A report highlighting the sale of mobile location data by third-party data aggregators prompted T-Mobile US Inc. and AT&T Inc. to cut ties with MicroBilt Corp., a company found to have sold such data from consumer devices to a wide range of companies.
The Jan. 8 report detailed an investigation by Vice Media's Motherboard, in which the publication's reporter was able to pay a bounty hunter to geolocate a device when given its phone number. The hired bounty hunter provided the reporter with a Google Maps screenshot of a location identifying the phone's whereabouts within a few hundred meters. Motherboard found that MicroBilt was selling phone location information to car salesmen, property managers, bail bondsmen and others with little oversight and in ways that led to the data being resold on the black market. The report quickly sparked new calls for investigation into the way phone location data is stored and shared, including from the U.S. Federal Communications Commission's Jessica Rosenworcel.
A woman walks past storefronts of T-Mobile and Sprint.
"T-Mobile, Sprint [Corp.], and AT&T are selling access to their customers' location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country," wrote Motherboard.
An AT&T spokesperson said that the company is in the process of shutting down third-party access to customer location data discovered outside of cases where a customer gives consent or when the company is legally compelled to do so.
"We only permit sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law," said the spokesperson. "Over the past few months, as we committed to do, we have been shutting down everything else. We have shut down access for MicroBilt as we investigate these allegations."
T-Mobile in a statement said it has been terminating all agreements with third-party data aggregators, a process that is nearly complete. The carrier said that while it does not have a direct relationship with MicroBilt, a vendor that was working with MicroBilt has shut down all transmission of T-Mobile data to the company. T-Mobile CEO John Legere said in a Jan. 8 tweet that the company will end all location aggregator work in March.
A Sprint spokesperson also confirmed on Jan. 9 that the company had terminated a contract with Zumigo, a third-party aggregator believed to have sold customer location data to MicroBilt.
MicroBilt representatives were not able to be reached for comment for this story.
The issue of major telecommunications carriers providing customer location data to third-party companies also arose last year, when all four major U.S. carriers disclosed in letters to Sen. Ron Wyden, D-Ore., in June 2018 that they have allowed some third-party companies to access customer location data for "location-based services" when a customer consents to the disclosure. For example, the carriers said they have provided customer location data to third-party "aggregators" for purposes such as bank fraud detection or roadside assistance for companies looking to locate stranded motorists. Additionally, carriers also disclose location data in instances where laws or regulation require or authorize access.
In the June 2018 letters, the U.S. carriers vowed to either stop or limit customer location data sharing practices to third-party data companies.