Telecom & Communications Data

How your phone carrier sells you out

Your Carrier Is the Original Data Broker

Your wireless carrier knows more about you than almost any other company. They know where you are at every moment, who you call, who you text, what websites you visit, and what apps you use. For years, AT&T, Verizon, T-Mobile, and Sprint quietly sold this data to a chain of aggregators, middlemen, and end users — including bounty hunters, stalkers, and bail bondsmen — with virtually no oversight or meaningful consent.

The carrier location data scandal, which resulted in nearly $200 million in FCC fines, is one of the most significant data broker revelations in US history. It exposed how all four major wireless carriers treated your real-time location as a product to be monetized, with consent obligations offloaded to downstream buyers who never bothered to obtain it.

The Carrier Location Data Scandal

The carrier location data scandal involved all four major US wireless carriers selling real-time customer location data through aggregators without consent. The data chain worked like this: carriers sold location data to aggregators (LocationSmart and Zumigo), who sold to middlemen (3Cinteractive, Microbilt), who sold to end users — including bounty hunters, landlords, bail bondsmen, and stalkers. At no point in this chain was meaningful customer consent obtained.

Timeline:

Pre-2018: AT&T, Verizon, T-Mobile, and Sprint sold access to customer location data to aggregators. The carriers attempted to offload consent obligations to downstream recipients, none of whom actually verified consent.

May 2018: Senator Ron Wyden revealed that Securus Technologies had been selling location data to law enforcement.^[8] Simultaneously, Carnegie Mellon Ph.D. student Robert Xiao discovered that LocationSmart’s free online demo could be exploited by anyone to track virtually any phone in North America.^[6]

January 2019: Motherboard/Vice paid a bounty hunter $300 to locate a T-Mobile phone in real time, pinpointing it to a specific neighborhood in Queens, New York.^[13] A follow-up investigation revealed approximately 250 bounty hunters and bail bond organizations had access to carrier location data, with one bail bond firm using the tracking service more than 18,000 times.^[14]

June 2018–2019: Major carriers began pledging to cut ties with location data aggregators. Investigations revealed data was still being sold through Zumigo to companies like Microbilt, which resold it to landlords and bail bondsmen.

February 28, 2020: FCC issued Notices of Apparent Liability proposing fines totaling over $200 million against all four carriers.^[3]

April 2024: FCC finalized fines totaling nearly $200 million.^[1]

The fines:

T-Mobile / Sprint: $92 million combined ($80 million for T-Mobile + $12 million for Sprint, consolidated after the 2020 merger) — the largest individual carrier fine.^[1]

AT&T: $57 million

Verizon: $47 million

The appeals (2025): All three remaining carriers appealed. The D.C. Circuit upheld T-Mobile/Sprint’s $92 million fine in August 2025.^[4] However, the Fifth Circuit vacated AT&T’s $57 million fine on April 17, 2025, ruling that the FCC’s in-house enforcement process — where the agency acted as “prosecutor, jury, and judge” — violated AT&T’s Seventh Amendment right to a jury trial under the Supreme Court’s 2024 decision in SEC v. Jarkesy.^[5] Verizon’s appeal remains pending in the Second Circuit. Both the FCC and Verizon have filed petitions for Supreme Court review, setting up a potential landmark ruling on agency enforcement powers.

LocationSmart

What they sold: Real-time mobile phone location data for all major US carrier customers. LocationSmart provided location-based services to businesses, ostensibly for fleet tracking and fraud prevention, but had access to location data of virtually every mobile phone customer in the United States and Canada through agreements with all major carriers.

The bug that exposed everything: On May 16, 2018, Carnegie Mellon Ph.D. student Robert Xiao discovered a vulnerability in LocationSmart’s free online demo — an API that failed to validate consent responses — that allowed anyone to look up the real-time location of any US cellphone to within 100 yards to 1.5 miles. No consent check. No authentication. Xiao was able to access anyone’s phone location after only 15 minutes of exploring the site.^[6] KrebsOnSecurity verified the vulnerability worked across all four major carriers and several smaller providers.^[7]

Aftermath: All major carriers terminated their location aggregation arrangements with LocationSmart. Xiao reported the vulnerability through the CERT Coordination Center and notified the FTC.

Securus Technologies

What they are: One of the largest providers of telephone services to jails and prisons in the US. Securus built an online portal that allowed law enforcement to obtain real-time location data of any cellphone customer — not just prisoners or their contacts. The portal only required checking a box asserting legal authorization. No actual verification was performed.

The abuse: Former Mississippi County, Missouri Sheriff Cory Hutcheson used the Securus portal to track cellphones without a warrant, uploading fake documents he sometimes notarized himself. His targets included state highway patrol officers and Judge David Dolan — not just prisoners’ contacts. Hutcheson was arrested in April 2018 on 18 charges, pleaded guilty to wire fraud and identity theft, and was sentenced to six months in federal prison, reporting to FCI Forrest City on June 20, 2019.^[9]

Other scandals: In November 2015, The Intercept obtained 70 million records of prison phone calls spanning December 2011 through spring 2014 across at least 37 states. The trove included approximately 14,000 recorded conversations between inmates and attorneys — what the ACLU’s National Prison Project director called “the most massive breach of the attorney-client privilege in modern U.S. history.”^[10] A subsequent 2019 breach compromised passwords, personal information, and location data.^[11]

Financial distress: Securus’s parent company, Aventiv Technologies (owned by billionaire Tom Gores’s Platinum Equity), faced near-bankruptcy in 2024–2025 with $1.3 billion in debt after FCC rate caps adopted in July 2024 slashed prison call costs from as much as $11.35 to $0.90 for a 15-minute call. In April 2025, Platinum Equity and financial stakeholders agreed to invest $360 million in exchange for equity, narrowly avoiding a bankruptcy filing.^[19]

Zumigo

What they sold: Real-time mobile phone location data obtained through agreements with T-Mobile and Verizon. Zumigo ostensibly provided location data to banks and financial institutions for fraud prevention, serving approximately 75 customers.

The reality: Investigations revealed that location data flowed from T-Mobile to Zumigo to Microbilt, which sold phone geolocation services to landlords, bail bondsmen, and bounty hunters for as little as $4.95 per lookup.^[12] In late 2017, Zumigo lobbied the FCC to loosen user consent requirements for data sharing.^[12] All major carriers eventually terminated ties with Zumigo following the scandal.

Carrier Advertising & Data Divisions

Beyond location data, the carriers themselves operate advertising divisions that monetize your browsing, app usage, and behavioral data. The location data fines addressed one slice of the problem. The advertising side continues.

T-Mobile Advertising Division

What they sell: Web browsing data, mobile app usage data, and customer behavioral data sold to advertisers. T-Mobile shares information about customers’ online activities for targeted advertising.

Scale: Affects T-Mobile’s entire US customer base of 100+ million subscribers.

The opt-out switch: On April 26, 2021, T-Mobile quietly changed its customer privacy policy to allow selling customer web browsing and app data to advertisers without requiring explicit opt-in consent.^[15] They simply switched to an opt-out model, meaning your data was being sold unless you actively found and toggled the setting off — a multi-step process buried in account settings.

AT&T Data Division

What they sell: Customer location data, browsing data, and behavioral information sold to advertisers and data aggregators.

Scale: Over 120 million wireless subscribers in the US.

The ad-tech gamble: AT&T acquired programmatic advertising platform AppNexus for a reported $1.6 billion in 2018, rebranding it as Xandr and combining it with its TV and digital advertising businesses. The ad-tech business underperformed, and AT&T sold Xandr to Microsoft in June 2022 for a reported $1 billion — a loss of roughly $600 million.^[16] AT&T was separately fined $57 million by the FCC for carrier location data sales, though that fine was vacated on appeal.^[5]

Verizon Media / Oath

What they sold: Customer data monetized through advertising platforms. Verizon acquired AOL for $4.4 billion in 2015 and Yahoo for $4.48 billion in 2017, uniting them under the “Oath” division to build an ad-tech business leveraging customer data.

Scale: Over 147 million wireless connections, plus the combined user bases of AOL and Yahoo properties.

The expensive failure: Verizon wrote down $4.6 billion on Oath at the end of 2018. The division was rebranded as Verizon Media Group. In 2021, Verizon sold the entire media business to Apollo Global Management for $5 billion ($4.25 billion in cash plus a 10% retained stake) — recouping barely half of the roughly $8.9 billion combined acquisition cost.^[17] Part of the reason the business failed was that Verizon’s own recognition of privacy constraints hampered its advertising ambitions.^[18] Verizon was fined $47 million by the FCC for carrier location data sales, currently under appeal.

The Data Chain: How Carrier Data Reached Bounty Hunters

The carrier location data scandal revealed a supply chain designed to obscure accountability:

Step 1 — The Carriers: AT&T, Verizon, T-Mobile, and Sprint sold raw location data to aggregators. The carriers claimed they required aggregators to obtain consent from end users. They did not verify this.^[2]

Step 2 — The Aggregators: LocationSmart and Zumigo received carrier location data and resold it to middlemen. LocationSmart’s demo site was so poorly secured that anyone on the internet could track any phone.^[7] Zumigo lobbied the FCC to weaken consent requirements.^[12]

Step 3 — The Middlemen: Companies like 3Cinteractive and Microbilt purchased location data from aggregators and resold it to end users. Microbilt sold data to landlords and bail bondsmen under the guise of identity verification for as little as $4.95 per lookup.^[13]

Step 4 — The End Users: Bounty hunters, bail bondsmen, landlords, and in at least one documented case, a Missouri sheriff who tracked judges and highway patrol officers. A Vice investigation in January 2019 demonstrated that a reporter could pay a bounty hunter $300 to locate any phone in the United States within minutes.^[13]

At every step, each party pointed to the next as responsible for obtaining consent. Nobody actually obtained it.

Sources & References

[1] Krebs on Security: FCC Fines Major US Carriers (April 2024) – T-Mobile $80M, Sprint $12M, AT&T $57M, Verizon $47M; nearly $200M total.

[2] FCC: Official Enforcement Action (DOC-402213A1, PDF) – Carriers offloaded consent to downstream recipients; no meaningful verification.

[3] Harvard JOLT: FCC Proposes $200M+ in Fines (February 28, 2020) – Notices of Apparent Liability against all four carriers.

[4] Fierce Network: T-Mobile $92M Fine Upheld (August 2025) – D.C. Circuit upheld combined T-Mobile/Sprint fine.

[5] All About Advertising Law: 5th Circuit Vacates AT&T $57M Fine (April 17, 2025) – Seventh Amendment jury trial right under SEC v. Jarkesy.

[6] Carnegie Mellon: Student Uncovers LocationSmart Vulnerability (May 2018) – Robert Xiao; 15 minutes to discover; API failed to validate consent.

[7] Krebs on Security: LocationSmart Leaked Location Data (May 2018) – Verified across all four carriers; 100 yards to 1.5 miles accuracy.

[8] EFF: Senator Wyden Calls for FCC Investigation (May 2018) – Securus revealed selling location data to law enforcement.

[9] Prison Legal News: Former Missouri Sheriff Gets Prison Time (2019) – Cory Hutcheson; six months; fake documents; tracked judges and troopers.

[10] The Intercept: 70 Million Prison Phone Calls Exposed (November 2015) – 37 states; 14,000 attorney-client calls; “most massive breach of attorney-client privilege.”

[11] Prison Legal News: Securus Hacked Again (2019) – Passwords, personal information, and location data compromised.

[12] Vice: Zumigo Sold Phone Location Data and Lobbied FCC – T-Mobile → Zumigo → Microbilt → bounty hunters; $4.95 per lookup.

[13] Vice/Motherboard: I Gave a Bounty Hunter $300 (January 2019) – Reporter located T-Mobile phone in Queens, NY; Microbilt/Zumigo supply chain.

[14] Vice: Hundreds of Bounty Hunters Had Access – ~250 bounty hunters; one firm used service 18,000+ times; AT&T, T-Mobile, Sprint data.

[15] Fortune: T-Mobile Wants to Share Your Data (April 2021) – Opt-out model; browsing and app data sold to advertisers.

[16] AT&T: Completes Sale of Xandr to Microsoft (June 2022) – AppNexus acquired 2018 for $1.6B; sold as Xandr for ~$1B.

[17] CNBC: Verizon Sells Yahoo/AOL to Apollo for $5 Billion (2021) – $4.25B cash + 10% stake; $4.6B Oath writedown in 2018.

[18] Digiday: Verizon’s Privacy Limits Killed Its Media Ambitions – Self-imposed privacy constraints hampered advertising business.

[19] The Appeal: The Slow Death of Securus/Aventiv – $1.3B debt; FCC rate caps July 2024; $360M equity restructuring April 2025.