The largest US wireless providers have been selling your location data to data aggregators for years. If you’ve received calls from salespeople, or often get targeted by marketers, or you’ve used roadside assistance or emergency response, it is very likely that they obtained your contact and location details through a local data aggregator.

Local data aggregators do not purchase information directly from the wireless carriers but go through cloud location service providers instead. Those cloud location service providers are active members of the aggregator programs offered by wireless carriers. LocationSmart is a good example: it acts as the middleman between carriers and local data aggregators. LocationSmart sells your real-time location to everyone willing to pay the price. You can purchase access to real-time location data from such companies, as long as you agree always to obtain customers’ consent when using it. All major wireless carriers claim to have processes for periodically auditing consent practices. However, recent events showed that even though aggregators have been kept under control on paper, not everyone has been playing by the rules. Wireless carriers and middleman companies are not always fully aware of how the data is being used and do not have an effective way to monitor whether consent is obtained.

You would expect that most of the clients of the carriers would be marketers, advertising and roadside assistance companies. However, this is proving to be wrong as the aggregators have been selling the real-time location to everyone, including prison officers and law enforcement. It is more convenient for companies to work with aggregators instead of dealing directly with the carriers. Wireless companies are not allowed to release such information without a court order, but aggregators have not been as strict.

Security is also an issue. While most wireless carriers have advanced cybersecurity practices in place, their aggregators sometimes fail to meet the expectation that they always keep the information safe. Last month a vulnerability in LocationSmart’s website exposed the real-time location of all users of Verizon, AT&T, Sprint, and T-Mobile. The exposed API gave hackers access to the real-time location of the customers of the biggest US wireless carriers. Hackers might have been able to pinpoint the precise location of every cell number holder connected to the networks of the wireless carriers. Such access is usually possible only when there is a court order or consent from the user. The combined user base of the four carriers exceeds 300 million people, the majority of them US residents.

Even though LocationSmart fixed the issue immediately, Verizon instantly issued a statement confirming that it will stop doing business with LocationSmart and that, moving forward, it will be more cautious when selling location data to third parties. AT&T and Sprint followed the example, and T-Mobile was the last one to pledge to be more careful when providing third parties with access to the location data of its user base.

How does this affect you?

Unfortunately, police officers and marketing professionals are not the only ones interested in your location data. Currently, roughly 95% of the US population own cellphones. Due to the cyber breach, the instant location of more than 300 million US residents might have been left readily available for hackers on LocationSmart’s website. As we’ve previously covered, it is not that hard to dig out the cell number of nearly every American resident. It is currently unknown whether hackers were able to take advantage of the loophole, and if so, for how long. Here are a few examples of what they might have done:

  • Foreign states might have been able to track politicians, police officers and military personnel in real-time.
  • Burglars might have been able to identify when homeowners are away.
  • Sexual predators might have used the information to determine when and where a specific woman lives.
  • Blackmailers might have been able to see if someone goes to a psychiatrist or is having an affair.
  • Stalkers might have been able to determine the precise location of their victims.

This is yet another painful reminder that companies of all sizes are susceptible to hacking, and that poor cybersecurity practices may end up costing everyone a lot, with the final victim always being the end user. There are VPN solutions that block some of the methods hackers and marketers use to track people in real time.
