T-Mobile, Sprint, and AT&T have been caught selling tracked phone location data of their users to the third-parties, enabling them to track the smartphones across the US illegally. These shocking news came in last week after vice.com’s Motherboard published an article about a bounty hunter tracking down journalist’s “missing” smartphone.

Third-parties can track your phone location real-time

Motherboard describes in detail how $300 paid to a bounty hunter is enough to track down almost any phone within a few hundred yards. In their test case, it was done without fancy hacking tools or any prior knowledge about the phone’s whereabouts real-time, using only the phone number.

While nobody questions the need for the law enforcement to access such personal data (with a warrant or in case of a 911 emergency, obviously), it all gets problematic when it becomes a business-to-business transaction.

Most mobile carrier clients have no idea they have agreed to allow third-parties to acquire their location data for marketing purposes. It usually happens via a click of a button on a website or an app, without paying much attention to what’s being said in those grey-on-white sentences. But some companies apparently skip the opt-in part as there’s no one to police them, unfortunately.

Mobile carriers are selling your phone location data

It may come as a surprise, but telecom companies have the right and do sell our location information to location aggregators, acting as the wholesalers to smaller companies which go retail. Securus and Microbuilt are two of the many companies that resell real-time location data. The latter provided services to the law enforcement, allowing them to locate phones without a court order immediately.

What’s even worse, LocationSmart, the wholesaler that provided Securus, leaked all its information in May 2018 because of faulty website code. If you thought that’s the end, here’s more. Less than a week after the leak was exposed, Securus had been hacked, with 2800 accounts’ data stolen, most of which belonged to the US law officers.

While law enforcers might be thinking they’re doing this for a greater good, using real-time phone location data to react before it’s too late, the chain of re-sellers runs much further, reaching car salespeople, landlords, creditors, and alike. While it might be strange why a creditor would want to check your location, the usage of this tool becomes more apparent when you realize that in addition to the real-time location, the database also gives the number holder’s full name and address. And when the price of locating a phone is less than $5 at some of the resellers, no wonder why there’s plenty of those taking a chance, especially if there’s someone who really wants to find you.

Once your phone number is entered into the software, it spits out your location within 550 yards. Zumigo, one of the companies in the reseller chain that goes just below T-Mobile, called this proximity “a way of protecting user’s privacy.” While this makes some sense if you’re in the center of a bustling metropolis where even an exact location will not say how many hundred yards above the ground you’re standing, it looks more than creepy in a small town setting. Especially, when none of these monitored users have given their consent to be actively stalked.

Reactions from the telecom providers and Google

Just like after the Securus issue in 2018, all three telecom companies have responded with their promises of shutting down access to any companies that misconduct and assured the privacy of their users is the top concern.

So this gives little faith in seeing the stop of illegal use of customer’s private data in the future, even though AT&T told on January 10 that they’re stopping selling customer’s data to third-parties.

This came only after Motherboard had published the story, which was followed by the federal authorities, including senators and FCC (Federal Communication Commision), demanding for an investigation. T-Mobile and Verizon also informed about their decision to cancel location-sharing agreements, with Sprint yet to make a statement.

Also, Google made a statement after this story broke out that might also shed some more light on how it relates to telecom providers. The tech giant has demanded that T-Mobile and Sprint not share Google’s customer data with third-parties.

The thing is, Google has a mobile virtual network operator named Google Fi that uses the infrastructure of aforementioned carriers to provide its own calling and texting services. Started in 2015, this service is available to US subscribers across 170 countries that use Android and Apple smartphones. This means that up to this point there was no agreement between Google and the telecom companies that would prohibit selling real-time personal data of Google Fi users.

How to stop companies like AT&T selling phone location data

Let’s hope that these eye-opening news will be enough for the Congress and other federal lawmakers to pass the right bills that would prevent telecom companies, such as AT&T selling phone location data of its customers. While the damage has been done already and certainly not every one of us is going to change their phone number now, knowing that at least there’s no longer a way to obtain such information easily would give hope that phone tracking will be opt-in.

Hopefully, this series of unfortunate events would call for a revision of other legal acts that relate to privacy protection and educate us on how our data is being used and what can be done to opt-out from it when possible.

At the moment, mobile carriers are not held accountable for any misuse of phone location data. Therefore only knowing about the legal repercussions can help minimize the number of third-parties being able to track phone location in the future.

How to protect yourself from phone location tracking

The biggest problem with protecting yourself from phone location tracking is that mobile carriers are selling cell tower data. Unlike GPS geolocation, which can be easily switched off, signals between your phone and the towers are in constant exchange.

This means that the only way you cat stop your location data from being transmitted is to turn off the phone and remove the battery. For the majority of us, such a method is unacceptable. Unfortunately, the alternatives are either using a radio signal jammer or a Faraday cage.

There are many cybersecurity threats and leaking your phone location data is only one of them. Protecting your mobile internet data, which is also usually on 24/7 is another important action to be taken. Many of us might be surprised to know that most of our internet connections are unencrypted, meaning the information sent over the network can be easily intercepted and monitored by hackers, your ISP (internet service provider) or the government.

Luckily, it’s easier to prevent mobile internet data leakage compared to the phone location data protection. To secure your internet connection, both mobile and wifi, you need to use a VPN (virtual private network). It creates an encrypted tunnel between you and your destination, shutting down any possibility to see what you’re doing and where you’re actually located. You can find recommendations for some of the top services on our best VPNs list.

The Big Four of the US telecom providers

The United States is the third-largest mobile smartphone user after China and India. There are around 240 million mobile internet users across the country, a number expected to rise to 270 million in the next three years. This gives a perspective on what massive amount of data is readily available to those willing to make such illegal transaction.

AT&T is the second-largest mobile carrier in the US (34%), less than one percent behind Verizon. It’s the company with the highest average revenue generated by the user, which may be even higher considering these yet to be well-documented deals with third parties. Also, along with Verizon, they are the two most valuable mobile carrier brands globally. In 2016, its revenue was $160 million.

T-Mobile has 17.5% market share among US carriers. Its major stakeholder is German telecommunications company Deutsche Telekom. As of Q3 2018, it had almost 80 million clients.

Sprint had a 12% market share in Q3 2018, which makes it the fourth largest US mobile network operator. It’s thought that this will be the year when Sprint finally merges with T-Mobile to compete with Verizon and AT&T as the third telecom behemoth.

Together, T-Mobile, Sprint, and AT&T have been holding almost 64% of market share since 2011.

Verizon has dodged most of the request to comment on selling real-time phone tracking data, but it’s known that it previously had four contracts with the location-aggregators. Founded in 1983, the company had almost $126 billion of revenue in 2016, with more than 70% coming from the wireless services. While it has around 10 million more users, AT&T’s revenue was $160 million.