Telcos Sell Phone Location Data to Aggregators | Avast

An alarming investigative probe conducted by tech site Motherboard led to some shocking revelations. A Motherboard reporter stashed his phone somewhere in New York, then hired a bounty hunter to find it. The bounty hunter only needed the phone number and $300. Within minutes, he had the location pinpointed to a neighborhood in Queens, which was in fact where the reporter had hidden the phone. What was most surprising about this process is that the bounty hunter did not need to use any sort of hacking tool to find the phone. He simply used data purchased from telcos AT&T, Sprint, and T-Mobile.

Digging further, the reporter found himself in a complicated web of data companies, phone companies, grey areas, and questionably legal information sharing. He found that a line of information service companies called “location aggregators” purchase phone data from the big telecommunication companies, and then sell that info…to anyone, not just law enforcement. Employers can track their employees, suspicious spouses can track their partners, anyone can track anyone.

“This is a clear violation of people’s privacy,” comments Luis Corrons, security evangelist at Avast. “If this were to happen in the EU, for example, where legislation does a much better job protecting consumers, the companies involved would be facing millions of dollars in fines.”

And of course, this phone geolocation data has leaked onto the dark web, where morality surrounding the uses of the info can dip even lower. As to the phone companies themselves, all three avow that in order for a phone to be tracked, the user must first give consent (in the form of replying to a text, for example), but this investigation proves that policy is not necessarily followed.

It must be noted that the data in question is purely for location tracking. It consists of the phone’s unique mobile identity number and ping data. No text messages, photos, or wallet data are involved.

As the data in question is coming from the telcos themselves, cybersecurity software will not block this kind of tracking. If you’re a customer of any of the three aforementioned phone companies, know that your IMSI (international mobile subscriber identity) may be on a data list being bought and sold around the web. No harm may come of it, but it’s important to know. As of the publishing of the Motherboard article, one of the location aggregators had already begun removing elements from its site. We will be monitoring this trend moving forward.

*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: