The prices are initially low, as well. Microbilt can provide basic location info for $5 per device, and $13 for live tracking. Resellers tend to hike the price in order to turn a profit, but it's still low enough that a determined individual could afford it. In Motherboard's test case, it cost $300 to get information accurate to within a third of a mile.
Many of the companies involved are backing away in light of the privacy breach. Microbilt said it required that clients obtained consent and said the Motherboard incident was an example of abuse it wasn't aware of. It also pulled web documents relating to its mobile location offering. AT&T and T-Mobile, meanwhile cut off Microbilt's access. "We only permit sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law," an AT&T spokesman said. "Over the past few months, as we committed to do, we have been shutting down everything else. We have shut down access for MicroBilt as we investigate these allegation[s]."
Sprint said privacy and security were a "top priority," and stressed that it "does not have a direct relationship" with Microbilt, but didn't outline how its data might end up in Microbilt's hands. Verizon, meanwhile, didn't directly address Microbilt told Engadget that it fixed "similar issues" in the first part of 2018. That might be borne out by Motherboard's experience. Microbilt suggested its service would work for all carriers, but the middleman involved either couldn't or wouldn't search for Verizon users.
The investigation shows that location data isn't all that closely guarded, and that determined people can get that data if they're willing to pay. And it doesn't take much to see why that could be a problem. Never mind bounty hunters -- this could let stalkers know your rough whereabouts, or reveal politicians' travel patterns. Until carriers can guarantee that data won't reach the wrong hands, this represents a glaring privacy hole.