Cell Phone Carriers: Data Collection and Sharing

Data Collected by Major US Carriers (Verizon, AT&T, T-Mobile)

  • Call detail records (CDRs): numbers dialed, duration, timestamps
  • Cell site location information (CSLI) from tower connections
  • SMS metadata
  • Mobile browsing history (via DNS queries; historically deep packet inspection)
  • App usage data
  • Device identifiers (IMEI, IMSI)

CDRs triangulate location to ~50-300 meters in urban areas. Retention: 1-2 years (AT&T reportedly up to 7 years for call records).

Verizon “Supercookie” (2014-2016)

Verizon injected an X-UIDH tracking header into all unencrypted HTTP traffic from mobile customers. This enabled persistent cross-site tracking without user consent, with no opt-out available. FCC fine: $1.35 million (March 2016).
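
Added example, not from the original page or from any carrier: a header injected in transit shows up when the request a device sent is diffed against the request an echo server received, and a stable X-UIDH value links visits across unrelated sites. The hostnames, the header value and the function names are constructed for illustration.

```python
# Constructed sample traffic: hostnames and the X-UIDH value are made up.
SENT_NEWS = "GET / HTTP/1.1\r\nHost: news.example\r\nUser-Agent: demo\r\n\r\n"
RECV_NEWS = ("GET / HTTP/1.1\r\nHost: news.example\r\nUser-Agent: demo\r\n"
             "X-UIDH: CONSTRUCTED-ID-0001\r\n\r\n")
RECV_SHOP = ("GET /cart HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: demo\r\n"
             "x-uidh: CONSTRUCTED-ID-0001\r\n\r\n")
# Request that travelled over HTTPS: the page states only unencrypted HTTP
# traffic was modified, so nothing was added in transit.
RECV_TLS = "GET / HTTP/1.1\r\nHost: bank.example\r\nUser-Agent: demo\r\n\r\n"


def parse_headers(raw):
    """Parse a raw HTTP/1.1 request head into {lowercased-name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(sent, received):
    """Headers the server received that the client never sent."""
    sent_h = parse_headers(sent)
    return {k: v for k, v in parse_headers(received).items() if k not in sent_h}


def hosts_linked_by_uidh(received_requests):
    """Map each X-UIDH value to the hosts it reached; keep IDs seen on 2+ hosts."""
    linked = {}
    for raw in received_requests:
        h = parse_headers(raw)
        if "x-uidh" in h:
            linked.setdefault(h["x-uidh"], []).append(h.get("host", "?"))
    return {uid: hosts for uid, hosts in linked.items() if len(set(hosts)) > 1}


if __name__ == "__main__":
    print(injected_headers(SENT_NEWS, RECV_NEWS))
    print(hosts_linked_by_uidh([RECV_NEWS, RECV_SHOP, RECV_TLS]))
```

Legitimate proxies also add headers, so a diff result needs review by header name before it is treated as tracking.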

Carrier Location Data Sales (2018-2019)

May 2018 NYT report: Verizon, AT&T, T-Mobile, and Sprint sold real-time phone location data to aggregators (LocationSmart, Zumigo), who resold it downstream.

January 2019 (Motherboard, Joseph Cox): bounty hunter located any US phone for ~$300 via T-Mobile data chain through third-party intermediaries.

All four carriers pledged to stop after congressional pressure. FCC proposed $200M+ in combined fines (2020), finalized at reduced amounts (2024).

Securus Technologies / LocationSmart

Securus (prison telecom company) obtained real-time location data from all major carriers via LocationSmart. NYT (2018): former Missouri sheriff Cory Hutcheson used Securus portal to track judges, fellow officers, and a personal acquaintance without warrants, at least 11 times.

LocationSmart had an unauthenticated API vulnerability (discovered May 2018 by researcher Robert Xiao) that exposed the real-time location of virtually any US phone.

Carrier Advertising Programs

  • Verizon Custom Experience / Custom Experience Plus: browsing history, app usage, location for ad targeting. Customers enrolled by default.
  • AT&T: charged $29/month extra to opt OUT of ad-supported browsing inspection on fiber service (2013-2016, discontinued).

Stingray / IMSI Catchers

Cell-site simulators (StingRay, Harris Corporation) mimic cell towers, force nearby phones to connect, reveal IMSI numbers, location, and in some configurations call/SMS content. ACLU documents: at least 75 agencies in 27+ states. DOJ warrant policy for federal use (2015). Local police often used pen register orders or no court authorization. Harris Corp NDAs instructed police to conceal use from courts; agencies sometimes dropped cases rather than reveal the technology.

Law Enforcement Access

Pre-Carpenter: historical CSLI obtained via Stored Communications Act court order (lower than warrant standard). Post-Carpenter (2018): warrant required for 7+ days historical CSLI. Carriers still honor emergency requests without warrants. 2022 Senate inquiry: carriers approved vast majority of emergency requests, including some fraudulent ones (hackers using compromised law enforcement email accounts).

Sources

  • FCC enforcement actions (2016, 2020-2024)
  • Carpenter v. United States, 585 U.S. 296 (2018)
  • Motherboard/Vice, Joseph Cox (January 2019)
  • NYT on Securus (May 2018)
  • ACLU Stingray tracking: aclu.org/issues/privacy-technology/surveillance-technologies/stingray-tracking-devices
  • Carrier privacy policies (Verizon, AT&T, T-Mobile)