On a December afternoon seven years ago, I showed up on the doorstep of Carrier IQ totally unannounced. The controversial company had been accused of providing AT&T, Sprint, and T-Mobile with the means to track users’ phones and log their personal data using a secret app that users couldn’t remove. (I was naïve enough to think that I’d crack that wide open just by showing up.)

At the time, Carrier IQ was a scandal that appeared to be getting resolved by device makers and OS vendors, thanks to pressure from Congress. But now, it seems, we take it for granted that cell carriers know where our phones are, and we merely expect that data to be kept private.

A new report from Motherboard shows that we definitely shouldn’t make that assumption.

Motherboard reports that there is now effectively a black market where unscrupulous bounty hunters can theoretically locate almost any phone in the United States for a fee. The publication says it paid one such bounty hunter a mere $300 to pull up a phone’s real-time location.

According to Motherboard’s story, that’s because our cellular carriers — at least AT&T, T-Mobile, and Sprint — are reselling that data to shady third-party location tracking companies that resell it to other companies that sell it yet again to bail bond bounty hunters who can buy it for the low, low price of $4.95 per phone from a company called Microbilt.

When AT&T was asked about Microbilt, this was the reply:

We only permit sharing of location when a customer gives permission for cases like fraud prevention or emergency roadside assistance, or when required by law. Over the past few months, as we committed to do, we have been shutting down everything else. We have shut down access for MicroBilt as we investigate these allegations.

All four major carriers agreed to stop selling this data to third-parties in June, but apparently at least AT&T and T-Mobile haven’t done so yet. Motherboard was able to track a T-Mobile phone, despite CEO John Legere’s insistence in June that it wasn’t selling location data — he clarified later in the evening that the practice will continue till March, which sounds like something a tech exec might say with a hand in the cookie jar.

If these carriers are indeed still selling the data to unscrupulous third parties despite promises not to, a phrase like “we only permit sharing of location when a customer gives permission” is meaningless.

You can’t dismiss this the same way you might have been able to dismiss the Securus scandal when it turned out that a Missouri sheriff was illegally tracking people without a court order. You can’t say, “Oh, it’s just a way that law enforcement is tracking inmates, and we generally trust law enforcement, but I guess they screwed up” anymore.

We haven't even scratched the surface when it comes to cellular carrier location data privacy problems.



This new report can join the Securus and LocationSmart scandals in a long list of warning signs we've been ignoring. https://t.co/NPLbcKpbqc — Karl Bode (@KarlBode) January 8, 2019

It makes me question why we’re still letting those carriers collect, store, and resell that data at all. Why do we take it for granted that cell carriers have these things in 2019 when we were stunned that they would dare to track our phones seven years ago?

I know that this time, I won’t be taking the vague possibility of some action by Congress as a sign that anything will actually be done because it’s pretty clear that the government is asleep at the wheel. There were congressional investigations and scapegoats when Equifax exposed the personal data of as many as 143 million customers, but there were no actual reforms to our broken credit bureau system. Congress actually repealed Obama-era FCC privacy rules that were designed to stop ISPs from selling your data. And clearly, services like Carrier IQ were allowed to thrive to the point location tracking has been normalized today.

It’s not clear how we might claw back our real-time location data from cellular carriers at this point. But we can start by insisting that it isn’t normal to sell that data to just anyone — and that it isn’t right.

Update, 10:31pm ET: Added that T-Mobile CEO John Legere has clarified that his company’s data practices haven’t yet ended, but will instead end in March.