A report claiming that AT&T, T-Mobile and Sprint sell customers' location data is prompting new calls for action by the federal government.
On Tuesday, Motherboard reported it was able to pay a “bounty hunter” $300 to track a phone's location to neighborhood in Queens, New York. The only information provided to the bounty hunter was the phone number; the carrier was T-Mobile.
“The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts,” Motherboard wrote. “Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint.”
Motherboard reports that six different entities potentially had access to the location data. “T-Mobile shares location data with an aggregator called Zumigo, which shares information with Microbilt. Microbilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard.”
Senator Ron Wyden (D-Oregon), who recently unveiled a draft privacy bill, said the report shows the need for new privacy legislation.
“This is a nightmare for national security and the personal safety of anyone with a phone,” he said on Twitter. “Major carriers pledged to end these practices, but it appears to have been more empty promises to consumers. It’s time for Congress to take action by passing my bill to safeguard consumer data and hold companies accountable.”
Federal Communications Commissioner Jessica Rosenworcel called for her agency to conduct an immediate probe. “The @fcc needs to investigate. Stat,” she tweeted.
Last year, Wyden called on the FCC to investigate the practices of the company Securus, which was helping law enforcement officials track people's locations -- without court orders. Wyden also urged the carriers to stop sharing their customers' information, absent court orders or other legal authority.
In 2016, the FCC passed a set of broadband privacy regulations that would have prohibited carriers from sharing a host of data about customers without their explicit consent. Those rules were revoked by Congress in 2017.