Companies are (still) selling your phone location data without consent

February 7, 2019 — And that includes A-GPS data, too

Additional information provided to Motherboard shows that carriers made A-GPS data available through the chain of information resellers and it ended up in the hands of over 250 different bounty hunters and related businesses.

A-GPS (Assisted Global Positioning System) data is accumulated with the assistance of carriers. The regular GPS chip in your phone can take minutes (or longer) to pinpoint your location, and A-GPS was developed to help first responders and 911 operators find a cell phone when the need was urgent. Because it uses far less battery power, it's commonplace and now used by many apps and services on your phone.

Screenshot provided to Motherboard showing a tracking service in action.

Screenshot provided to Motherboard showing a tracking service in action.

The information provided to Motherboard includes screen captures from tracking services showing the data being used. According to Laura Moy, executive director at the Center on Privacy and Technology at Georgetown University Law Center, this is the first instance of A-GPS data being sold wholesale.

When contacted by Motherboard, none of the carriers denied selling A-GPS data.

Your location is worth about $300, according to an in-depth study by Motherboard.

The website followed a tip and after a convoluted series of events and $300 changing hands, it was able to correctly pinpoint a phone's location without asking for any consent, because carriers are still selling your location data to "shady" middlemen who resell it under their own policies. And unlike the debacle in May 2018, when LocationSmart was selling your location to law enforcement, this time it's being sold to private individuals and businesses.

How the whole thing happened

Here's how it worked in the Motherboard case. For your phone — any phone and not one particular model, make, or one that uses a particular OS — to operate correctly, it has to periodically send a signal that cell towers receive, and they, in turn, send one back. That's known as "pinging" cell towers and it's how your phone knows which tower is closest and which to connect with. Your carrier keeps track of these pings, which contain a fairly close approximation of your location.

T-Mobile has an agreement with a company called Zumigo where it sells this location data, complete with a set of rules how it can be used. It so happens that Zumigo is the same company that sold T-Mobile subscriber location data to LocationSmart last May, which caused T-Mobile CEO John Legere to evaluate and pledge to not "sell customer location data to shady middlemen" in response to a Senate inquiry.

See more

Zumigo has a separate contract with other companies that want your location data. One of these companies is Microbilt, which resells it again to other companies and individuals like bounty hunters, debt collectors and even used car salesmen. One of these Microbilt clients obtained the location of the phone in question and then sold it to a private individual, who then sold it again for $300 to Motherboard. If all this makes you dizzy and prone to a headache, you're not alone.

The companies involved all pointed to their own agreements that state how this data is to be used, claiming that the responsibility falls on whoever in the chain sold the data to an "unauthorized" party. And no laws were broken; it is illegal for a carrier in the United States to sell your data directly to law enforcement, but not to any private company.

Used car salesmen can buy your live location for as little as $8.42. What they do with it is anyone's guess.

Posing as potential customers, Motherboard's investigation found evidence of AT&T, Sprint, and T-Mobile selling customer location data to service companies in the business of reselling it. All three defended the practice, pointing to the agreements each holds with these location aggregate businesses, which state how the data can be used. After being contacted by Motherboard, each claims to have cut any and all ties to Microbilt until a full investigation can be completed. When trying to obtain location data for a Verizon number, Microbilt was "unwilling or unable" to search for the data, and Verizon did not respond to a request for comment.

Microbilt offers customer location tracking for as little as $8.42 when purchasing in bulk, according to documents Motherboard was able to obtain while posing as a customer. The relevant pages have been removed from the Microbilt website, but Motherboard posted copies of the originals that you can see at the source link above.

What it all means

This all points to one of the biggest issues facing us in the future, and that's how poorly implemented and insecure your carrier's data privacy measures are. With the current administration at the FCC — which was unable to comment while the offices are closed for the U.S. government shutdown — I don't see any of this getting better.

No matter what steps you take to preserve your privacy, your carrier still gives it to anyone with a fistful of money.

More: Which unlimited plan should you buy?

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • So, in reading this, it seems that Verizon either isn't selling to this one con-pany or they just don't let the sale be visible?
  • Or perhaps the one particular number was an exception, and Motherboard was just "unlucky".
  • The current House should come up with bills to protect consumers. This is ridiculous and inexcusable. I don't need anyone know where I am located for as little as $8.42. Who allowed this to happen? Why is it allowed? Something needs to be done about it.
  • It's allowed because politicians put corporations before citizens.
  • AHAHAHAHAAAAA!!! ever hear of campaign finance laws? "citizens" united?? most of the current, past and more likely than not (unless something drastic happens to change the system) future house--in fact, all of congress--receive campaign donations from--and are lobbied by--pretty much every multi-billion-dollar corporation/industry active in this country. by accepting the donations, said candidate is obligated to (read: owned by) these donors, should they win their seat. once they do, they will be lobbied by all sorts of big corps. from every industry you can think of. these large donors, in essence, actually write legislation via their puppet politicians. this is the way politics works in a GREED society such as ours--and is unlikely to change any time soon--because we, the people, do not have lots of money to lobby congress--and, as always, with greed, money talks and BS walks. and, trust--consumer protection is virtually non-existent in this system--and especially under this administration. do just a little bit of research--even just a search--of, say, the CFPB, and what mick mulvaney is doing to it. consumers don't count for much, especially with current campaign finance laws--which are nothing more than legalized bribery...
  • Don't kid yourself. Both sides are equally crooked.
  • I wonder what they can sell you for $20 :) SSN, bank accounts, nudes :)
  • Lol.... Action would mean gov't regulation.... Elites in government have no interest in consumer protections or privacy.
  • What's alarming is a quick Google search reports all big four carriers pledged to stop selling location data last summer. Verizon was first and others followed, but it seems Verizon may be the only one who actually kept their word.
  • I wouldn't be so sure about that. There is a huge difference between going on record with "we don't sell any customer location data" and didn't provide a comment.
  • Microbilt couldn't get the Verizon data though. What does that have to do with them not commenting?
  • Nothing is shocking anymore.
  • Regulation is a dirty word in Washington. Consumers are left to their own devices to protect themselves against invasions of privacy, changes in policy by carriers, social networks brainwashing, price hikes, oligopolies and monopolies, etc. We need a modern day Teddy Roosevelt to break up the monopolies and oligopolies: Google, Facebook, Amazon, ISPs. We need regulation to protect our privacy.
  • They will sell your data and then raise your bill all at the same time.
  • We can at least try to protect what we can. You should check this new OS for smartphones called /e/. It is focused around privacy and free from the Google bloatware. It doesn’t track you all day and doesn’t scan your phone for your private data. You can still install Android apps like Uber and so on. I’ve been using it on my Samsung Galaxy S9 and I’m not going back to stock Android. Here is their web site:
  • Surprised? Nope. Disappointed? Nope. Way it will always be? Yup.
  • Good thing this didn't go on under previous administrations, right Jerry? Yeah, B*llshit. This has gone on for as long as they have had the capability to do so.