With just a few hundred bucks and your cell phone number, someone could track the exact location of the smartphone you’re holding right now.
Motherboard recently investigated the practice of telecom firms — like AT&T, Verizon and T-Mobile — selling user location data to third parties. Worryingly, they found that some of this data may be falling into the wrong hands.
Law enforcement and government entities, of course, can access location data from wireless carriers. But that user location data is also being bought and sold in a complicated market lurking just beneath the surface.
Typically, this user location information is sold to third-party data aggregators, credit card firms, and financial companies. But once it’s sold, there isn’t much stopping that data from trickling down to smaller firms that don’t have the infrastructure to protect it.
Some of that user location data may end up in the hands of criminals and malicious entities, as well as on various black markets. But there are also grayer avenues through which someone can track a device’s location, as proven by a test that Motherboard carried out.
Motherboard reporter Joseph Cox attempted to track the location of a T-Mobile customer who agreed to take part in the test.
Cox contacted a bounty hunter and gave him that person’s phone number. After a $300 payment, the bounty hunter was able to geolocate the phone via a “shady, overlooked service not intended for the cops, but for private individuals and businesses.”
“Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States,” Cox wrote.
And this location tracking doesn’t require any fancy know-how or hacking knowledge. All someone needs, in theory, is a phone number.
The report suggests that at least one company is selling phone geolocation services with “little oversight” to a variety of private businesses, like car salesmen and bail bondsmen. But as mentioned earlier, that data can also inadvertently end up on the black market.
In other words, once the data is in the hands of third parties, there’s little that telecom companies can do to stop it from spreading to darker portions of the web.
Carriers, for their part, maintain that these transactions rely on the fundamental principles of user notice and consent. But as Motherboard points out, it isn’t readily clear if that’s actually the case.
It’s a rather concerning situation with severe privacy and security implications. The full Motherboard report is well worth a read.