There’s a lot of hand-wringing over the amount of data Google and Facebook have on us, but mobile carriers have been flying under the radar. The fact is, they know roughly where you are all the time, and a new report claims they’ve been selling access to that information without the proper privacy safeguards in place. You can thank the shady world of data aggregators for this potentially egregious violation of your privacy.
A former Missouri sheriff has been charged with using an online service operated by law enforcement contractor Securus to track cell phones illegally, according to The New York Times. Prosecutors claim Cory Hutcheson used the system at least 11 times between 2014 and 2017 to track the phones of a judge, members of the state highway patrol, and others.
Securus mainly operates private telephone services for prisons and jails, but cell phone tracking is a “value-add” option in this lucrative and highly competitive market. The location data comes from a third-party called LocationSmart, which claims to have a direct connection to all four big US carriers, as well as several in Canada. The nature of this connection is unclear, but it would appear carriers are not getting the appropriate location consent before providing data to LocationSmart.
This location data isn’t anything new — your carrier always knows where you are based on network access, and that’s necessary to ensure you’re connected to the right towers. This network location data is not as accurate as GPS on your phone, but it usually pinpoints you within a few city blocks. LocationSmart even has a try-before-you-buy demo online where you can opt a phone number into the test and locate it in seconds. I tested it with a throwaway SIM, and it did indeed get close to my actual location.
From a legal perspective, accessing a phone’s network location may or may not be illegal depending on where you live. Some states require warrants to track phones, but in others you only need that for real-time tracking. In a few places, this data requires no warrant at all. Us Senator Ron Wyden has sent a letter to the FCC seeking an investigation of Securus and LocationSmart, but the agency has not replied yet.
Carriers seem caught off guard by this report. They all have privacy policies that seem to prohibit this sort of sharing without consent, but Hutcheson was allegedly able to use Securus’ connection to LocationSmart to spy on multiple phones for years without anyone knowing. We’ve reached out to the big four US carriers to see if we can get updated statements on what, if anything, they are doing as a result of the New York Times report.