Phones Are the World's Ablest Spies

Robert Hackett
Updated

Last week’s column admonished IBM’s The Weather Company for being unclear about the way The Weather Channel app, its weather forecasting service, uses people’s location data. The infraction seems meager in comparison to the abuses that plague location aggregator services—and their downstream clients—which source data from mobile carriers.

These aggregators, barnacles of the telecom industry, depend on cellular giants, like AT&T, Verizon, Sprint, and T-Mobile, for their livelihood. They sell data access to other companies, which sell them to others still. Phone holders have no choice but to opt-in. People’s devices beacon out to cell towers at all times, triangulating their positions, simply by virtue of being on the grid. There is no hiding; everyone’s back bears a target.

For a small fee, anyone with the right connections can hire an unscrupulous marksman to find a person’s phone through a chain of relationships that extends back to these aggregators. Joseph Cox, a reporter at Vice Motherboard, knew a guy who knew a guy, as they say. In an investigation published this week, Cox exposed the underground market for pinpointing handsets. He paid a bounty hunter $300 to geolocate a phone within a few hundred meters, providing nothing more than its phone number.

Cox’s investigation delivers a near-fatal blow to a market segment that has been on life support since the New York Times exposed one particularly egregious offender last year. After that report revealed how a network of data misuse enabled a tool from a company called Securus to track just about anyone’s phone in the country, mobile carriers began unwinding their relationships with aggregators. At the time, Verizon said it would end its relationships, save for a few exceptions, including for fraud prevention and call routing purposes. AT&T similarly said it would limit its relationships to areas such as credit risk assessment and roadside assistance. Sprint and T-Mobile said they were reviewing and canceling contracts with aggregators too.

In light of the latest breach of conduct uncovered by Motherboard, even these reduced relationships face the chopping block. AT&T said it will end all relationships with aggregators by March—even in cases where these ties might have benefited people. (Your car breaks down.) Sprint said it terminated its relationship with Zumigo, the aggregator that provided data to another company, Microbilt, in the Motherboard example, which then sold it on to others, like bail bondsmen and bounty hunters. A Sprint spokesperson declined to reveal whether the company would end all relationships, following AT&T’s lead. Verizon and T-Mobile did not respond to Fortune’s requests for inquiry.

Cox’s exposé serves as a reminder that phones are the world’s ablest spies. As telecom companies either reject or clamp down on aggregators, the potential for location-tracking abuses diminishes—but does not disappear entirely. Risk shifts upstream to the carriers themselves.

Let’s hope for greater oversight at the top.

A version of this article first appeared in Cyber Saturday, the weekend edition of Fortune’s tech newsletter Data Sheet. Sign up here.