Comment by kevcampb

8 years ago

Carriers have been providing these services to 3rd party providers since at least 2006.

https://www.theguardian.com/technology/2006/feb/01/news.g2

A few points to note:

* Obtaining consent is entirely left to the provider to implement. It does not appear to have any auditing. A provider can query any number they like.

* The opt-in process used by many providers is easy to exploit, by spoofing SMS replies or abusing the SMS template so that the surveillance target does not get notified.

* The providers are well aware of the potential to exploit this and have been for some time. It has never been resolved in over 10 years.

I just discovered this treasure trove from the UK House of Commons in 2006:

https://publications.parliament.uk/pa/cm200506/cmhansrd/vo06...

"To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person's mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies' current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker's website has recently published information telling how to spoof consent without even having to have temporary possession of the target's phone; all that is needed is the number. If someone has a person's number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers."

Is it even considered an exploit?

It's a cell carrier providing data about the radio communications between hardware they own and someone else. At a moral level, seems somewhat equivalent to a web server providing data about clients that access the server.

To opt out, stop using some third-party corporation's owned hardware to route your communications near lightspeed around the world. Hey, the Amish communities may have something in their overall philosophy of "Don't be beholden to strangers who aren't part of your community."

  • I'm not clear if you missed the point here? This isn't aggregate data, it's obtaining the location of a specific individual just by knowing their phone number. It can be done without their knowledge or consent.

    By your webserver analogy, the equivalent would be more akin to Google publishing the contact details and search queries of anyone using the service.