What’s going on here?

In December of 2013, AT&T announced their “Mobile Identity API”, available only through an enterprise contract with AT&T. Verizon later announced something similar. It looks like both Danal and Payfone are paying for access to these enterprise telco APIs[1], [2].

These services use your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as determined from cell towers (no GPS or on-device location services required). They can only do this with the cooperation of the carriers: the carrier assigned that IP address to your handset’s data session, so it is the party that can map the address back to a subscriber account.

These services claim to help detect fraud by cross-referencing what a user typed into a form (billing details or a phone number) against the carrier’s records for that connection, or, in the case of location, by cross-referencing the GPS position reported by the phone against the position the carrier derives from its cell towers.

The two demos above require the IP address being looked up to be the same as the IP address making the request, so a site can only identify the phone that is currently visiting it. That safeguard may not apply once you buy a contract from these companies. For instance, the payfone.com API appears to let customers look up a phone’s information simply by asserting that the user has consented, and it also allows batch lookups.
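As an added illustration of the two access policies contrasted above (the demo’s requester-bound lookup versus a contract API that takes the caller’s word for consent and accepts batches) and of the billing and location cross-checks these services describe, here is a constructed Python model. It is not code from this page, from Danal or Payfone, or from either carrier; the record table, the function names, the `LookupResult` type and the 50 km location tolerance are all assumptions made for the example.

```python
"""Hypothetical model of an IP-to-subscriber lookup service.

Constructed for illustration: the carrier records, the function names and the two
access policies are assumptions, not the real AT&T, Verizon, Danal or Payfone APIs.
"""
from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt

# Constructed carrier-side records keyed by the IP address the carrier assigned to
# the handset's data session. "tower_loc" is the (lat, lon) the carrier derives
# from cell towers, independent of anything the phone itself reports.
CARRIER_RECORDS = {
    "203.0.113.10": {"msisdn": "+15555550101", "billing_zip": "94103",
                     "tower_loc": (37.7749, -122.4194)},   # San Francisco
    "203.0.113.11": {"msisdn": "+15555550102", "billing_zip": "10001",
                     "tower_loc": (40.7128, -74.0060)},    # New York
}


@dataclass
class LookupResult:
    allowed: bool
    reason: str
    records: dict = field(default_factory=dict)


def lookup_bound_to_requester(requester_ip: str, target_ip: str) -> LookupResult:
    """Demo-style policy: the handset being identified must be the one making the
    request, so a site can only learn about the phone currently visiting it."""
    if requester_ip != target_ip:
        return LookupResult(False, "target IP must equal the requesting IP")
    rec = CARRIER_RECORDS.get(target_ip)
    return LookupResult(True, "ok", {target_ip: rec} if rec else {})


def lookup_with_asserted_consent(target_ips, consent_asserted: bool) -> LookupResult:
    """Contract-style policy as the page describes it: the caller merely asserts
    that the subscriber consented, may name any IP, and may submit a batch. Nothing
    ties the targets to the requester, so every known address is resolved."""
    if not consent_asserted:
        return LookupResult(False, "caller did not assert consent")
    found = {ip: CARRIER_RECORDS[ip] for ip in target_ips if ip in CARRIER_RECORDS}
    return LookupResult(True, "ok", found)


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def billing_cross_check(ip: str, user_zip: str):
    """Fraud signal from the page: compare what the user typed against the carrier's
    billing record. Returns None when the IP is not a known subscriber."""
    rec = CARRIER_RECORDS.get(ip)
    return None if rec is None else rec["billing_zip"] == user_zip


def location_cross_check(ip: str, gps_loc, max_km: float = 50.0):
    """Compare the phone-reported GPS fix with the tower-derived position; a large
    gap suggests a spoofed fix. The 50 km tolerance is an arbitrary assumption."""
    rec = CARRIER_RECORDS.get(ip)
    return None if rec is None else haversine_km(gps_loc, rec["tower_loc"]) <= max_km


if __name__ == "__main__":
    # A visitor from 203.0.113.10 can be identified, but not some third party...
    print(lookup_bound_to_requester("203.0.113.10", "203.0.113.11").reason)
    # ...unless the caller is on the contract path, where asserting consent is
    # enough to resolve a whole batch of addresses it never actually saw.
    batch = lookup_with_asserted_consent(list(CARRIER_RECORDS), consent_asserted=True)
    print({ip: r["msisdn"] for ip, r in batch.records.items()})
```

The difference between the two policies is where “consent” lives. In the requester-bound policy it is implicit in the TCP connection itself: the phone being identified is the one that chose to load the page. In the asserted-consent policy it is a boolean the client sends, which the service has no way to verify, and batching turns that single unverifiable flag into the ability to enumerate subscribers by address.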

In 2013, news came to light that AT&T was giving the DEA and other law enforcement agencies warrantless access to real-time cell phone metadata. This was a pretty big deal at the time.

But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services — not just federal law enforcement officials — who are then selling access to that data.

Given that the only “consent” these services require is the caller’s say-so, and that meaningful audit controls seem unlikely, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States, with potentially no oversight.