Report: Bounty hunters bought carrier user data by the tens-of-thousands
- There is new evidence suggesting it is easy to purchase the location data for a user from a wireless carrier.
- Similar revelations came forth earlier this year, but now it appears the problem is much bigger than anticipated.
- So far, Sprint has responded to state that it will end its arrangements with data aggregators.
In January, Motherboard posted a bombshell article which described how bounty hunters are able to easily gain location data of a smartphone user by purchasing the information from nefarious sources. Those sources, in turn, get their information directly from three of the four biggest wireless carriers in the nation.
In that article, a Motherboard journalist details how they paid a bounty hunter $300 to find their phone, which the hunter did very easily.
Wireless carriers, in response to this flagrant disregard for user privacy, said that these situations are uncommon and represent a fringe issue.
Now, a month later, Motherboard has posted a new article about the same topic, this time making it clear that this problem is much, much bigger than we originally thought.
There were hundreds of people buying user data by the tens-of-thousands for relatively low prices.
According to the report, hundreds of bounty hunters and bail bonds organizations used a company called CerCareOne to buy location data for wireless customers on Sprint, AT&T, and T-Mobile. Some of these bounty hunters used the service tens-of-thousands of times, with one bail bond firm using the service no less than 18,000 times.
The evidence for this stems from CerCareOne’s own internal documentation. The company shut down in 2017.
The chain of sources for obtaining user location data wasn’t that long. A data aggregator company called Locaid (later LocationSmart, which we’ve written about before when it comes to mishandling of user data) obtains access to user location data from wireless carriers legally. Companies like Locaid sell access to that data to other companies that want to keep track of their employees. In order to get this access, companies like Locaid have to agree to not use the location data for any other purpose.
CerCareOne obtained access to Locaid’s data anyway and then resold it directly to bounty hunters and bail bonds firms. In the contract a bounty hunter would sign to obtain data on an individual, a clause clearly states that they are to keep the very existence of CerCareOne a secret.
Bounty hunters would pay prices as high as $1,100 for user location data.
In some cases, buyers had access to precise GPS data for a user, not just cell tower connection data.
To be clear, this isn’t just information about the possible whereabouts of a person based on their connections to various cell towers. In some cases, bounty hunters had access to GPS data, enabling them to know the nearly-exact location a person was at any given time.
We reached out to AT&T, T-Mobile, and Sprint about this new information. Only Sprint got back to us so far, with a very brief statement proclaiming that the company has decided to end its arrangements with data aggregators like Locaid/LocationSmart. However, we’ve heard that before.
We will update this article should we hear back from any of the other wireless carriers implicated in this scandal.
NEXT: Google sued over Location History scandal, case could receive class-action status
from Android Authority http://bit.ly/2BrWmZl
Comments
Post a Comment