Image: xavierarnau via Getty Images
A company headquartered in Los Angeles recently advertised the sale of real-time phone location data for devices in the United States, Canada, India, and said it would soon offer the same service in the Philippines. The company, TeleSign, removed the advertisement after enquiries from Motherboard.
Although the news does not indicate abuse of location data, and the company is focused on using its products to prevent fraud, it does highlight how the sale of phone location data is not restricted to the United States but occurs in other countries as well.
TeleSign offers enterprises several different services, such as giving companies the option to provide SMS-based two-factor authentication to their customers, or using machine learning and other tools on a phone number so companies can be more sure that it is controlled by the legitimate customer and not a scammer. TeleSign caters to various industries, and includes Salesforce, Blizzard, Evernote, and Alibaba among its customers, according to its website.
In January, TeleSign's website advertised a product called "current location plus."
Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data seller that operated until 2017.
"Provide end-user phone number and receive current proximity location information (cell tower latitude/longitude or triangulated location) to prevent fraudulent transactions, KYC (know your customer), and strengthen identities," a PDF that was hosted on TeleSign's website describing the product reads.
Do you know anything else about the sale or use of location data? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected], or email [email protected]
TeleSign's website provided a world map of where services were available. Specifically for the location data product, the map highlighted the United States, Canada, and India, and marked them as "Services Available." The Philippines was flagged as "Coming Soon."
When Motherboard approached TeleSign for comment and asked about the sources for its international phone location data access, the company removed the product from its website.
"TeleSign did not access the location data in the U.S. and does not have any customers using this type of data. We are no longer commercializing this product," a TeleSign spokesperson wrote in an email. "This product is not available for any market and no location data in any geographies was accessed by any customers."
A screenshot of TeleSign's coverage of the "current location plus" product. Image: Motherboard
Even if TeleSign itself did not have customers for this data, the advertisement still indicates phone location data may be sold elsewhere around the world. The spokesperson said, "we put it on our website previously while we were intending to utilize it for fraud prevention use cases."
In Canada, domestic telcos have their own joint venture to sell customers' location data called EnStream. Although there is no indication of abuse of Canadian location data, EnStream works with a data aggregator called LocationSmart, which has been linked to several cases of data abuse and mishandling.
In the United States AT&T, T-Mobile, and Sprint stopped selling their customers' location data to third parties after a Motherboard investigation found data from those telcos was ending up in the hands of bounty hunters.
Subscribe to our new cybersecurity podcast,CYBER.