Some U.S. mobile carriers seem to be providing personal information, such as your name, address and the real-time location of your phone, to mobile authentication companies. Although it is doubtful you willfully agreed to this, you are most likely opted-in, as this is supposedly being done for security — for fraud detection purposes.

The discovery that mobile phone companies provide API access to personal information was made by software engineer Philip Neustrom. He provided two demo links to mobile authentication companies Danal and Payfone as proof.

Had Danal not taken down the link after publication, then visiting https://bit.ly/crazymobiledemo on your phone while Wi-Fi was turned off and then inputting your ZIP code would have shown “your home address, phone number, cell phone contract details, and — depending on what kind of cell phone towers you’re currently connected to — a latitude and longitude describing the current location of your cell phone.”

Payfone’s demo, https://bit.ly/mobilescary, which was also taken down, didn’t even require a ZIP code before returning your personal information that is on file at your mobile carrier.

Before the companies could yank the demos, thousands of people tested them out and then confirmed it worked via Twitter, Hacker News and other sites.

Mobile identity APIs used by AT&T and Verizon

Neustrom explained that AT&T launched its Mobile Identity API in 2013, and Verizon followed suit later. The data is available to companies that pay for enterprise contracts with the mobile carriers.

“These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required),” wrote Neustrom.
“These services are doing this with the assistance of the telco providers.”

Payfone struck a deal with AT&T in December 2013. After publication of Neustrom’s article, Payfone made its API documentation private; an archived version of the previously public API documentation can be found here.

Data provided without user consent

Did you even consent to that? In some cases, it doesn’t seem to matter. For example, when looking at Payfone’s documentation, the example URL request shows "ConsentStatus":"optedIn" — but the description under product certification makes it very plain to understand: “The consent-based services are always optional, meaning you will still receive data back from the Payfone APIs even if consent is not provided.” The API even allows for batch lookups.

Payfone CEO Rodger Desai tried to clarify the process, telling TechCrunch:

“There is a very rigorous framework of security and data privacy consent. The main issue is that with all the legitimate mobile change events fraudsters get in… For example, if you download a mobile banking app today, the bank is not sure if it is you on your new phone or someone acting as you — the fraudster only needs your bank password. PC techniques like certificates and device printing don’t work well — since it is a new phone.”

Danal and AT&T did a joint presentation showing how it works back in 2014, but after this hit the news, the YouTube video was taken down, too.
A live demo during a 2015 AT&T presentation (pdf) provided the link demo.billtomobile.com to show what data can be retrieved, gave a “brief history” of Danal, and suggested possible use cases that range from risk and fraud detection to checkout autofill to “covert visits into sales” and “reduce chargebacks.”

Danal’s legal page states: “The location service is available only on AT&T, T-Mobile, Sprint, Verizon Wireless and US Cellular.”

After claiming mobile phone user privacy is “extremely important,” it adds, “location coordinates for your mobile device are only gathered after the mobile phone user has consented to use of location information. Location coordinates (longitude, latitude, and radius) will be obtained only when we have proper authorization from the user.”

But again, did you actually consent?

At least one Twitter user pointed out that AT&T said to opt out under privacy choices, but Neustrom said he did opt out and it did nothing to stop his data from showing up.

A commenter on Hacker News claimed, “I have Verizon Wireless and have opted out of all of the options on their account privacy page a long time ago (at least a year), but I still show up in these tests.”

As Neustrom pointed out, we learned in 2003 that AT&T was providing the DEA and other law enforcement agencies with access to real-time phone metadata — no warrant required.

But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services — not just federal law enforcement officials — who are then selling access to that data.

Given the trivial “consent” step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight.