After Motherboard gave a bounty hunter a phone number and a few hundred bucks, their contact responded with a screenshot of Google Maps, containing a highlighted circle indicating the phone’s exact location.
Motherboard then released a report on Tuesday, showing how T-Mobile, Sprint, and AT&T are selling their customers’ location data, and some of that data was ending up in the hands of bounty hunters and unauthorized people, letting them track virtually any phone in the US.
In a swift response to the report, several senators requested the Federal Communications Commission (FCC) to investigate, and demanded greater oversight and regulation of the telecommunications industry.
On Thursday, AT&T released a statement indicating that it is halting the sale of all location data to so-called location aggregators, firms that sit in the supply chain between the telcos and clients.
"In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services - even those with clear consumer benefits," AT&T said in a statement. "We are immediately eliminating the remaining services and will be done in March."
Some companies use the location data service for legitimate purposes, such as roadside assistance to find stranded customers, or financial companies to detect fraud. But, according to AT&T's statement Thursday, "all location aggregation services" will be cut off.
In Motherboard’s report, the smartphone they located was using the T-Mobile network. For Motherboard's staff to receive the location, the data traveled through a complex system of companies, starting with T-Mobile, before going to a location aggregator called Zumigo. Zumigo then sold it to a firm called Microbilt, which provides access to a variety of industries, including bounty hunters. The bounty hunter then sold it to a source, and that source finally sold it to Motherboard.
After the release of Motherboard’s investigation, T-Mobile CEO John Legere tweeted that his company is also going to cut off all location aggregators. Verizon said in a statement Thursday that it, too, will eliminate the service. Sprint has so far not released any comments on the issue.
The announcement from major telcos reflects a significant victory for privacy advocates who have sounded the alarm that corporate America has mishandled consumers' data, often to sell it off for an economic gain.
“Carriers are always responsible for who ends up with their customers' data - it’s not enough to lay the blame for misuse on downstream companies,” said Sen. Ron Wyden (D., Ore.) in a statement. “The time for taking these companies at their word is long past. Congress needs to pass strong legislation to protect Americans' privacy and finally hold corporations accountable when they put your safety at risk by letting stalkers and criminals track your phone on the dark web.”
Other critics said consumers have an "absolute right" to the privacy of their data.
“I’m extraordinarily troubled by reports of this system of repackaging and reselling location data to unregulated third-party services for potentially nefarious purposes,” Sen. Kamala Harris (D., Calif.) said in a statement. “If true, this practice represents a legitimate threat to our personal and national security.”
Harris demanded that the FCC immediately open an investigation.
FCC Commissioner Jessica Rosenworcel tweeted Thursday, "The FCC needs to immediately investigate reports of this system of repackaging and reselling location data to unregulated third party services and take the necessary steps to protect Americans’ privacy."
In another tweet, Rosenworcel added: "It shouldn't be that you pay a few hundred dollars to a bounty hunter and then they can tell you in real time where a phone is within a few hundred meters. That's not right. This entire ecosystem needs oversight."