Hundreds of bounty hunters had access to location data from AT&T, T-Mobile and Sprint customers for years




In January, Motherboard revealed that AT&T, T-Mobile and Sprint were selling the real-time location data of their customers, which passed through a complex network of companies until it finally ended up in the hands of at least one bounty hunter. Motherboard was also able to purchase the real-time location of a T-Mobile phone on the black market from a bounty hunter source for $300. In response, the telecommunications companies said that this abuse was a marginal affair.

In reality, it was far from an isolated incident.

Approximately 250 bounty hunters and associated companies had access to AT&T, T-Mobile and Sprint customer location data, with one surety company using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data vendor that operated until 2017. The documents list not only the companies that had access to the data, but also the specific telephone numbers cited by these companies.

In some cases, the data sold is more sensitive than that offered by the service used by Motherboard last month, which estimated a location based on the cell towers to which a phone was connected. CerCareOne sold cell tower data, but also sold extremely sensitive and accurate GPS data to bounty hunters; an unprecedented move that allows users to locate a person with enough precision to see where she is inside a building. This company operated in almost total secrecy for over 5 years by forcing its customers to "preserve the confidentiality of CerCareOne.com", according to a Terms of Use document obtained by Motherboard.

Some of these bounty hunters then resold location data to unauthorized individuals for processing, according to two independent sources familiar with CerCareOne's activities.

The news shows how sensitive US location data was widely available to bounty hunters. This ease of access greatly increased the risk of abuse.

"This scandal continues to worsen. The carriers badured their customers that violations of location of violations were isolated incidents. It now seems that hundreds of people could follow our phone and have been doing it for years before anyone in wireless companies takes action, "said Oregon Sen. Ron Wyden in a statement. emailed after presenting the findings of the motherboard. "It's more than an oversight – a blatant and deliberate disregard for the safety of Americans."

From at least 2012 to the end of 2017, CerCareOne enabled bounty hunters and surety agents to search for mobile phone locations in real time. The company sometimes charged up to $1,100 per phone location, according to a source close to the company. In this article, Motherboard has granted a number of sources anonymity to provide details of a controversial industry practice.

As with the companies involved in Motherboard's previous investigation, CerCareOne's real-time location data was first passed from the telecommunications companies to a so-called location aggregator called Locaid. From there, Locaid sold this access to a number of companies, including CerCareOne, which then sold it to its own customers. Locaid was bought by a company called LocationSmart in 2015. The documents obtained by Motherboard indicate that LocationSmart continued to sell data to CerCareOne after acquiring Locaid, and LocationSmart confirmed it to Motherboard.

Often, CerCareOne's phone location service – known in the industry as a phone ping – used data from cell towers and provided the bounty hunter with a Google Maps-like interface showing the approximate location of the device.

Some of the data available to CerCareOne customers included "assisted GPS" or A-GPS data from a phone, based on documents and screenshots of the service in action provided by two independent sources. A-GPS relies intrinsically on information from a telecommunications company: it uses the GPS chip of a phone in conjunction with information collected on the telecommunications network to locate a phone. It is used to locate cell phones that dial 911 in an emergency and works faster than a phone's GPS chip alone, which can sometimes take a few minutes to connect to a satellite, according to information provided by the Federal Communications Commission. Telecommunications companies have access to this data, according to letters and documents sent by telecommunications lawyers to the FCC:

"Operators and public safety have been working on the development of technologies and standards that offer the best estimate of the location possible," a T-Mobile lawyer wrote in a letter to the FCC in 2013. "The A-GPS system is reasonably the foundation of wireless technology. [emergency] 911 for indoor and outdoor locations. "

A flowchart showing how location data from AT&T, T-Mobile and Sprint customers ended up in the hands of about 250 bounty hunters and related businesses. Image: Motherboard

"Often, the A-GPS system provides information on the location of a person. inside a buildingLaura Moy, executive director of the Center on Privacy & Technology at Georgetown University Law Center, told Motherboard in an email.

Blake Reid, an associate clinical professor at Colorado Law, said in an email to Motherboard that "with assisted GPS, your position can be triangulated in just a few meters. This allows you to build a detailed record of all your trips."

"The only The reason we give carriers access to this information is to make sure first responders can locate us in an emergency, "said Reid. "If carriers turn around and use this access to sell information to bounty hunters or anyone, it's a shocking abuse of the trust the public places in them to protect privacy while protecting public safety." . "

Reid and Moy both said that it was the first case of a telecom company selling A-GPS data that they had heard about.

A screen capture obtained by Motherboard of a phone being located via its GPS data. Motherboard has scrambled and cropped parts of the image to protect the privacy of individuals. Image: Motherboard

A LocationSmart spokesperson told Motherboard in an email: "LocationSmart's location services are based on a variety of technologies, based on the implementation of each carrier's location infrastructure. This could include AGPS, cell tower, cell sector or cell site trilateration. Although there is no explicit indicator as to the technology used to provide an operator specific location response, each response includes an estimate of the accuracy that can be used to deduce the technology used."

A Sprint spokesperson did not directly answer the question of whether the company had already sold A-GPS data.

"The chips are inserted by the device manufacturers and each major operator offers devices with chips included. In fact, the FCC requires that the devices be GPS compatible, "the company said in an email. "This is a necessary step to provide customers with services such as carpool services, GPS enabled maps, roadside badistance and a 9-1-1 location service."

When asked if T-Mobile had sold A-GPS data, a company spokeswoman told Motherboard in an email: "We have nothing else to add at this point." AT&T has not responded to a request to specify whether it sells or has ever sold A-GPS data.

None of the telecommunication companies specifically denied having sold A-GPS data.

SCALE HUNTING

The CerCareOne telephone tracking service was not a unique tool for bounty hunters and bail agents. The list of phone pings from a given customer obtained by Motherboard spans about 450 pages, with over 18,000 individual phone location requests in just over one year of activity. The bonding company that initiated the pings did not answer questions asking whether it had obtained consent to locate the phones or what the pings were for.

Another set of data is over 250 pages long and covers about 10,000 phone pings. Another list, covering a different bounty hunter's activity, includes almost 1,000 phone location requests in less than a year; a third details more than 4,500 pings.

Location requests extend from 2012 to 2017, with some phones located several times in quick succession over minutes, hours, and days, according to the timestamps included in the documents.

"The scale of this abuse is outrageous," Eva Galperin, director of the Electronic Frontier Foundation's Cyber ​​Security Campaign Group, said in an email.

Bail agents included in a list of CerCareOne customers obtained by Motherboard defended their use of phone location data.

"This guy [of] the information is only used and extremely useful in locating and tracking wanted fugitives who have jumped bail and who are also wanted by law enforcement to escape justice, "Charles Rhea Shaw III , a bail agent in Georgia whose information was included in the customer list, said the motherboard in an email.

A screen capture obtained by Motherboard of a phone being located via its cell tower data. Motherboard has truncated parts of the image to protect the privacy of individuals. Image: Motherboard

William Munck, another bail agent whose information appeared in the CerCareOne data, wrote in an e-mail: "All our contracts stipulate that, in the event of forfeiture, we are authorized to use the services of telephone localization." In some cases, agents will ask a person on bail to sign a contract stating that if they do not pay back their bail, the agents have the power to track them. Munck said he did not remember if he had used CerCareOne services.

CerCareOne's terms and conditions indicated that the company had audited its systems to monitor abuse.

Both agents said that their clients, in their surety bonding agreements, were using telephone tracking services – Munck said they had to provide documentation to CerCareOne stating that they had the permission of the phone's owner to locate it; Shaw said that they had always "executed a waiver of privacy."

A copy of the CerCareOne Terms of Use obtained by Motherboard indicates that users are required to obtain the written consent of those they wish to follow.


Two sources indicated that the target phones had not received any text messages warning that they were being tracked. This leaves the possibility of tracking the phones without the consent of the target.

Telecommunication companies and location aggregators previously told Motherboard that they were asking customers to obtain the consent of the people they wanted to follow. Sprint also indicated that aggregators must obtain permission to share their clients' data with another company; LocationSmart did not get that, Sprint said.

"We require by contract that location aggregators obtain Sprint's prior written consent 60 days prior to the use of a sub-aggregator, and we have not received any such requests." about CerCareOne, "wrote a Sprint spokesperson in an email.

THE SECRET OF THE BOUNTY HUNTER

The existence of CerCareOne was a well-kept secret among the community of bounty hunters and bail agents.

"Subscriber agrees to keep the existence of CerCareOne.com confidential by not disclosing any information about it in any way whatsoever, and will not attempt to [sic] to make the site known to the public or to the companies, under any circumstances, or access will be terminated without notice ", indicates a copy of CerCareOne's Terms of Use, obtained by Motherboard.

Visiting the CerCareOne domain at the time of writing brings up a message saying the site is under construction; this message has been on the landing page since at least 2013, according to the online archive. However, visiting another specific URL reveals a login portal for the service.

Despite the secrecy of CerCareOne, the company seems to have originated from a much more public and almost shameless phone location service.

Motherboard found that the CerCareOne website is hosted on the same IP address as another phone ping service. Located at the same time as CerCareOne, LocateUrCell.com offered to use telecom data to find phones for a variety of purposes, including finding lost parents and older children, finding a lost phone, or monitoring employees.

In a 2011 local report by the Naples Daily News, LocateUrCell CEO Frank Rabbito said he used the service to help a woman find her lost phone in a supermarket car park. According to this article, LocateURCell also worked with AT&T, T-Mobile and Sprint phones.

"With AT & T, Sprint and T-Mobile phones, LocateURcell.com uses GPS technology to track registered cell phones up to a few feet from their location," reads in the article. "With Verizon, they use a less accurate cell triangulation technology."

A screenshot of the fake landing page of CerCareOne. Image: Motherboard

Rabbito has not responded to a request for comment sent by AshleyNorman, a debt collection and prosecution service (search for premiums) that he co-founded and on which he is still working.

Munck, one of the bonding agents in the CerCareOne data, told Motherboard that "a long time ago, it was much easier to access this type of data."

LocationSmart told Motherboard that it had cut its ties with CerCareOne in 2017. Two independent sources said CerCareOne was no longer operational.

It seems likely that Locaid, the forerunner of LocationSmart, knew what CerCareOne was doing with mobile phone location data. The CerCareOne customer list obtained by Motherboard includes Locaid email addresses, which could have been used to audit the service. When asked, LocationSmart did not dispute Motherboard's speculation that these accounts could have been used for audit purposes, and stated that the theory is correct. But this raises more questions about why CerCareOne was allowed to operate for so many years.

A LocationSmart spokesperson told Motherboard in an email that this story "related to a customer relationship inherited from Locaid. LocationSmart acquired Locaid in 2015. In 2017, the client did not comply with the terms of the LocationSmart Master Services Agreement and the contract was terminated." When asked why the contract had been terminated, the spokesperson did not answer.

After Motherboard's initial investigation, AT&T, T-Mobile and Sprint all announced that they were going to break off their relationship with location aggregators. In a statement, an AT&T spokesperson attempted to downplay the importance of CerCareOne.

"We are not aware of any misuse of this service that ended two years ago," wrote an AT & T spokesperson in an email after Motherboard had explicitly stated that the data was provided to bounty hunters. "We have already decided to eliminate all site aggregation services, including those with clear consumer benefits, after reporting misuses of other location services involving aggregators."

Sprint's statement added: "As we had previously announced, we […] are terminating our contracts with data aggregators for location-based services."

T-Mobile declined to provide a new statement, but pointed to the one it had previously provided, stating that it was terminating its relationship with location aggregators.

"If carriers turn around and use this access to sell information to bounty hunters or anyone, it's a shocking abuse of the trust the public places in them to protect privacy while protecting public safety." . "

Even though CerCareOne is no longer operational, it still provides a vital context on how data from US cell phone users was sold and exchanged without their knowledge and consent.

"It's a national and personal security issue," Jessica Rosenworcel, Commissioner of the Federal Communications Commission, told Motherboard. "The FCC must act urgently. News articles have announced the sale of consumer location data since May. I asked for the survey letters that usually launch an investigation like this. They have not yet provided them.

Geoffrey Starks, another recently appointed FCC commissioner, told Motherboard in an e-mail that "the for-profit locator data industry has thrived in the shadows without any government oversight. The lights are starting to turn on and I think the FCC should use its authority to stop this practice, protect the public and hold those responsible for this scandalous behavior accountable."

On Friday, a spokeswoman for the House Committee on Energy and Commerce told Motherboard that the committee had met with the FCC on this.

"In a bipartisan briefing with the FCC [on Friday], Committee staff reiterated its serious concerns regarding the unauthorized disclosure of real-time location data by mobile operators and urged the FCC to conduct its investigation expeditiously and thoroughly, "wrote the say in a statement.

After Motherboard's initial investigation, 15 senators asked the FCC and the Federal Trade Commission to investigate how consumer location data ended up in the hands of bounty hunters.

The FCC declined to say whether it was aware of CerCareOne and whether it knew that CerCareOne was selling location data to bounty hunters.

"We are investigating the processing of location information by operators, and we can not comment on the facts that we discovered during an active investigation," an FCC spokeswoman told Motherboard in an email.

"The magnitude of this abuse is outrageous."

A spokeswoman for the Federal Trade Commission (FTC) said in an email to Motherboard that she "cannot comment on the practices of some companies. And we do not usually specify whether we are investigating a particular company."

Senator Mark Warner, presented with Motherboard's new findings, said in a statement that "we have a systemic problem in the digital economy, where consumers remain totally unaware of how their data is collected, sold or shared, and marketed."

"That it is a major smartphone operating system monitoring every user movement or weather application selling user location data to hedge funds, or mobile providers that allow intermediaries to sell smartphone location data to bounty hunters, we regularly see companies abusing consumer confidence and we see a total failure on the part of the agencies involved – the FCC and the FTC – to remedy these practices, "he added.

EFF's Galperin said she was "happy that the company is closed, but it just leaves me wondering how many more CerCareOnes we have on the market".
