Motherboard previously reported that AT&T, T-Mobile, and Sprint have been selling their customers’ real-time location data, which trickled down through a network of middlemen and data brokers before arriving in the hands of bounty hunters.
But some people don’t even pay for this data at all.
Instead, bounty hunters and people with histories of domestic violence have managed to trick telecommunications companies into providing real-time location data by simply impersonating US officials over the phone and email, according to court records and multiple sources familiar with the technique. In some cases, these people abuse telecom company policies created to give law enforcement real-time location data without a court order in “exigent circumstances,” such as when there is the imminent threat of physical harm to a victim.
The practice is ongoing, according to the sources, and court documents and an audio recording obtained by Motherboard also detail a previously prosecuted case in which one debt collector tricked T-Mobile by fabricating cases of child kidnapping to convince the telco to hand over location data.
“A group of 11 abducted a 7 year child in south Atlanta. This child’s life in obvious danger,” John Letcher Edens wrote to T-Mobile while posing as a US Marshal and trying to locate a vehicle to repossess, according to court records.
The technique highlights another gap in the security of telecom companies, and how they have, at times, exposed sensitive customer data to bounty hunters, stalkers, and other people not authorized to handle it. In some cases, scammers sought out so-called “E911” data intended for first responders, which is highly precise and can in some cases pinpoint a device’s location inside a building.
“So many people are doing that and the telcos have been very stupid about it. They have not done due diligence and called the police [departments] directly to verify the case or vet the identity of the person calling,” Valerie McGilvrey, a skiptracer who said she has bought phone location data from those who obtained access to it, told Motherboard. A skiptracer is someone tasked with finding out where people, typically fugitives on the run or those who owe a debt, are located.
McGilvrey and another bail industry source described separate and previously unreported instances of scammers posing as law enforcement officers to obtain phone location data directly from telecom companies. Motherboard granted the second source in this story anonymity to talk more candidly about a controversial and illegal technique for obtaining phone location data.
Both sources indicated the scam has been done to obtain data on Verizon, T-Mobile, and Sprint customers, with one of the sources saying all telcos were possible. McGilvrey said she believes one person she bought phone location data from had obtained thousands of phones’ locations.
“I know a lot of people who do this,” the second source said, suggesting impersonating officials is an ongoing technique used today.
Convincing a telecom company to hand over a target’s real-time location data is sometimes not difficult.
McGilvrey provided Motherboard with a 2014 audio recording of her talking to Edens. In the call, Edens boasts of his ability to obtain phone locations by fabricating data request documents that law enforcement often use to obtain information about customers from telecom companies. (Motherboard verified that the recording includes Edens’ voice by comparing it to a television interview Edens previously gave to ABC News. In that interview, Edens goes under the assumed name John Anderson; court filings from the government confirm this alias.)
The scheme works by exploiting telecom company procedures for “exigent circumstances,” a legal term for when law enforcement urgently needs access to data, such as during a kidnapping. All telcos provide a mechanism where a law enforcement official can contact them and request real-time location data. Exigent circumstances procedures are separate from more ordinary ways that law enforcement obtain information, such as via a legal search warrant or subpoena.
In the call with McGilvrey, Edens specifically says he made requests to T-Mobile at night, to a particular employee, and he checked who was working before doing so.
“Those are badass pings, is what they are,” Edens says in the audio recording.
McGilvrey asks, “What about Verizon?”
“I can get them too,” Edens replies. “I can do it for all of them.”
An email T-Mobile sent to Edens containing the location of a target phone. The phone number is redacted in the original court record, but Motherboard has added the other redactions of the device's location coordinates to preserve victim privacy. Image: Screenshot
Edens was eventually caught doing this, was arrested, and pleaded guilty to six criminal counts of impersonating a US Officer. He was sentenced to one year in prison in 2016, according to the Department of Justice and court records.
Edens made up several stories of fictitious kidnappings to convince T-Mobile to hand over the location information, court records add.
“[A]n emotionally unstable Houston man has kidnapped a 9 year old child in Georgia. He is armed and dangerous and has plane access,” one of Edens’ messages to T-Mobile in November 2014 read.
The court records mention an email domain—“gafugitivetaskforce1.net”—which Edens used to convince T-Mobile he was a legitimate law enforcement official. In the audio recording, Edens says he also spoofed the area code of his phone number, likely to make T-Mobile believe he was calling from a different part of the country.
In one email from T-Mobile included in the court records, the telco responds to the fake law enforcement officer with a handy Google Maps link of the target’s approximate, real-time location.
With this technique, phone location data has ended up in the hands of people who may abuse it. Edens had a history of domestic violence, stalking, and harassment, according to court records. Specifically, in 2011 Edens was convicted of aggravated stalking and harassing phone calls; in 2006, he was convicted of battery after he caused visible bodily harm to his wife, by kicking her in the shin and grabbing her arms, according to court records.
Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data seller that operated until 2017.
According to court records from the US Marshals case, Edens impersonated a law enforcement officer in order to locate and repossess cars from people who were late on their payments. In one case, Edens headed to one woman’s home at “all hours of the night” and showed up at her workplace, a document filed by government attorneys in the phone location case adds.
“In this case, Defendant not only used the location information to find the victims, but also to harass and threaten at least one victim,” the government filing adds.
Attempts to reach Edens for comment through his lawyer were unsuccessful.
A section of a transcript from Edens' case. Image: Screenshot
While the Edens case shows specific instances of abuse, both McGilvrey and the other industry source told Motherboard that other skip tracers use this technique, and that the abuse is ongoing.
When asked about this specific case and the issue of obtaining location data through impersonation more generally, a T-Mobile spokesperson said in a statement, “At T-Mobile, a dedicated legal team responds to thousands of emergency requests for information each year. Prior to releasing any customer data, they analyze the lawfulness of each request and the identity of the requestor. This process is regularly reviewed and revised as needed. From time to time we have become aware of situations that involve bad actors. Though they are rare we always fully cooperate in investigations and in response will review our process and implement additional safeguards where warranted.”
A Sprint spokesperson wrote in an email, “We regularly consult with other carriers to share information on fraud attempts and are constantly working to update our security and detection measures in order to stay ahead of the latest methods used by fraudsters. Regarding the type of situation you outlined, we have taken a number of steps to help safeguard our customers’ information while also complying with lawful requests from law enforcement and 9-1-1 operators.” The spokesperson added that Sprint asks the person for particular pieces of information, such as their operator number and agency call back number, before processing a request.
An AT&T spokesperson told Motherboard in a statement, “When lives are in danger, we are fast and accurate in helping locate kidnapping victims, attempted suicides and others. We have safeguards to protect against fraudulent requests. Saving lives and screening fraud are both priorities. We don’t discuss our anti-fraud efforts publicly for obvious reasons.”
Verizon did not respond to a request for comment.