In December of 2013, AT&T announced their “Mobile Identity API”. This API would only be available through an enterprise contract with AT&T. Not long after Verizon announced the same form of API. Danal and Payfone have been known to pay for access to these enterprise telco APIs.
So what does it do?
These APIs use your mobile phone’s IP address to look up your phone number, billing information, and sometimes even your phones location. This is achievable through the assistance of telco providers.
The general story for these functionalities is that this will help detect fraud by cross-referencing user provided billing/phone number information.
In order for theses services to be accessed and the information to be gathered about a specific phone/individual the IP address must be the same for the lookup address and the requesting IP address. However such safeguards are not always in place, for example if you purchase contracts from these companies, such safeguards will not be present. An example would be the payfone.com API, which appears to allow customers to look up cell phone information just by saying the user has consented. Obviously it would be easy to falsify that claim. Their APIs also allow batch look-ups.
In 2013 AT&T was providing the DEA and other law enforcement agencies with no-court-warrant-required access to real time cell phone metadata.
So what should we be worried about? US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services. There isn’t a restriction of this information to law enforcement officials, and actually they have been known to sell access to the data afterwards. The lack of security to access this information allows nearly anyone to track and de-anonymize most anyone with a cellphone in the US with little to no oversight.