Throwaway account.<p>I work in location / mapping / geo. Some of us have been waiting for this to blow (which it hasn't yet). The public has zero idea how much personal location data is available.<p>It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.<p>This is then usually (but not always) "anonymized" by cutting it in to ~5 second chunks. It's easy to put it back together again. We can figure out everything about your day from when you wake up to where you go to when you sleep.<p>This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.<p>Almost every web/smartphone mapping company is doing it, so is almost everyone that tracks you for some service - "turn the lights on when I get home". The web mapping companies and those that provide SDKs for "free". It's a monetization model for apps which don't need location. That's why Apple is trying hard to restrict it without scaring off consumers.
It's funny that this is coming up now. The other day I was on the phone with Geico's roadside assistance and they wanted to know my location. I told them I didn't have their app downloaded, they said it wasn't a problem and they could get it without it. Sure enough they could. I checked their disclaimers [1] and they purchase the data from my cell carrier. They didn't even have to know which one.<p>[1] <a href="https://www.geico.com/web-and-mobile/mobile-apps/roadside-assistance/" rel="nofollow">https://www.geico.com/web-and-mobile/mobile-apps/roadside-as...</a> (see disclaimers at the bottom)
I believe the relevant T-Mobile privacy policy (that I <i>definitely</i> read before signing up...) is:<p>"With your consent. We may provide location-based services or provide third parties with access to your approximate location to provide services to you." <a href="https://www.t-mobile.com/company/website/privacypolicy.aspx" rel="nofollow">https://www.t-mobile.com/company/website/privacypolicy.aspx</a><p>That is why a text message confirmation is required to get a cell phone's location from <a href="https://www.locationsmart.com/try/" rel="nofollow">https://www.locationsmart.com/try/</a><p>For those on T-Mobile, there are privacy settings that can be adjusted here: <a href="https://my.t-mobile.com/profile/privacy_notifications/advertising" rel="nofollow">https://my.t-mobile.com/profile/privacy_notifications/advert...</a> I already had all of them disabled, and I was still able to get the location of my cell phone from LocationSmart.<p>I chatted with T-Mobile support yesterday to see if I could opt-out of them sharing my data. Not surprisingly, the support agent was less than helpful. "Don't worry, your data is secured"<p>Are there any US carriers that respect privacy and <i>do not</i> share private information with 3rd parties? Or is that a pipe dream?
> Kevin Bankston, director of New America's Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government.<p>It seems like intelligence services spend a lot of their time dreaming up ways to do an end-run around the law. This is the same reason US intelligence does partnerships with foreign intelligence services.
Carriers have been providing these services to 3rd party providers since at least 2006<p><a href="https://www.theguardian.com/technology/2006/feb/01/news.g2" rel="nofollow">https://www.theguardian.com/technology/2006/feb/01/news.g2</a><p>A few points to note:<p>* Obtaining consent is entirely left to the provider to implement. It does not appear to have any auditing. A provider can query any number they like.<p>* The opt-in process used by many providers is easy to exploit, by spoofing SMS replies or abusing the SMS template so that the surveillance target does not get notified<p>* The providers have are well aware of the potential to exploit this and have been for some time. It has never been resolved in over 10 years.
I am starting to wonder what all have I consented to? Every week I learn I have consented to this and that because of a news article as I never read those contracts or TOS. I wonder if there will be a way to phrase long contracts into bullet list of ideas for someone simple minded like me in the near future.
I was aware the cell phone companies were selling anonymized data for some time (not revealing the numbers and adding some jitter to the location data to avoid identifying users).<p>This is the first I’m hearing that they’re releasing detailed personal tracking by phone number. When I sat in on a recent presentation with Verizon execs they flat out said they were not doing this. Oops.
The most obvious use of the data appears to be by credit card companies to detect fraudulent use of a card and decline those transactions. This is something I'm relatively comfortable with, though it's plainly in the interests of the bank and I only indirectly benefit from the tracking.
Two related stories:<p>I went to a recruiting event in 2013, or 14 perhaps, for a major telecom network in Canada. They were proudly showcasing their ability and interest to analyze people's data. I was shocked, so I spoke to the hiring manager:<p>"You should be concerned about google and Microsoft, they have much more data" he said. They do, but much less sensitive data. And I am paying you! And google gives me free excellent services. You are an expensive oligopoly with not the best customer protection track record.<p>2. I had a free modem from a major network that came with the internet. I used the modem at another location while I was away. I got charged for my usage! The modem was not just a modem, it was sensing more information to their system. That is how they tracked my usage, if that is the only thing they tracked. Their technical customer service avoided any form of discussion. Cancelled my internet line with them, and using VPN for trackable stuff ever since.<p>I am seriously considering cancelling my cell phone until their practices changes.
The way I understood it is that the requester of the location is trusted to have gotten consent from the subject of the query. The providers will answer any queries.<p>So Securus works on the "we're sure our customers are getting consent for their inquiries" presumption. What are the consequences if a company is found to not have gotten consent? Business sense dictates there to be no consequence at all if Securus can avoid it.<p>The way this should work is that the carriers can get permission to share location data with third-parties. They should not do it without having gotten permission from their customer. But then they probably get that when you sign the contract. Or do they just not mention it?
Carriers are also selling your billing records. They offer a service to return the carrier billing address/name based on the mobile number.<p>Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).
Previously discussed yesterday, and again two days before that: <a href="https://news.ycombinator.com/item?id=17069459" rel="nofollow">https://news.ycombinator.com/item?id=17069459</a><p>This is one of the reasons I use a public-facing Twilio number, which forwards to a private number which I never hand out.<p>This isn't something that people should have to do to opt-out of tracking like this, but it doesn't seem like there are many other reliable options.
I wondered how the spam callers knew what area code I was in while traveling out of state.<p>I would assume that through clustering analysis (eg coworkers/friends travel together) even fairly coarse position data can allow you to construct relationships. Then they can spam/fish both you end your coworkers with the same fake number. That makes it seem more important to answer and more organic.
Another 'fun' implication of this are the increasingly large number of sites that try to obtain your phone number either through SMS messages during account setup, two factor authentication, or any other number of ways. The accounts you have on those sites link directly to your physical presence. Taking it one small step further, any accounts on other sites you have linked to those accounts are similarly effected. Taking it one step even your dynamic IP address at any given moment can end up working as a physical identifier.<p>The amount of information the NSA has on people is going to be phenomenal. It'd be interesting to be able to glimpse the data just to see how much we all give away. Here's to hoping we never once ever end up putting a 'bad' person in high office because the amount of targeted damage somebody could do with this information is just staggering to even consider.
<i>> the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies</i><p>Clearly the US has their priorities completely the wrong way.
There was mild discontent when the Data Retention laws [1] were being rolled out across the EU in the early 2010s. This was a legal harmonization of existing collection practices for law enforcement purposes. It did receive a lot of press coverage and some small protests (even though in reality the collection was already widespread).<p>In 2009, Malte Spitz (German Green Party politician) sued his telecom provider for all the information they had stored on him in the last 6 moths. He and others made a good (and spooky) visualization showing how it tracked his entire life [2]. He did a TED talk about it [3], which received a spirited applause and unfortunately minor press coverage.<p>I think many naively bought the idea that all this detailed data was only for LE (maybe a side effect of all the reporting on the Data Retention Laws?), despite constantly seeing clauses in their EULA's saying their data will be shared with third parties.<p>----<p>People only care about these issues once they become evident and widespread, and they personally are affected. I remember the shock my friends had when Google Maps released the location history feature. Up until then, its just a theoretical concern.<p>Good demonstrations, hard hitting expositions and good press coverage are essential.<p>----<p>[1] - <a href="https://en.m.wikipedia.org/wiki/Data_retention" rel="nofollow">https://en.m.wikipedia.org/wiki/Data_retention</a><p>[2] - <a href="https://www.zeit.de/digital/datenschutz/2011-03/data-protection-malte-spitz" rel="nofollow">https://www.zeit.de/digital/datenschutz/2011-03/data-protect...</a><p>[3] - <a href="https://youtu.be/Gv7Y0W0xmYQ" rel="nofollow">https://youtu.be/Gv7Y0W0xmYQ</a>
The individual rights under the Constitution have been deemed, in the U.S., to only apply to government and government institutions.<p>The private companies are exercising their free market rights, unfettered by inconveniences like privacy rights, and thus can (as per the article and the random65... whistleblower user at the top of this thread at the time of this writing) track behavior and sell the data.<p>Therefore, does it follow that government canNOT be the buyer of such data? That police departments or the FBI or others cannot access this data?<p>Is there a Chinese Wall in place to prevent such things from happening. Or...?
> <i>one of the biggest gaps in US privacy law.</i><p>Gaps? How about lack of?<p><a href="https://content.next.westlaw.com/6-502-0467?transitionType=Default&firstPage=true&bhcp=1&contextData=(sc.Default)" rel="nofollow">https://content.next.westlaw.com/6-502-0467?transitionType=D...</a><p>General Laws: Not Applicable.<p>Sectoral Laws: There is no national law.<p>----<p>How outrageous and disgusting that congress can make a big show of questioning facebook over privacy, when they don't have the courage to pass even moderate data privacy laws. How much do you want to bet this location data will be ignored by congress?
I met a high-level executive at Ericsson who told me that he had met with Tim Armstrong (CEO of AOL) could make $5 billion more a year if he had access to location data with <50m accuracy.
So as a private citizen, I can pool some money and get the same level of tracking that American intellignece services have of individual cell hardware?<p>Sounds like a win for the citizens.
> Cook: What would he do if he were Facebook CEO Mark Zuckerberg? His answer: “I wouldn’t be in this situation.”<p>Sounds like one of those situations to me...
It's funny to me that this is news to anyone. This has been going on for quite some time - at least the length of my career. For the longest time it was wide open for anyone to access who had an inkling of knowledge about how mobile devices worked.<p>Did this _never_ come up at defcon or in an issue of 2600? Are people really _that_ focused on web security?
Isn't this covered under CPNI [1]? Something that consumers can opt out?<p>[1] <a href="https://www.wikiwand.com/en/Customer_proprietary_network_information" rel="nofollow">https://www.wikiwand.com/en/Customer_proprietary_network_inf...</a>
This exploits a vulnerability in the SS7/MAP protocols that power mobile networks worldwide; the cooperation of the carrier isn't even required (even if carriers were against this; bad actors can and will get this data anyway).
After reading this post a couple hours ago, I was able to play around with LocationSmart's API. Indeed seems quite powerful/comprenhensive. As of an hour or so, they took down their try/demo webpage and related open API.
Don't banks use this data when you create an account nowadays too? I just created a capital one account and they were actually pretty transparent that they'd be checking the location of my phone via carrier.
I tried location smart website said location accuracy was up to 14 miles off. They were really 4 miles off. So not that accurate. If it was 2 blocks like other poster I'd be worried.
It is very tempting to go full "tin foil hat" at this point. I am seriously considering removing my cell battery and powering it up semi hourly to check for messages.
i havent read all 504 comments, and dont plan to, but this should come as no suprise to anyone, unfortunatly it does. cogress, dc, will not help there is too uch to gain, posting the info in real time of the ones in power, will shine a light on the issue, they will make it look like this has been taken care of-while it continues.
the ONLY solution in my opinion its a revolt-against big data/tech, not a boycott, and exodus to DIY open source tech.
One of these days, most of you will finally understand just how right RMS was and is...<p>It's just a shame so many can't see it, and worse, give those of us who do shit.
It's so strange--I never would have expected the boot of tyranny to come from private corporations, but here we are. And what all this proves is that technology is value-neutral and can wipe us all out, or just make us incredibly miserable, if we let it.<p>Hopefully there will be a way to opt out. Otherwise, I should start selling faraday bags for devices. Probably should anyways.
Very much a tangent, but this song is the perfect soundtrack for privacy / tracking articles like these: <a href="https://www.youtube.com/watch?v=8ttTf8N7Bwg" rel="nofollow">https://www.youtube.com/watch?v=8ttTf8N7Bwg</a><p><i>"The Hymn Of Acxiom"<p>Somebody hears you. you know that. you know that.
Somebody hears you. you know that inside.
Someone is learning the colors of all your moods, to
(say just the right thing and) show that you’re understood.
Here you’re known.<p>Leave your life open. you don’t have. you don’t have.
Leave your life open. you don’t have to hide.
Someone is gathering every crumb you drop, these
(mindless decisions and) moments you long forgot.
Keep them all.<p>Let our formulas find your soul.
We’ll divine your artesian source (in your mind),
Marshal feed and force (our machines will)
To design you a perfect love—
Or (better still) a perfect lust.
O how glorious, glorious: a brand new need is born.<p>Now we possess you. you’ll own that. you’ll own that.
Now we possess you. you’ll own that in time.
Now we will build you an endlessly upward world,
(reach in your pocket) embrace you for all you’re worth.<p>Is that wrong?
Isn’t this what you want?
Amen.</i>
I think that Snowden comment fits here:<p>"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say,"
I’m shocked that anyone is shocked about this! Transportation departments have been buying this data since the late 90s.<p>More creepy are the planning solutions for commercial development. You can buy datasets that will tell you the average income of drivers on larger highways in hourly buckets.
I've just started using Signal and was surprised by how good the call quality is. For those that aren't aware, Signal calls are encrypted, so you effectively give nothing to the cell carrier when you make a call through it (except that you used some data).