Comment by random6547545

Parralel construction.

You pull the phone location records of everyone near a protest without a warrant (and no intention of using the location data in court) then you dig into them to find something unrelated to the protest you can nail them on.

That way you take out key players without it looking like a political crackdown.

Yes, these applications are blatantly violating the GDPR: https://www.gdpreu.org/the-regulation/key-concepts/personal-...

Because they will just hire someone else.

I know TV and movies have imparted upon people that there is some kind of feeling of immense guilt, or maybe you are just dishing the ubiquitous passive aggressive shaming as a weak attempt at social control, but fact of the matter is that today's devs (yes, many if not all of us here) have exponentially less qualms about what we do and support and develop (let alone even fully understand the ramifications, as has become apparent to me) on a day to day basis, than any of the soldiers or henchmen or perpetrators of the favorite historical villains we are trained to hate from early on. Reality is that to the vast majority of people that are swept up in the cult mania and are essentially blindly and instinctually following their most basic herding impulses, the actions they are taking and the things they are doing are just fine as they say "it doesn't look like anything to me".

We have thoroughly entered a pathway with an ever more narrow set of possible outcomes, none of which are good, but just as all the other past events that all the "smartest" people were warned about well in advance and who self-magnanimously proclaim how the inevitable outcomes "could not have been predicted" in to protect, at all and any cost necessary, the most important thing there is ... something so important and sacrosanct that reality and fact and intellect and rationality will be suffocated and smothered and exterminated and sacrificed the very microsecond it potentially could even maybe rear its head .... their ego and incomprehensible notion of having to admit fault or infallibility.

It is utter hubris that will be bringing about the inevitable next calamity that will, due to the ever growing and expanding size of the house of cards, collapse under it's own self-deluding weight.

Remember kids, tech fraud valuations were based on sound business and house prices could only go up; and those were just the early tremors of what is to come ... unfortunately. All manias invariable are followed by crashes, regardless of how they manifest themselves. What goes up must come down and down, farther and harder, it will come crashing the higher it climbed into the sun. Lest us forget Icarus

Icarus (IK-uh-rus) Son of Daedalus who dared to fly too near the sun on wings of feathers and wax. Daedalus had been imprisoned by King Minos of Crete within the walls of his own invention, the Labyrinth. But the great craftsman's genius would not suffer captivity. He made two pairs of wings by adhering feathers to a wooden frame with wax. Giving one pair to his son, he cautioned him that flying too near the sun would cause the wax to melt. But Icarus became ecstatic with the ability to fly and forgot his father's warning. The feathers came loose and Icarus plunged to his death in the sea.

The folly of Daedalus to not be mindful of the foolish youth of Icarus. But, do tell us of how the young of today will not cause the calamities of past generations of young who thought the too were infallible from their unearned privilege, pampered, and hedonic existence.

Should they? The vast quantity of users find it incredibly useful and have no reason to be concerned about governments or third parties being able to determine their geographic location, because governments or third parties don't generally care.

This breaks the HN guidelines. Please read and follow them when commenting here.

https://news.ycombinator.com/newsguidelines.html

Edit: you've repeatedly posted unsubstantive comments and we've asked you to stop before. We ban accounts that do this, so would you please not do it anymore?

Screw that. Put together a consumer stalking website, sell the data directly. Advertise, make tons of money, and let the outrage from that bring light to the entire industry.

It's not that easy when you're not in their network. I've tried to contact a few journalists recently as I discovered twitter knows everything about youporn's user which considering their track record in term of security and the amount of politician in there could have some pretty bad effects.

It goes like this: https://pbs.twimg.com/media/DczGQICUQAA9ljF.jpg

The domain "syndication.twitter.com" tracks everyone but the page says: "Sorry, that page doesn’t exist!". The point is I haven't been able to run the story so far

> btw, apple and google ad spyware process (google play service) will collect gps and wifi data without any user visible UI, not to mention download ads in the background.

Would be nice to see actual proof of this. I am very familiar with all network traffic an iOS device may emit and do not know what you are referring to here.

Carrying a cell transmitter allows them to triangulate your position. It's not as awesome as GPS but it still meets a lot of needs.

I don't think naming and shaming will do anything, but maybe when somebody's location data embarrasses them, they will do something about it. I think a good analogy is the Video Privacy Protection Act.

I'm a liberal in Texas so being ignored by politicians is nothing new to me.

FFS. "Cyber" is an adjective. Not a noun.

Just because the less-technically adept parts of the infosec community & even more hapless government workers wanted to sound cool doesn't suddenly make it right.

You seem to be quite familiar with Qualcomm, but do you know if there's anything similar in Mediatek SoCs? They do have assisted GPS ("A-GPS"/"EPO") but from the info I can find (including leaked very thorough datasheets and programming manuals), it does nothing more than downloading already-public ephemeris data from an FTP server periodically. I've also inspected the firmware, and there doesn't appear to be any traces of the TrustZone/Trustonic stuff that you mention is present for Qualcomm; AFAICS the only thing running on the main CPU cores is Android itself, the modem runs its own baseband firmware, and the GPS/WiFi/BT/FM combo chip (which is a physically separate part, accessed over a serial interface with no direct DMA capabilities) runs a third firmware. Any "secure boot" features in MTK SoCs are (fortunately?) not very secure, so it's all quite easy to inspect.

There's some bits of interesting info here:

https://github.com/cyrozap/mediatek-lte-baseband-re

https://postmarketos.org/blog/2018/04/14/lowlevel/

How is it sending the data though? if it's using mobile plans, wouldn't it be noticeable on the data usage plan? (or is it that manufacturers have agreements with carriers to not charge for it?)

>Qualcomm IZat location services

did a quick check, it's not on my phone (SD 820 SoC).

>other location-based trustzone applets remain running even on custom ROMs.

I have no doubt some proprietary blobs still remain on custom ROMs, but do those actually send back location data to the OEM?

Hopefully this shows people how deep it is.

I just used the internet site it said up to 14 miles off in accuracy on the results page. It was actually 4 miles off with my wifi off and GPS off and ZLAT off. I'm also pretty sure the location it picked is very close to an existing cell tower.

Did you have WiFi on? Several companies have basically mapped (wardriving) nearly every wifi spot in the US and have correlated that with GPS. The vast majority of these wifi spots never, or rarely, move. By using several known wifi locations and their given latency, you can accurately predict location without cellular or GPS, like, down to the tens of meters.

If the mobile carriers are selling your real time location data, I don't think there is much stopping them from also selling your browser user agents.

*wary

You agreed to it when you signed the terms of service

LocationSmart: Reply YES or YES LS to confirm consent for cloud location & messaging demo. Reply HELP for help, Reply STOP to cancel. Msg&Data Rates may apply.

That is what I was sent.

I'm betting the opt-in is something along these lines

"FirstName LastName wants to obtain your location..."

Also betting that you can put 160 characters into those fields, so effectively a blank SMS is received

Betting further still that you can just spoof the SMS reply

Expose's by investigative Journalists have often made politicians angry, but they have also effected change.

My idea is based on the fact that in my experience people rarely really care about privacy until it personally affects them.

Snowdens' revelations had a massive effect on the tech. sector.

It provided security people with ammunition to push things like encryption of data over "private" network connections, which prevented their misuse by governments (or at least made it harder)

It also pushed tech. companies to publicly take positions on government spying, in general by insisting they wouldn't co-operate.

Snowden's revelations arguably were a significant factor in EU privacy law, including GDPR. In the U.S., government has been unable to regulate big business for awhile, about privacy or anything else.

We, and the media mainstream, are still discussing Snowden, five years on.

Not sure anyone would lose their jobs.

1) Be an investigative Journalist

2) Purchase access to these location vendors data

3) Correlate data with known mobile numbers of politicians

4) Find things in data that might be of interest to readers (e.g. "politician x was noted to be in the same place as Lobbyist y on 5 different occasions")

5) Publish Story :)

Why not? How do you think change comes about, by complaining about it on a tech forum?

Not if precautions are taken, and even if someone did, such a patriotic disclosure (if done responsibly a la Snowden) would put that person is very esteemed company.

Link to pinsight: https://pinsightmedia.com

> Ever wonder what your consumer thinks minute-by-minute? Pinsight’s ID Suite gets behind the lock screen to understand the mindset of your best customer. Leveraging 24/7 insights from the mobile device, we uncover new audiences and discover new market opportunities so you can engage with consumers in ways that matter.

“Gets behind the lock screen”

Jeez that is some brazen marketing.

Assuming you’re talking about Airmail, the iOS and Mac mail client[1] (which is not a free app), do you have any reference to back up this claim? Their privacy statement states:

> Airmail does not share your information with any third parties. We are not in the business of selling your data. However, we may disclose information if we determine that such disclosure is reasonably necessary to comply with the law.

They also state that they do not send information to their servers unless you enable push notifications, store data only for this purpose, and delete the data when you disable this setting.

[1] http://airmailapp.com

Hasn't Foursquare been doing this and nothing but this for ten years now?

Do you get that data before you place the bid? Can you can just bid the minimum amount so you never actually buy an ad, but get the tracking data anyway?

Crawling under the rock safe from the light of day.

That's always been common knowledge, the shocker is that it's being transmitted to "everyone and their dog" or even being sold. Afaik that was never the case with dumb phones.

Not my area of knowledge at all, so perhaps someone who knows radio better could chime in: Would it be possible to fool the triangulation from the device, by arbitrary (or intelligently) delaying the mobile radio signals? Or are they too dependent on timings and such to work?

As an amateur radio operator, I would expect nothing less for carrying a highly networked radio transceiver with loads of sensors including geopositioning.

Simply put: don't want to be tracked? Put your phone in a lead sealed box or leave it at home. Tracking only tracks the phone , not your person.

Every app that has access to nearby WiFi SSIDs (or even just the one you’re connected to) can also turn this data into location data.

In fact I don’t think that is even a gated permission on iOS.

The tracking seems to be happening below that level. I had all location services turned off, it dropped a pin on the very room of the house I was in

No. Search this thread for Qualcomm, QSEE or IZat.

That has no affect on this tracking.

Banning things works relatively well for people because they fear having trouble with law and justice. Doesn't work that well for corporations whose law department is just like any other department. In this case you must assume that if it's technically possible then it's done.

They will just move it all offshore.

I can't find a link, but this problem was foreseen and solved by Robert Morris Jr. He wrote a paper on how users could register their location with a 3rd party using a hash of their IP address. When someone wanted to call them, they would contact that 3rd party for the location then route to the cell. The cell knew someone was there, it just didn't know who. And each 3rd party only had info on a few users, and no choice over which ones it had, if I recall correctly.

Looks like there is info here:

https://en.wikipedia.org/wiki/Robert_Tappan_Morris#Later_lif...

This is the way we should have designed these networks from the beginning. It was inevitable that the stuff in TFA would happen, given the interests of the companies involved and no regulation to prevent it. Same with FaceBook and Cambridge Analytica.

Calls could be done over IP, and as long as you could anonymously authenticate to the tower then you could be granted a new IP address at each tower via something like DHCP. I imagine roaming and handovers would have to be done on the end-device though; the end-device would need to proactively associate to new towers and both ends of the voice call would need to agree to switch to the new IP address.

But if the tower operators collude then they can still track you across towers by localizing the physical source of the end-device's signal.

Off the top of my head, you could have this system: you use a new id that authenticates you with the carrier every n packets, and you do the routing from the source to your id on a server that you control yourself.

Spoiler. The utility of the live call is overstated. Most of the people I interact via a phone vastly prefer async SMS over sync voice calls. We can do SMS via polling, the network doesn't need to push anything to us.

With the current setup, sure, but that's by design. The cellular modem could stay off until you decided to take the call if there was a nationwide page circuit listening, the user would get the ring, see the number the page sent, and if desired, answer, which powers on the modem, hits a tower and connects to a backend system that sent the page which took the incoming call.

Page messages are in-the clear, but that's fixable by (gasp) OTP.

I mean unless you've got a ham license and bounce your signal through your own network of relays using a different band than the final signal to the cell tower. But I don't think that's going to work as a popular solution. Would be a really fun experiment to build though.

I wonder if you could still use latency timing to get a rough fix on location through a secondary network like that. Not that anyone would be trying to.

> using a prepaid mobile phone (paid with cash, via an intermediary to avoid appearing on store CCTV)

Nathan Fielder provides a good demonstration on how to properly do this:

https://youtu.be/N9gbdv5cXKg?t=51s

If your goal is to simply avoid your location being sold by your carrier for marketing purposes, an intermediary seems a little excessive, no? Unless you have reason to believe that your local pharmacy or cell shop is selling facial recognition data as well ...

Last I heard, buying a "burner" phone in this way has been outlawed in many states.

Removing the battery is a better choice.

Carriers will still be able to track you via the cell towers you're connected to. I'm sure they can triangulate based upon signal strength, and that's strictly using your cellphone as a dumb phone.

> "But switching off location will probably do it too."

Wrong. Phones can be triangulated by the carriers regardless.

Can we trust the GPS receiver to be powered down when we the OS tells us it's powered down? I know Android keeps listening for WiFi stations even if you tell it to turn off the antenna. Might it do the same thing with GPS?

No switching off location would not do it - why would it? Cell tower data is sold at the carrier as per the article.

It may help in regards to your exact location via GPS, but cell companies can still triangulate your location based off how strong your signal is to certain towers in the area and which towers you have connected to recently.

True, but at least you'd have somewhat more granular control and be able to do things like put a hardware switch on the transceiver. Crude, but it would at least work for when you're not actively using it.

I guess that's no different than a faraday pouch though.