 Hey. So yeah. I'm Joseph Cox, a journalist. I'll elaborate on my affiliations in a bit. But I'm going to be talking about how you can buy 18T, T-Mobile Sprint, and in some cases Verizon data, um, on the black market. So one day I just wake up and I get this rather ominous message. And I've kind of put it verbatim so there are some typos and stuff but there is a new bail bond database company that is geo-tracking people. People are reselling to the wrong people, call me, and obviously I've redacted the sources, um, phone number because they're anonymous source. Um, we hear about government surveillance, geolocation tracking, all that sort of stuff all the time. Here, this is a private company selling a similar capability to private individuals, a particular focus of mine. And of course reselling to the wrong people, I want to know what this is. This source says they're in or around the bounty hunting industry and they're clearly quite familiar with how this technology works. So we start talking. They only really want to discuss it on the phone. They say many people's rights are being violated. As we strike up a conversation, he's using terms like phone ping, which some of you may know is sort of law enforcement or industry parlance for geolocating a phone. Um, source even offers, if you give me a phone number, uh, he will be able to locate it. That is a pretty wild claim. Uh, and I was obviously very skeptical at first, but hell, why not? Um, so I get a US phone number of someone that I know would give consent to be tracked, uh, with their permission, obviously. Uh, but then they say, if you're paying the 300 dollars, now this is the price that a phone ping was going on the black market at the time. We'll go into, uh, other prices a little bit later. Uh, and I say, yeah, I give the phone number, again, I've redacted that. Uh, and when do you think it'll be doable? Uh, just before I kind of, uh, carry on on that, we don't normally pay sources for information because if you start paying someone, they're going to give you stuff kind of irrespective of whether it's true or not, irrespective of its, uh, veracity. So you don't want to do that as a journalist. You only want to do stuff that's in the public interest, but here we want to see, explore or prove whether this is even possible. You know, I mean, we could talk to three, four, five people who says yes, but we want to actually see it and we want to actually geolocate a phone because if I can do that, and I'm not a bounty hunter, I'm not a cop, uh, I'm a journalist, that shouldn't be possible, theoretically, so that's why we took that extra step. Uh, and he says, yeah, I'll, I'll figure it out and get back to you. Shortly after, I get sent a Google Maps, uh, interface. This isn't the exact phone ping, uh, I'm going to show you genuine, real phone locations, uh, from bounty hunting, bounty hunter services later. This is, um, similar to the one we got. Uh, it geolocated to Queens, New York, uh, to where the person was who agreed to be tracked. Uh, and as you can see, it's something like five, six blocks, um, diameter. Uh, but it was pretty accurate. So that's the main story we're going to focus on and it'll, it'll develop from there, but just to elaborate a bit, I'm a journalist from Motherboard, which is like the technology and science section advice. I cover the dish underground, cyber security, hacking, uh, and this kind of, um, you know, brings all of those together. And right up top, if you have more information about location data, that's my signal number and I will pull it, uh, at the end as well. So just a layout, sort of what I'm going to be talking about. Obviously first, it's going to be how my source actually managed to get that data and how we managed to track a phone, um, to Queens, New York. The supply chain of that location data is not as simple as me just going to T-Mobile, buying the data and then getting it there. There are various organizations, companies in sort of a trickle down effect, um, of how this industry actually works. And then I'm going to show that this, it, it wasn't just a one off for us. Like, we didn't get lucky and like, oh, this is one instance of abuse. It is, uh, an endemic problem. Uh, and leaked documents that we got from one company specifically marketing, uh, to bounty hunters, Geolite Co. phones kind of shows the like wider breadth of this, um, issue. But then there's like a short part at the end which shows how you can still do it today with a different method, including for Verizon data, um, as well. And it is worryingly simple to actually get hold of that data. So what actually is the information that's being sold? I mean, as the vast majority of you will know, your cell phones are constantly phoning home, uh, to cell phone towers nearby. So T-Mobile or whoever can say, hey, this is where to root the text messages or where to root, um, the phone calls and the byproduct of that is course the general physical location, depending on, you know, how close you are to the cell towers and that sort of thing. And the one we got, it was a few blocks. Um, in these ones, these are real phone pings from bounty hunter services. The one on the left is quite broad, like that's not super helpful. The one on the right is, I mean, that's more than five or six blocks, right? That is a section of a city. Uh, but if you're a bounty hunter or if you're trying to stalk someone, uh, or anything really, that can still be useful information. So it really, really does vary the quality of the data. But it is not just cell phone tower data. There's also assist GPS or AGPS data. Of course this runs from the GPS chip in your phone. And it's typically reserved for, um, emergency responders or 911 where they need to locate you, uh, for whatever reason, if there's an incident. This is much more precise. It's not really blocks. It's more double digit figures. You know, under 20 meters sometimes. Uh, and sometimes it can show where someone is inside a building. Again, this is a real phone ping. It doesn't show where they are in the building. They could be in the backyard or in the living room or whatever. But they're clearly in that building. And, um, I did blur the outer edge of it because I'm actually not sure if this is a fugitive or if it's someone who's the victim of stalking or abuse. Uh, and that's actually sort of an issue of reporting this because you can't always tell unless you manage to actually talk to, um, a victim, which is, uh, difficult. So how the hell did, um, the person actually managed to locate that phone in Queens, New York, which is of course the first question I, I kind of wanted to answer. I'm gonna give like a skeleton or a template of how it works in general, but then drill down to the, um, specifics. So obviously it starts with the carriers, AT&T, T-Mobile, whoever, who they have this data anyway. They give it to law enforcement if they need it or if they do an overbroad warrant or whatever. Um, but one day the carriers decided we can also sell this data, uh, for various purposes. They then, rather than just selling it straight to people, uh, which would be logistically difficult. There would be a lot of infrastructure involved. They'd have to, you know, set up their own customer support or whatever. They sell, um, access to that data to location aggregators. And I should just say it's not like there's a sequel dump that's being sold from T-Mobile to location aggregators than someone else. It's more like they're selling the capability to look up that data via an API or whatever it may be. Um, and then when you want the data, you'll look it up. It's not like, um, a single dump of information. But the location aggregators, yeah, they act as this bottleneck and there's, they were free. I think there's two now and they purely focus on location data. So they may say we want to prevent fraud with banks. Uh, we'll, we'll be able to check that, hey, if this person is logging in from, I don't know, the Philippines or something, but their phone is actually in the UK. There's some sort of weird discrepancy there and maybe we could block the transaction and there's lots of use, uh, uses for location data. But what they do is the bottleneck then kind of expands out like an hourglass and that data access is sold to data brokers. Now these guys don't focus just on location data. They may do address lookups, maybe phone subscriber information. So you give it a phone, maybe you'll get the IMEI and, you know, the name and address of the person who's using it, uh, sometimes license plate information and they will cater to all sorts of, um, industries, uh, whoever it may be. And then you have the end user clients who are actually, okay, I'm going to do this lookup and now I'm going to find a location of a, um, a T-Mobile phone. And this is where a bounty hunter is going to be or, uh, a property salesman or a used car salesman who also have had access to, um, this sort of data. So the phone we tracked, uh, it just happened to be on the T-Mobile network. When I was talking to my source, uh, they said that you can basically do any phone except Verizon. So, yeah, we found a T-Mobile device and sent that number over. And then the way we figured this out was obviously that source was very knowledgeable about the, uh, industry. I ended up speaking to the location aggregators, to other people who have used the company, other people who have used similar tools. And there's even, you know, PDFs online. They're just sitting out there. This story has kind of been out there in the open. Um, but it kind of required the source proving it could happen to kind of bring it all together. T-Mobile sold the access to Zoomigu, which is one of the two location aggregators. Uh, they're the one that primarily focuses on, you know, we want to prevent fraud and that sort of thing. But to give an idea of the sort of companies that we're dealing with, this is a presentation that the F, uh, sorry, that Zoomigu gave to the FCC, the Federal Communications Commission a few years ago. This PDF was just online on the FCC website. And you'll see the top. It says, with their lobbying to remove the consent requirement of stating that information is being released by the carrier. When phone carriers sell this information, they do it under the prerequisite that whoever is using it is going to seek consent. So you'll push a text message, you'll push a phone call saying, hi, you are about to be tracked by, I don't know, uh, AA, roadside assistance, something like that. Is that okay? Uh, you ex- hopefully explicitly opt in. Uh, and then they can get your location. Here Zoomigu is trying to get rid of that, so you'd have to opt out of, um, having your location tracked at any time by any of the companies in the supply chain. They weren't successful in that, but it does give you an indication of what sort of companies, um, we're dealing with here. Then under that, there's a data, uh, data broker called micro-built. Um, and again, as I mentioned, the data brokers don't just sell location data. These were doing address lookups. They weren't doing license plate. Uh, I seem to remember, but all sorts of other, um, useful information you might want if you're tracking someone. Um, so after the source told me about micro-built, I look around, I go on their website, I find this nice little PDF about a project called Mobile Device Verify. Um, which sounds more innocuous than it actually is because then when you drill down, it's like the geolocation lat long coordinates of the phone, the estimated location accuracy, the proximity of the location, um, to another one. That would be comparing it to an address, something like that. Um, and then I did something else that we don't normally do, as well as paying the source to locate the phone. I also made, to be honest, a rary crap undercover identity, uh, pretending to be a bounty hunter, just made a new email address and contacted micro-built saying, hi, I'm interested in your mobile tracking product. And I explicitly said I am a bail bondsman and I want it for this purpose. They handily reply with a nice little price list. And here you can see there's the location verification, which just be, you pay $4.95, uh, if you're looking between one and two fifty phones. I think that's per lookup, uh, but I'd have to double check. But then underneath, there's the monitoring per device service. So micro-built doesn't just do individual pings, but you could pay to track a phone hourly, uh, daily, weekly, um, and potentially more granular than that if you just pay a little bit more money. Uh, I can't think of many legitimate uses of a private company selling to private individuals a constant monitoring service. The individual ping is almost defensible. I don't quite see, uh, the legitimate use case for a monitoring per device. And as you say, it's like $12.95 there. So it's exceedingly cheap to buy this data from these, um, from these companies. And it's not just bounty hunters. So as I said, micro-built caters to all these different industries, but specifically with the mobile tracking product, they're doing motor vehicle sales, which will be used car salesman, car dealerships, that sort of thing. Um, maybe if they're doing a background check on someone who's buying a very expensive car, or I think, uh, definitely use cases, if someone is behind on their payments and maybe you need to repossess the vehicle, well we'll track their phone and then we'll find out where they are and then we will get a repo man to go get the, um, the car from them. Uh, and then they're also doing for property managers. Uh, you know, just people landlords who are renting out, um, their buildings. Um, I'm not entirely sure on how that data is actually used by them, but micro-built were explicitly advertising to that market and it was explicitly the phone tracking product as well as the other ones as well. And then you get to the bottom of the chain, um, and allegedly the end user was bail integrity solutions. I say allegedly because I don't know. They weren't my source. It's only after our reporting, micro-built did an internal investigation and they found that the, the phone lookup was allegedly from bail integrity solutions. There's an ongoing lawsuit there, you can go look at the public court documents and that's who they name, um, as the sort of bail bondsman or bounty hunter firm that was, um, getting access to this data. Now, I'm not in that supply chain and either is my source, obviously. So this is where sort of the legitimate trade, quote unquote legitimate trade ends and the black market begins. Um, bail integrity solutions then gave that phone ping, the Google Maps interface to my source who gave it to me. Or another way to pull it is that I, motherboard, gave the phone number to my source, who gave the phone number to bail integrity solutions, who then triggered a lookup via the micro-built API, which goes up through Zumigu, two to two T-Mobile, grabs the current location, brings it back down and then it gets, um, sent to me. Uh, and just the stress, uh, obviously I said this higher up, but I should not have been able to get this data. As sketchy as bounty hunters getting it, it's even worse if I, a completely unauthorized party was able to buy and obtain and use this data, uh, on the black market. So that was the one case, um, but as I said is not an isolated incident. So there's a website online, SurcareOne, uh, dot com, I think. You can go look it up now, it is still there. When you visit, it looks like a normal placeholder. Thank you for visiting our site, it's under construction. Okay, there's, there's nothing really to look at here. But you go to a specific section of the site and there's a login portal. Um, that red bit is just my IP address, um, that I, uh, redacted for, for just making these screenshots. Uh, and email address part where you log in. You'll, you'll notice that there's no registration option. I'm not exactly sure how people join this website. Invite only, uh, maybe apply some other way. Um, but you can't just go and sign up for the site, which is because this is a secret website and secret company only for serving bounty hunters. Um, we haven't published these before and I appreciate they are heavily redacted. Uh, but I did of course want to show you some stuff, uh, that we haven't been able to publish before. So, my source as well as, uh, looking up the phone provided me with a cache of documents, various files from inside SurcareOne. From what we can determine, these screenshots were taken with an administrator account of SurcareOne. So you log in with an admin account and you can see a list of all of the users, uh, who are on this website. In all, it was around 250 bounty hunter companies which had their own accounts on this website. So that's 250 bail integrity solutions who may be looking up for their own purposes for professional reasons. Maybe their staff fancy looking up their girlfriend's location, which I have, um, been told happens in this industry. And there's also 250 people who may resell that access to people who aren't supposed to have it, like me. Um, and then it is just like a normal functioning, pretty basic website. You have numbers that you would click, they would show obviously the phone numbers someone's looked up. Um, the activity which I think actually may show the phone pings, I'm not entirely sure on that one. And then the billing, you just top up your account with maybe a thousand dollars and then we can start pinging some phones. It's really, really that simple. So you go and you click on the numbers and, um, including the data was obviously a list of the phone numbers that people have been geolocating. Uh, on the left, those are the numbers. I had to redact them slightly. Then you have the date and the time of the lookup. To the right of that, you have the IP addresses, which will become a bit more important later. Uh, whether it was found or not. And the sort of data that was obtained right at the end. The cell phone tower data or the AGPS data that I mentioned up top. I mean, as you can see again, it does vary wildly. The top one, um, a diameter of 582 meters right down at the bottom to like three and a half kilometers. So it's not super reliable, but if you are a bounty hunter just trying to find if someone's in, I don't know, Minnesota or then a particular city or even like a district of a city, this is still gonna be, um, pretty helpful. And then you can see the AGPS stuff right down to, as I said, double digit, uh, proximity or accuracy. Just 13 meters, uh, you might be able to find someone. So I mentioned that this was a secret website. Um, of course, I'm not talking about any sort of official classification. I just mean that in the terms of conditions of the site that I also got a copy of, um, it says that if you were using the service, you would never reveal the website or the company's existence to anyone. Um, obviously someone broke that those terms of use. Uh, thank you for doing that. But it just goes to show you what pains they went to really, really keep this under wraps as well as the hidden login portal, uh, and the lack of registration and the fact that it's having people to keep it, uh, quiet. So I mentioned the IP addresses and they tell you, when you sign up, give us SirK1, two IPs that we can whitelist. That way, you know, we'll minimize abuse and we'll be able to, you know, keep on top of privacy, uh, and all that sort of thing. And they also tell you to be careful if you use name and password because obviously this is very sensitive data. You go through the information, again the phone numbers, the dates and the IPs, there's more than two IPs there. Six four dot, seven one dot, one three one, eight seven. Um, clearly the two IP rule is not really enforced at SirK1. Uh, leading one of my sources, um, to stipulate and then some supporting evidence as well that this particular administrator of SirK1 was potentially reselling their access to the system on the black market to other people who would want it. Obviously we saw IPs from the US, as you probably would expect, where there were connections from Israel, uh, for Lithuania, various other places. Now obviously some of those could be VPNs, VPSs, whatever, but it still goes to show the sort of lack, the lack of security measures, uh, on this website and just indicative of the sort of secondary market that is going on underneath this. And I didn't mention this earlier when I introduced the website, but when you use SirK1, no text message, there is no phone call, there is no warning to the target device, uh, being pushed. So the target has no idea, um, they're being tracked at all. Uh, and that was according to two sources familiar, um, would have the system worked and who had used it. And then some of it is just a normal, you know, payment website. People are signing up with their personal Gmail addresses. This isn't, you know, at legit, bailbonds.com, it's just some bloke's personal Gmail. Uh, and you can top it up with, um, a couple of grand of credit and you can go and locate some phones as well. So we have, we've never shown this before. This is, uh, a nearly full screenshot of the SirK1, um, system in action. This is what you will see when you will log in, you will look up a phone number and then this is what it will present you. Um, so obviously there, there would be the phone number, the address of what the ping is, the lat long, uh, the type of data, in this case, a GPS, the time, and then the very nice paper ping balance at the bottom for 206, uh, 226 dollars left. Um, the name at the top, Dan Grebel, uh, I believe, he was this administrator of the, um, of the site, uh, of free admins who ran SirK1. He runs a sort of, um, they, they sell telephone services to businesses and that sort of thing. And it appears that he was one of the accounts of may have been reselling access because there are all of these different IPs connecting through his, um, account. Uh, he hasn't responded to requests for comment, but if he wants to chat, I'm happy to. This, and, and, and this particular ping has, um, a story behind it. So in May 2017, two bounty hunters are trying to track a fugitive from Minnesota. They track him somehow to this Nissan dealership just off a highway in Texas. The bounty hunters go in, they lie to the dealership and say, hi, we're, um, U.S. law enforcement. We're trying to apprehend someone dangerous. Can we wait here for the guy to turn up? The dealership not wanting to, you know, interfere with a parent law enforcement investigation, says yes, sure. Uh, the fugitive comes back. They confront him, weapons drawn. Uh, all three men are armed. There's a brief scuffle. Uh, the fugitive's gun falls out of his belt onto a desk, goes to grab it, and then in about six seconds, 20 shots of fire from all three guns at each other. Uh, and all three men die very soon after that. Um, a family, uh, of young children, uh, with young children run away, people scream. You can go watch the, uh, the footage on YouTube. Um, but then, very strangely, just shortly after, um, those killings and the deaths, someone starts using Surcare One to look up the location of their bounty hunter's phones, and that's what this ping is. I don't think it's a coincidence that two bounty hunters are out on a job, and someone starts tracking their phones. And then just before this look up, the same account according to the data is used to look up the location of a phone from Minnesota, which is where the fugitive was on the run from. We couldn't determine, you know, using various tools like people.com or various OSINT tools, we couldn't determine who that phone belonged to, because it looked like it didn't really have any registration information. It seemed to be a relatively new phone, and you can maybe infer from that what you will, but we only publish what we can know, right? So we, we say we, we weren't able to identify that, apart from it being a Minnesota phone, and it was before, um, the shooting. Very shortly before, multiple pings, um, before that. And it was also located after the shootings as well, so that we can't really explain. Um, and even if this is not a case of, um, oh, we're looking up the location necessarily of the fugitive, it is still indicative of the sort of people who are connected to this market of phone location data. That it's two bounty hunters who went in, they didn't take the body armour that was allegedly in their vehicle. They lied about being a US law enforcement. They then go on a shootout and endangered a family of young children. They died and they killed someone as well. Um, it just shows the sort of people that are connected to this, um, this industry. So we had microbuilt, which was the one I bought the ping from, and then a while before we had the Surcare One example I just gave. Uh, and then just before that, and kind of also overlapping of Surcare One, we had a service called locateyourcell.com. That's still online. You can go look it up. And it appears this is one of the earliest examples of, um, private individuals selling the capability to look up, um, phones. So this isn't marketed to bounty hunters or roadside assistance. It's marketed to people who lost their cell phone and they want to find it. Or it's marketed to people who maybe their kid went to the park and they haven't come back and they want to check they're okay. Or maybe they're senior relative with dementia who's a bit confused and they didn't come home or something like that. Um, the owner of this website who, when you actually look into someone who is history and various other connectors is also, uh, linked to Surcare One, uh, a guy called, um, Frank Robito. He is quoted in like some obscure local media report from years and years ago boasting about how he used his company to help a woman find her phone that she left in a supermarket car park. Which is clearly not a, uh, law enforcement use or really a legitimate use of, um, data or capability that is, um, this powerful. The, the system isn't online right now but as I said you can go to the website and you can, I think you can even create an account so I believe I tried to, um, but you can't actually use the look up at the moment because Surcare One, um, was shut down. It's not exactly clear how and it appears this shared the same access or at least similar access. Um, so this is no longer in operation either just at the moment. So you may be wondering where Verizon is in all of this. The micro built example where we pinged a phone as I mentioned it was only AT&T, Sprint and T-Mobile. Um, and then from, from what I understand, Verizon has taken a much stronger stance against this in the other telcos. Um, one bounty hunter told me, sorry, one bounty hunter and one other source told me that Verizon has enforced it so that consent text or that consent call that's supposed to be pushed when you locate a phone, they're now enforcing that at the carrier level. So they're not delegating that responsibility to the location aggregators or the data brokers or the end users. They're like, we'll handle it, we will push the text out when you make an API request and then we will only release it, um, when we get the confirmation of consent which of course is a good thing. But I want to stress something that is kind of being lost in our coverage. Verizon is not innocent in this at all. Um, last year, uh, Senator Ron Wyden's office and the New York Times did a sort of, uh, co-investigation or two, uh, parallel investigations I'm not entirely sure. But it was showing how all of the major carriers were selling the real time location data access to a company called Securus, which would give it to low level law enforcement like prison guards and officials without a warrant. They would log into a Securus portal, upload a pdf of some sort of document that kind of looked legit and then they would just let them, um, do the request and pull the data. Um, they could do that without a warrant, they could do that without a penis, they could do without any sort of court order. Um, and Ron Wyden described it as sort of a pinky promise of ensuring this data is actually being requested properly. So there's that Securus case as well. But then we also found one earlier before that. And this is kind of in between Secur, at SurCare One and Securus, they all have these really similar names. In between that. Um, and as you can see right there, there's a Verizon. Instantly look up the phone, uh, location of basically any phone in the United States. Uh, again, it's cell phone tower triangulation and GPS data if available. You get a nice little Google Maps interface and it's only seven panel, uh, seven dollars fifty, um, a look up. And if it doesn't work, you don't have to pay. It's all good. So this was explicitly marketing to bounty hunters as well. And I actually published this last year, uh, shortly after the Ron Wyden one. And nobody, uh, it didn't, nobody really paid attention to it. I mean, I was glad we got it out because I'd never heard about this before. But it didn't, uh, it didn't get much attention. But this is the story that actually triggered the main phone pinging source at the top of the talk to come forward and say, hey, there's a company that's still doing this. And this isn't just a U.S. problem. Uh, I know a lot of, uh, my articles especially and other people may, may be talked to well are quite U.S. focused. But this is, I mean, it's not global, but it is in other countries. So this is a screenshot from a map that someone sent me, uh, from a company called, I think it's TeleSign. Uh, I may have, or TeleSigns. But they provide, you know, two F.A. solutions. So if you want to implement some sort of turnkey solution for, I need to have SMS to a family website, these guys will help you as far as I know. Uh, they have like Salesforce, um, as clients, that sort of thing. And then you go on their website, you look up their capabilities and their coverage. And then about halfway down there, phone ID, current location plus, which isn't exactly subtle in what it does. Obviously it provides the current location of the phone. Um, and in blue are the places where they have services available. United States, Canada, India, uh, and then coming soon the Philippines. So when a source sent me this, of course, I contacted TeleSign, like, so where'd you get this data? That's, that's pretty interesting. Uh, they immediately took the map offline and replied, we don't sell that data. I don't know why you have a, a map online advertising this data. If you don't sell it, we don't have any clients. But, um, that's allegedly, uh, what they say. Um, so after we did the phone pinging story where we do locate of the phone, um, AT&T, Mobile and Sprint, um, said they were going to stop the sale of location data to all third parties. Um, and as far as we know, that went into effect for all of them in May, uh, as I said Verizon had already done it, but now all the major telcos are not selling, uh, that particular, uh, supply chain of location data, um, to anyone. Uh, it seems. But obviously that is not the end. As I said, there is another section, um, on how this data, uh, can still be obtained, uh, today. So let's say you're an attacker and you want to get hold of some real time location data from a telco. All you really need to do is pose as law enforcement, you phone up the carrier, you send them an email and you get the location data. Obviously this is a massive oversimplification. So, uh, to give a more concrete, um, example, there was an, uh, a case a few years ago, a guy called John Edens. He is a, a debt collector. When someone's behind their payments on their cars, he's tasked by an insurance company or a dealership or whatever. So, can you please go find a person so we can repossess this vehicle? Um, he has a history of domestic violence and stalking, uh, beating his wife, various other, um, charges and prosecutions. He had a habit of posing as, um, U.S. marshals. Um, he would make some spoof email addresses. I think he would spoof phone numbers as well and he would contact in particular T-Mobile. Um, and then with that, T-Mobile would handily, uh, reply with the location data of a number of his choosing. Um, he didn't have to provide, you know, a warrant or anything like that. And obviously he can't because he's not actually law enforcement, but he would provide fake exigent circumstances requests. And this is where, um, law enforcement think there is, you know, there's a threat of life and it's too urgent to go through the normal process of going to a magistrate judge getting a warrant, getting that back and then we get the data. It's like a child has been kidnapped. We need this, um, this data immediately because it's, you know, imminent risk of harm. The FBI have used this, um, in various other ways, uh, in a slight different way to do, you know, deploy malware against, um, child abusers and that sort of thing. So he would contact T-Mobile pretending to be US marshals. He would do it on certain days or certain times of the day. Um, so particular people were working. He would build a rapport with them, you know, normal social engineering wouldn't contact them when it would be, um, you know, maybe there's someone who's quite strict and they're not going to give out the data. He would try to avoid them. Um, but he would get through to the right person. And as you see they would eventually, eventually reply with the, the lat, the long, uh, and the handy Google maps interface. So this is a, I mean, this is a screenshot from one of the documents in his court case. He was caught. He was prosecuted. Um, I think he's out now. Um, the DOJ redacted the phone number, but they didn't redact the GPS coordinates. So I've done that because I think that's quite wild to put a victim of abuses GPS coordinates in the court document, but there you go. Um, you can see there that the date is 2014. So that's obviously a long time ago, but someone else was indicted either two or three months ago for doing the same to Verizon, to doing it to AT&T and T-Mobile. Um, I think and potentially Sprint as well, but basically a selection of the large telcos, including Verizon as far as I know. Um, and people are doing this approach now today and they, they may do it for their own purpose. They may do it like John Edens did where I need to find this person. I need to track where their car is and repossess it. Sure, whatever. But there are people who will do this as a service and then they will sell that data, um, on the black market. And these are text messages, uh, between two people doing just that. So, um, on the left-hand side is the person selling the phone pings. On the right-hand side is the, um, debt collector, the skip tracer saying, hey, here's the phone number, could you look it up? And I think this is on Telegram and you can just see how casual it is. It's, hey, here's the phone numbers for right now. Here's another phone number. They reply with the lat long, um, and the diameter of the look up and then thank you, smiley face. Um, they may do another one, but the powers, the, allegedly the phones turned off so maybe they don't get a reading. Um, and then you also see on the second screenshot, on the right-hand side, on the, you know, the second message down, it says for 11 p.m. PST. Obviously, if you're a bounty hunter, you don't necessarily want to have a look up, um, straight away. If someone's in bed, say at 5 a.m., that's gonna be a pretty good time to get their real-time location data or because then, of course, you can go maybe kick down their door or apprehend them when they're, um, least suspecting it. From what I understand, this person was selling legitimate, real, genuine phone pings through that scamming system I outlined, reselling them. But then when they, um, they lost their capability somehow, I don't know if the telcos caught on or maybe there was a new staff member at the telcos, something like that, um, they wouldn't able, they weren't able to, um, do that any longer. So they started scamming, um, people and saying that they would take numbers, they would allegedly do, allegedly do look-ups and then just send some coordinates and still take only $300, $500. And this has caused, um, a lot of issues in the bounty hunting industry with people scamming each other. And after our coverage where the telcos stopped selling it, um, we've seen a spike of scams where, um, people will do, you know, quite good looking. Here's an order form, a PDF with IT consultants and we will do a look-up for you, um, in India, in the US as well. Um, but they are scammers. It's similar to how, you know, there's almost the unicorn of criminal for a service, SS7 access, which does happen. But when someone says or someone reports, here's a torh in service, you give them 500 bucks and you get SS7 look-up, it's probably going to be a fake, right? And that seems to be the case here, but among the fakes that are people who are still genuinely doing this, um, and if you have the right contact, you could do whatever you want with that data. You, you can stalk someone, you can trace your boyfriend, your girlfriend, whoever, the person, uh, one of the clients for Securus was doing it to look up the position of a judge. Uh, I know people who have, uh, allegedly done it to their ex-wives, uh, and again, John Eden's had a history of domestic violence and when he would track someone, he would turn up at that house, uh, be very violent, be very intimidating and just the risk of abuse here is, um, so great. So that's everything, uh, I wanted to present. Again, if you know anything about location data, who's buying it, who's selling it, um, any sort of capability there, uh, of course it's not just phone carriers, it's apps as well. If anyone can buy that data, that's my signal, my Wicca, my Jabba, my email, and, um, I think actually rushed through that. So if anyone has any questions, I'm happy to ask. If not, uh, if you don't want to talk to an investigative journalist in front of a crowd of, uh, a load of hackers, uh, you can send me a signal message and we can meet later and thank you so much, I appreciate it.