the sole conduit by which the government may conduct surveillance of Americans' phone records." 

Comments

mkkby hedgeless_horseman Tue, 05/15/2018 - 20:41 Permalink

If you need to avoid officer friendly (aren't they all?), mail your phone someplace far from where you're going.

That would be a good time to use your fake ID with debit/credit cards in that name, plus a never-before-used burner phone purchased with cash. Now, about those license plate readers we've all heard so much about.

In reply to by hedgeless_horseman

techpriest Arnold Wed, 05/16/2018 - 01:53 Permalink

I've been doing some research on GDPR, and sure enough, that regulation isn't going to protect anyone. It is only going to add a few layers of obligation and bureaucracy onto every company, and unless you go through a fairly extensive process, your data can still be up for sale.

In reply to by Arnold

are we there yet hedgeless_horseman Tue, 05/15/2018 - 20:53 Permalink

When not in use, you can put your cell phone in EM blocking packets that are easy to carry, as well as completely powering off your phone. If you are really worried you can get preprogrammed disposable anonymous phones. Or buy several phones that you rotate with friends or mail to yourself at home or at work. But really, why? Privacy is gone on so many levels that it is like nude body painting on a nude beach. Also, be aware that fake driver's licenses and many other forms of fake identity can be crimes in and of themselves. Another thing to be aware of is that you are just not that important to be watched by expensive trained investigators. Unless you are doing card tricks in Las Vegas, or you are a felon on the run, or named Jason Bourne, no one cares about your small life in a vast sea of people.

In reply to by hedgeless_horseman

HushHushSweet Ralph Spoilsport Tue, 05/15/2018 - 20:35 Permalink

Your profile already includes a voice print, calling habits, and contacts.

Buying a phone with cash and a fake name (if one is asked for) won't hide you.

The only thing that will hide you is to ditch all devices, avoid being around anyone who has devices, and wear a burka and walk funny when in public (to avoid detection by CCTV cameras and gait printing technology).

Wish I could say "kidding", but I'm not.

In reply to by Ralph Spoilsport

TheEndIsNear espirit Tue, 05/15/2018 - 20:56 Permalink

Actually with a cheap "dumb" TracFone there is a shutdown sequence you can go through that actually powers off the device just as though you had removed the battery. I know this is true, because after going through the power down sequence the battery was still fully charged two months later. Even if it's only receiving and not transmitting it would have used some battery power during those two months of non-use.

In reply to by espirit

I am Groot Tue, 05/15/2018 - 20:22 Permalink

Wrap that POS tracking device in aluminum foil or any kind of metal screen. That will make them think you never leave home or died on the shitter. Fucking nanny state assholes. Pretty soon they'll be tracking how many times I take a crap and what color and consistency it was.

glenlloyd WillyGroper Wed, 05/16/2018 - 12:57 Permalink

Cell phones are fine if you just leave the damn things at home.

I expect that there will be a bunch of faux outrage at the congressional level about this and then they will do something legislatively to ban it.

It's just unfortunate that the money changes hands to keep this sort of thing going and then everyone is offended when it comes to light.

Let's put some pressure on this bitch and get the fucker shut down.

In reply to by WillyGroper