Between 2012 and 2017, a nefarious company named CerCareOne leveraged real-time location data from telecom companies to sell information to bail bond companies, according to an investigative report in Motherboard.
The location data from carriers, including T-Mobile, AT&T and Sprint, was captured by a so-called location aggregator called Locaid (later renamed LocationSmart), which then sold that data to a number of different companies, including CerCareOne.
In turn, CerCareOne sold the data to bounty hunters and bail bondsmen, enabling them to find the real-time location of mobile phones. The company would sometimes charge up to $1,100 per phone location, according to a Motherboard source.
The news outlet first broke this story in January. And in response, telecom companies said that the abuse was limited to a few fringe cases.
But this week, Motherboard reported that around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times.
In addition to providing GPS data, CerCareOne also provided assisted-GPS (A-GPS) data, which can hone in on a person’s exact location within a building.
The FCC does require that cellphones be GPS-enabled to provide customers with 911 service. Customers also want the GPS capability for applications such as GPS maps and ride-sharing services.
It’s unclear whether Sprint, AT&T or T-Mobile ever sold GPS data to LocationSmart. None of the companies specifically denied that they had sold GPS data that ended up in the hands of bounty hunters.
However, all three companies have recently issued statements saying they have decided to end their arrangements with data aggregators.
“We only permit sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law," AT&T said. "Over the past few months, as we committed to do, we have been shutting down everything else. We have decided to eliminate all location aggregation services—even those with clear consumer benefits. We are immediately eliminating the remaining services and will be done in March.”
But at this point, the carriers’ commitments are completely voluntary.
Sen. Ron Wyden, D-Ore., introduced a discussion bill in November 2018. The Consumer Data Protection Act would allow consumers to control the sale and sharing of their data and give the Federal Trade Commission authority to render stiffer penalties when companies are found to be out of compliance.
California is in the process of implementing the California Consumer Privacy Act of 2018. Starting in 2020, it will give Californians the right to opt out of data sharing.