A new report from Motherboard today takes a look into the practices of US wireless carriers selling user location data to third-parties. While it’s often credit card and other financial companies buying the location data for fraud detection and more, Motherboard says some rogue third-parties have access to user location data and it’s landing the hands of bounty hunters and the black market.

Update 2/7/19: Motherboard has released a new report that further details the sales of users’ location data over the past several years. While carriers have downplayed the extent to which third-parties like bounty hunters and others have been able to buy users’ location data, documents from one data location seller paints a much more concerning picture.

The numbers from one company, CerCareOne, describe selling AT&T, T-Mobile, and Sprint user location data to around 250 bounty hunters and other parties more than 18,000 times over a period of five years.

Worse yet, some of the those bounty hunters allegedly resold the data that they obtained to others.

Oregon Senator Ron Wyden who has pressed carriers on this issue over the past years shared a statement with Motherboard.

Read up on all the new details of this story at Motherboard.

It’s well-known that law enforcement and other government agencies can access user location data from wireless carriers with a warrant, Motherboard says there’s a more complicated and dangerous market that involves carriers like AT&T, T-Mobile, and Sprint selling location data to third-party location aggregators. The issue is that there seems to be little oversight when it comes to what these companies can do with the purchased data.

Motherboard’s Joseph Cox was able to track the location of a person via their T-Mobile phone number who agreed to be a target for a test. A call to a bounty hunter and $300 did the trick.

Notably, this didn’t involve any hacking or background knowledge about the phone number.

One company that Motherboard says is selling location data to private parties is called Microbilt. The report notes there are several markets buying data from the company:

Complicating this already murky issue is the re-sale of location data on the black market.

It’s this convoluted web of interactions that makes these privacy and security concerns so problematic. It leaves carriers seemingly helpless once the data is in the hands of third-parties.

As for the carriers, the CTIA (Cellular Telecommunications Industry Association) that represents AT&T, T-Mobile, Sprint, and more said that the transmission of location-based user data is reliant on “two fundamental principles: user notice and consent,” however, Motherboard said its investigation proves that’s not working.

In its investigation, Motherboard discovered the user location data passing through six parties:

In a call to Microbilt’s customer support, Motherboard found the company sells user location data for as little at $5.

AT&T responded to Motherboard saying that they have cut ties with Microbilt as they look further into these issues.

Sprint shared a similar statement, but it sounds unknown if they have an indirect relationship with Microbilt:

And T-Mobile did the same and said its partner Zumigo had cut off Microbilt:

Check out the full, in-depth investigative report here.