Why you can trust us

Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.

It's way too easy for bounty hunters to get your phone location data

Carriers don't have as tight a control over privacy as you might think.

Wireless carriers are supposed to keep a tight leash on your location information, but that's not the case in practice. Motherboard has learned that network location data is reaching bounty hunters and others who aren't supposed to have it. Effectively, it's the result of a flawed data chain. Carriers like AT&T, Sprint and T-Mobile (more on Engadget's parent Verizon in a bit) are relatively strict, passing their info to data aggregators like Zumigo and requiring consent before those aggregators' clients are allowed to use that data. However, things quickly get out of hand. Third parties like Microbilt have sold that data to everyone from bail bond companies to landlords, and those companies promptly use or resell it without telling the affected people.

The prices are initially low, as well. Microbilt can provide basic location info for $5 per device, and $13 for live tracking. Resellers tend to hike the price in order to turn a profit, but it's still low enough that a determined individual could afford it. In Motherboard's test case, it cost $300 to get information accurate to within a third of a mile.

Many of the companies involved are backing away in light of the privacy breach. Microbilt said it required that clients obtained consent and said the Motherboard incident was an example of abuse it wasn't aware of. It also pulled web documents relating to its mobile location offering. AT&T and T-Mobile, meanwhile cut off Microbilt's access. "We only permit sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law," an AT&T spokesman said. "Over the past few months, as we committed to do, we have been shutting down everything else. We have shut down access for MicroBilt as we investigate these allegation[s]."

Sprint said privacy and security were a "top priority," and stressed that it "does not have a direct relationship" with Microbilt, but didn't outline how its data might end up in Microbilt's hands. Verizon, meanwhile, didn't directly address Microbilt told Engadget that it fixed "similar issues" in the first part of 2018. That might be borne out by Motherboard's experience. Microbilt suggested its service would work for all carriers, but the middleman involved either couldn't or wouldn't search for Verizon users.

The investigation shows that location data isn't all that closely guarded, and that determined people can get that data if they're willing to pay. And it doesn't take much to see why that could be a problem. Never mind bounty hunters -- this could let stalkers know your rough whereabouts, or reveal politicians' travel patterns. Until carriers can guarantee that data won't reach the wrong hands, this represents a glaring privacy hole.