I work in location / mapping / geo. Some of us have been waiting for this to blow (which it hasn't yet). The public has zero idea how much personal location data is available.
It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.
This is then usually (but not always) "anonymized" by cutting it in to ~5 second chunks. It's easy to put it back together again. We can figure out everything about your day from when you wake up to where you go to when you sleep.
This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.
Almost every web/smartphone mapping company is doing it, so is almost everyone that tracks you for some service - "turn the lights on when I get home". The web mapping companies and those that provide SDKs for "free". It's a monetization model for apps which don't need location. That's why Apple is trying hard to restrict it without scaring off consumers.
I can confirm this is happening, I designed some of the analysis systems used. Contrary to what many people assume, this is not just a US thing. It is done throughout the industrialized world to varying degrees, including countries where most people believe privacy protections disallow such activity. Governments tacitly support it because they've found these capabilities immensely useful for their own purposes.
I'm in the space as well. I've tried telling my congressmen but they ignore me. I'm waiting for the backlash, especially will all the recent privacy issues. It hasn't happened yet and the problem is so large that I honestly doubt whether the public will ever truly grasp what the scope.
The advice I always give when this topic comes up us to be very careful with what you install on your phone. The least expensive mobile location data tends to come from random apps collecting the data to sell it, and ad networks. Permission to use your GPS is permission to track you until you uninstall the app.
If you're willing to have your name attached to this, if / when it does finally blow up, please make an effort to talk to news organizations about who and when you initially reached out to congress people.
If you're not comfortable with your name being publicly attached, at least give news orgs the information and request confidentiality.
Part of the reason congress people can punt is that the cost of inaction < cost of action before it penetrates media.
A big part of shifting that equation is starting to publicize "You had all the information available now on X date and did nothing" as loudly as possible. Naming and shaming has been healthy for vulnerability disclosure.
Are you able to send them a copy of their individual location data, or the location data of their staffers/friends/family? That might make for a potent wake up call. Though, you'd want to run that by an attorney first.
I'm in the space as well. I've tried telling my
congressmen but they ignore me.
If you have hard evidence, forward it to the journalist or newspaper that broke a similar recent story, or whose reporting of that story you respected.
Maybe you can find a journalist you respect for their reporting on Cambridge Analytica, the Paradise Papers, Edward Snowden and so on?
that's only the low end. app gps usage shows up on the UI.
the article discusses when the ISP/telco sells the data that you have zero visibility on. there's no way to get around this.
btw, apple and google ad spyware process (google play service) will collect gps and wifi data without any user visible UI, not to mention download ads in the background.
Thanks for the tip. I've made a habit of turning off location services on Android once I'm done using navigation (Waze), do you know if this sufficiently blocks all background tracking for apps I've consented to allow GPS location tracking? Thanks.
What about a state senator or representative? Could your state start enacting a privacy framework, that would apply to businesses that wanted to do business in your state? Sort of like California emissions for cars.
>It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.
so what's the flow here? is it something like this?: phone gps -> manufacturer installed crapware app -> crapware server -> (various third parties)
wouldn't this be mitigated if you use a custom ROM like lineageos?
some of crapware can be avoided by using custom ROMs, but not all of it. For example: Qualcomm IZat location services and other location-based trustzone applets remain running even on custom ROMs.
I have a strong suspicion that it intentionally places you some distance from where it knows you actually are. Unless there is some underlying reason why it would never be 100% accurate -- I've seen dozens of people post their results and every time it's 1-300 meters off.
And it's not just "no one tests while under the cell tower" because the location it gave me was 150 meters in the opposite direction of the cell tower that I can see out my window. And the location it gave was smack in the middle of a neighborhood I know well and know to be free of cell towers. Or I'm just paranoid.
I'm somewhat weary. This might be the final missing piece to connect your mobile phone number to your mobile browser user agent, or even worse, your desktop browser agent.
if you want to get it to blow up then (based on past experience of what seems to catch regulator/legislator interest) I'd say that someone tracking the locations of a load of politicians for a while, finding things of interest about places they've visited and then publishing on a news outlet would do the job.
Your approach starts off by making the very politicians that you want to help you extremely pissed off at you.
More effective would be to track a few key politicians, such as those on the committees that would deal with regulating these things, and also a few reporters who have agreed beforehand to participate.
Then the tracking on the politicians is turned over to the politicians, but NOT made public. The reporters write stories about this, illustrating the tracking detail by publishing what it showed about them.
This approach gets the news out to the public, personally shows the key politicians the scope of the issue (and that they are vulnerable too), and lets the public know that the politicians have seen proof of how serious the issue is so that the politicians know that they need to get to work on this because their opponents come the next election will certainly be gearing up to use it as an issue if they do not.
When Snowden revealed the extent of NSA activities, it caused a momentary uproar but the people moved on pretty quickly after that. As far as I know (and let me know if I am wrong!!), there was no fallout for the government, and business continues as before.
So I am not sure if people will care this time either.
> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.
Any articles/webpages about this one? Or a company name who is doing it?
But there are too many to name. In 2018, you should assume that any free service (Unroll.me), web/mobile SDK (Slice), email client (Airmail), personal finance tracker (Mint), integration API (Plaid), geolocator (Foursquare), etc is monetized by selling your data en masse for market research.
It's not just location data. Dig into the TOS of free services you use. It's your receipts, your transactions, your subscriptions...all are "anonymized" to varying degrees of success. Even Meraki, the network router/switch company, sells location data.[1]
Any company that sells you access to ad real-time bidding. You connect to a event fire-hose that gives you a nice standardized json for each ad target, with plenty of data about the user (including geolocation), and you choose whether to bid or not on each ad, in realtime.
Advan, Reveal Mobile, QuestMobile, Pinsight, Streetlight Data, RootMetrics, OpenSignal, SafeGraph are a few of the companies selling various forms of mobile user location data.
>> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.
> Any articles/webpages about this one? Or a company name who is doing it?
Foursquare does it, there were some articles last year about how they pivoted to providing that data. They were able to accurately predict Chipotle customer declines after their food contamination scandals.
I'm not sure if they use this carrier location data, or just the data from the people who are still using their app.
> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.
I read just recently that one of Foursquares biggest revenue slices is selling their users check in data to hedge funds. On a previous HN post, one commenter claimed the app Robinhood sells their order flow through clearing houses, which the net result is hedge funds and other such firms trade off of — under the assumption that Robinhood investors are emotional rather than educated.
Hedge funds in general seem like a major consumer of retail data, which makes sense. Home Depot just announced earnings: imagine if you knew exactly how many people went into Home Depot, walked out empty handed, and then went to Lowe’s... how you could profit off that data in the market.
The problem is once it's at the cell carrier level it doesn't even matter if you use a dumb phone. They know roughly where you are based on tower triangulation.
It's android for the hardware manufacturers and OS crapware getting location data.
For iOS, assume every app using your location is selling the data. That means every app using a map or location smoothing SDK (GPS jumps around, there are services to smooth it out), since the map SDK providers (and there's not many) are selling your data even if the app itself isn't.
Google, Apple, Microsoft etc are pretty careful for good reason. Anyone below that is probably selling it.
The original article seems to be saying that the carriers track and sell phone location by cell triangulation ("less accurate than using GPS, but cell tower data won't drain a phone battery"). This is less accurate, as seen by the example of "within a city block."
The parent comment seems to be saying that the OS and apps use the internal GPS data to get a much more accurate location, which is then freely transmitted somehow and shared and sold. My question is to clarify that this more accurate data, needed to enable the "walk into specific store" scenario, can only be obtained via data (eg 3G, LTE, or wifi)?
Therefore not buying a data plan or turning off cellular data manually should prevent the GPS-accuracy tracking, but the only way to prevent the less accurate cell-tower tracking is to use a faraday cage.
The stock trading I've heard of, and even seen news articles about before.
Location tracking lets stock traders know how well a store is doing well before public results are announced. If foot traffic is down at a store, time to sell off (or short) the stock before it becomes publicly known.
Defense contractors have been using this capability for competitive intelligence for the last few years. Namely performing surveillance of contractors both internal and external to their company. Private investigators are using the same capability for similar purposes, especially for litigation support. “How” is never required to be revealed in court because the primary purpose is to find information that will “encourage” the other party to not go to court. If there was a way to audit queries/lookups performed against specific telephone numbers I think a lot of people would be shocked.
This is a problem with the GSM/UMTS standards themselves. Carriers always know where you are, but one could create a standard where they wouldn't have to know unless you make a call. With enough encryption and effort, I'm pretty sure one could even create a standard where carriers would never know where you are, even while you are using services.
Would not it be easier to ban anyone from using this location data for anything except explicitly permitted by law? The problem is not with standards, the problem is with people.
I don't think it's possible through technological means to avoid being tracked and still use a wireless network. Even if you could anonymously authenticate to the network, if the base stations have a large number of antennas then they can locate the physical origin of your signal and track you that way.
It may be possible of course through other means, like government regulation or only using carriers that have some guarantee of privacy.
A good start would be using a prepaid mobile phone (paid with cash, via an intermediary to avoid appearing on store CCTV), plus using phone apps that are not tied to your real identity. A Faraday bag for the phone when it's not in use.
Honestly, it just depends on how paranoid you want to get, and who your adversary is.
okay, so, to cut to the chase here: how do we disrupt or destroy the companies doing this?
it isn't acceptable that they are taking advantage of us in this way.
we can't expect any political solution to the problem, which leaves us to pursue other means if we want to protect ourselves.
is there a way to introduce fake data or noise? what about opting out?
is there a law being broken here that we can make into a lawsuit? i wonder if there is a precedent regarding restraining orders or unwanted surveillance by private entities...
> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.
Honestly, this is the least bothersome part of the whole thing. The only problem is that there's no way I trust anyone involved to properly anonymize and secure the data in question.
I agree some of this is happening but some things don't add up.
Is there a huge delay in this data? Because why don't law agencies use it to find criminals? Like I have 2 crimes at these two locations. Who was around these 2 locations at these times etc.
But if hedge funds are trading on it, they need very low latencies?
> But if hedge funds are trading on it, they need very low latencies?
Not quite. Hedge funds aren't trading real time on this data. They use this data to essentially figure out how a business is doing before they announce that information. Essentially, if x% of our data went to Chipotle in 2016 and y% went in 2017, and y >> x, then we expect Chipotle's earnings to be higher.
RE: "That's why Apple is trying hard to restrict it without scaring off consumers"
Don't you understand why Apple V-2 (the one who works for shareholders, not users as Apple V-1 did) is trying to restrict APPs from selling your information?
Its because they are competing with Apple, who is trying to sell the same information for maximum revenue.
Everything at Apple V-2 is driven by greed and profit. If looking good publicly is needed to generate sales, they'll also try to do that. But what happens behind closed doors doesn't necessarily match the promoted image.
(yes I'm cynical. I've been around long enough to recognize the BS happening).
Making a cell phone out of a pi with a sim card and gps daughter board is sounding less and less crazy each day. Really looking forward to when the librem phone starts shipping. I wonder if they've really been thorough enough vetting hardware for those bare-metal security issues.
This is at once staggering and completely unsurprising that companies would violate user trust in such a way and sell data without proper vetting that exploits people and could potentially put them in danger. Yet another episode in the misadventures of techno-illiterate regulation and totally unread TOS agreements.
Even a RPI won't help you unless you can build all of the software for the microprocessors which drive the wireless stack. Even then, vendors (e.g. Qualcomm) will already have their software on the chip when you get it.
A completely open spec, open source set of components is what the community has desired for a long time. As standards get more complex and evolve faster, 4G and beyond, it becomes less possible to keep up in the open.
Most of the descriptions of the service so far indicate a real time or near real time feed. I'm curious if it's possible to go take a phone number and ask "give me location data for this person around xx:xx at yyyy-mm-dd."
I am a journalist for a major news organization and would like to know specifics about hedge funds and the like and how they use this data. Reach me at sfrancisbjr@gmail.com
What specific data about the person is traded alongside their location history in the... schemes that you describe? (name? Some govt ID number? Phone number? Address? ....)
Ah yes I've personally seen this while working at an OEM. There are a lot of other insane things happening on a phone like CIQ. FYI, listening to users via microphone is one thing that actually does not happen.
It's funny that this is coming up now. The other day I was on the phone with Geico's roadside assistance and they wanted to know my location. I told them I didn't have their app downloaded, they said it wasn't a problem and they could get it without it. Sure enough they could. I checked their disclaimers [1] and they purchase the data from my cell carrier. They didn't even have to know which one.
The other respondents to this message more or less have it right.
The way this stuff works is that when GEICO signed the deal to get access to this, they pinky-swore in a contract to only use the data certain ways.
Often, the representatives on both sides of such transactions even have a wink-wink nod-nod deal going which is different from what the contract materially represents.
Importantly, these contracts virtually always avoid talking about mechanisms for tracking such usage, auditing such usage, and even any remedies for violations (beyond discontinuing the service access - and then only if it's egregious).
You'd be amazed how much in the telecom world is handshake and contractual with no technological enforcement and often neither side of these agreements are incentivized to enforce the terms laid out.
The parts of these agreements that are solid is how transactions, events, etc are measured and what these cost and who pays and how. Shocking, that.
They don't need oral approval or any approval. GEICO is only asking so that their customers won't freak out when GEICO magically knows where they are. The customer service rep probably had the data up on their screen already when they asked.
For those on T-Mobile, there are privacy settings that can be adjusted here: https://my.t-mobile.com/profile/privacy_notifications/advert... I already had all of them disabled, and I was still able to get the location of my cell phone from LocationSmart.
I chatted with T-Mobile support yesterday to see if I could opt-out of them sharing my data. Not surprisingly, the support agent was less than helpful. "Don't worry, your data is secured"
Are there any US carriers that respect privacy and do not share private information with 3rd parties? Or is that a pipe dream?
But they also say that they may share personal information (which may include location??) to 3rd parties with user "consent":
"Do you share my Personal Information with other companies for them to market to me?
We may share your Personal Information with AT&T and other AT&T affiliates for a variety of purpose, including so that they can market products and services to you. Except for AT&T and other AT&T affiliates, we will not share your Personal Information with other companies for them to use for the marketing of their own products and services without your consent."
Did T-Mobile have a breach recently? I got malware on one of my machines a year or so back and had to change my passwords everywhere, and T-Mobile was one of the two sites that was so assed-up I couldn't actually change it. I clicked your privacy link earlier and had to go through two separate SMS verifications and change my password because they said it was "old".
Switching from T-Mobile to Google Fi might be jumping out of the frying pan and into the fire ;)
The Google Fi Terms of Service says they are collecting location data:
"When your device is turned on or when you use the Services, we may collect and process information about your actual location. This may include information about your current activity (e.g., driving, running, walking, etc.), which lets us know when you may be moving between different mobile and Wi-Fi networks." https://fi.google.com/about/tos/#project-fi-privacy-notice
I'm okay with Google collecting location information, insofar as they only use it to provide cell service, and not for advertising and don't provide it to 3rd parties. Unfortunately, their Privacy Policy states that they can use it for advertising:
"We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads ." https://policies.google.com/privacy?hl=en&gl=us#infouse
And they can provide it to 3rd parties. Note that they require "consent", just like T-Mobile's privacy policy:
Well, now it works on my phone as well. I wonder if it is only when on/near my work campus. I was outside but they do have some repeaters for some carriers. (I often get a message saying my carrier has "disabled voice services" when on campus)
> Kevin Bankston, director of New America's Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government.
It seems like intelligence services spend a lot of their time dreaming up ways to do an end-run around the law. This is the same reason US intelligence does partnerships with foreign intelligence services.
Just think of how amazing the museum will be for your great grandkids when we completely dismantle them when, inevitably, their stated mission goals supersede common sense and a responsible relationship to the American public.
* Obtaining consent is entirely left to the provider to implement. It does not appear to have any auditing. A provider can query any number they like.
* The opt-in process used by many providers is easy to exploit, by spoofing SMS replies or abusing the SMS template so that the surveillance target does not get notified
* The providers have are well aware of the potential to exploit this and have been for some time. It has never been resolved in over 10 years.
"To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person's mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies' current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker's website has recently published information telling how to spoof consent without even having to have temporary possession of the target's phone; all that is needed is the number. If someone has a person's number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers."
It's a cell carrier providing data about the radio communications between hardware they own and someone else. At a moral level, seems somewhat equivalent to a web server providing data about clients that access the server.
To opt out, stop using some third-party corporation's owned hardware to route your communications near lightspeed around the world. Hey, the Amish communities may have something in their overall philosophy of "Don't be beholden to strangers who aren't part of your community."
I'm not clear if you missed the point here? This isn't aggregate data, it's obtaining the location of a specific individual just by knowing their phone number. It can be done without their knowledge or consent.
By your webserver analogy, the equivalent would be more akin to google publishing the contact details and search queries of anyone using the service.
I am starting to wonder what all have I consented to? Every week I learn I have consented to this and that because of a news article as I never read those contracts or TOS. I wonder if there will be a way to phrase long contracts into bullet list of ideas for someone simple minded like me in the near future.
Maybe by some 3rd party then? Maybe an application of all the fancy natural language processing or some other ML. I visit the site, paste the TOS or maybe there is a list of TOS that has been translated and i get a nice gist.
I was aware the cell phone companies were selling anonymized data for some time (not revealing the numbers and adding some jitter to the location data to avoid identifying users).
This is the first I’m hearing that they’re releasing detailed personal tracking by phone number. When I sat in on a recent presentation with Verizon execs they flat out said they were not doing this. Oops.
A while ago I thought of a very neat 'future job': you walk around town with somebody else's phone. So if you 'need to be' somewhere, you just hire this service, deliver your phone, which will be returned to you, and there goes your track record.
That probably won't do much for you in many urban areas in many countries. Municipalities are routinely maintaining data captured from license-plate scanners and some cities now have CCTV networks with facial recognition software. So unless you don't drive and walk around with a new rubber mask on every day you are still subject to the panopticon.
Most businesses these days have some kind of camera system for security, it won't be too long now before someone starts buying these video feeds from say Starbucks, etc. running recognition AI on them, tagging individuals, and selling this aggregated location data, maybe even realtime. At the moment, I don't think this would even violate any privacy laws.
The reason that cell phone networks actually work (they're effectively decentralized networks) is that they pay the big bucks to rent space on high towers, building roofs, etc.
The only thing that matters for radio communications is line of sight. The only thing that gives you line of sight is relative height. The only thing that gives you consistent height is money.
Until/unless they modify the law - turning off your phone thwarts it. While your phone is powered off, it has no ability to track & record your location movements. Obviously your active location will then be picked back up after you power it on, it won't have a record of anything inbetween.
A simple example of limiting the invasiveness using this approach, would be to have your phone on only at work & home, or similar. In absence of phone snooping, someone can already easily locate you at those two standard destinations, and can easily discover when you'd typically be at those places (ie you're not giving them much by using your phone there under normal circumstances).
So, use Google voice or setup your own w/ Twilio (try all numbers), and have a work cellphone and a home cellphone, a one-way pager (for when you are traveling), and another travel phone without a battery that you would use if necessary, based on the pager message?
Most wifi hotspots have location information anyway, so your phone will know where it is, and then one of the many apps on your phone can report back with that information.
And isn't a pager just a really simple cell phone? I'm not sure how that's a solution if cell towers can triangulate your position.
The most obvious use of the data appears to be by credit card companies to detect fraudulent use of a card and decline those transactions. This is something I'm relatively comfortable with, though it's plainly in the interests of the bank and I only indirectly benefit from the tracking.
Or maybe parallel construction used to deny/approve loans. E.g. I can't weight the loan approval negatively specifically bc the person is black, but the GPS information suggests they frequent black areas.
But really every use of this information is highly assymetrical. If they're using it to trade stocks, while regular people are using traditional means, it's an advantage we don't have access to. This is basically the virtual castle walls keeping us peasants out in the fields. Modern feudalism.
As blocking fraudulent claims could remove a reason for my premiums to he higher, I can't say I'm against that.
With the caveat, for course, that people are not always where their phone is so this taken on its own would be circumstantial evidence: one would hope decisions are not made directly based on this information.
Yes, I am greatly bothered by it, especially because I am not aware of the extent that my information is being distributed.
On the one hand, I opt-in to location tracking for apps and services such as Google services, because I genuinely believe that I benefit greatly from location-targeted information. On the other hand, I would opt out of any other location tracking of my cellphone to companies that I do not see the benefit of having. I want fraud-protection and no liability when it comes to fraudulent purchases (opt-in for credit card companies and banks), but I don't want the government/Facebook/retailers/insurers to have this access without permission.
I'm not the person you're asking this question to, but I thought I'd reply anyways.
No, it doesn't really bother me. Why would anyone care that I get up around 7AM on weekdays, drive to work around 9, stay there until 5, and then drive home?
On weekends they will see me going to Target and the grocery store. Sometimes another store. Sometimes I go to visit my family in another city.
I really don't care if people have that information. Many people (not me) post that information freely on Facebook, Instagram, or Twitter.
There are some future situations in which I might care that I am being tracked. If that were the case, it's highly unlikely I would bring a phone with me.
Would I prefer not to be tracked? Probably. Does it bother me that I am being tracked? Nope.
I suspect these views line up with the majority of people in the US.
How do you expect this data to be used in your favor? If there is a technical glitch/human error and your data is intermingled with someone else's, it will be used against you silently and you will have no recourse.
I went to a recruiting event in 2013, or 14 perhaps, for a major telecom network in Canada. They were proudly showcasing their ability and interest to analyze people's data. I was shocked, so I spoke to the hiring manager:
"You should be concerned about google and Microsoft, they have much more data" he said. They do, but much less sensitive data. And I am paying you! And google gives me free excellent services. You are an expensive oligopoly with not the best customer protection track record.
2. I had a free modem from a major network that came with the internet. I used the modem at another location while I was away. I got charged for my usage! The modem was not just a modem, it was sensing more information to their system. That is how they tracked my usage, if that is the only thing they tracked. Their technical customer service avoided any form of discussion. Cancelled my internet line with them, and using VPN for trackable stuff ever since.
I am seriously considering cancelling my cell phone until their practices changes.
The way I understood it is that the requester of the location is trusted to have gotten consent from the subject of the query. The providers will answer any queries.
So Securus works on the "we're sure our customers are getting consent for their inquiries" presumption. What are the consequences if a company is found to not have gotten consent? Business sense dictates there to be no consequence at all if Securus can avoid it.
The way this should work is that the carriers can get permission to share location data with third-parties. They should not do it without having gotten permission from their customer. But then they probably get that when you sign the contract. Or do they just not mention it?
Carriers are also selling your billing records. They offer a service to return the carrier billing address/name based on the mobile number.
Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).
>Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).
That's terrifying. Do you have a source I can look at for this? It might be time to always-on VPN my phone.
If you take that cell phone home with you regularly and don't live in a multi-unit building, it would be relatively trivial to figure out your identity using this data.
Undoubtably. Not a strong protection against doxxing, but might offer some semblance of protection from 'drive-by-lookups'. With a modern smartphone and location services, there's only so much you can do.
Just a heads up: Twilio now offers a metric fuckton of services geared towards SIM-enabled IoT. You can order SIM cards by the pile and then bind them to a Twilio number by activating it in the UI (or via API). So now instead of (or in addition to) simply forwarding traffic from garbage numbers to your real number, you can get Twilio numbers that are registered on T-Mobile's network via an actual SIM card, making it much easier to send from your Twilio number than it used to be without it bound to a SIM card. Fairly good price, too. Unfortunately, I'm not sure what happened to Twilio's API as it's now as opaque and awkward as any AWS API (almost as though someone on Twilio's engineering team made the decision to model their API after the way AWS builds their APIs), but the services they offer are as compelling as they always were. I'd give Twilio a solid D for what the API has turned into, but A+ for service innovation.
Through FISA, all foreigners are legal monitorable, no matter what.
This is part of how US mass surveillance works. We record everything and if it turns out to be a citizen, we're supposed to throw it out. Of course in reality, it goes to the Parallel Construction Department who uses the information to build a case against someone through other means, knowing the answer in advance.
> Of course in reality, it goes to the Parallel Construction Department
Not the case. US Person Information cannot be queried. You are referring to a practice used against foreign targets to obfuscate methods of surveillance (Reasonable folks can object to this as well of course - my only point is that your portrayal is not accurate).
Maybe [1]. I wouldn't count on being protected while outside the EU.
Art. 3 GDPR Territorial scope
Article 3(1) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
Article 3(2)(a) - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
Article 3(2)(b) - the monitoring of their behaviour as far as their behaviour takes place within the Union.
Article 3(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Practically you're just going to get extra tracked because you're a foreigner. Also if the articles about TSA borrowing your phone to clone it real quick or forcing you to log into facebook are true, I wouldn't expect them to abide to GDPR.
I wondered how the spam callers knew what area code I was in while traveling out of state.
I would assume that through clustering analysis (eg coworkers/friends travel together) even fairly coarse position data can allow you to construct relationships. Then they can spam/fish both you end your coworkers with the same fake number. That makes it seem more important to answer and more organic.
A friend of mine just got back from NYC and then received a fake call from an NYC area code. I get several every day from random area codes, and we had to wonder whether it was coincidence or not.
Another 'fun' implication of this are the increasingly large number of sites that try to obtain your phone number either through SMS messages during account setup, two factor authentication, or any other number of ways. The accounts you have on those sites link directly to your physical presence. Taking it one small step further, any accounts on other sites you have linked to those accounts are similarly effected. Taking it one step even your dynamic IP address at any given moment can end up working as a physical identifier.
The amount of information the NSA has on people is going to be phenomenal. It'd be interesting to be able to glimpse the data just to see how much we all give away. Here's to hoping we never once ever end up putting a 'bad' person in high office because the amount of targeted damage somebody could do with this information is just staggering to even consider.
> the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies
Clearly the US has their priorities completely the wrong way.
Part of the American mythology is that government involvement is always bad. It's hard for me to know if this developed because of the myths of the America Revolution, that a small colony won it alone and not because of external factors, and how much is due to people preaching small government politics. Regardless a distrust of the government seems to be ingrained in the American psyche IMO.
At a more local level, people have much more influence and ability to change problems that they see. At a more federal level, policy is imposed without localities having much/any influence.
That centralization and imposition of policy that half the country opposes is the reason for the political divide that we see today. If the same policies that we argue about so much were implemented at a state level, people would have the ability vote with their feet.
That doesn’t mean some legislation shouldn’t be federal, but there is a reason that the intention was for federal policy to be overwhelmingly agreed upon rather than forced in along party lines.
Another part of the American mystique is that every politician is for sale via legal bribery where companies donate to their campaigns and get them to do mostly whatever the company wants, totally contrary to the interests of the public.
You leave out another option: Americans distrust government because we see it fail us every day. Corruption, police brutality, inefficiency, politician sleaze baggery...
In general corporations provide a much higher quality service than the government in the US.
Also, if a government employee does a lookup in their spare time as a private person out of curiosity, it is ok? Or if they ask their friend to do the lookup?
Well, such a release should of course be limited, regulated and with oversight. But I'd argue that at least police should have some possibility to get at customer data, even without opt-in.
Release of privacy-sensitive data to other companies should strictly be by clear customer opt-in, with clear limits on its use. And even some of that should be forbidden for semi-monopolies such as telecom providers.
Actually, not true by the defnition of inalienable right: something of which you may be deprived, but no other person may gain.
It is possible to take from you real or chattel property, funds, papers, etc., and give them to another. Your life (though no longer your organs and tissues), your liberty, your happiness, not so.
Those are inalienable in that they cannot exist seperate frome you.
There was mild discontent when the Data Retention laws [1] were being rolled out across the EU in the early 2010s. This was a legal harmonization of existing collection practices for law enforcement purposes. It did receive a lot of press coverage and some small protests (even though in reality the collection was already widespread).
In 2009, Malte Spitz (German Green Party politician) sued his telecom provider for all the information they had stored on him in the last 6 moths. He and others made a good (and spooky) visualization showing how it tracked his entire life [2]. He did a TED talk about it [3], which received a spirited applause and unfortunately minor press coverage.
I think many naively bought the idea that all this detailed data was only for LE (maybe a side effect of all the reporting on the Data Retention Laws?), despite constantly seeing clauses in their EULA's saying their data will be shared with third parties.
----
People only care about these issues once they become evident and widespread, and they personally are affected. I remember the shock my friends had when Google Maps released the location history feature. Up until then, its just a theoretical concern.
Good demonstrations, hard hitting expositions and good press coverage are essential.
The individual rights under the Constitution have been deemed, in the U.S., to only apply to government and government institutions.
The private companies are exercising their free market rights, unfettered by inconveniences like privacy rights, and thus can (as per the article and the random65... whistleblower user at the top of this thread at the time of this writing) track behavior and sell the data.
Therefore, does it follow that government canNOT be the buyer of such data? That police departments or the FBI or others cannot access this data?
Is there a Chinese Wall in place to prevent such things from happening. Or...?
How outrageous and disgusting that congress can make a big show of questioning facebook over privacy, when they don't have the courage to pass even moderate data privacy laws. How much do you want to bet this location data will be ignored by congress?
I met a high-level executive at Ericsson who told me that he had met with Tim Armstrong (CEO of AOL) could make $5 billion more a year if he had access to location data with <50m accuracy.
So as a private citizen, I can pool some money and get the same level of tracking that American intellignece services have of individual cell hardware?
It's funny to me that this is news to anyone. This has been going on for quite some time - at least the length of my career. For the longest time it was wide open for anyone to access who had an inkling of knowledge about how mobile devices worked.
Did this _never_ come up at defcon or in an issue of 2600? Are people really _that_ focused on web security?
This exploits a vulnerability in the SS7/MAP protocols that power mobile networks worldwide; the cooperation of the carrier isn't even required (even if carriers were against this; bad actors can and will get this data anyway).
You are referring to the command used to request where to route an SMS message, I assume? If so, carriers can (and have been albeit very slowly) restrict this activity so it is less of a free-for-all.
That said, it seems they are intentionally selling this data as well, which is a whole new issue.
After reading this post a couple hours ago, I was able to play around with LocationSmart's API. Indeed seems quite powerful/comprenhensive. As of an hour or so, they took down their try/demo webpage and related open API.
Don't banks use this data when you create an account nowadays too? I just created a capital one account and they were actually pretty transparent that they'd be checking the location of my phone via carrier.
I tried location smart website said location accuracy was up to 14 miles off. They were really 4 miles off. So not that accurate. If it was 2 blocks like other poster I'd be worried.
It is very tempting to go full "tin foil hat" at this point. I am seriously considering removing my cell battery and powering it up semi hourly to check for messages.
i havent read all 504 comments, and dont plan to, but this should come as no suprise to anyone, unfortunatly it does. cogress, dc, will not help there is too uch to gain, posting the info in real time of the ones in power, will shine a light on the issue, they will make it look like this has been taken care of-while it continues.
the ONLY solution in my opinion its a revolt-against big data/tech, not a boycott, and exodus to DIY open source tech.
I see a lot of suggestions about reducing or shutting off your signals, but what about boosting them in certain directions? As far as I understand cell tower triangulation, having a stronger signal in one direction might offset your calculated position in that direction. I wouldn't expect that to decrease connectivity, just require special equipment and more battery life.
There's no way to do this without using your own antenna network. Even then, you need encryption just to anonymize your calls, but if you end up talking to people subscribed to the same carriers you're trying to avoid, you can trivially be de-anonymized by timing attacks. So there's no good solution, unless you're willing to turn your calls to voice mail.
More practical solutions would include:
-(physically) Powered off radio unless you want to make a call. A clear drawback is that you can't receive calls.
-Satphones. I'm pretty sure satellite phone providers aren't in this yet. They could be, but my guess is that they wouldn't want to waste bandwidth triangulating their users. Also satellite-based triangulation would be much harder and less accurate, and if you use your own directional antenna and sat-tracking mount, you can avoid this altogether. Until they start installing phased array antennas or something.
-Finding a provider that doesn't sell your data to third parties. Probably the hardest of all, and you have to rely on their word.
It used to be possible to buy prepaid SIM cards with cash and not have to provide any identification. AFAIK, this isn't possible anymore. Does anyone know for sure?
If it's happening at the carrier level (triangulation via towers) there's zero you can do at the client (your phone) besides stop transmission by turning it off or placing it in a faraday cage.
It sounds like GPS units are also involved: tower triangulation is inaccurate so by carrying a phone that has no GPS you would be able to claw back a few meters.
Out of all the solutions suggested - this is the most practical. This would actually fix the problem at hand. Make it illegal for them to either obtain and/or sell this data.
There is a reason that pagers are popular with drug dealers...
Assuming that you can actually get pager service where you are... Then you only get tracked when your phone goes hot and you access the network to return a call.
This occurred to me. It solves part of the problem, in that your phone number isn't tied to a physical location anymore. But it creates a new problem in that you don't actually have a cellular connection.
Carrier IQ was far more invasive than just location. Their "Experience Manager" was supposedly tracking every app launch, time spent in that app, metrics on key & button presses within that app, and other misc interactions.
They got accused of being a "keylogger" which they rightly said they weren't, but that ignores how invasive and creepy Experience Manager was (is?). Their whole argument was that carriers can use this app data to see what apps are draining battery, which is kind of bs since carriers are in no position to resolve battery issues or advise customers.
The reality is that carriers wanted more information on how customers were using their devices, Carrier IQ provided that raw data, and both got rich. They survived the scandal because the critics focused on keylogging, instead of the highly invasive usage analytics which it really was.
Not really "valid arguments" but differing opinions. If you are fine with closed systems and surveillance states then everything RMS says against these systems will sound wrong to you.
Yeah him and every tin foil hat guy have been ranting about this for years. Doesn't make it not true, but RMS? Really? That guys is a certifiable nut job and we would all do well to let him lapse into the dust of history.
It's so strange--I never would have expected the boot of tyranny to come from private corporations, but here we are. And what all this proves is that technology is value-neutral and can wipe us all out, or just make us incredibly miserable, if we let it.
Hopefully there will be a way to opt out. Otherwise, I should start selling faraday bags for devices. Probably should anyways.
This tracking abomination is an emergent phenomenon of the merger of private industry and government in the US. See for example both legalized bribery (a.k.a. unlimited campaign contributions by corporations thanks to Citizens United) and outright bribery (Cohen) by telecoms like AT&T, ensuring that they will have the flexibility to perpetrate such garbage as this tracking data sale.
Why not distrust both government and industry? The rule "power corrupts" holds in either case.
I think it depends a lot on the kind of capitalism you have. There's what I think of as small-business capitalism, where business owners in a community naturally take the community's interest into account because that's where they live.
I think that's distinct from American MBA capitalism, which is the increase-shareholder-value, up-and-to-the-right, maximize-short-term-cash-gains kind.
The former is positive-sum, the latter can easily be negative sum. And I think the latter, because it doesn't include any humanity in its calculus, is perfectly capable of profitable tyrrany.
Go read some history. Power is Power, and will wear any damned guise it wants.
Corporations, criminals, monarchies, democracies, Fascists, Communists, Catholics, Protestants, Jews, Muslims, Hindus, Confucists, Goths, Huns, Romams, Macedonians, Persians, Greeks, Trojans, Hittites, Israelites, etc., etc., etc., have slaughtered, sacked, enslaved, oppressed, or dehumanised others, all in the name of temporary gain.
The British East India company had armies. Wyoming cattlemen funded a mercenary army in the Johnson Count War. Coal wars in Apallachia and Colorado. U.S. Steel, Standard Oil, the Pullman Company, the L.A. Times, Union Carbide in Bhopal, oil companies throughout the US, Middle-east, Indonesia, and Africa. Fruit companies in Latin America. Sugar, tobacco, and cotton plantations. Coal mines in Wales. The Kochs today.
Somebody hears you. you know that. you know that.
Somebody hears you. you know that inside.
Someone is learning the colors of all your moods, to
(say just the right thing and) show that you’re understood.
Here you’re known.
Leave your life open. you don’t have. you don’t have.
Leave your life open. you don’t have to hide.
Someone is gathering every crumb you drop, these
(mindless decisions and) moments you long forgot.
Keep them all.
Let our formulas find your soul.
We’ll divine your artesian source (in your mind),
Marshal feed and force (our machines will)
To design you a perfect love—
Or (better still) a perfect lust.
O how glorious, glorious: a brand new need is born.
Now we possess you. you’ll own that. you’ll own that.
Now we possess you. you’ll own that in time.
Now we will build you an endlessly upward world,
(reach in your pocket) embrace you for all you’re worth.
"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say,"
I’m shocked that anyone is shocked about this! Transportation departments have been buying this data since the late 90s.
More creepy are the planning solutions for commercial development. You can buy datasets that will tell you the average income of drivers on larger highways in hourly buckets.
I've just started using Signal and was surprised by how good the call quality is. For those that aren't aware, Signal calls are encrypted, so you effectively give nothing to the cell carrier when you make a call through it (except that you used some data).
Unless I misunderstood, this has nothing to do with what apps you use to communicate. It has to do with connecting to the cellular network at all. I think the only way around this would be to run airplane mode with wifi only, and then taking lots of steps to keep your wifi use private too.
While it is true that Signal's call quality is great, this doesn't seem relevant to the fact that cell providers can track you regardless of what apps you use.
Throwaway account.
I work in location / mapping / geo. Some of us have been waiting for this to blow (which it hasn't yet). The public has zero idea how much personal location data is available.
It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.
This is then usually (but not always) "anonymized" by cutting it in to ~5 second chunks. It's easy to put it back together again. We can figure out everything about your day from when you wake up to where you go to when you sleep.
This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.
Almost every web/smartphone mapping company is doing it, so is almost everyone that tracks you for some service - "turn the lights on when I get home". The web mapping companies and those that provide SDKs for "free". It's a monetization model for apps which don't need location. That's why Apple is trying hard to restrict it without scaring off consumers.
I can confirm this is happening, I designed some of the analysis systems used. Contrary to what many people assume, this is not just a US thing. It is done throughout the industrialized world to varying degrees, including countries where most people believe privacy protections disallow such activity. Governments tacitly support it because they've found these capabilities immensely useful for their own purposes.
> for their own purposes
Such as?
If this also happens in the EU and is as blatant as you say it is and with GDPR and all, surely this is just waiting to blow up?
14 replies →
You and op work for companies you seem to fundamentally disagree with. Can you say why you don’t leave? Asking not out of judgment but to understand.
3 replies →
I am a journalist and want to know more about how hedge funds use/abuse this. Please get in touch if you have first-hand knowledge: fbajak@ap.org.
I am a journalist and would like to know more. Reach me at sfrancisbjr@gmail.com if you can help.
Do you feel guilt over creating them?
49 replies →
Thank you for your contributions in making the world a little more shitty! /s
1 reply →
I'm in the space as well. I've tried telling my congressmen but they ignore me. I'm waiting for the backlash, especially will all the recent privacy issues. It hasn't happened yet and the problem is so large that I honestly doubt whether the public will ever truly grasp what the scope.
The advice I always give when this topic comes up us to be very careful with what you install on your phone. The least expensive mobile location data tends to come from random apps collecting the data to sell it, and ad networks. Permission to use your GPS is permission to track you until you uninstall the app.
If you're willing to have your name attached to this, if / when it does finally blow up, please make an effort to talk to news organizations about who and when you initially reached out to congress people.
If you're not comfortable with your name being publicly attached, at least give news orgs the information and request confidentiality.
Part of the reason congress people can punt is that the cost of inaction < cost of action before it penetrates media.
A big part of shifting that equation is starting to publicize "You had all the information available now on X date and did nothing" as loudly as possible. Naming and shaming has been healthy for vulnerability disclosure.
Are you able to send them a copy of their individual location data, or the location data of their staffers/friends/family? That might make for a potent wake up call. Though, you'd want to run that by an attorney first.
7 replies →
If you have hard evidence, forward it to the journalist or newspaper that broke a similar recent story, or whose reporting of that story you respected.
Maybe you can find a journalist you respect for their reporting on Cambridge Analytica, the Paradise Papers, Edward Snowden and so on?
2 replies →
that's only the low end. app gps usage shows up on the UI.
the article discusses when the ISP/telco sells the data that you have zero visibility on. there's no way to get around this.
btw, apple and google ad spyware process (google play service) will collect gps and wifi data without any user visible UI, not to mention download ads in the background.
1 reply →
Thanks for the tip. I've made a habit of turning off location services on Android once I'm done using navigation (Waze), do you know if this sufficiently blocks all background tracking for apps I've consented to allow GPS location tracking? Thanks.
1 reply →
What about a state senator or representative? Could your state start enacting a privacy framework, that would apply to businesses that wanted to do business in your state? Sort of like California emissions for cars.
Can you name and shame the congressmen that ignore you?
Or can you make a tip to one of the newspapers? Given the facebook privacy news saga this might get picked up.
2 replies →
Talk to a congressperson who knows about cyber like Ron Wyden.
5 replies →
>It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.
so what's the flow here? is it something like this?: phone gps -> manufacturer installed crapware app -> crapware server -> (various third parties)
wouldn't this be mitigated if you use a custom ROM like lineageos?
some of crapware can be avoided by using custom ROMs, but not all of it. For example: Qualcomm IZat location services and other location-based trustzone applets remain running even on custom ROMs.
34 replies →
For those who want to try out LocationSmart, you can use it here: https://www.locationsmart.com/try/
They were about two blocks off, and located me by cell tower. Apparently they don't have (or at least don't admit to having) A-GPS level data for me.
Tested and same result.
I have a strong suspicion that it intentionally places you some distance from where it knows you actually are. Unless there is some underlying reason why it would never be 100% accurate -- I've seen dozens of people post their results and every time it's 1-300 meters off.
And it's not just "no one tests while under the cell tower" because the location it gave me was 150 meters in the opposite direction of the cell tower that I can see out my window. And the location it gave was smack in the middle of a neighborhood I know well and know to be free of cell towers. Or I'm just paranoid.
4 replies →
I'm somewhat weary. This might be the final missing piece to connect your mobile phone number to your mobile browser user agent, or even worse, your desktop browser agent.
5 replies →
Just tried it and was pretty accurate for me as well. How is it even legal for our cell phone providers to sell this data...?
2 replies →
Can you post the SMS opt-in message you received? Curious as to whether this is exploitable as well
2 replies →
mine was 4.5 miles off
I'm a journalist interested in learning more. Please reach out. Will keep confidential. adam.satariano@nytimes.com
^^^ this is what to do if you've got info relevant
if you want to get it to blow up then (based on past experience of what seems to catch regulator/legislator interest) I'd say that someone tracking the locations of a load of politicians for a while, finding things of interest about places they've visited and then publishing on a news outlet would do the job.
Your approach starts off by making the very politicians that you want to help you extremely pissed off at you.
More effective would be to track a few key politicians, such as those on the committees that would deal with regulating these things, and also a few reporters who have agreed beforehand to participate.
Then the tracking on the politicians is turned over to the politicians, but NOT made public. The reporters write stories about this, illustrating the tracking detail by publishing what it showed about them.
This approach gets the news out to the public, personally shows the key politicians the scope of the issue (and that they are vulnerable too), and lets the public know that the politicians have seen proof of how serious the issue is so that the politicians know that they need to get to work on this because their opponents come the next election will certainly be gearing up to use it as an issue if they do not.
2 replies →
Will it blow up, even if the public is aware?
When Snowden revealed the extent of NSA activities, it caused a momentary uproar but the people moved on pretty quickly after that. As far as I know (and let me know if I am wrong!!), there was no fallout for the government, and business continues as before.
So I am not sure if people will care this time either.
4 replies →
Malta Spitz (German politician) did this to himself in 2010: http://www.dw.com/en/german-politician-reveals-six-months-of...
Good way to loose your job very quickly. I don't think we should have to rely on somebody sacrificing themselves to make a difference.
12 replies →
And how can I buy this realtime data? Also
> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.
Any articles/webpages about this one? Or a company name who is doing it?
Pinsight is a big one.
But there are too many to name. In 2018, you should assume that any free service (Unroll.me), web/mobile SDK (Slice), email client (Airmail), personal finance tracker (Mint), integration API (Plaid), geolocator (Foursquare), etc is monetized by selling your data en masse for market research.
It's not just location data. Dig into the TOS of free services you use. It's your receipts, your transactions, your subscriptions...all are "anonymized" to varying degrees of success. Even Meraki, the network router/switch company, sells location data.[1]
____________________________________________
1. https://meraki.cisco.com/technologies/location-analytics
8 replies →
Any company that sells you access to ad real-time bidding. You connect to a event fire-hose that gives you a nice standardized json for each ad target, with plenty of data about the user (including geolocation), and you choose whether to bid or not on each ad, in realtime.
It is an open standard:
https://www.iab.com/guidelines/real-time-bidding-rtb-project...
5 replies →
Advan, Reveal Mobile, QuestMobile, Pinsight, Streetlight Data, RootMetrics, OpenSignal, SafeGraph are a few of the companies selling various forms of mobile user location data.
Most funds actively try to stay out of the media. For some it's a core strategy.
( "Out of sight, out of mind" )
2 replies →
>> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.
> Any articles/webpages about this one? Or a company name who is doing it?
Foursquare does it, there were some articles last year about how they pivoted to providing that data. They were able to accurately predict Chipotle customer declines after their food contamination scandals.
I'm not sure if they use this carrier location data, or just the data from the people who are still using their app.
Edit: here's one: https://www.washingtonpost.com/news/innovations/wp/2016/04/2...
> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.
I initially thought this was too far fetched but then I started duckduckgoing* and found this: https://www.fnlondon.com/articles/regulators-campaigners-sou...
* If 'googling' is a verb, why not this.
I read just recently that one of Foursquares biggest revenue slices is selling their users check in data to hedge funds. On a previous HN post, one commenter claimed the app Robinhood sells their order flow through clearing houses, which the net result is hedge funds and other such firms trade off of — under the assumption that Robinhood investors are emotional rather than educated.
Hedge funds in general seem like a major consumer of retail data, which makes sense. Home Depot just announced earnings: imagine if you knew exactly how many people went into Home Depot, walked out empty handed, and then went to Lowe’s... how you could profit off that data in the market.
Is this happening with iPhone as well, or primarily android due to the third party nature of the hardware?
The problem is once it's at the cell carrier level it doesn't even matter if you use a dumb phone. They know roughly where you are based on tower triangulation.
46 replies →
It's android for the hardware manufacturers and OS crapware getting location data.
For iOS, assume every app using your location is selling the data. That means every app using a map or location smoothing SDK (GPS jumps around, there are services to smooth it out), since the map SDK providers (and there's not many) are selling your data even if the app itself isn't.
Google, Apple, Microsoft etc are pretty careful for good reason. Anyone below that is probably selling it.
3 replies →
The original article seems to be saying that the carriers track and sell phone location by cell triangulation ("less accurate than using GPS, but cell tower data won't drain a phone battery"). This is less accurate, as seen by the example of "within a city block."
The parent comment seems to be saying that the OS and apps use the internal GPS data to get a much more accurate location, which is then freely transmitted somehow and shared and sold. My question is to clarify that this more accurate data, needed to enable the "walk into specific store" scenario, can only be obtained via data (eg 3G, LTE, or wifi)?
Therefore not buying a data plan or turning off cellular data manually should prevent the GPS-accuracy tracking, but the only way to prevent the less accurate cell-tower tracking is to use a faraday cage.
Or just turn off location services when you’re not using them.
Turning off Google Now & location services will radically improve battery life on standby.
3 replies →
Allow me to ask some questions :)
> It's not just your cell carrier
No reason to think this is only US right?
> cell phone chip manufacturer, GPS chip manufacturer
How & when is this transmitted and what other data apart from lat & long?
> pretty much anyone on the installed OS [...] is getting a copy of your location data
You mean the devs of whatever app is installed on the phone? The outgoing data should be visible in things like Charles proxy, right?
Is this analogous to FB data being available to any dev that gets permission to access your profile?
> It's normal to track hundreds of millions of people a day and trade stocks based on where they go
Whaaa ... ? Do explain, fascinating.
Can this all be mitigated by those smartphones-hardened-for-criminals type devices?
> Whaaa ... ? Do explain, fascinating.
The stock trading I've heard of, and even seen news articles about before.
Location tracking lets stock traders know how well a store is doing well before public results are announced. If foot traffic is down at a store, time to sell off (or short) the stock before it becomes publicly known.
Defense contractors have been using this capability for competitive intelligence for the last few years. Namely performing surveillance of contractors both internal and external to their company. Private investigators are using the same capability for similar purposes, especially for litigation support. “How” is never required to be revealed in court because the primary purpose is to find information that will “encourage” the other party to not go to court. If there was a way to audit queries/lookups performed against specific telephone numbers I think a lot of people would be shocked.
This is a problem with the GSM/UMTS standards themselves. Carriers always know where you are, but one could create a standard where they wouldn't have to know unless you make a call. With enough encryption and effort, I'm pretty sure one could even create a standard where carriers would never know where you are, even while you are using services.
Would not it be easier to ban anyone from using this location data for anything except explicitly permitted by law? The problem is not with standards, the problem is with people.
8 replies →
How does one determine which tower to route an incoming call through, in your model? How could roaming work?
Spoiler: I don’t think doing what you are describing is feasible.
14 replies →
> where they wouldn't have to know unless you make a call
Presumably this is actually "unless you make a call or use data"?
They have to know your location if you want to receive a call.
7 replies →
How can one prevent this and still carry a cell phone? Would keeping one's phone in a faraday bag defeat this constant tracking?
I don't think it's possible through technological means to avoid being tracked and still use a wireless network. Even if you could anonymously authenticate to the network, if the base stations have a large number of antennas then they can locate the physical origin of your signal and track you that way.
It may be possible of course through other means, like government regulation or only using carriers that have some guarantee of privacy.
2 replies →
A good start would be using a prepaid mobile phone (paid with cash, via an intermediary to avoid appearing on store CCTV), plus using phone apps that are not tied to your real identity. A Faraday bag for the phone when it's not in use.
Honestly, it just depends on how paranoid you want to get, and who your adversary is.
6 replies →
Yes, electrostatic shielding will stop the signal, which will also prevent incoming calls/msgs/etc.
Taking the battery out?
Switch to flight mode.
2 replies →
Yes. But switching off location will probably do it too.
6 replies →
okay, so, to cut to the chase here: how do we disrupt or destroy the companies doing this?
it isn't acceptable that they are taking advantage of us in this way.
we can't expect any political solution to the problem, which leaves us to pursue other means if we want to protect ourselves.
is there a way to introduce fake data or noise? what about opting out?
is there a law being broken here that we can make into a lawsuit? i wonder if there is a precedent regarding restraining orders or unwanted surveillance by private entities...
> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.
Honestly, this is the least bothersome part of the whole thing. The only problem is that there's no way I trust anyone involved to properly anonymize and secure the data in question.
I agree some of this is happening but some things don't add up.
Is there a huge delay in this data? Because why don't law agencies use it to find criminals? Like I have 2 crimes at these two locations. Who was around these 2 locations at these times etc.
But if hedge funds are trading on it, they need very low latencies?
> But if hedge funds are trading on it, they need very low latencies?
Not quite. Hedge funds aren't trading real time on this data. They use this data to essentially figure out how a business is doing before they announce that information. Essentially, if x% of our data went to Chipotle in 2016 and y% went in 2017, and y >> x, then we expect Chipotle's earnings to be higher.
You might be confusing hedge funds in general with the strategy of high frequency trading. Not all funds trade at high frequency.
Law agencies are using it, with some controversy:
https://www.wral.com/Raleigh-police-search-google-location-h...
RE: "That's why Apple is trying hard to restrict it without scaring off consumers" Don't you understand why Apple V-2 (the one who works for shareholders, not users as Apple V-1 did) is trying to restrict APPs from selling your information? Its because they are competing with Apple, who is trying to sell the same information for maximum revenue. Everything at Apple V-2 is driven by greed and profit. If looking good publicly is needed to generate sales, they'll also try to do that. But what happens behind closed doors doesn't necessarily match the promoted image. (yes I'm cynical. I've been around long enough to recognize the BS happening).
Making a cell phone out of a pi with a sim card and gps daughter board is sounding less and less crazy each day. Really looking forward to when the librem phone starts shipping. I wonder if they've really been thorough enough vetting hardware for those bare-metal security issues.
This is at once staggering and completely unsurprising that companies would violate user trust in such a way and sell data without proper vetting that exploits people and could potentially put them in danger. Yet another episode in the misadventures of techno-illiterate regulation and totally unread TOS agreements.
Even a RPI won't help you unless you can build all of the software for the microprocessors which drive the wireless stack. Even then, vendors (e.g. Qualcomm) will already have their software on the chip when you get it.
A completely open spec, open source set of components is what the community has desired for a long time. As standards get more complex and evolve faster, 4G and beyond, it becomes less possible to keep up in the open.
1 reply →
And the complicit employees letting them get away with it.
I am a journalist and want to know more about how hedge funds use/abuse this. Please get in touch if you have first-hand knowledge: fbajak@ap.org.
How much of this data is archived and searchable?
Most of the descriptions of the service so far indicate a real time or near real time feed. I'm curious if it's possible to go take a phone number and ask "give me location data for this person around xx:xx at yyyy-mm-dd."
Isn't this covered under CPNI [1]? Something that consumers can opt out?
[1] https://www.wikiwand.com/en/Customer_proprietary_network_inf...
Wow, thanks sharing. Does it make a difference if I use an Android phone vs the iPhone?
These days it seems like you need to remove all the batteries from your phone/smartwatch/assorted botnet devices to get any sort of privacy.
And then you'd still have a half dozen CCTV cameras on you.
I am a journalist for a major news organization and would like to know specifics about hedge funds and the like and how they use this data. Reach me at sfrancisbjr@gmail.com
What specific data about the person is traded alongside their location history in the... schemes that you describe? (name? Some govt ID number? Phone number? Address? ....)
>Almost every web/smartphone mapping company is doing it
Are you aware of any device vendors and/or providers that aren't doing this?
Likewise ISPs are selling sensitive DNS data like crazy and most users probably think the green lock keeps them safe from that.
> That's why Apple is trying hard to restrict it without scaring off consumers.
Do you have any details on this?
No, that is an entirely different matter regarding far more precise location information.
I am a journalist and would like to know more. Reach me at sfrancisbjr@gmail.com if you can help.
I'm a journalist and would like to know more. Please contact me at fbajak@ap.org
Ah yes I've personally seen this while working at an OEM. There are a lot of other insane things happening on a phone like CIQ. FYI, listening to users via microphone is one thing that actually does not happen.
Is it this bad in other countries too? Or just U.S?
The article mentions Canadian carriers too.
i’m not quite following. are you saying that individual,identifiable location data is being collected and sold?
It's funny that this is coming up now. The other day I was on the phone with Geico's roadside assistance and they wanted to know my location. I told them I didn't have their app downloaded, they said it wasn't a problem and they could get it without it. Sure enough they could. I checked their disclaimers [1] and they purchase the data from my cell carrier. They didn't even have to know which one.
[1] https://www.geico.com/web-and-mobile/mobile-apps/roadside-as... (see disclaimers at the bottom)
Wow. The fact that they can just get this with "oral approval" (relayed by them to your carrier) is shocking to me. This is ridiculous.
The other respondents to this message more or less have it right.
The way this stuff works is that when GEICO signed the deal to get access to this, they pinky-swore in a contract to only use the data certain ways.
Often, the representatives on both sides of such transactions even have a wink-wink nod-nod deal going which is different from what the contract materially represents.
Importantly, these contracts virtually always avoid talking about mechanisms for tracking such usage, auditing such usage, and even any remedies for violations (beyond discontinuing the service access - and then only if it's egregious).
You'd be amazed how much in the telecom world is handshake and contractual with no technological enforcement and often neither side of these agreements are incentivized to enforce the terms laid out.
The parts of these agreements that are solid is how transactions, events, etc are measured and what these cost and who pays and how. Shocking, that.
2 replies →
They don't need oral approval or any approval. GEICO is only asking so that their customers won't freak out when GEICO magically knows where they are. The customer service rep probably had the data up on their screen already when they asked.
8 replies →
I believe the relevant T-Mobile privacy policy (that I definitely read before signing up...) is:
"With your consent. We may provide location-based services or provide third parties with access to your approximate location to provide services to you." https://www.t-mobile.com/company/website/privacypolicy.aspx
That is why a text message confirmation is required to get a cell phone's location from https://www.locationsmart.com/try/
For those on T-Mobile, there are privacy settings that can be adjusted here: https://my.t-mobile.com/profile/privacy_notifications/advert... I already had all of them disabled, and I was still able to get the location of my cell phone from LocationSmart.
I chatted with T-Mobile support yesterday to see if I could opt-out of them sharing my data. Not surprisingly, the support agent was less than helpful. "Don't worry, your data is secured"
Are there any US carriers that respect privacy and do not share private information with 3rd parties? Or is that a pipe dream?
I think the ACLU did a report a while back and Cricket Wireless was the best largeish cell phone provider.
Provider comparison: https://privacysos.org/blog/how-long-does-my-phone-company-s...
Study details: https://privacysos.org/blog/att-stores-either-five-or-twenty...
Cricket's Privacy Policy looks much better than T-Mobile's or Google Fi's:
"We will not sell your personal information to anyone, for any purpose. Period." https://www.cricketwireless.com/privacy
But they also say that they may share personal information (which may include location??) to 3rd parties with user "consent":
"Do you share my Personal Information with other companies for them to market to me?
We may share your Personal Information with AT&T and other AT&T affiliates for a variety of purpose, including so that they can market products and services to you. Except for AT&T and other AT&T affiliates, we will not share your Personal Information with other companies for them to use for the marketing of their own products and services without your consent."
Can someone with Cricket Wireless see if LocationSmart has access to their location https://www.locationsmart.com/try/ ?
4 replies →
Did T-Mobile have a breach recently? I got malware on one of my machines a year or so back and had to change my passwords everywhere, and T-Mobile was one of the two sites that was so assed-up I couldn't actually change it. I clicked your privacy link earlier and had to go through two separate SMS verifications and change my password because they said it was "old".
Well, the locationsmart fails completely on my Google fi phone.
Switching from T-Mobile to Google Fi might be jumping out of the frying pan and into the fire ;)
The Google Fi Terms of Service says they are collecting location data:
"When your device is turned on or when you use the Services, we may collect and process information about your actual location. This may include information about your current activity (e.g., driving, running, walking, etc.), which lets us know when you may be moving between different mobile and Wi-Fi networks." https://fi.google.com/about/tos/#project-fi-privacy-notice
I'm okay with Google collecting location information, insofar as they only use it to provide cell service, and not for advertising and don't provide it to 3rd parties. Unfortunately, their Privacy Policy states that they can use it for advertising:
"We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads ." https://policies.google.com/privacy?hl=en&gl=us#infouse
And they can provide it to 3rd parties. Note that they require "consent", just like T-Mobile's privacy policy:
"We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so." https://policies.google.com/privacy?hl=en&gl=us#nosharing
So even if they are not currently providing information to LocationSmart, according to my understanding of their privacy policy, they are able to.
Are you using your Google Voice number? Fi numbers are GV and in cloud.
Somewhere in your sim/about under settings you can find your underlying phone numbers for Sprint/TMO that you can look up.
2 replies →
I'm on Project Fi and it worked for my phone.
1 reply →
Well, now it works on my phone as well. I wonder if it is only when on/near my work campus. I was outside but they do have some repeaters for some carriers. (I often get a message saying my carrier has "disabled voice services" when on campus)
... well now I'm wondering if I should have stuck w/ my Pixel + Fi instead of the S9 + T-Mobile plan I signed up for today. Whoops.
1 reply →
I imagine Google wants sole access to your location.
> Kevin Bankston, director of New America's Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government.
It seems like intelligence services spend a lot of their time dreaming up ways to do an end-run around the law. This is the same reason US intelligence does partnerships with foreign intelligence services.
I'd rather them try to do end-runs around the law than run it up the gut... (If I had to choose)
Just think of how amazing the museum will be for your great grandkids when we completely dismantle them when, inevitably, their stated mission goals supersede common sense and a responsible relationship to the American public.
2 replies →
False dichotomy. There are a million choices.
What if they were simply held to a higher standard and not allowed to operate with practical impunity?
Carriers have been providing these services to 3rd party providers since at least 2006
https://www.theguardian.com/technology/2006/feb/01/news.g2
A few points to note:
* Obtaining consent is entirely left to the provider to implement. It does not appear to have any auditing. A provider can query any number they like.
* The opt-in process used by many providers is easy to exploit, by spoofing SMS replies or abusing the SMS template so that the surveillance target does not get notified
* The providers have are well aware of the potential to exploit this and have been for some time. It has never been resolved in over 10 years.
I just discovered this treasure trove from the UK house of commons in 2006
https://publications.parliament.uk/pa/cm200506/cmhansrd/vo06...
"To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person's mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies' current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker's website has recently published information telling how to spoof consent without even having to have temporary possession of the target's phone; all that is needed is the number. If someone has a person's number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers."
Is it even considered an exploit?
It's a cell carrier providing data about the radio communications between hardware they own and someone else. At a moral level, seems somewhat equivalent to a web server providing data about clients that access the server.
To opt out, stop using some third-party corporation's owned hardware to route your communications near lightspeed around the world. Hey, the Amish communities may have something in their overall philosophy of "Don't be beholden to strangers who aren't part of your community."
I'm not clear if you missed the point here? This isn't aggregate data, it's obtaining the location of a specific individual just by knowing their phone number. It can be done without their knowledge or consent.
By your webserver analogy, the equivalent would be more akin to google publishing the contact details and search queries of anyone using the service.
I am starting to wonder what all have I consented to? Every week I learn I have consented to this and that because of a news article as I never read those contracts or TOS. I wonder if there will be a way to phrase long contracts into bullet list of ideas for someone simple minded like me in the near future.
Terms of Service; Didn't Read (https://tosdr.org)
TOSBack, the gitified version (https://tosback.org)
A new version of ToS;DR is also in development: https://github.com/tosdr/phoenix
One of the things that GDPR requires is real informed consent, small print hidden inside a thirty-page EULA is not acceptable.
And unlike some of the recent proposals in the U.S., it's generalized to all industries.
You would need 76 work days per year to keep up with reading all of your TOS
http://techland.time.com/2012/03/06/youd-need-76-work-days-t...
And that was 6 years ago. I'd imagine it's quite a bit worse now.
Is that possible? Yes, but it's not in their interest to do.
Maybe by some 3rd party then? Maybe an application of all the fancy natural language processing or some other ML. I visit the site, paste the TOS or maybe there is a list of TOS that has been translated and i get a nice gist.
1 reply →
I was aware the cell phone companies were selling anonymized data for some time (not revealing the numbers and adding some jitter to the location data to avoid identifying users).
This is the first I’m hearing that they’re releasing detailed personal tracking by phone number. When I sat in on a recent presentation with Verizon execs they flat out said they were not doing this. Oops.
The worst part is there isn't any possible way I know of to defend yourself against this other than not having a phone.
A while ago I thought of a very neat 'future job': you walk around town with somebody else's phone. So if you 'need to be' somewhere, you just hire this service, deliver your phone, which will be returned to you, and there goes your track record.
That's fairly easily detectable through analysis, though.
2 replies →
yeah but... then the customer doesn't have their phone
I need my phone, especially when I'm out
1 reply →
I'm hoping the Librem 5 succeeds. I think disabling the baseband would be a solve and at least slightly more trustworthy than airplane mode.
Right now I think you're right, there's no defending against it without turning off devices.
> more trustworthy than airplane mode
All airplane mode does is turn of transmitters. There is no reason that the firmware should stop caching GPS data for later transmission
That probably won't do much for you in many urban areas in many countries. Municipalities are routinely maintaining data captured from license-plate scanners and some cities now have CCTV networks with facial recognition software. So unless you don't drive and walk around with a new rubber mask on every day you are still subject to the panopticon.
Most businesses these days have some kind of camera system for security, it won't be too long now before someone starts buying these video feeds from say Starbucks, etc. running recognition AI on them, tagging individuals, and selling this aggregated location data, maybe even realtime. At the moment, I don't think this would even violate any privacy laws.
>So unless you don't drive and walk around with a new rubber mask on every day you are still subject to the panopticon.
Gotta invent that Scramble Suit!
What about a decentralized networks over 802.11?
It wouldn’t be a total solution, because access points get hacked, etc. but it would make the data a lot fuzzier.
The reason that cell phone networks actually work (they're effectively decentralized networks) is that they pay the big bucks to rent space on high towers, building roofs, etc.
The only thing that matters for radio communications is line of sight. The only thing that gives you line of sight is relative height. The only thing that gives you consistent height is money.
5 replies →
Until/unless they modify the law - turning off your phone thwarts it. While your phone is powered off, it has no ability to track & record your location movements. Obviously your active location will then be picked back up after you power it on, it won't have a record of anything inbetween.
A simple example of limiting the invasiveness using this approach, would be to have your phone on only at work & home, or similar. In absence of phone snooping, someone can already easily locate you at those two standard destinations, and can easily discover when you'd typically be at those places (ie you're not giving them much by using your phone there under normal circumstances).
So, use Google voice or setup your own w/ Twilio (try all numbers), and have a work cellphone and a home cellphone, a one-way pager (for when you are traveling), and another travel phone without a battery that you would use if necessary, based on the pager message?
Does turning the phone off actually turn the baseband off though?
How could we possibly tell?
While unreliable it wouldn't be unrealistic to use wifi in densely populated areas. It looks like the pager industry is still alive, too.
Most wifi hotspots have location information anyway, so your phone will know where it is, and then one of the many apps on your phone can report back with that information.
And isn't a pager just a really simple cell phone? I'm not sure how that's a solution if cell towers can triangulate your position.
4 replies →
I wonder if even an old iPod Touch withought a cellular chip would actually be a useful decice for this kind of wi-fi-only connectivity.
You still can't be sure. Your car may contain a SIM card nowadays, always connected, for your protection, sure thing.
The most obvious use of the data appears to be by credit card companies to detect fraudulent use of a card and decline those transactions. This is something I'm relatively comfortable with, though it's plainly in the interests of the bank and I only indirectly benefit from the tracking.
The most obvious use is insurance companies looking for excuses to deny claims.
Or maybe parallel construction used to deny/approve loans. E.g. I can't weight the loan approval negatively specifically bc the person is black, but the GPS information suggests they frequent black areas.
But really every use of this information is highly assymetrical. If they're using it to trade stocks, while regular people are using traditional means, it's an advantage we don't have access to. This is basically the virtual castle walls keeping us peasants out in the fields. Modern feudalism.
As blocking fraudulent claims could remove a reason for my premiums to he higher, I can't say I'm against that.
With the caveat, for course, that people are not always where their phone is so this taken on its own would be circumstantial evidence: one would hope decisions are not made directly based on this information.
7 replies →
Does it bother you that you're being tracked?
Yes, I am greatly bothered by it, especially because I am not aware of the extent that my information is being distributed.
On the one hand, I opt-in to location tracking for apps and services such as Google services, because I genuinely believe that I benefit greatly from location-targeted information. On the other hand, I would opt out of any other location tracking of my cellphone to companies that I do not see the benefit of having. I want fraud-protection and no liability when it comes to fraudulent purchases (opt-in for credit card companies and banks), but I don't want the government/Facebook/retailers/insurers to have this access without permission.
I'm not the person you're asking this question to, but I thought I'd reply anyways.
No, it doesn't really bother me. Why would anyone care that I get up around 7AM on weekdays, drive to work around 9, stay there until 5, and then drive home?
On weekends they will see me going to Target and the grocery store. Sometimes another store. Sometimes I go to visit my family in another city.
I really don't care if people have that information. Many people (not me) post that information freely on Facebook, Instagram, or Twitter.
There are some future situations in which I might care that I am being tracked. If that were the case, it's highly unlikely I would bring a phone with me.
Would I prefer not to be tracked? Probably. Does it bother me that I am being tracked? Nope.
I suspect these views line up with the majority of people in the US.
7 replies →
How do you expect this data to be used in your favor? If there is a technical glitch/human error and your data is intermingled with someone else's, it will be used against you silently and you will have no recourse.
Do baks sell customers location data?
Two related stories:
I went to a recruiting event in 2013, or 14 perhaps, for a major telecom network in Canada. They were proudly showcasing their ability and interest to analyze people's data. I was shocked, so I spoke to the hiring manager:
"You should be concerned about google and Microsoft, they have much more data" he said. They do, but much less sensitive data. And I am paying you! And google gives me free excellent services. You are an expensive oligopoly with not the best customer protection track record.
2. I had a free modem from a major network that came with the internet. I used the modem at another location while I was away. I got charged for my usage! The modem was not just a modem, it was sensing more information to their system. That is how they tracked my usage, if that is the only thing they tracked. Their technical customer service avoided any form of discussion. Cancelled my internet line with them, and using VPN for trackable stuff ever since.
I am seriously considering cancelling my cell phone until their practices changes.
The way I understood it is that the requester of the location is trusted to have gotten consent from the subject of the query. The providers will answer any queries.
So Securus works on the "we're sure our customers are getting consent for their inquiries" presumption. What are the consequences if a company is found to not have gotten consent? Business sense dictates there to be no consequence at all if Securus can avoid it.
The way this should work is that the carriers can get permission to share location data with third-parties. They should not do it without having gotten permission from their customer. But then they probably get that when you sign the contract. Or do they just not mention it?
Carriers are also selling your billing records. They offer a service to return the carrier billing address/name based on the mobile number.
Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).
>Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).
That's terrifying. Do you have a source I can look at for this? It might be time to always-on VPN my phone.
This is even more disconcerting - just out of curiousirty what does this cost?
9c on the high end, under a 1c on the low end (with volume/long term commitment)
Previously discussed yesterday, and again two days before that: https://news.ycombinator.com/item?id=17069459
This is one of the reasons I use a public-facing Twilio number, which forwards to a private number which I never hand out.
This isn't something that people should have to do to opt-out of tracking like this, but it doesn't seem like there are many other reliable options.
If you take that cell phone home with you regularly and don't live in a multi-unit building, it would be relatively trivial to figure out your identity using this data.
Undoubtably. Not a strong protection against doxxing, but might offer some semblance of protection from 'drive-by-lookups'. With a modern smartphone and location services, there's only so much you can do.
Just a heads up: Twilio now offers a metric fuckton of services geared towards SIM-enabled IoT. You can order SIM cards by the pile and then bind them to a Twilio number by activating it in the UI (or via API). So now instead of (or in addition to) simply forwarding traffic from garbage numbers to your real number, you can get Twilio numbers that are registered on T-Mobile's network via an actual SIM card, making it much easier to send from your Twilio number than it used to be without it bound to a SIM card. Fairly good price, too. Unfortunately, I'm not sure what happened to Twilio's API as it's now as opaque and awkward as any AWS API (almost as though someone on Twilio's engineering team made the decision to model their API after the way AWS builds their APIs), but the services they offer are as compelling as they always were. I'd give Twilio a solid D for what the API has turned into, but A+ for service innovation.
Last time I checked the data price for twilio sim was not good for daily use. Far cheaper to use something like Google Fi and a data only sim.
1 reply →
Service Meant to Monitor Inmates’ Calls Could Track You, Too https://news.ycombinator.com/item?id=17046632
What if I as an European visit the states? Am I protected by through some agreements with my local provider or even GDPR?
Through FISA, all foreigners are legal monitorable, no matter what.
This is part of how US mass surveillance works. We record everything and if it turns out to be a citizen, we're supposed to throw it out. Of course in reality, it goes to the Parallel Construction Department who uses the information to build a case against someone through other means, knowing the answer in advance.
> Of course in reality, it goes to the Parallel Construction Department
Not the case. US Person Information cannot be queried. You are referring to a practice used against foreign targets to obfuscate methods of surveillance (Reasonable folks can object to this as well of course - my only point is that your portrayal is not accurate).
Why do you assume European carriers do not do the same?
Maybe [1]. I wouldn't count on being protected while outside the EU.
Art. 3 GDPR Territorial scope
Article 3(1) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
Article 3(2)(a) - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or Article 3(2)(b) - the monitoring of their behaviour as far as their behaviour takes place within the Union.
Article 3(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
[1] https://gdpr-info.eu/art-3-gdpr/
Practically you're just going to get extra tracked because you're a foreigner. Also if the articles about TSA borrowing your phone to clone it real quick or forcing you to log into facebook are true, I wouldn't expect them to abide to GDPR.
Does GDPR even protect against this inside the EU?
I doubt you get extraterritorial protection.
I wondered how the spam callers knew what area code I was in while traveling out of state.
I would assume that through clustering analysis (eg coworkers/friends travel together) even fairly coarse position data can allow you to construct relationships. Then they can spam/fish both you end your coworkers with the same fake number. That makes it seem more important to answer and more organic.
A friend of mine just got back from NYC and then received a fake call from an NYC area code. I get several every day from random area codes, and we had to wonder whether it was coincidence or not.
Anyone have a link to jeans with faraday pockets?
Hope you like short battery life and warm pockets.
Found on Google: http://thefaradayproject.com/
Would airplane mode work?
It is implemented below the kernel, nothing you can do in the OS can touch it.
Airplane mode would work, yes. But it only works against the cell provider. The on-phone GPS can still work and sync the data later.
7 replies →
The off button/battery out is a simpler solution. You won't be receiving calls anyway.
Way to disrupt the market for RFID-blocking wallets
Problem is now you can't receive calls.
Many would see that as another plus :) . (I've just received a call from "Scam Likely")
I’d buy a pair.
Another 'fun' implication of this are the increasingly large number of sites that try to obtain your phone number either through SMS messages during account setup, two factor authentication, or any other number of ways. The accounts you have on those sites link directly to your physical presence. Taking it one small step further, any accounts on other sites you have linked to those accounts are similarly effected. Taking it one step even your dynamic IP address at any given moment can end up working as a physical identifier.
The amount of information the NSA has on people is going to be phenomenal. It'd be interesting to be able to glimpse the data just to see how much we all give away. Here's to hoping we never once ever end up putting a 'bad' person in high office because the amount of targeted damage somebody could do with this information is just staggering to even consider.
Does anyone know of a way you can request consent status from your service provider?
Send a letter to their legal department requesting the information.
> the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies
Clearly the US has their priorities completely the wrong way.
Part of the American mythology is that government involvement is always bad. It's hard for me to know if this developed because of the myths of the America Revolution, that a small colony won it alone and not because of external factors, and how much is due to people preaching small government politics. Regardless a distrust of the government seems to be ingrained in the American psyche IMO.
Small government just means localized government.
At a more local level, people have much more influence and ability to change problems that they see. At a more federal level, policy is imposed without localities having much/any influence.
That centralization and imposition of policy that half the country opposes is the reason for the political divide that we see today. If the same policies that we argue about so much were implemented at a state level, people would have the ability vote with their feet.
That doesn’t mean some legislation shouldn’t be federal, but there is a reason that the intention was for federal policy to be overwhelmingly agreed upon rather than forced in along party lines.
1 reply →
Ahaha what? There's no myth that we won it alone. Elementary school texts on the subject lay it out fairly clearly that we did it with the French.
9 replies →
Another part of the American mystique is that every politician is for sale via legal bribery where companies donate to their campaigns and get them to do mostly whatever the company wants, totally contrary to the interests of the public.
4 replies →
It's reasonable and wise to distrust government. What is unreasonable is American blind faith in private industry.
This tracking is a great example of the threat posed by industry to individual citizens.
The term "big business" preceded "big government", and has been far more prevalent.
Big government arose as a response to and check on big business.
https://books.google.com/ngrams/graph?content=big+business%2...
You leave out another option: Americans distrust government because we see it fail us every day. Corruption, police brutality, inefficiency, politician sleaze baggery...
In general corporations provide a much higher quality service than the government in the US.
4 replies →
The clever part is that the government in turn is allowed to purchase data from the other companies.
Also, if a government employee does a lookup in their spare time as a private person out of curiosity, it is ok? Or if they ask their friend to do the lookup?
Why? Releasing the data to the government creates Big Brother. I thought we were all against that?
Now you've created a corporate Big Brother, who is hell bent on pure profits and doesn't even have to answer to you in the elections. Is that better?
9 replies →
Two big brothers: Government and Corporate - lately, in some cases, these brothers have merged.
2 replies →
Contrasted to Palantir, Facebook, cambridge analytica and private firms working for NSA?
Ironically, governments are somewhat still under democratic control... somewhat.
Corporations are completely authoritarian, and by design.
Well, such a release should of course be limited, regulated and with oversight. But I'd argue that at least police should have some possibility to get at customer data, even without opt-in.
Release of privacy-sensitive data to other companies should strictly be by clear customer opt-in, with clear limits on its use. And even some of that should be forbidden for semi-monopolies such as telecom providers.
Releasing the data to corporations creates a different Big Brother.
To corporations, you have no inalienable rights. They're just more things to be bought and sold.
Actually, not true by the defnition of inalienable right: something of which you may be deprived, but no other person may gain.
It is possible to take from you real or chattel property, funds, papers, etc., and give them to another. Your life (though no longer your organs and tissues), your liberty, your happiness, not so.
Those are inalienable in that they cannot exist seperate frome you.
1 reply →
What would stop the government from just getting this stuff from a third-party who has purchased it?
Nothing, that's one reason why these companies exist. Its corporate surveillance
Probably the same above-named act.
2 replies →
I'd say only half the wrong way.
There was mild discontent when the Data Retention laws [1] were being rolled out across the EU in the early 2010s. This was a legal harmonization of existing collection practices for law enforcement purposes. It did receive a lot of press coverage and some small protests (even though in reality the collection was already widespread).
In 2009, Malte Spitz (German Green Party politician) sued his telecom provider for all the information they had stored on him in the last 6 moths. He and others made a good (and spooky) visualization showing how it tracked his entire life [2]. He did a TED talk about it [3], which received a spirited applause and unfortunately minor press coverage.
I think many naively bought the idea that all this detailed data was only for LE (maybe a side effect of all the reporting on the Data Retention Laws?), despite constantly seeing clauses in their EULA's saying their data will be shared with third parties.
----
People only care about these issues once they become evident and widespread, and they personally are affected. I remember the shock my friends had when Google Maps released the location history feature. Up until then, its just a theoretical concern.
Good demonstrations, hard hitting expositions and good press coverage are essential.
----
[1] - https://en.m.wikipedia.org/wiki/Data_retention
[2] - https://www.zeit.de/digital/datenschutz/2011-03/data-protect...
[3] - https://youtu.be/Gv7Y0W0xmYQ
Turns out that Stallman was right.
The individual rights under the Constitution have been deemed, in the U.S., to only apply to government and government institutions.
The private companies are exercising their free market rights, unfettered by inconveniences like privacy rights, and thus can (as per the article and the random65... whistleblower user at the top of this thread at the time of this writing) track behavior and sell the data.
Therefore, does it follow that government canNOT be the buyer of such data? That police departments or the FBI or others cannot access this data?
Is there a Chinese Wall in place to prevent such things from happening. Or...?
> one of the biggest gaps in US privacy law.
Gaps? How about lack of?
https://content.next.westlaw.com/6-502-0467?transitionType=D...
General Laws: Not Applicable.
Sectoral Laws: There is no national law.
----
How outrageous and disgusting that congress can make a big show of questioning facebook over privacy, when they don't have the courage to pass even moderate data privacy laws. How much do you want to bet this location data will be ignored by congress?
I met a high-level executive at Ericsson who told me that he had met with Tim Armstrong (CEO of AOL) could make $5 billion more a year if he had access to location data with <50m accuracy.
So as a private citizen, I can pool some money and get the same level of tracking that American intellignece services have of individual cell hardware?
Sounds like a win for the citizens.
> Cook: What would he do if he were Facebook CEO Mark Zuckerberg? His answer: “I wouldn’t be in this situation.”
Sounds like one of those situations to me...
It's funny to me that this is news to anyone. This has been going on for quite some time - at least the length of my career. For the longest time it was wide open for anyone to access who had an inkling of knowledge about how mobile devices worked.
Did this _never_ come up at defcon or in an issue of 2600? Are people really _that_ focused on web security?
When are we going to wake up and reform privacy laws?! This cannot be the new norm.
Something about this has to be illegal.
Have you heard of our lord and saviour, GDPR?
This article is about the US telecoms
Isn't this covered under CPNI [1]? Something that consumers can opt out?
[1] https://www.wikiwand.com/en/Customer_proprietary_network_inf...
This exploits a vulnerability in the SS7/MAP protocols that power mobile networks worldwide; the cooperation of the carrier isn't even required (even if carriers were against this; bad actors can and will get this data anyway).
You are referring to the command used to request where to route an SMS message, I assume? If so, carriers can (and have been albeit very slowly) restrict this activity so it is less of a free-for-all.
That said, it seems they are intentionally selling this data as well, which is a whole new issue.
After reading this post a couple hours ago, I was able to play around with LocationSmart's API. Indeed seems quite powerful/comprenhensive. As of an hour or so, they took down their try/demo webpage and related open API.
Don't banks use this data when you create an account nowadays too? I just created a capital one account and they were actually pretty transparent that they'd be checking the location of my phone via carrier.
I assume this is how we get real-time road traffic information, is it not?
I tried location smart website said location accuracy was up to 14 miles off. They were really 4 miles off. So not that accurate. If it was 2 blocks like other poster I'd be worried.
It is very tempting to go full "tin foil hat" at this point. I am seriously considering removing my cell battery and powering it up semi hourly to check for messages.
How much do you typically move in 30 minutes?
i havent read all 504 comments, and dont plan to, but this should come as no suprise to anyone, unfortunatly it does. cogress, dc, will not help there is too uch to gain, posting the info in real time of the ones in power, will shine a light on the issue, they will make it look like this has been taken care of-while it continues. the ONLY solution in my opinion its a revolt-against big data/tech, not a boycott, and exodus to DIY open source tech.
Does disabling the location data via the settings make any difference, and is there an app which will turn off location data after a set period?
No, I tried with my number, all location data off. GPS landed right on my house, very room phone was in.
The article mentions banks tracking your credit card usage to detect fraud. Are there known instances of banks reselling this location data?
Has anyone suggested a practical way that people can avoid being tracked? (Aside from Airplane Mode or keeping your phone in a Faraday Cage)
I see a lot of suggestions about reducing or shutting off your signals, but what about boosting them in certain directions? As far as I understand cell tower triangulation, having a stronger signal in one direction might offset your calculated position in that direction. I wouldn't expect that to decrease connectivity, just require special equipment and more battery life.
Interesting concept, although I don't even want my general vicinity to be tracked or shared without my consent.
There's no way to do this without using your own antenna network. Even then, you need encryption just to anonymize your calls, but if you end up talking to people subscribed to the same carriers you're trying to avoid, you can trivially be de-anonymized by timing attacks. So there's no good solution, unless you're willing to turn your calls to voice mail.
More practical solutions would include:
-(physically) Powered off radio unless you want to make a call. A clear drawback is that you can't receive calls.
-Satphones. I'm pretty sure satellite phone providers aren't in this yet. They could be, but my guess is that they wouldn't want to waste bandwidth triangulating their users. Also satellite-based triangulation would be much harder and less accurate, and if you use your own directional antenna and sat-tracking mount, you can avoid this altogether. Until they start installing phased array antennas or something.
-Finding a provider that doesn't sell your data to third parties. Probably the hardest of all, and you have to rely on their word.
It used to be possible to buy prepaid SIM cards with cash and not have to provide any identification. AFAIK, this isn't possible anymore. Does anyone know for sure?
3 replies →
If it's happening at the carrier level (triangulation via towers) there's zero you can do at the client (your phone) besides stop transmission by turning it off or placing it in a faraday cage.
It sounds like GPS units are also involved: tower triangulation is inaccurate so by carrying a phone that has no GPS you would be able to claw back a few meters.
Change the law (don't know if it is practical though).
Out of all the solutions suggested - this is the most practical. This would actually fix the problem at hand. Make it illegal for them to either obtain and/or sell this data.
Don't use a cell phone, I guess.
There is a reason that pagers are popular with drug dealers...
Assuming that you can actually get pager service where you are... Then you only get tracked when your phone goes hot and you access the network to return a call.
Use a service like Twilio or Google Voice.
This occurred to me. It solves part of the problem, in that your phone number isn't tied to a physical location anymore. But it creates a new problem in that you don't actually have a cellular connection.
2 replies →
Once the books are all burned, there will be no more book-burnings.
Isn't this how teralytics.net gets the data it sells?
Isn’t carrier IQ been always doing that?
Carrier IQ was far more invasive than just location. Their "Experience Manager" was supposedly tracking every app launch, time spent in that app, metrics on key & button presses within that app, and other misc interactions.
They got accused of being a "keylogger" which they rightly said they weren't, but that ignores how invasive and creepy Experience Manager was (is?). Their whole argument was that carriers can use this app data to see what apps are draining battery, which is kind of bs since carriers are in no position to resolve battery issues or advise customers.
The reality is that carriers wanted more information on how customers were using their devices, Carrier IQ provided that raw data, and both got rich. They survived the scandal because the critics focused on keylogging, instead of the highly invasive usage analytics which it really was.
We don’t have a problem when google does it ?
You don't have to use a Google powered phone. But the modern economy almost demands you have a cell phone.
1. Whatabboutism.
2. Yes, we do.
https://plus.google.com/104092656004159577193/posts/foKDxbyh...
One of these days, most of you will finally understand just how right RMS was and is...
It's just a shame so many can't see it, and worse, give those of us who do shit.
RMS = Richard Stallman?
Correct
Stallman is not a prophet and there are many valid arguments against his views.
Not really "valid arguments" but differing opinions. If you are fine with closed systems and surveillance states then everything RMS says against these systems will sound wrong to you.
Yeah him and every tin foil hat guy have been ranting about this for years. Doesn't make it not true, but RMS? Really? That guys is a certifiable nut job and we would all do well to let him lapse into the dust of history.
It's so strange--I never would have expected the boot of tyranny to come from private corporations, but here we are. And what all this proves is that technology is value-neutral and can wipe us all out, or just make us incredibly miserable, if we let it.
Hopefully there will be a way to opt out. Otherwise, I should start selling faraday bags for devices. Probably should anyways.
This tracking abomination is an emergent phenomenon of the merger of private industry and government in the US. See for example both legalized bribery (a.k.a. unlimited campaign contributions by corporations thanks to Citizens United) and outright bribery (Cohen) by telecoms like AT&T, ensuring that they will have the flexibility to perpetrate such garbage as this tracking data sale.
Why not distrust both government and industry? The rule "power corrupts" holds in either case.
Are you saying AT&T bribed Cohen in order to have the Justice Dept. sue AT&T over its acquisition with Time Warner?
1 reply →
Alright, but distrusting all parties doesn't suggest a way forward.
5 replies →
Why wouldn't you have expected that?
I think it depends a lot on the kind of capitalism you have. There's what I think of as small-business capitalism, where business owners in a community naturally take the community's interest into account because that's where they live.
I think that's distinct from American MBA capitalism, which is the increase-shareholder-value, up-and-to-the-right, maximize-short-term-cash-gains kind.
The former is positive-sum, the latter can easily be negative sum. And I think the latter, because it doesn't include any humanity in its calculus, is perfectly capable of profitable tyrrany.
Go read some history. Power is Power, and will wear any damned guise it wants.
Corporations, criminals, monarchies, democracies, Fascists, Communists, Catholics, Protestants, Jews, Muslims, Hindus, Confucists, Goths, Huns, Romams, Macedonians, Persians, Greeks, Trojans, Hittites, Israelites, etc., etc., etc., have slaughtered, sacked, enslaved, oppressed, or dehumanised others, all in the name of temporary gain.
The British East India company had armies. Wyoming cattlemen funded a mercenary army in the Johnson Count War. Coal wars in Apallachia and Colorado. U.S. Steel, Standard Oil, the Pullman Company, the L.A. Times, Union Carbide in Bhopal, oil companies throughout the US, Middle-east, Indonesia, and Africa. Fruit companies in Latin America. Sugar, tobacco, and cotton plantations. Coal mines in Wales. The Kochs today.
> Hopefully there will be a way to opt out
Don't use a cellphone.
See also: the FBI can't wiretap your phone lines if you never use a telephone.
Live in a cabin in the woods and never have contact with anyone. Now your surveillance worries are solved.
1 reply →
Very much a tangent, but this song is the perfect soundtrack for privacy / tracking articles like these: https://www.youtube.com/watch?v=8ttTf8N7Bwg
"The Hymn Of Acxiom"
Somebody hears you. you know that. you know that. Somebody hears you. you know that inside. Someone is learning the colors of all your moods, to (say just the right thing and) show that you’re understood. Here you’re known.
Leave your life open. you don’t have. you don’t have. Leave your life open. you don’t have to hide. Someone is gathering every crumb you drop, these (mindless decisions and) moments you long forgot. Keep them all.
Let our formulas find your soul. We’ll divine your artesian source (in your mind), Marshal feed and force (our machines will) To design you a perfect love— Or (better still) a perfect lust. O how glorious, glorious: a brand new need is born.
Now we possess you. you’ll own that. you’ll own that. Now we possess you. you’ll own that in time. Now we will build you an endlessly upward world, (reach in your pocket) embrace you for all you’re worth.
Is that wrong? Isn’t this what you want? Amen.
I think that Snowden comment fits here:
"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say,"
Other companies are selling access to this and other info too. Check out Urban Airship’s Connect product.
Class Action Status: One dollar for every minute per person per conversation captured.
How do I get into this business? PM me if you want to collaborate.
I’m shocked that anyone is shocked about this! Transportation departments have been buying this data since the late 90s.
More creepy are the planning solutions for commercial development. You can buy datasets that will tell you the average income of drivers on larger highways in hourly buckets.
We don't _all_ work in adtech, you know?
And thank god for that...
I've just started using Signal and was surprised by how good the call quality is. For those that aren't aware, Signal calls are encrypted, so you effectively give nothing to the cell carrier when you make a call through it (except that you used some data).
Unless I misunderstood, this has nothing to do with what apps you use to communicate. It has to do with connecting to the cellular network at all. I think the only way around this would be to run airplane mode with wifi only, and then taking lots of steps to keep your wifi use private too.
While it is true that Signal's call quality is great, this doesn't seem relevant to the fact that cell providers can track you regardless of what apps you use.
> Signal calls are encrypted, so you effectively give nothing to the cell carrier when you make a call through it (except that you used some data).
Maybe not to your carrier, but presumably Google could capture some form of metadata.