Tech

Data Broker That Sold Phone Locations Used by Bounty Hunters Lobbied FCC to Scrap User Consent

People being tracked

Earlier this month Motherboard showed how T-Mobile, AT&T, and Sprint were selling cell phone users’ location data that ultimately ended up in the hands of bounty hunters and people unauthorized to handle it. That data trickled down from the telecommunications giants through a complex network of middlemen and data brokers. One of those third parties was Zumigo, a company that gets location data access directly from the telcos and then sells it for a profit.

Motherboard has now unearthed a presentation that Zumigo gave to the Federal Communications Commission (FCC) in late 2017 in which it asked the agency to place even fewer restrictions on how some of the data it sells can be used, and specifically asked for the agency to loosen user consent requirements for data sharing.

Videos by VICE

“As breaches become more prevalent and as consumers rely more on mobile phones, there is a tipping point where financial and personal protections begin to equal, or outweigh, privacy concerns,” one of the slides reads.

Another slide titled “solutions” suggests that the FCC loosen current consent requirements that are included in cell phone providers’ terms of service, allowing carriers to use vaguer, “more flexible” language.

“Remove the consent requirement of stating that information is being released by the ‘carrier.’ Instead, allow more flexible language, such as:—‘You authorize the bank and its service providers to use your mobile account for verifying your identity and protecting you from fraud,’” the slide reads. “Make the release of carrier data opt-out, rather than opt-in, when it is being used to prevent fraud and identity theft.”

The news signals the mentality of some of the companies in this data trading space, explicitly preferring to scrap the idea of consent for the sake of convenience, even if that means that cell phone users may be ultimately unaware of how their data is being used.

Zumigo_slide
A section of the Zumigo presentation, suggesting the FCC should remove consent requirements around carrier data. Image: Screenshot.

“The FCC said we should work with Congress. It will take a while, whatever proposals we do,” Chirag Bakshi, Zumigo’s CEO, told Motherboard in a phone interview. Bakshi told Motherboard it was not decided at the time of the meeting whether this consent removal should apply to consumers’ phone location information, but Zumigo is a company heavily focused on selling that specific type of data—its tagline reads “Zumigo is the leading provider of authoritative mobile identity and location information.”

Zumigo pitches itself as a fraud prevention company that uses cell phone location data to determine, for example, whether a credit card transaction should be labeled as fraudulent. But at a conference called Money20/20 in 2013, Bakshi mentioned that the company also wanted to use location data for marketing. Motherboard’s investigation showed that Zumigo was also selling data to Microbilt, a company that helps bounty hunters and debt collectors “skip trace” or locate people.

“Today you will see a solution for transaction validation, device authentication, and KYC or know your customer,” Bakshi said at Money20/20. “But I’d be remiss if I didn’t mention the power of our location data for marketing … Our unique patent pending technology makes it the only solution that can locate a phone anywhere globally, no matter where it is roaming.”

“Remove the consent requirement of stating that information is being released by the ‘carrier.’”

A source pointed Motherboard to the publicly available, December 2017 slide deck created by Zumigo for a meeting with the FCC. In that document, Zumigo lamented about the length of time it can take institutions to be approved to handle data from telcos; in one case, it took a bank 8 months. But the document also discusses how Zumigo sees consumer consent as a “major issue.”

“The consent requirements are far more burdensome for carrier data compared to other kinds of data that are much more sensitive,” one of the slides reads, and points to a sample of the sort of language carriers may use in their privacy policies or similar documents, which lay out in detail that a consumer’s location may be tracked (typically, this language is buried in terms of service agreements.)

As well as selling on data access to other companies Zumigo offers a fraud prevention platform. This relies on a variety of data sources, including information from the telcos.

“What we do is—is the phone owned by that consumer, and is the phone near the address?” Bakshi told Motherboard when asked how the fraud platform works. “What we do is we provide a distance, saying the phone is so far; is it near the address or not?” This sort of system may be used to stop hackers breaking into online accounts or opening fraudulent ones, for instance.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Another slide adds, “We strongly believe that if consumers understood the vulnerabilities they face, and their carrier’s ability to help prevent it, they would want the carrier data to be shared in order to keep them safe.”

A spokesperson for campaign group Privacy International told Motherboard in an email that “It’s a very popular industry strategy to play security against privacy. Their argument is that privacy rules (especially requirements to seek consumer consent) make it harder for them to protect people from identity theft and fraud.”

Zumigo also suggests making the release of telco carrier data opt-out, rather than opt-in, when it is being used to prevent fraud and identity theft. In other words, consumers would give up, by default, the ability to have their personal data used and shared for this sort of purpose, rather than giving consent each time. Another Zumigo idea is to make a national registry of numbers where users can say whether they’ve opted-in or opted-out. Bakshi told Motherboard the FCC asked if Zumigo could host this database.

In an email exchange with Motherboard on Tuesday, FCC Chairman Ajit Pai said the FCC does not intend to make these changes.

“The FCC has no interest in removing consent requirements around the sharing of personal data,” he wrote. In response to a follow-up question, he added “The FCC’s position is that we have no interest in removing consent requirements around the sharing of personal data, and that extends to having no interest in working with Congress to remove any of those requirements.”

The Privacy International spokesperson added “People need to have a genuine choice with regards to how their data is used and shared, especially when it comes to services that we all rely on and can hardly avoid.”

After Motherboard’s investigation, AT&T, T-Mobile, and Sprint all said they were stopping the sale of phone location data to third parties and data aggregators, including Zumigo.

Subscribe to our new cybersecurity podcast, CYBER.