The Colorado Public Safety Task Force contacted T-Mobile with an urgent situation: A man was suicidal and they needed real-time updates of his mobile phone location to save his life. T-Mobile handed over GPS data for the phone, and the task force reported it found the man in a field outside of an apartment complex. Verizon and Sprint received similar requests about different customers from the Task Force, which appeared to have spent months trying to prevent suicides all over the state.
There were a couple of problems with this scenario, though.
The task force, court papers allege, was an invention of a Longmont bail bondsman named Matthew Marre. And the people he was asking about weren’t suicidal; they were bail jumpers he wanted to catch.
Over and over again, prosecutors say, Marre used the suicide hoax to con some of the largest mobile providers into providing information about its customers to a stranger.
Ultimately, the Colorado Public Safety Task Force was shut down by a real one—law enforcement agents from the FBI’s Rocky Mountain Safe Streets Task Force. But the case highlights a growing problem in the digital era—the security of the large amounts of sensitive customer information held by mobile providers.
The Marre case suggests that in a handful of instances, all that stood between customers’ personal data and a bad actor was a plausible cop impersonation.
Sen. Ron Wyden (D-OR) has criticized the wireless industry over previous failures to protect customers’ location data. In a statement to The Daily Beast, Wyden said “If true, these allegations would mark a new low in the ongoing scandal of wireless carriers sharing Americans’ location data without our knowledge or consent.”
Under federal law, it is illegal makes it illegal to provide fraudulent statements or documents to telecommunications providers in order to get customers’ private data.
A grand jury charged Marre in April with eight counts of fraud for allegedly obtaining confidential phone records information. An alleged accomplice, Ryan Medhurst, was charged with one count in a superseding indictment filed in early August.
Marre pleaded not guilty; Medhurst has not yet been arraigned. Neither Marre nor Medhurst’s attorneys responded to requests for comment from The Daily Beast.
Search warrants filed in the case allege that Marre was able to obtain location data on customers at least five times from Verizon employees between June and November of 2018. In total, police said they believed Marre was able to illegally obtain phone data from Verizon, Sprint, and T-mobile at least 16 times since the beginning of 2018.
The warrant alleges that Marre called up Verizon’s law enforcement help center and represented himself alternately as an investigator for the Colorado Department of Public Safety and the Colorado Task Force. Investigators claim that he falsely told employees at Verizon’s help center that his request involved “exigent circumstances by claiming the targets of the requests were suicidal.”
Under federal law, mobile providers are allowed to disclose certain customer information to government agencies if the agency “believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay.”
It’s not hard to see why mobile company employees may have thought Marre worked for law enforcement. In some cases, according to court papers, he faxed forms to mobile providers with a six-pointed star badge and the title “Colorado Public Safety Fugitive Recovery Agent” on the cover letter.
Marre also registered a website and used an associated email account to communicate with mobile service providers. The URL, COTF.us, bears a strong similarity to the fictitious “Colorado Task Force” name Marre allegedly used to convince mobile companies that he was a law enforcement officer.
When The Daily Beast called a phone number listed in a search warrant as one used by Marre to contact mobile companies, the voicemail message welcomed callers to “Colorado Public Safety” and offered a directory of options including “non emergency dispatch,” administration, records, and a general mailbox.
The alleged ruse collapsed thanks to the suspicions of a Verizon employee referred to in a warrant as “JF,” who started to have doubts about Marre after his fifth attempt to obtain location data from the company. When the employee called a contact number Marre had allegedly left, an unknown person answered the phone and told the employee that they hadn’t reached a law enforcement agency.
At that point, Verizon reached out to the FBI and informed them that they believed the company had been the victim of wire fraud, kicking off an investigation that led to the federal charges against Marre.
When Marre was arrested, an Aurora police officer found screenshots on his phone that “appeared to show Marre attempting to get exigent data from the Facebook social media company,” according to a separate warrant obtained by law enforcement. Facebook could identify no such requests from Marre.
The warrant claimed that Marre identified himself in that instance as a “lieutenant” with the Longmont Emergency Unit, a non-governmental non-profit organization, which describes itself as an “all-volunteer technical search and rescue team serving Boulder County and the surrounding communities.” The organization did not respond to questions from The Daily Beast in time for publication and it’s unclear what, if any, association Marre had but a 2017 news article identified Marre as an “LEU lieutenant.”
At no point during the course of the alleged data requests did Marre work for law enforcement. As a previously convicted felon, he couldn’t. In 2011, Marre pleaded guilty to stealing over $100,000 worth of optical equipment and grips from the 19th Special Forces Group while he worked as a civilian parachute rigger for the Colorado Army National Guard. A federal court sentenced Marre to five years of probation for the offense.
Marre’s case is part of a broader pattern of growing interest by law enforcement and the bail bond industry in location data held by mobile service providers.
Verizon and other large mobile companies recently said that they would stop selling customer location data to third-party vendors after a New York Times report on how low-level law enforcement had broad, often warrantless access to data for millions of phones.
In June, Vice’s Motherboard found that the bail bond industry used location-finding services similar to those offered by companies in the Times story. Vice has also documented similar cases in which stalkers and bounty hunters obtained location data from mobile carriers by pretending to be law enforcement officials responding to emergencies.
In a March 2019 letter to mobile providers, Wyden criticized the telecom industry for its “atrocious track record protecting location data” and expressed skepticism about promises to improve the security and privacy. “Given their track record,” Wyden said in a recent speech at the DEFCON cyber security conference, “I am not giving them any benefit of the doubt, and neither should you.”
“The big wireless companies have shown over and over and over again that they couldn’t care less about protecting us.”
— Sen. Ron Wyden
In a statement to The Daily Beast about the Marre case, Wyden said “it is outrageous that six months after carriers claimed they would clean up sharing of location data, these massive corporations apparently were hoodwinked by a pair of bounty hunters into sharing incredibly sensitive real-time location information.”
“Despite repeatedly promising to protect their customers’ privacy, the big wireless companies have shown over and over and over again that they couldn’t care less about protecting us,” Wyden added.
Verizon, T-Mobile, and Sprint did not respond to requests for comment.
As for Marre, after his arrest, a detention report was filed with the court that included a statement from his probation officer saying she “feared that [Marre] was following her and spotted vehicles outside of her home with equipment similar to equipment she saw on vehicles maintained by” him.
Law enforcement was ultimately able to confirm many of the details of Marre’s alleged con by using a tried-and-true technique with a touch of irony: They legally tracked Marre’s cell phone data and cross-referenced it with the calls to the mobile providers.