Another Day, Another Massive Cellular Location Data Privacy Scandal We'll Probably Do Nothing About
from the ill-communication dept
We’ve noted a few times now that while Facebook gets a lot of justified heat for its privacy scandals, the stuff going on in the cellular data and app market in regards to location data makes many of Facebook’s privacy issues seem like a grade-school picnic. That’s something that was pretty well highlighted by the recent Securus and LocationSmart scandals, which showcased perfectly how cellular carriers and location data brokers routinely buy and sell your daily travel habits with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards.
This week, Joseph Cox at Motherboard dropped yet another bombshell report on this subject, noting how he was easily able to pay a bounty hunter $300 to obtain the (supposedly) private location data collected by his cellular provider (T-Mobile). Much like the Securus scandal, the problem once again is the countless location data brokers and third party vendors which are being sold this data, then doing pretty much whatever they’d like with it. In this instance, his data was collected by T-Mobile, shared with brokers and aggregators like Microbilt and Zumingo, then in turn shared with bail bond outfits and private investigators:
“Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt?s ?Mobile Device Verify? product can return a target?s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service.”
Cellular carriers make a small fortune collecting and selling this data, and there’s virtually no oversight of the practice. Consumers often sign one privacy agreement with their cellular provider, which in turn is then broadly interpreted as a green light down a long road of companies which then collect and sell that data in turn. As we saw with the Securus scandal (when a local Sheriff was busted snooping on the private cellular location data of Judges and fellow law enforcement officers), everybody in this chain of dysfunction likes to play stupid when the problem repeatedly comes to light. The same thing occurred here:
?We take the privacy and security of our customers? information very seriously and will not tolerate any misuse of our customers? data,? A T-Mobile spokesperson told Motherboard in an emailed statement. ?While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.?
When the NY Times broke the Securus scandal story last year, cellular carriers all played stupid, insisted they’d ceased the sale of such data, and breathlessly assured everybody that this behavior wouldn’t happen again. When Senator Ron Wyden complained, you might recall that T-Mobile CEO John Legere took to Twitter at the time to insist he’d learned the error of his ways:
Sounds like word hasn?t gotten to you, @ronwyden. I?ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen. Your consumer advocacy is admirable & we remain committed to consumer privacy. https://t.co/UPx3Xjhwog
— John Legere (@JohnLegere) June 19, 2018
Apparently not.
Needless to say, Wyden, who has been pushing new privacy legislation, isn’t particularly impressed:
After I exposed these dangerous practices last year, several carriers, including @tmobile?s CEO @JohnLegere told me point blank that his company would stop selling customer location data to shady third parties. https://t.co/JSASCP2PWH
— Ron Wyden (@RonWyden) January 8, 2019
If you were an industry hoping to avoid government regulation of your business, you’d think you’d be a little more cautious in the way you treat private data. But as we’ve noted countless times, this kind of cavalier treatment of private data is the norm for telecom. From hoovering up your clickstream data to covertly modifying data packets to track you around the internet, telecom has long played fast and loose with consumers’ private data. Some have even flirted with the idea of only seriously respecting your privacy if you pay an additional fee, effectively making consumer privacy a luxury feature.
So while broadband giants will surely whine incessantly during the looming quest to pass some meaningful rules of the road, it’s worth remembering they had ample opportunities, over decades, to avoid stricter government intervention by adopting better, more ethical business practices. It’s also worth reminding folks that ISPs lobbied furiously to convince the GOP to kill some fairly basic privacy protections at the FCC that would have required ISPs clearly inform users who is buying and selling this data, giving users a little more control over how it was shared.
And it’s also worth noting that even without legislation or those rules, the FCC still has Section 222 authority to police this kind of behavior. While the FCC’s privacy rules were killed, mobile carriers are still subject to CPNI rules for voice calls, which were expanded in 2005 to include subscriber location information. The bottom line is that the Ajit Pai FCC could easily address this problem using the authority it has now, they’ve just chosen not to because it might just hurt telecom revenues. The FTC could also probably ding T-Mobile for being “unfair and deceptive” under Section 5 of the FTC act, yet has been similarly mute as carriers bullshit their way around their failures on this front.
All of that said, there’s countless folks who think they’re taking meaningful steps to protect their privacy by deleting Facebook (or on-phone apps), yet are oblivious to the perils of walking around with a stock carrier phone in their pocket. It might be time to stop being quite so collectively naive about US privacy practices if we’re going to have a serious (and undeniably difficult) adult conversation on what privacy rules of the road should look like. One thing we can probably mostly agree upon: this practice of hoovering up your every move and selling it to an ocean of companies with little to no real attempt to protect it is behavior we need to change, one way or another.
Filed Under: bounty hunters, john legere, location data, mobile operators, privacy, ron wyden, selling data
Companies: at&t, microbilt, sprint, t-mobile, verizon, zumingo
Comments on “Another Day, Another Massive Cellular Location Data Privacy Scandal We'll Probably Do Nothing About”
Pessimism is anti-American
If there was one enduring American political principle President Ron Reagan understood down to his bones — Americans adore optimisism in their politicians: America can be a better place.
So quit feeling depressed: It’s a new Congress now. A new day.
Write your congressmen. Call your representatives. Tell them we deserve better. Tell them to right this wrong. Demand that they fix this scandal.
America can be better. No more Carterism! Carter’s malaise is a loser!
Re: Pessimism is anti-American
And all the law enforcement and security agencies will be crying out about risking an increase in the darkness if something is done about this problem.
Re: Pessimism is anti-American
Carter is so last century.
Re: Re: Pessimism is anti-American
Some vocabulary then, for all the kids. From the Merriam-Webster dictionary…
malaise – noun
Re: Pessimism is anti-American
Didn’t Winston Churchill say that Americans can always be counted on to do the right thing… after they’ve tried every other option?
Re: Write your congressperson...
But, as Larry Lessig has statistically proven, the chances your letter (and a few thousand more) will change that representative’s policy without a $1000+ campaign contribution are 0.00%
Optimism is great, but solutions that actually work are what’s needed. Petitioning the government regarding grievances does not.
Re: Re: Write your congressperson...
If the message you get out of Lessig’s work is "don’t even try", then I think you’ve greatly misunderstood his point.
To the best of my knowledge, Lessig hasn’t said anything about my representative — because my representative has only been in office for a week.
Re: Re: Write your congressperson...
Oh, so it was all those kilobuck contributions that defeated SOPA and PIPA? Of course, optimism should always be tempered with a healthy does of realism.
Like Thad, my new representative has only been in office for a week.
Re: Re: Re: Write your congressperson...
Thad, the sentiment don’t even try is not what I got out of it. By all means, do something, but you are going to need more than a lance to take down this giant.
Anonymous Coward, Regarding for SOPA and PIPA, they were killed (well, momentarily routed) by an internet blitz. Feel free to organize one, or, like the SOPA blackouts, find a way to spread your message to 160 million people.
Lessig’s point was that until we get money out of politics, until we have a massive election reform, we can’t rely on our representatives for anything else. Not police reform, not environmental conservation and certainly not telephone privacy.
But yeah, maybe our new representatives have seen the light and have figured out how to campaign without huge benefactors. I think waiting for them to come around is kinda like waiting for Trump to break and pass a budget without wall funding. Unless you’re using a lot of (proverbial) dynamite, you can expect to be disappointed.
Re: Re: Re:2 Write your congressperson...
Which is another way of saying that representatives received a few thousand letters.
But he’s also campaigned to elect people to Congress (and other offices) who are not beholden to special interests. He’s never suggested that working through Congress was a waste of time. And if he’s "statistically proven" that it’s impossible to change a representative’s policy position without paying them, that’s news to me.
Lessig’s point is that financial corruption makes it much harder for individuals to influence their representatives; that much is true. But it wasn’t that we can’t achieve anything at all until we pass campaign finance reform. And if he did say that, he was plainly wrong; there have been positive changes in the government over the past decade (healthcare, ending DADT, reducing sentencing guidelines, a state-by-state push to legalize marijuana — those are off the top of my head), even if they haven’t gone as far as I’d like them to.
Lessig’s point that the American government favors special interests over individuals is a true one. But you’re carrying it to an absurd endpoint. His point was never "Don’t call your representatives; it won’t matter." That’s a sort of lazy fatalism that I would never associate with Lessig.
Ownership
Hey, it’s Sprint’s network. They own it, and can do whatever they want with it, right? Privacy regulations are just big government butting in where it doesn’t belong. /s
Re: Ownership
Don’t feed the trolls.
Especially don’t feed them when they haven’t even shown up yet.
Re: Ownership
I fail to see the similarity.
> Another Massive <fill in the blank> Data Privacy Scandal We’ll Probably Do Nothing About
This will continue as long as people like Masnick screech about how terrible it would be for the “tech” (surveillance) industry and the world if the US ever implemented any kind of law to protect the privacy of its citizens.
After all, we know we can trust massive corporations to “self regulate”, since it has been working so well for Facebook, Google, Comcast, Verizon, AT&T and the rest. Actual laws and accountability might “stop them from ‘innovating'”.
For an example of the many horrors that might come from such a law, just look at all of the poor EU citizens who, thanks to the evil anti-innovation GDPR, can no longer count on Facebook to subject them to algorithmic swatting in order to protect them from killing themselves!
Re: Re:
bullshit. quit conflating different sectors and one’s ability to avoid doing business with them or not. that being said, fb and teh goog and … well everyone else, not just in the “tech” (loose weird grouping of vaguely IT-related businesses) are horrible with privacy. and you are still full of shit if you claim that Mike Masnick has ever indicated he was cool with that. The problem is that laws have to be good laws, not bad ones that actually make things worse for privacy and add in five other awful consequences. The GDPR has good points, but quite apparently also many bad points and is written and executed horribly.
Re: Re:
Yeah, hit that straw.
Re: Re:
“This will continue as long as people like Masnick screech about how terrible it would be for the “tech” (surveillance) industry and the world if the US ever implemented any kind of law to protect the privacy of its citizens.”
When did he say that?
Re: Lead for the lead throne!
Paint for the paint god!
How is this "another" scandal?
Should we really be calling these the Securus scandal, the LocationSmart scandal, the Microbilt scandal, etc.? It’s like we’re going out of our way to call it the T-Mobile, Sprint, AT&T, and Verizon scandal. There’s nothing new here. This is the same scandal, continuing, because they never stopped selling the data. They just stopped selling to certain companies.
Well, T-Mobile now say they won’t sell to any "shady middlemen" (anymore; shady business dealings were totally OK under last week’s policy). How about selling it to nobody? If I want roadside assistance to find me, I can install an app or explicitly tell my carrier to give it (not sell it) to them; they don’t need to trust some company that, wink wink, claims they got my permission. (Of course the carriers know what that means, because they never actually got any customer’s permission to sell the data either.)
i guess it all depended on what anyone’s definition of “shady” is.
Harris Corp
Why are the police wasting money on cell site simulators?
This seems easier quicker and cheaper – plus no warrant necessary!
Re: "No warrant necessary!"
When parallel reconstruction is successfully implemented, no warrant is ever necessary.
But bribing a guy is definitely on the fruit-of-the-poisonous-tree side of the evidence fence. It would have to be laundered out.
Re: Re: "No warrant necessary!"
Or get a warrant for the records that they have seen and know will support their case.
Oops
The word "probably" is not usually used for certainties, Karl.
Not I, Said the Duck
This is simple yo fix. Dump your cell phone. If you can’t, cover the GPS antenna with foil and use a GPS spoofer. And keep it in airplane mode until you need to make a call.
Re: Not I, Said the Duck
Do you do that?
No?
STFU
Karl, please stop using the word “breathlessly”. Thanks.