A bounty hunter was able to get the live location of a number of different individuals from American cellphone networks through a single phone call, it is claimed.
Matthew Marre was charged [PDF] last month with allegedly obtaining "confidential phone record information ... by making false and fraudulent statements and representations." It is claimed he called a hotline run by various mobile networks, and asked for the GPS location of specific cellphones – all of which belonged to people that were wanted for skipping bail.
The ruse was apparently extremely successful, according to Colorado federal court documents that have subsequently been restricted from public view. The paperwork, submitted by prosecutors, alleged that, last year, he successfully persuaded T-Mobile USA to hand over location data for six phone numbers, and as a result he collared three people who were using the numbers.
In one extraordinary tale, Marre allegedly contacted the police when he believed one person he was tracking was breaking into a house. The cops turned up but were unable to find the suspect, so Marre returned to his laptop, updated the GPS tracking on the suspect's phone, and apparently found the person hiding in bushes at the back of the property.
The same ruse also seemingly worked with Verizon and Sprint, leaving only AT&T as a company that did not hand over highly confidential information on the basis of a single phone call – and that may only be because none of the people Marre was tracking used AT&T. The now-restricted court filing was noticed and discussed publicly earlier today by terrorism expert and PACER-whisperer Seamus Hughes.
But while the story is fascinating, Marre's apparent ability to obtain the data has put a further spotlight on the sharing of location data by mobile operators: an issue that privacy groups and an FCC Commissioner are calling for a full investigation into.
What is remarkable is that Marre was seemingly able to get the information at all. As the prosecutors' court doc notes, every mobile network operator has "24-hour law enforcement assistance operators that are available to assist in emergencies across the US to aid any law enforcement agency that is involved in an emergency that potentially involves death or serious bodily injury."
The police are required to follow a "legal court process compelling the companies to assist law enforcement" i.e. get a warrant before mobile operators are supposed to hand over location data. But there is an exception for emergencies.
"In an emergency, without legal process if the situation potentially involves death or serious bodily injury that could occur without immediate action," then operators are allowed to forego the normal legal process. This, in theory, is the bar that Marre should have jumped: an emergency that involved potential death. But it would appear that Marre didn’t even give a solid representation that he was a police officer, let alone one in the midst of a life-threatening situation.
The prosecution's court doc indicates that one mobile operator, in explaining its decision to hand over location data, said that "a male who identified himself as a Matthew Marre, claiming to be an investigator for the 'Colorado Department of Public Safety' and the 'Colorado Task Force'," contacted them and asked for the information, which they then handed over.
Senator Wyden goes ballistic after US telcos caught selling people's location data yet againREAD MORE
When Marre was interviewed following the bush-tracking incident, he told a police officer that he was the owner of "Colorado PSC LLC" and had been contracted by a bail bond company to track the man in question.
We haven't been able to find a limited liability company called "Colorado PSC" but it is possible that Marre simply implied he was a police officer by saying he was from "Colorado PSC" and was given the information by the mobile operator. It is notable that he used his real name rather than a pseudonym.
The indictment against him also claims that he "provided a document… knowing such document was false and fraudulent." It's not clear what that is in reference to and it may be a further check run by mobile operators before approving location data, but it is not clear at this stage since neither law enforcement nor mobile operators want their verification processes to become public knowledge.
Either way, Marre was apparently able to get hold of information that should been restricted only to law enforcement officers in an emergency situation – and was able to do so repeatedly with three of the four mobile operators, suggesting at the very least that those companies have lax data protection systems in place.