
Mobile customer location data is ending up in the hands of bounty hunters - petethomas
https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile
======
40acres
I think we need to reassess how we treat data generated by users via phones,
devices and our digital activities. We had the concept of private and public
property long before intellectual property became codified by law. I believe
that we are entering a new phase which may require the development of a new
type of jurisprudence around things like location data.

I'm definitely not a lawyer, but I'm starting to believe there is an argument
that despite the fact that mobile phones and devices facilitate the generation
of location data, that does not necessarily mean that the device manufacturer
'owns' that data and can transact with it as they please.

This may all be moot because most of us agree to Privacy Policy contracts, but
maybe a mind shift in treating data you generate as a type of property that is
covered by property law is required to change behavior.

~~~
dogma1138
How about we start with not allowing people to legally kidnap individuals?

I never understood the whole concept of “bounty hunters” in the US; it’s not
the Wild West anymore.

The problem here is that “fugitive recovery” doesn’t need to meet any of the
standards normal law enforcement does and unless they kill someone or injure
bystanders there likely won’t be an investigation into their conduct and even
if there is one the result is often that the worst that could happen is them
losing their license. Criminal investigations against fugitive recovery
agents are pretty darn rare and there is no internal affairs or any body that
really investigates their conduct on a regular basis.

I’m pretty sure that a large amount of these people violate much more than the
privacy of their targets on a regular basis.

~~~
zorga
> How about we start with not allowing people to legally kidnap individuals?

Then you'd have to give up being able to afford bail; without bounty hunters,
bondsmen would have no recourse when you didn't show up to court and thus not
much incentive to loan you bail money. You're not being legally kidnapped, you
agreed to those terms when you borrowed the bond money for bail.

~~~
dogma1138
The bail system itself is abhorrent; if there isn’t a reason to lock you up
until trial then you shouldn’t be locked up, if there is you shouldn’t be able
to buy your way out.

Most other countries have figured out how to serve justice without a system
that discriminates against the poor.

Too many people can’t afford the down payment or can offer a collateral to get
a bail financed; those who can end up being indebted to them. You are advocating
for the legalization of loan sharks.

~~~
zorga
Most other countries don't have our intractable political system; bondsmen
solve a problem, they let people get out of jail when the government is being
absurd.

~~~
dogma1138
And do you think the bondsmen don’t have an incentive to keep the status quo?

It’s a multi billion dollar industry which effectively taxes the poor.

Make bounties illegal and it will fall, once it falls the entire bail system
in the US will have to be rethought as there isn’t a way to lock so many
people up, more judges will release them until trial without setting a bail
which they can already legally do and do so for minor offenses.

~~~
zorga
You're putting the cart before the horse; until you change the government and
thus the bail system, we need bondsmen. Making bounties illegal won't stop
judges from setting bails people can't afford and is thus not a valid
solution.

~~~
dingoegret
Very dumb argument. There is no cart and there is no horse. Eliminate the bail
system and something has to fill the void.

~~~
Klover
I remember seeing one in LA. I thought it was fake! Like a tourist attraction.

------
jonahhorowitz
It should be illegal to sell people's data without a wet ink signature. That's
really the end of the story.

~~~
jonahhorowitz
Adding: You should still be able to use services, without consenting to them
selling your data, like you can under the GDPR.

~~~
chii
Would your tune change if by not agreeing to sell your own data, the service
charges you money?

~~~
icebraining
If we're talking about the GDPR, the service can ask you to sell your data,
and it can charge you, but it can't force you to choose between the two. Data
ain't currency.

~~~
matte_black
And what is the answer if we're not talking about GDPR?

------
mlindner
Amazing chain of data transfer there. Likely with each one obeying their
individual terms but the terms being lessened at each step of the line.

AT&T/Verizon/T-Mobile --> Zumigo --> Microbilt --> Bail bond company -->
Bounty Hunter --> Motherboard

------
guelo
This is outrageous. In the last congress Republicans voted to strip what
little privacy protections we had from network providers.

------
21
Are we gonna talk about the Silicon Valley VC's investing in these shady
companies?

> _Zumigo is a pioneer of mobile services providing _deeper insights_ into
> consumer behavior to help secure transactions, devices and identities._

[https://www.crunchbase.com/organization/zumigo](https://www.crunchbase.com/organization/zumigo)

> Intel Capital

> Aligned Partners

~~~
Whitestrake
Investors are gonna invest, right? They're there to make money. Presumably
they believe the company's operations are legal and likely to provide returns.

~~~
kevincrane
VCs have a choice in whether or not to invest in unethical things. If they pay
money to an unethical cause, that's them supporting it.

------
closeparen
Criminal investigations have to stand up to court scrutiny. Fugitive
recoveries do not. I expect there’s a lot more misconduct where this came
from.

~~~
jopsen
The whole bounty hunter system sounds like something out of a bad movie..

I would be very surprised if it wasn't full of abuse stories.

~~~
closeparen
Professional law enforcement agencies are a recent development historically,
and for a long time were resisted as something out of an authoritarian
dystopia. Policing was the job of amateurs and freelancers for much longer
than it’s been a civil service bureaucracy. Even death investigation was,
until recently, a side gig for the town doctor.

~~~
jopsen
How is this relevant?

Human rights is a recent development, does that make them a bad idea? Or
justify violations :)

The concept of a professional trained police force is well proven by now, I
see no reason to question it :)

~~~
closeparen
Parent said bounty hunting is something out of a bad movie. So did institutional
policing, at the time.

------
brohee
I wonder if any of those companies had access to, and sold, roaming European
users location data. The GDPR may possibly be weaponized if it was the case...

~~~
astura
The GDPR doesn't apply to "roaming European users."

~~~
lol768
What's your reasoning for this assertion? If the user is a European citizen, I
was under the impression that GDPR was applicable. The location at which the
user is at does not matter one iota.

US companies need to understand this, or risk losing trading abilities with
citizens and organisations in EU member states.

~~~
astura
No, you're wrong, citizenship doesn't matter, the application depends on
physical location. If you're an American in Europe the GDPR applies to you, if
you're a European in America the GDPR does not.

[https://www.compliancejunction.com/does-gdpr-apply-to-eu-cit...](https://www.compliancejunction.com/does-gdpr-apply-to-eu-citizens-in-the-united-states/)

[https://ec.europa.eu/info/law/law-topic/data-protection/refo...](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en)

~~~
lol768
> the application depends on physical location

Thanks for the correction.

------
guitarbill
> “The allegation here would violate our contract and Privacy Policy,” an AT&T
> spokesperson told Motherboard in an email.

That pretty much sums up how much carriers care about this. But it is nice to
see Senator Ron Wyden is still doing good work, almost restores my faith in
politics.

~~~
Spooky23
This is why utilities need to be heavily regulated.

Selling real time location data to wholesalers in the bail bonds industry? Who
would think there would be abuse?

Only license actions and criminal penalties will stop this kind of abuse.

~~~
ams6110
Do we think skipping out on a bond is OK?

If you are really wanting to do that, don't carry a phone around with you.

~~~
Spooky23
I think that’s a scummy business known for not following the letter of the
law.

~~~
cc439
It's a scummy business but without it bail bonds wouldn't exist, or at least
be as widely available as they are today. Maybe there are better systems for
ensuring compliance with orders to appear in court than that of Bail but as
long as the concept of Bail exists, private Bail Bonds will have to be a
necessary part of the system lest lower/no-income individuals find themselves
with no recourse.

~~~
dragonwriter
> It's a scummy business but without it bail bonds wouldn't exist, or at least
> be as widely available as they are today.

And...is that bad? The availability of bonds factors in to the level at which
bail in a money bail system is set to give reasonable assurance of compliance,
so the main effect of available bail bonds is to make purchasing a bond
instead of paying cash necessary by driving up money bail prices.

> Maybe there are better systems for ensuring compliance with orders to appear
> in court than that of Bail

Certainly there are better ideas than money bail structured to support a
commercial bond industry.

> but as long as the concept of Bail exists, private Bail Bonds will have to
> be a necessary part of the system

No, because bail systems outside of the US and the Philippines (as well as
D.C. and California in the US) are not money bail systems.

~~~
cc439
I wasn't aware that California eliminated the cash bail system last year but
my cursory review of its replacement leaves me thinking it's lacking in its
ability to both accurately identify those who pose a risk to society or a
general flight risk. Replacing a system that allows anyone granted the right
of bail to obtain it (via bail bonds) with enforcement carried out via the
threat of physical apprehension with one that tries to predict the risk before
release leaves enormous room for error/gaps/all-other-flaws.

It sounds good on paper but how does it account for a citizen of "good"
character per the algorithm being charged with a major felony or violent
crime? If they are innocent, there is a meaningful likelihood they are denied
release, thus ruining their life. If they are guilty, there is a meaningful
likelihood they aren't reputable enough to ignore the chance to cut off their
ankle bracelet and go underground.

Are there any systems that allow for something akin to "bail" (as in a way to
be released from custody while awaiting trial while also holding the
individual accountable to return) that rely on things aside from cash or trust
in an "algorithm"? I'm currently doing some reading on the subject so don't
jump down my throat, I'm just skeptical of any other system's ability to
balance availability with accountability for those with few to no assets.

~~~
geggam
Innocent until proven guilty is still a thing. If the judge is inclined to
permit bail then the accused is likely not a danger to society. Bail is
nothing more than incentive for the state to prosecute people for money.

------
robrenaud
Perhaps this is a good reason to use Google Voice and not give anyone the
underlying real phone number with cell service.

~~~
twerkable
Any reason to think Google doesn't sell your data?

~~~
gruez
google _monetizes_ your data (targeting), but doesn't sell it to others.

~~~
onetimemanytime
#1 Reason: no one can monetize that data better than Google

#2 They'd be helping their rivals with such data

#3 Sharing might kill the golden goose (bad press etc)

...

~~~
cc439
Reason #1 sort of invalidates Reason #2. If Google is reasonably confident
that they have an unmatchable (in the short term) advantage in interpreting
and monetizing your data and can also generate additional revenue by selling
it to firms that can't extract the same value from it, what incentive is
stopping them? If competitors start to catch up in the areas in which they
have the clear advantage, they can simply shut off the faucet and the revenue
generated by selling information in the here and now helps fund initiatives to
keep them ahead in the first place.

------
Sephr
LocationSmart advertised themselves to bounty hunters[1]. This kind of
unethical/illegal location sharing from other location brokers like Zumigo is
unsurprising.

1\.
[https://twitter.com/sephr/status/1082711937257893888](https://twitter.com/sephr/status/1082711937257893888)

~~~
roywiggins
They're the same folks who accidentally left an API public that let literally
anyone do it:

[https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...](https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/)

------
sneak
It would appear that sometimes even paying for the service doesn’t mean you
won’t end up as the product anyway.

How can one avoid this kind of aggregated location tracking?

~~~
h0mEDw
You guys need (something like) GDPR in the US. I believe it's a necessity.

~~~
StreamBright
There are lots of things needed in the US.

~~~
r00fus
Meaning, GDPR will be a result of other (political) changes? I'd concur.

~~~
StreamBright
Yes. Instead of focusing on corporate profits the US should focus on quality
of service (in every aspect of life) for citizens.

------
andrewxhill
The barrier to access for many people's location data is simply effort. If you
want it you can probably find someplace to buy it. We need new ways to get
control of our digital shadow.

------
onetimemanytime
> “The allegation here would violate our contract and Privacy Policy,” an AT&T
> spokesperson told Motherboard in an email.

Probably now AT&T execs are looking at increasing prices on such data. This is
very valuable to be sold so cheap.

------
Johnny555
5G microcells will make this data much more accurate.

~~~
Jolter
The network operator already has more detailed info, but the article says they
are fuzzing it before selling it. Presumably this is to prevent pinpointing
users too precisely. If radio cells are smaller, they get higher resolution in
the source data, but we can't know what resolution data they would resell.

------
maloneyg
That is really not good news for all of us. The big brands have to stop
selling customers’ location data to anyone. There should be some law or act
for this.

------
wybiral
With this many companies of questionable security owning the data I think it's
safe to say that this data is getting leaked.

------
intea
Reporting on bad privacy practices while having an atrocious consent dialog...

------
ezoe
That's why I will never own a phone.

~~~
tpxl
Real question: How do you communicate when on the road etc.?

~~~
ezoe
I don't. I don't want to be disturbed most of the time.

------
h0mEDw
For EU folks: anyone tried a GDPR request to their phone provider to figure
out what they collect and what they store? I'm thinking any of the
following are within the realm of possibilities:

    
    
      - Call history, including metadata and potentially also contents;
      - Text messages, same as with calls: metadata and potentially the contents;
      - Location history;
      - Data connection activity, again: metadata and potentially the contents;
      - IMEIs of the devices I used.
    

Basically I want
[http://myactivity.google.com/](http://myactivity.google.com/), but for my
mobile subscription.

I submitted a GDPR request to my GSM provider a few days ago, but I'm not
fluent in legalese, so may not reach as far as someone fluent in it. Still
awaiting initial response.

~~~
StreamBright
Great idea, not sure how they implement this though. They can just email it to
you because GDPR does not specify the delivery means.

~~~
icebraining
Just because the user is the one asking for the data doesn't mean the rest of
the GDPR stops applying. They're still required to have appropriate
safeguards, which means they certainly can't email it to you (at least not in
plaintext).

Also, more specifically about the Right to Access, Recital 63 says: "Where
possible, the controller should be able to provide remote access to a _secure
system_ which would provide the data subject with direct access to his or her
personal data". (emphasis mine)

------
StreamBright
Change title please and add "in the USA"

~~~
danso
The title doesn’t assert that this necessarily exists worldwide.

edit: I mention this downstream, but it's worth correcting myself. The article
prominently features a company named Zumigo, which provides mobile device
location data in India as well as North America. So adding "in the U.S." to
the (already altered) post title is not needed, especially since it could
obfuscate the fact that these location companies do operate internationally.

[0] [https://zumigo.com/zumigo-introduces-breakthrough-mobile-loc...](https://zumigo.com/zumigo-introduces-breakthrough-mobile-location-technology-for-securing-and-enabling-payment-transactions-in-india/)

~~~
StreamBright
Yet mobile customers exist worldwide and I opened the article to see how they
circumvent GDPR because I thought it applies to Europeans too.

~~~
Beldin
As a European, having "bounty hunters" in the title implied that already.

I was unaware of bounty hunters being a serious profession in any particular EU
country. Then again, I don't know any EU country where an accused can bail
themselves out of jail till the court case.

~~~
Xylakant
> Then again, I don't know any EU country where an accused can bail themselves
> out of jail till the court case.

Germany (1), UK (see Assange). I’d assume that most European countries have a
similar system. However, it’s comparatively rare that bail is set in Germany.
If I follow the US bail reform debate correctly I get the impression that jail
before trial (Untersuchungshaft) is comparatively rare in Germany and requires
specific reasons (2) while it’s comparatively normal in the US.

Both might be contributing reasons why the bail system is not commercialized
as in the US. Generally, the European Systems frown upon private law
enforcement much more, that might be another reason for the nonexistence of
bounty hunters.

(1) §116 StPO [https://www.gesetze-im-internet.de/stpo/__116.html](https://www.gesetze-im-internet.de/stpo/__116.html)

(2) mostly Fluchtgefahr (danger the accused may flee and leave the country),
Verdunklungsgefahr (the accused might hide evidence), the danger of repeating
the offense on violent offenses. §112 StPO [https://www.gesetze-im-internet.de/stpo/__112.html](https://www.gesetze-im-internet.de/stpo/__112.html)

