T-Mobile 'Put My Life in Danger' Says Woman Stalked With Black Market Location Data
Joseph Cox, reporting for Motherboard: Ruth Johnson didn't know exactly who rang her phone and threatened her around 20 times in 2014. The person on the other end said he was John Edens from the U.S. Marshals with a warrant for her arrest for stealing a car. She was behind on her payments. It later turned out John Edens didn't have a warrant, nor was he from law enforcement at all. Instead, he was a debt collector with a history of stalking and domestic violence who had managed to get hold of Johnson's phone location data. He did this by pretending to be a U.S. Marshal with the "Georgia Fugitive Task Force" to T-Mobile, which then provided Edens with the location of Johnson's phone in a handy Google Maps interface -- "pinging" the phone, in industry parlance.
"Fearful," is the word Johnson first used to explain the episode in a phone call with Motherboard. "It was very fearful." Motherboard previously reported on Edens' case using court documents and sources in the bounty hunting industry; Edens was sentenced to one year in prison for impersonating a U.S. officer. Now, Johnson explained in an interview what it was like to have her phone tracked. Her story demonstrates the very real human impact that the black market use and sale of phone location data can have. "I was very upset with the phone company, because I was under the impression that you had to get [a] court order in order to get information such as that out," she said. T-Mobile "put my life in danger," she added.
Re:Bunch of noise about nothing (Score:5, Insightful)
Everyone's location should be public; if you want privacy you should live in the woods without a phone.
lol... good point "Anonymous Coward"
Re: (Score:2, Offtopic)
I'm going to do some doxxing here. Records show that Anonymous Coward lives at Undisclosed Location, Anytown, USA.
Re: (Score:2)
Everyone's location should be public; if you want privacy you should live in the woods without a phone.
...says the "Anonymous Coward".
Well played sir, well played indeed.
Lawsuit (Score:5, Informative)
Sounds like she has good grounds for a lawsuit against her stalker and T-Mobile. Maybe T-Mobile should have put better security in place and required a court order or a warrant for such information.
Re: (Score:3)
Sounds like she has good grounds for a lawsuit against her stalker and T-Mobile. Maybe T-Mobile should have put better security in place and required a court order or a warrant for such information.
But requiring warrants just enables criminals! ... and now we have one more example of how not requiring warrants enables criminal activity (which is what I consider police getting access to private information without due process).
Re: Lawsuit (Score:4, Interesting)
I agree that warrants enable criminals.
If judges would stop signing them, the criminals using them wouldn't get a rubberstamp pass on violating citizens' rights.
Re: Lawsuit (Score:1)
Re: (Score:2)
If judges would stop signing them, the criminals using them wouldn't get a rubberstamp pass on violating citizens' rights.
Judges have absolute immunity. Why should they care?
Re: (Score:1)
Enabling Criminals is a problem for the courts. And they're USUALLY pretty good about playing by their own rules and GETTING WARRANTS.
Enabling people who ARE NOT LAW ENFORCEMENT to track your ass down IS JUST FUCKED UP.
Re: (Score:3)
Sounds like she has good grounds for a lawsuit against her stalker and T-Mobile.
That was her thought as well, probably. The stalker might not have very deep pockets though... but T-Mobile does. Hence the "T-Mobile kills kittens" narrative.
Re: (Score:2)
The stalker might not have very deep pockets though... but T-Mobile does.
It sounds to me that she desperately needs money to pay off her debts.
A cousin of mine is a lawyer, and told me that I never need to worry about being sued. He told me that I don't have enough money to interest a lawyer.
They would somehow sue my employer, because they do have enough money to interest a lawyer.
Re: (Score:2)
That was her thought as well, probably. The stalker might not have very deep pockets though... but T-Mobile does. Hence the "T-Mobile kills kittens" narrative.
We are going to keep seeing data theft until this starts happening. It's just business. If it costs almost nothing to have poor security then businesses will have poor security. You have to make it economically advantageous to have good security.
Re: (Score:1)
Maybe T-Mobile should have put better security in place and require a court order or a warrant for such information.
Do you really want to live in a society where people are not allowed to voluntarily cooperate with the police and can only cooperate when compelled to do so? There is a reason that impersonating a police officer is a serious criminal offence. Unless they were incredibly negligent T-Mobile is as much a victim of this criminal as the woman suing them.
Re:Lawsuit (Score:4, Informative)
This isn't people, this is corporations with privacy information. Access to ANY PII data by law enforcement should be required to have a warrant. Requiring a warrant does not 'enable criminals'. Requiring a warrant is not refusing to cooperate. Requiring a warrant is validating that there is sufficient cause for the request, as deemed by both the police and a judge. That is a very important safeguard, and was a process created to prevent abuses, whether by an external bad actor or an internal one. Any officer who takes issue with using warrants is not an officer you want handling an investigation.
Re: (Score:2)
Access to ANY PII data by law enforcement should be required to have a warrant.
This story comes from 2014.
Security requirements change over time, because bad actors don't immediately leap upon every opening. Remember when it was ok to log in as root? Well, distro suppliers decided that doing that wasn't acceptable anymore because bad guys were finding holes that let them in.
Same with cell phone forensics. When it was new, bad guys hadn't yet latched onto it as a tactic, so requirements to get the data were simpler. Times change.
Note also that this has nothing to do with phone tr
Warrant not solution here (Score:3)
Requiring a warrant is validating that there is sufficient cause for the request, as deemed by both the police and a judge. That is a very important safeguard....
Only if the warrant is genuine. If a criminal is willing to impersonate the police then why would they not be willing to fake a warrant? Requiring a warrant does not add any protection in a case where criminals are committing fraud. The only way to solve this would be for T-Mobile to carefully check credentials before releasing information.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The government needs to set up such a site, ...
Which government is "the" government? You're talking about government at all levels from federal down to township and/or tribal. I don't believe that the feds monitor who is a city cop at all. In Oregon, the DPSST (Dept. of Public Safety Something Training) does issue every student they've had an ID number, but I don't know that every cop in the state has one.
The LEO on the phone can punch his private key into a fob attached to his badge
This doesn't exist.
(which is set up with the same certificate as the fob)
You're talking about managing a national database of individual LEO with thousands of entries. Tens of thousands, probably.
A bett
Re: (Score:2)
LMAO.
How about a call back number for his superior or the headquarters to verify his credentials and statement?
Your next statement will be how would they know that call back number is actually police headquarters.
They are the phone company and can look it up in 1 second.
LMAO build a site, hit a keyfob, magic dust.
Re:Lawsuit (Score:4, Insightful)
Re: (Score:2)
Yes, I want to live in a society where companies cannot give my personal data to someone claiming to be law enforcement without presenting the correct paperwork and audit trail of responsibility.
I certainly agree that there should be some reasonable checks before cooperating, commensurate with the degree of cooperation being requested. If there is no checking being done then requiring a warrant offers no protection whatsoever: anyone willing to impersonate the police could also fake a warrant.
Re: (Score:2)
Not the best example (Score:4, Insightful)
Re: (Score:1)
John Edens' punishment is 1 year in prison...probably with early parole. This isn't going to be a real deterrent to the limited extent that deterrents work. Their effectiveness is tied more to the likelihood of getting caught than to the severity of the punishment. My guess is that the odds of getting away with it seem pretty good, so even without your example this is pretty much guaranteed.
Why isn't T-Mobile being charged? (Score:2)
Aren't there legal requirements including a certified copy of the warrant that mobile providers must meet before giving out user data? A call and a website is clearly not sufficient validation for release of the user's information.
So, why isn't the T-Mobile employee (and their supervisor) being charged for not following the law? I just did a quick check on this, it sounds like T-Mobile violated Ms. Johnson's 4th amendment rights by providing this information without a valid warrant (which requires pro
Re: (Score:2)
Where t-mobile is being sued, along with other mobile vendors, is failure to protect that data under various laws and contractual agreements.
https://www.tmonews.com/2019/0... [tmonews.com]
Re: (Score:2)
4th amendment rights apply to placing a limit on the government.
Doesn't this apply just as much to an exclusive licensee of government-owned spectrum using the license to provide common carrier-like service?
Re: (Score:2)
https://constitutioncenter.org... [constitutioncenter.org] may answer it; look at the section starting around footnote 84.
Re: (Score:2)
It's probably less straightforward than you'd think. Though I suspect that you're right.
There was a recent case heard at the Supreme Court about something similar: MANHATTAN COMMUNITY ACCESS CORP. ET AL. v. HALLECK ET AL. [supremecourt.gov]. New York City designated a private nonprofit corporation, petitioner Manhattan Neighborhood Network (MNN), to operate the public access channels on Time Warner’s cable system in Manhattan. MNN suspended two presenters after they produced a film critical about MNN, which MNN aired
Re: (Score:2)
it sounds like T-Mobile violated Ms. Johnson's 4th amendment rights by providing this information without a valid warrant (which requires probable cause to a crime).
T-Mobile isn't the government. Ms. Johnson has no 4th amendment rights when it comes to interactions with T-Mobile.
Also, all of your phone data was ruled a regular "business record" in a 1978 Supreme Court decision, so it is not considered private. Now, back then the phones were landlines and so location data wasn't quite so expansive. But the ruling has not been revisited with modern technology.
Re: (Score:3)
Seems like this would be a violation of the Federal Fair Debts Collections Practices Act.
She might have an easier time getting a lawyer to go after her stalker's employer than she will in getting one to take on T-Mobile.
Why
1. Clear violation of the FDCPA. It has clear monetary penalties and a well recognized enforcement mechanism. Slam dunk, easy money for the lawyer
2. Go after T-Mobile, with a new tort claim, no precedent that T-Mobile has a legal duty that they breached to the victim. This is a reach,
Re: (Score:2)
Aren't there legal requirements including a certified copy of the warrant that mobile providers must meet before giving out user data?
The only requirement is that the warrant exist and the only enforcement mechanism is later in court.
Read the Contract ... (Score:1)
"I was very upset with the phone company, because I was under the impression that you had to get [a] court order in order to get information such as that out,"
Ruth Johnson is clearly misinformed. The contract she signed with T-Mobile clearly states that the information will be provided if the company is called-upon to provide that information. It does not specify exactly what being "called-upon" means. If service of a valid court order to disclose the information was required, then the contract would
“Black Market”? (Score:5, Informative)
I’m not seeing the black market aspect of this story at all, at least going by what’s in the summary.
who is the victim? i am the victim. (Score:1)
Re: (Score:1)
Re: “Black Market”? (Score:2)
That is because you are not thinking criminally. Kids under 21 have been allowed in many states to work at convenience stores that sell beer, so they card their under 21 friends (and other minors who pay them) for the camera so other kids under 21 can buy beer. They could always say they were fooled by fake ID. Here you have a woman supposedly fooled the same way by a man impersonating police, but it was likely a similar deal and she was a paid collaborator, that is how black markets work.
Nothing to see here... (Score:2)
Re:Nothing to see here... (Score:5, Insightful)
Re: (Score:2)
Re:Nothing to see here... (Score:4, Funny)
It's almost like there's a reason that poster included "then verify the warrant with the judge who supposedly issued it."
Re: (Score:2)
Re: (Score:2)
It may have escaped your notice but he'd gone to the trouble of setting up a fake website to cover his fake LEO claims.
This is a major procedural problem inside T-Mobile - and one that in the EU would be rectified by the application of fines of $40 million for a gross GDPR breach.
That's the kind of zing that gets attention instead of being written off as a cost of doing business - (and they can easily be higher - up to 10% of gross turnover)
impersonating a cop is a crime but saying you're a bail b (Score:2)
Impersonating a cop is a crime but saying you're a bail bondsman is not, and the phone systems sold info to bail bonds.
Re: (Score:3)
Fine, but in this example the 'stalker' impersonated a US Marshal. Federal crime.
And did so to aid in debt collection. More federal crimes.
T-Mobile didn't do well in vetting the US Marshal claim, but I have no idea if they would have given the info if they were told the actual nature of the debt collector. I sort of doubt it, but not at all sure of what would have happened.
And no, repo would have been different, they could care where the phone is, they want to know where the car is, and they are fairly goo
Re: (Score:2)
Re: (Score:2)
They don't care -- they'd rather bend over backwards to "cooperate with law-enforcement" than be seen as uncooperative with the "heroes" keeping us saaaaafe. In a sane world, they should have demanded to see a warrant, then looked up the judge issuing it online, and called his/her office to verify if they actually created it.
Never assume malice when... All of those steps you mention would be expensive. Why would they do that unless they are required by law to do it?
Re: (Score:2)
"All of those steps you mention would be expensive. Why would they do that unless they are required by law to do it?"
When the cost of not doing so is even more expensive - that's why Europe has such heavy fines in place for GDPR breaches.
Re: (Score:2)
Sorry impersonating a bail bonds, bounty hunter, private investigator, family member, anyone that you are not is all fraud.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Disagree. He was even more at fault than T-mobile. And he's getting off extremely easy for what he did.
(That's assuming:
1. He's already been convicted and sentenced, and the report was accurate, and
2. There are no other charges pending.)
Re: (Score:2)
Re: (Score:2)
I agree with your point of *should*. Are EULAs legally binding? If so, the one that someone above quoted? seems to allow them to give it away for any reason they feel like. And someone else referenced what they said was a court decision that said that phone information counted as not private.
That said, she *should* be able to sue T-Mobile for enough to buy a legally approved new identity, and median income for life. But I doubt that the laws work that way.
Re: (Score:2)
Black-market data? (Score:2)
Re: (Score:2)
Why would you think a warrant is necessary? The company has no 4th amendment right or obligation to the customer. The user agreement even states they'll roll over for basically an inference, which is pretty much what happened.
Re: (Score:2)
Re: (Score:2)
This.
All of your call and location metadata belongs to the telco. Bill Clinton signed it away in the 1996 Telecommunications Act [wikipedia.org].
One more thing: I listen to the local police undercover operations on a scanner. From what I can tell, they can trace a subject's phone location in real time and probably without having to interface with telco personnel. "He's moving now. Pulling out of the McDonalds parking lot. Heading North. Just made a right turn ..." Etc.
Typical Collections Behavior (Score:3)
However debt collectors in many states get very specific and very special protections from the law. I was once harassed repeatedly at 3am by collectors for a debt that wasn't supposed to be mine (after some time I eventually got the actual debtor to pay the debt, which made the collectors finally leave me alone). When they call they can use a false name - I had at least one identify himself with the name of a deceased professional baseball player - and that is 100% OK by the law. There are no times they are not allowed to call, and they don't need to start with reasonable times. They can call from blocked numbers as well so you don't know who is calling. They can threaten you with actions they are not actually able to do (such as arresting you) and that is OK too. They can even threaten your family and your pets.
It's no surprise that some power-tripping debt collector would do this. These guys make lawyers and used car salesmen look like upstanding citizens.
Re:Typical Collections Behavior (Score:4, Interesting)
It is not 100% OK.
First of all, you claim they contacted you at 3am. That violates the FDCPA [wikipedia.org]. So does the misrepresentation of who they are.
There are several ways to report FDCPA violations, some listed here [thebalance.com].
Re: (Score:3)
What do you suppose the actual number of violations is relative to the number of meaningful enforcement actions?
I've worked with a reasonably ethical collections agency (they only work on behalf of the actual debt holding company that issued the debt) and all the way up the management structure they are compensated on their collections rate.
It only gets worse from there in terms of debt collections companies and compensation strategies, meaning almost everyone has an incentive to do whatever it takes to col
Re: (Score:2)
Or paid a bounty on prosecutions to the complainants.
One of the rules about debt collections in the country I live in is that if the debt collectors act illegally the debt is voided in court AND damages can be payable to the person they're going after.
This doesn't eliminate the problem of illegal activities (usually lack of evidence is the issue) but it does tend to curb it markedly.
Re: (Score:2)
I think it also helps to have a different cultural attitude towards debt. I think in the US debt default at the consumer level is looked at really as a moral failing, and nobody has much sympathy for somebody who likely got themselves in a jam through self-indulgence, a lack of thrift and industriousness.
I'm not saying those things are right, but culturally I think most Americans think about debt that way at least emotionally and are prone to look at debtors as scammers at some level who deserve whatever i
Re: (Score:2)
https://www.ftc.gov/enforcemen... [ftc.gov]
Without the prior consent of the consumer given directly to the debt collector or the express permission of a court of competent jurisdiction, a debt collector may not communicate with a consumer in connection with the collection of any debt --
at any unusual time or place or a time or place known or which should be known to be inconvenient to the consumer. In the absence of knowledge of circumstances to the contrary, a debt collector shall assume that the convenient time for communicating with a consumer is after 8 o'clock antemeridian and before 9 o'clock postmeridian, local time at the consumer's location;
A debt collector may not engage in any conduct the natural consequence of which is to harass, oppress, or abuse any person in connection with the collection of a debt. Without limiting the general application of the foregoing, the following conduct is a violation of this section:
(1) The use or threat of use of violence or other criminal means to harm the physical person, reputation, or property of any person.
A debt collector may not use any false, deceptive, or misleading representation or means in connection with the collection of any debt. Without limiting the general application of the foregoing, the following conduct is a violation of this section:
The false representation or implication that the debt collector is vouched for, bonded by, or affiliated with the United States or any State, including the use of any badge, uniform, or facsimile thereof.
The representation or implication that nonpayment of any debt will result in the arrest or imprisonment of any person or the seizure, garnishment, attachment, or sale of any property or wages of any person unless such action is lawful and the debt collector or creditor intends to take such action.
The threat to take any action that cannot legally be taken or that is not intended to be taken.
The use of any business, company, or organization name other than the true name of the debt collector's business, company, or organization.
Re: (Score:2)
In that state not only are the collections agents allowed to use false names, they are encouraged to do so (so that the actual and alleged debtors cannot harass them). The agents have to register their alias with the state (and are only allowed to use one alias) but there is no accountability on the registry. Indeed the collections offices themselves often
Re: (Score:2)
Re: (Score:3)
Everything you describe is illegal under federal law, which trumps state law. You were a fool to put up with it.
Doesn't reflect well on T-Mobile (Score:5, Insightful)
Customer service should not be handling legal requests, full stop. They lack any means to properly differentiate fake requests from real ones, they should lack the authority to act on them, and it's outside of the scope of their role: LE isn't the customer. Instead, any legal request of any sort should be routed through the legal team; in most organizations they're reachable at legal@domain.com. Legal has (or should have) the knowledge to know what the company's obligation is under the law and what they need to do to properly vet the request for authenticity.
If it's determined the request is fake, actual law enforcement should be notified because in most places, falsely representing yourself as an officer of the law is itself against the law. If it's determined the request is real but the company isn't obligated to comply, they should just say that. And if it's determined that the request is real and the company is obligated to reply, the details of what needs to be done should be forwarded on to the appropriate technical team for action.
In no universe should anyone be able to call a customer service line, claim to be with law enforcement, and be able to get anything other than a redirect to legal. There's a major failure somewhere here that this was even allowed to happen and T-Mobile should be investigating what went wrong and fixing it. From a consumer perspective (I used to buy T-Mobile's service directly, I now buy it indirectly through an MVNO), this reflects very poorly on T-Mobile's competence.
Re: (Score:2)
The correct procedure for this is so obvious that either T-Mobile's policies are outright stupid, they're not properly communicated to employees, or an employee acted with gross indifference to the policy (which would make them liable).
Or the policy has changed over time so that it is NOW "obvious"* how to proceed, but was more lax before.
* any argument that requires "obvious" usually is not.
Customer service should not be handling legal requests, full stop.
Nothing in TFS says that the criminal called "customer service" to get the info.
in most organizations they're reachable at legal@domain.com.
In most organizations there is a phone number to call. When you're looking for a missing subject you don't want to depend on email.
In no universe should anyone be able to call a customer service line, claim to be with law enforcement, and be able to get anything other than a redirect to legal.
You don't know that this didn't happen here.
this reflects very poorly on T-Mobile's competence.
It's a balance between exigent circumstances and bad guys. What would you tell the family of a
GDPR is starting to sound better all the time (Score:2)
Without some of the more insane clauses the EU implemented, of course. The idea that people should be able to control data about them should not be a radical idea.
Just the beginning (Score:2)