On Thursday, AT&T announced it would stop the sale of its customers' real-time location data to all third parties, in response to a Motherboard investigation showing how data from AT&T, T-Mobile and Sprint trickled down through a complex network of companies until finally landing in the hands of bounty hunters and people unauthorized to handle it. To verify the existence of this trade, Motherboard paid $300 on the black market to successfully find a phone.
Google, whose Google Fi program offers telephone, text and data services using the T-Mobile and Sprint network infrastructure in the United Kingdom, told Motherboard that it asked the companies not to share its customers' location data with third parties.
"We never sold Fi subscribers' location information," a Google spokesman told Motherboard in a statement late Thursday. "Google Fi is an MVNO (mobile virtual network operator) and not an operator, but as soon as we heard about this practice, we demanded that our network partners shut it down as soon as possible." Google did not say when it made this a requirement.
An MVNO is essentially a company that provides regular telecommunication services such as calls and texts, but uses infrastructure from a telco operator. Fi was launched in 201
In Motherboard's investigation, the phone we paid to locate was on the T-Mobile network. The data access passed through a web of various companies, starting with T-Mobile, which sold it to a so-called location aggregator called Zumigo. Zumigo then sold the access to Microbilt, a company offering phone location services to the bounty hunter industry and other sectors. A Microbilt customer then offered a phone lookup to a source, and that source provided Motherboard with a Google Maps screenshot showing the location of the phone itself. The location data was accurate to an area of about 500m, enough to point to a particular area in Queens, New York.
T-Mobile had previously said it was cutting its relationships with location aggregators. In tweets published in response to Motherboard's story, T-Mobile's CEO John Legere repeated that the company continues to wind down all of its location aggregator contracts and plans to finish in March.
Sprint has not responded to Motherboard's request for comment on whether it plans to mirror the actions of T-Mobile and AT&T and turn off all location aggregator access. Google suggested the telecoms may take some action: Google told Motherboard that its partners, namely T-Mobile and Sprint, have already stopped the practice or plan to do so in the coming months. (Google clarified to Motherboard that the company told T-Mobile and Sprint to stop the sale of Fi customers' data, rather than that of the telecoms' customers more broadly.)
Did you get a tip? You can contact Joseph Cox safely on Signal at +44 20 8133 5190, OTR chat at email@example.com, or email firstname.lastname@example.org.
This is not the first time telecoms have said they will take action against location aggregators. Last year, Ron Wyden and later The New York Times reported that an aggregator called LocationSmart provided data access that ultimately allowed low-level law enforcement to track phones without delay. In response, AT&T, Verizon, T-Mobile and Sprint cut off access to Securus, the company that served as intermediary between LocationSmart and the end users. Since then, telecoms have continued to provide location data access for other purposes, such as to roadside assistance companies for locating stranded customers, or for anti-fraud purposes.
On Thursday, Verizon told The Washington Post it is winding down its own four remaining location data contracts, all of which are with roadside assistance companies. After that, customers must give Verizon permission to share their location with the companies. Verizon has not responded to Motherboard's several requests for comment in the past week.
The Motherboard investigation showed that there is still room for abuse with location aggregators. These new steps will see T-Mobile and AT&T cut off the sale of location data to all third parties. Several senators asked the Federal Communications Commission (FCC) to investigate the issue on Wednesday.
"For the second time in six months, carriers promise to stop sharing the US site with middlemen without their knowledge," Wyden told Motherboard Thursday. "I'll believe it when I see it. Carriers are always responsible for who ends up with their customer data – it is not enough to put the blame for abuse on downstream companies."