As Motherboard investigations have shown, cellular carriers routinely hoover up an ocean of personal user cellular location data that’s then sold to a laundry list of companies with little meaningful oversight. In addition to location data gleaned directly from cell towers, a new Motherboard investigation has revealed that cellular carriers have also been providing access to A-GPS data to data brokers, bounty hunters, and related businesses.

While run-of-the-mill global positioning signal (GPS) data is gleaned specifically via satellite, A-GPS, or “assisted GPS,” utilizes both a phone’s internal GPS chip and data gleaned from wireless carriers’ cellular towers to accurately determine device location. A-GPS data can help shorten the time-to-first-fix (TTFF) of traditional GPS technology, making it both quicker and more accurate to determine a user’s or device’s location than with GPS alone. A-GPS is also utilized in instances where traditional satellite signals are weak or there’s significant interference. For example, the technology has proven to be incredibly useful over the last decade in improving the accuracy and speed of first responder and enhanced 911 services. That’s proven particularly useful in wireless—where structural interference often makes determining a user’s location indoors using traditional GPS problematic. In a 2007 Report and Order, the FCC made it mandatory that cellular carriers make cell phone location data available to emergency call dispatchers. Government filings by the CTIA (the wireless industry’s chief policy and lobbying organization) show A-GPS technology is capable of determining a device or user’s indoor location anywhere within 50 meters. The use of media access control (MAC) address and Bluetooth Public Device Address (BT-PDA) data can help pinpoint a user’s location even more precisely.

While this data is technically most useful in improving the quality of 911 services, the ability to track users indoors in granular detail clearly provides cellular carriers—and a universe of shady middlemen—yet another tempting revenue source. As Motherboard’s investigation notes, this data has wound up in the hands of bounty hunters not authorized to access it. Motherboard’s findings are particularly troubling given the FCC crafted specific rules to prevent exactly this scenario from occurring.

In 2015, the FCC released rules governing the collection of 911-related data and laid the groundwork for an industry “road map” toward complying with those guidelines. The rules declared that such sensitive data should be collected and secured in a National Emergency Address Database (NEAD), and should not be used (or sold) for any purpose other than 911 services or other valid, legal purposes.

That same year, a coalition of consumer groups like the ACLU, EFF, and Public Knowledge specifically warned the FCC in a letter that the FCC’s road map would need to address the potential privacy ramifications of such precise location data collection. “The development of highly-precise location technologies designed to comply with the new regulations will raise a host of privacy concerns that have not been sufficiently addressed in the E911 proceeding,” the groups said. “Public safety should not come at the expense of consumer privacy—nor should it have to.”

The FCC obliged, and in 2017 all major wireless carriers and the FCC agreed to a finalized road map and rules clearly prohibiting carriers from selling 911-related data, including A-GPS. “Providers must certify that they will not use the NEAD or associated data for any purpose other than for the purpose of responding to 911 calls, except as required by law,” the FCC said.

Motherboard’s investigation into the collection and sale of A-GPS data found that user A-GPS data was being sold to third parties as recently as 2017. Multiple legal experts consulted by Motherboard confirmed the FCC has full authority to punish carriers and data brokers for attempting to profit from this data.

“The FCC has the ability to impose fines for CPNI (Customer Proprietary Network Information) violations,” Public Knowledge’s Dylan Gilbert told Motherboard in an email. “As the November 2017 order states, the plan commits that personal information submitted by individuals to the NEAD database will not be shared except as required by law,” Gilbert said. “So this appears to be a clear violation of what the FCC required when it approved the NEAD and the general Advanced 911 mandate in 2015.”