Remember that story that came out last month about T-Mobile, AT&T, and Sprint customer location data being bought by bounty hunters? Turns out that the issue may have been bigger than originally thought.

A new report has shed more light on the situation involving the location data of major U.S. carriers being sold and trickling down to bounty hunters, including some people who accessed this data thousands of times. Motherboard explains that around 250 bounty hunters and related businesses had access to location data of T-Mobile, AT&T, and Sprint customers, with one bail bond firm using the phone location service more than 18,000 times, while another bounty hunter made more than 1,000 phone location requests in a year of use.

The report includes info on a company called CerCareOne, which sold cellphone tower data and assisted GPS (A-GPS) data, which is typically used to locate cellphones that dial 911. CerCareOne operated between at least 2012 and late 2017 and was largely kept secret because its terms of use required customers to keep quiet about its existence. The company would charge up to $1,100 for a phone’s location, which would gather data from cell towers and give the phone’s approximate location on a Google Maps-like interface.

A couple of bail agents were interviewed for this report and defended their use of wireless customer location data. ““This type [of] information is solely used for and extremely beneficial in locating and tracking wanted fugitives who have jumped bond and are also wanted by law enforcement for absconding from justice,” said Charles Rhea Shaw III from Georgia. Both he and another bail agent say they had permission from their clients in their bail recovery contracts to use location services.

This user location data originated from T-Mobile, AT&T, and Sprint, who sold it to location aggregators like Locaid, which was eventually bought by LocationSmart, a company involved in a location data scandal of its own in 2018. Locaid and LocationSmart then sold data access to other companies, including CerCareOne, which then sold that access to its own customers.

When asked if it’s sold A-GPS data, T-Mobile said to Motherboard, “We don’t have anything further to add at this stage.” T-Mo did provide a new statement based on the information in today’s report, instead pointing to the statement it gave last month in which it said that it’s completely ending location aggregator work.

This whole matter is unsettling, especially with this latest info regarding A-GPS data and how accurate those details can be. “Oftentimes A-GPS provides location information about where someone is inside a building,” said Laura Moy, executive director at the Center on Privacy & Technology at Georgetown University Law Center. T-Mobile has said that it’s ending all location aggregator work in March. In the mean time, you can get a lot more info on this whole situation by reading the full report at the link below.

Source: Motherboard