Leak reveals that hundreds of bounty hunters have had access to super-fine-grained mobile location data for years

After a blockbuster report in Motherboard revealed that bounty hunters were able to buy realtime location data that originated with three of the four major cellular carriers (the exception is Verizon), the carriers scrambled to spin the news, insisting that the bounty hunter access represented a recent, small-scale aberration. But a new set of leaks reported on in Motherboard reveals that the practice has gone on for years, at industrial scale, and that the resellers who secretly supplied bail bondsmen and other unsavory types have changed names but are still in business.

Motherboard's Joseph Cox reports on a trove of internal documents from a defunct company called Cercareone, which sold cheap access to bounty hunters for years, allowing some firms to make tens of thousands of requests for their targets' location. The data Cercareone sold included so-called "A-GPS data," which can identify targets to a much finer degree than mere cell-tower location, zeroing in on specific locations within houses and other structures. This data is exclusively available through cellular carriers, hinting at a second, even-more-compromising data-sales market never before revealed.

Cercareone's data was supplied by a "location aggregator" called Locaid, which dealt directly with the carriers. Locaid was sold in 2015 to Locationsmart, which continued to supply data to Cercareone until 2017. Cercareone claimed that every person tracked with its data had signed a "privacy waiver," though this appears to have been a lie.

Bounty hunters who contracted with Cercareone were required to sign a confidentiality agreement promising to keep the company's existence a secret.

Nominally, Cercareone is out of business, but it shared a server and other infrastructure with a company called Locateurcell, which is still operating, selling access to location data under the rubric of locating elderly relatives and other less sinister purposes.

Even if CerCareOne is no longer operational, it still provides vital context on how American cell phone users’ data has been sold and traded without their knowledge or proper consent.

“This is an issue of national and personal security,” Jessica Rosenworcel, a commissioner at the Federal Communications Commission told Motherboard in an email. “The FCC needs to act with urgency. There have been press reports calling out the sale of consumer location data since May. I’ve asked for the letters of inquiry that typically kick off an investigation like this. They have not yet provided them.”

Geoffrey Starks, another recently appointed commissioner of the FCC, told Motherboard in an email that “the for-profit location data industry has flourished in the shadows without any government oversight. The lights are starting to come on, and I believe that the FCC should use its authority to stop this practice, safeguard the public, and hold those responsible for this outrageous conduct accountable.”

Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years [Joseph Cox/Motherboard]