Nearly Everyone In The U.S. And Canada Just Had Their Private Cell Phone Location Data Exposed

from the Whoops-a-daisy dept

A company by the name of LocationSmart isn’t having a particularly good month.

The company recently received all the wrong kind of attention when it was caught up in a privacy scandal involving the nation’s wireless carriers and our biggest prison phone monopoly. Like countless other companies and governments, LocationSmart buys your wireless location data from the cell carriers. It then resells access to that data through a web portal that returns a subscriber’s real-time location, in a tailored graphical interface, from nothing more than the target’s phone number.

Officially, this functionality is sold on the premise that the tool can be used to track things like drug offenders who have skipped out of rehab. And ideally, every company in the chain was supposed to ensure that lookup requests were accompanied by something vaguely resembling official documentation. But a recent deep dive by the New York Times showed how open the system was to routine abuse by law enforcement, after a Missouri sheriff used it to spy on judges and fellow law enforcement officers without much legitimate justification (or pesky warrants):

“The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show.

Between 2014 and 2017, the sheriff, Cory Hutcheson, used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. Mr. Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases.”

It was yet another example of the way lax-to-nonexistent consumer privacy laws in the States (especially for wireless carriers) routinely come back to bite us.

But then things got worse.

Driven by curiosity in the wake of the Times report, Robert Xiao, a PhD student at Carnegie Mellon University, discovered that the “try before you buy” demo LocationSmart used to advertise its cell location tracking service contained a bug. A bug so bad that it exposed the location data of roughly 200 million wireless subscribers across the United States and Canada (read: nearly everybody). As we see all too often, the researcher found that the security standards in place to safeguard this data were virtually nonexistent:

“Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location,” said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. “The implication of this is that LocationSmart never required consent in the first place,” he said. “There seems to be no security oversight here.”

The demo was supposed to work by sending a text message to the target’s phone asking for consent, and only then returning the phone’s location. The researcher notes that one of the portal’s APIs was not properly validating that consent response, making it “trivially easy” to skip the text-message step entirely and request the location directly (Brian Krebs, who first reported the vulnerability, has also confirmed the problem). Given that the New York Times story had been making headlines since its May 10 publication, it’s entirely possible that others found and used the flaw before it was closed. LocationSmart has since pulled the location tracking demo portal offline.
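To make the bug class concrete, here is an added, hypothetical illustration written for this article; it is not LocationSmart’s code and does not reproduce the specific flaw Krebs and Xiao reported. It puts a lookup endpoint that trusts a caller-supplied consent field next to one that keeps the consent state server-side, bound to a challenge, the target number, a token only the handset received, an expiry, and single use. Every name, the phone number and the carrier feed below are constructed for the example.

```python
"""
Hypothetical consent-gated location lookup. Added example for illustration;
not LocationSmart's code. All names, numbers and data are constructed.
"""
import hmac
import secrets

# Constructed sample data standing in for a carrier's location feed.
CARRIER_FEED = {
    "+15555550123": {"lat": 40.4406, "lon": -79.9959, "accuracy_m": 900},
}


# ---- vulnerable handler ------------------------------------------------
# The "did the subscriber say yes" result is a field the *caller* supplies.
# Nothing ties the lookup to a real reply from the handset, so the SMS step
# can simply be skipped by asserting consent in the request.
def lookup_vulnerable(req):
    if req.get("consent") != "yes":
        return {"error": "consent required"}
    return CARRIER_FEED.get(req["msisdn"])


# ---- hardened handler --------------------------------------------------
class ConsentStore:
    """Server-side record of outstanding and granted consent challenges."""

    def __init__(self, ttl_s=300):
        self.ttl_s = ttl_s
        self._pending = {}   # challenge_id -> (msisdn, token, expiry)
        self._granted = {}   # challenge_id -> msisdn

    def start(self, msisdn, now, send_sms):
        """Issue a challenge and deliver the one-time token to the handset."""
        cid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(8)
        self._pending[cid] = (msisdn, token, now + self.ttl_s)
        send_sms(msisdn, f"Reply {token} to share your location")
        return cid

    def reply(self, cid, from_msisdn, token, now):
        """Called from the inbound-SMS path, never from the web client.
        Accepts only an unexpired token from the number that was challenged."""
        rec = self._pending.get(cid)
        if rec is None:
            return False
        msisdn, expected, expiry = rec
        if now > expiry or from_msisdn != msisdn:
            return False
        if not hmac.compare_digest(token, expected):
            return False
        del self._pending[cid]
        self._granted[cid] = msisdn
        return True

    def consume(self, cid, msisdn):
        """Single use: pop the grant so a challenge cannot be replayed."""
        return self._granted.pop(cid, None) == msisdn


def lookup_hardened(req, store):
    # Consent is looked up server-side; no request field can assert it.
    if not store.consume(req.get("challenge_id", ""), req["msisdn"]):
        return {"error": "consent not recorded"}
    return CARRIER_FEED.get(req["msisdn"])


def demo():
    """Runs the bypass against both handlers, then the legitimate flow."""
    sent = []
    store = ConsentStore()
    target = "+15555550123"
    sms = lambda to, body: sent.append((to, body))   # stand-in SMS gateway

    # Skipping the consent step works against the vulnerable endpoint ...
    bypass = lookup_vulnerable({"msisdn": target, "consent": "yes"})
    # ... and fails against the hardened one, whatever the client asserts.
    forged = lookup_hardened(
        {"msisdn": target, "consent": "yes", "challenge_id": "anything"}, store)

    # Legitimate flow: challenge, handset replies with the token, one lookup.
    cid = store.start(target, now=1000.0, send_sms=sms)
    token = sent[-1][1].split()[1]
    ok = store.reply(cid, target, token, now=1010.0)
    legit = lookup_hardened({"msisdn": target, "challenge_id": cid}, store)
    replay = lookup_hardened({"msisdn": target, "challenge_id": cid}, store)

    # A reply that arrives after the TTL is rejected.
    cid2 = store.start(target, now=2000.0, send_sms=sms)
    token2 = sent[-1][1].split()[1]
    expired = store.reply(cid2, target, token2, now=2000.0 + 301)

    return {"bypass": bypass, "forged": forged, "ok": ok,
            "legit": legit, "replay": replay, "expired": expired}
```

The point of the hardened version is that the web client never gets to say “consent: yes”; the only path that can mark a challenge as granted is the inbound-SMS path, and the lookup succeeds once, for the number that was challenged, before the token expires. The example assumes the inbound-SMS path itself is authenticated by the carrier gateway, which is an assumption outside the code shown.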

Meanwhile, none of the four major wireless carriers has been willing to confirm any business relationship with LocationSmart, but all claim to be investigating the problem after a week of bad press. That this actually results in substantive changes to the nation’s cavalier treatment of private user data is a wager few would be likely to make.

Companies: locationsmart


Comments on “Nearly Everyone In The U.S. And Canada Just Had Their Private Cell Phone Location Data Exposed”

51 Comments
Anonymous Coward says:

"Theoretically, this functionality is sold under the pretense that the tool can be used to track things like drug offenders who have skipped out "

Even a quarter of a century ago, criminals on the run knew to take out the battery until they were ready to make a call, and then make it quick and get out of there fast (though even those precautions didn’t prevent fugitive drug kingpin Pablo Escobar from getting nailed).

Ninja (profile) says:

It will keep happening. Over and over. Until there’s actual punishment.

You see, stuff like Cambridge Analytica (the Facebook scandal) will probably not happen as often or at the very least everybody will be more careful because the backlash drove CA to bankruptcy. In a sense, it’s a form of punishment. (Of course there were some law enforcement operations and so on, but generally speaking they didn’t go belly up because a court told them to shut down and jailed their executives).

Unless we start punishing the companies that leak data heavily with jail time and all it will keep happening. Of course, considering the telcos are effectively obliterating any and all oversight we are actually walking in the opposite direction.

kallethen says:

Re: But Cambridge Analytica wasn't punished.

You see, stuff like Cambridge Analytica (the Facebook scandal) will probably not happen as often or at the very least everybody will be more careful because the backlash drove CA to bankruptcy. In a sense, it’s a form of punishment.

IMO, there was no punishment there that I can see. According to Ars Technica, all the execs bailed ship like rats to another company, Emerdata. Emerdata is a data analytics firm funded by the Mercer family. Which, go figure, is the same as Cambridge Analytica was. Basically, it’s the same thing with a new coat of paint.

If anybody is being punished, it’s the peons of the old company who suddenly found themselves jobless.

So really, nobody of value was punished.

Uriel-238 (profile) says:

Re: Re: Re:2 Data leaks as a status quo.

It’s a very cyberpunk dystopian problem. I wonder if it’s possible to capitalize on this by providing a personal disinformation service that maintains alternative personalities for the same identity. It’s like the problem of having to maintain multiple social network pages when bosses insisted on being friended (or sometimes even having password access) to employee pages.

Anonymous Coward says:

Re: Re: Re:3 Cyberpunk Dystopia [was Data leaks as a status quo]

It’s a very cyberpunk dystopian problem.

No, the cyberpunk dystopia begins…

… when pedestrians who walk around without globally emitting their personal id and location become automatically suspicious. Subject to immediate detention. Held for investigation. Questioned at police HQ as terrorists.

Fined in magistrate’s court for causing a public disturbance.

Released with locking ankle bracelet to remove potential for future reoffense.

Anonymous Coward says:

Re: Re: Re:4 Cyberpunk Dystopia [was Data leaks as a status quo]

Released with locking ankle bracelet to remove potential for future reoffense.

Chai left the “gender” boxes blank on the printed form. It felt like expressing individuality. A tiny, silent protest against being boxed in.

Chai expected the bureaucracy to reject the form. “The gender box isn’t filled in”, they would probably complain, shoving the form back. Instead, they assigned Chai to Ann.

Ann explained herself as a veteran probation officer. Ann’s job was to unlock and temporarily remove the ankle bracelet. Once a week. So the skin could be washed. The skin checked for sores. Salve applied. Ann was no-nonsense.

 . . . .

Anonymous Coward says:

Re: Re: Re:5 Cyberpunk Dystopia [was Data leaks as a status quo]

Ann was no-nonsense.

“Take your pants off,” she said to Chai.

Then she said, “Here is the basin.” It was on the floor, stainless steel, and very obvious. “This is the tap.” A single button on the wall. No temperature control. “This is the soap dispenser.” A translucent white plastic drum half-filled with an orangish liquid. Garishly marked ‘50 L’ in blue. It had a squirt handle.

“The scrub brush is single-use.” It came wrapped in plastic film. “Here. Scrub. Your entire ankle. Scrub it hard.”

 . . . .

Anonymous Coward says:

Re: Re: Re:3 Data leaks as a status quo.

Those families that concoct extra children and get phony birth certificates for them for the purpose of increasing the size of their welfare check — they could also at the age of 18 presumably sell these phony documented identities to fugitive criminals or illegal aliens since they’re no longer making any money off them.

http://www.cbc.ca/news/world/blond-angel-case-prompts-greek-birth-certificates-probe-1.2158484

Anonymous Coward says:

Re: Re: Re:5 Data leaks as a status quo.

One reason is because the solution to the problems directly created by big government is (drum roll please) even bigger government. And along with that comes a huge private industry, from lawyers to accountants to lobbyists, to help people get through this byzantine system that they helped create.

Anonymous Coward says:

Re: Re: Re:6 Data leaks as a status quo.

Indeed, these problems most definitely build upon each other and any call to attempt to dismantle this mess is often met with near religious like derision.

While TD seems to get the “nerd harder” sarcasm, they often fail to understand that “government harder” is much the same logic.

Anonymous Coward says:

Re: Re: Re:6 Data leaks as a status quo.

Dear Mr. Anarchy,

I suggest you take your complaints to Congress, as they are the ones who make such decisions – not those who post here, DUH.

You know .. Congress, the ones who approve welfare and food stamps for the poor. Do you understand that Congress does this in order to please their corporate sponsors who refuse to pay a living wage and expect the taxpayers to make up the difference – right?

Signed,
Real People

Anonymous Coward says:

Re: Re: Re:7 Data leaks as a status quo.

Dear Mr. Straw-man Fallacy,

No one is calling for anarchy. And if you are a voter then those of us with different opinions obviously have to change your minds first, otherwise your many lesser informed votes will cancel out the few of the more informed votes.

“Do you understand that Congress does this in order to please their corporate sponsors who refuse to pay a living wage and expect the taxpayers to make up the difference – right?”

That question is better asked of you. Do you not understand that the first step on the road to oppression is a politician promising to protect you from something if you give them power and authority? Citizens are nothing more than a commodity to be traded between Politicians and Businesses. The only way citizens can have a say is if they have a free-market to work with (which does not exist) AND rights to exercise (which have been effectively destroyed).

Which leaves us where we are now. An oligarchy running a police state. And low information voters like yourself helped give it to them. We are trying to inform you of this, but it is difficult to do so when you have been fooled into batting for the people you claim to call your enemy.

Anonymous Coward says:

Re: Re: Re:3 Data leaks as a status quo.

I wonder if it’s possible to capitalize on this by providing a personal disinformation service that maintains alternative personalities for the same identity.

Yes:

When he landed in Spain, Ahearn tried to imagine what a man of Bucard’s wealth might indulge in while on holiday. Then he began a riot of spending: fine clothes, meals out, a king’s ransom of trinkets. “I had a blast with his plastic,” he says. “And that, my friend, is how to leave a trail of super-cool disinformation.”

Ahearn explains that he might start by taking over your Facebook account, and “creating information” about Sydney, Australia. “I’ll befriend people in Sydney, then create new, fake Facebook accounts who become your friends in Australia.” He then starts up public conversations between these accounts. “You create a fake digital friend and get them to post an update about how they had dinner with you and another fake Facebook friend last night. It’s about offering coherent titbits of information. Deleting stuff is just useless. It’s already [been] there. Perhaps the person looking for you copied the information. So it becomes a game of total misdirection: you have to keep the predator busy.”

But the long-term cyberpunk-dystopia solution is to design systems so the information doesn’t exist—such as anonymous onion-routed cell networks.

Anonymous Coward says:

Re: Re:

It will keep happening. Over and over. Until there’s actual punishment.

Unlike the USA, Canada does have a general-purpose federal privacy law. That might make things interesting, though the process looks baroque: a complaint would have to contact the Office of the Privacy Commissioner of Canada, who would make a non-binding report, and only then could the complainant petition a court for penalties.

Anonymous Coward says:

puleeze!!!!

It’s not just now… it is an always been. The constant real time telemetry we subject ourselves to is no secret, and the idea that you have any meaningful privacy is a farce. Even the outrage is largely manufactured. There has never been, or will ever be, any actual security on the data that you consider private.

People are just like little wild hogs in the woods happily pigging out on the pile of food suspiciously left out while ignoring the huge contraption suspended just above them waiting to fall and imprison them.

Anonymous Coward says:

Re: Re: "People are just like little wild hogs"

that is quite an apt name for them.

if the supposition that Wells derived Morlocks from the Morlachs in the Balkans and were primitive, backward, and barbaric then the name is a sure fit. Often time government is primitive in logic, backward in action, and barbaric by result.

I agree with you… a damn fine name for law enforcement. Especially since lower IQs are a literal requirement to be one.

Anonymous Coward says:

Re: Re: puleeze!!!!

You misunderstand… read it again and you will realize that I am saying you NEVER FOUGHT THEM! And you are happily eating at the pile of food they left for you so they could trap you.

In short… I don’t see you all really doing anything about it. You are still going to vote for the same people letting the same businesses rape your privacy, playing the same lobby game, writing the same laws and going through the same empty-promises campaigns while you go to your same job and get treated the same way.

What are you going to do about it? Vote in one of the two parties that have done nothing about it for the past several decades but make it worse?

Research Organized Stalking says:

re: database abuse and gang stalking

Missouri is a major database abuse state, but Illinois, Minnesota, California and New York use these databases to stalk low income people, who get caught up in the virtualized slave nets of child support debtors, anything domestic violence, and anything related to kangaroo courts, like fake rape administration hearings, family courts; and as we see here, politics.

Google “NGOs and gang stalking,” Rotary Club and gang stalking, LEIUs and gang stalking, or Domestic Violence Industrial Complex and gang stalking for an eye opener.

All modern organized/gang stalking begins in hidden, secret databases, and where once these hidden cowards stalked lower income and easily accessible people, it has crept into the middle class, as the welfare state turned into our secret police state that we see today.

And, using Palantir, DataMinr, and NSA-to-Israel and FVEY whole capture internet, the state has begun targeting whole families for generations, as we see with Los Angeles’ use of the CalGang database, and the CIA’s LASER systems.

http://www.researchorganizedgangstalking.wordpress.com

a female faust (user link) says:

in the end power is sociopolitical not financial: class not inco

@ECA

don’t kid yourself that your money makes that big a difference.

by way of example, i think the following bears:

The People of Santa Barbara vs. Big Corporate Oil:
A Cautionary Tale

even though the corporate evil in question is Big Oil not Big Data. (it was originally posted in response to the BP oil spill, it shows how little of an effect money really has, when corporations and citizens disagree.)

also see
Proof That The United States Is Not A Democracy.

so i guess, in a twist on the commonsense adage, if the service is not free, you are probably still the product.

ECA (profile) says:

Re: in the end power is sociopolitical not financial: class not inco

Well,
Part of this is that WE THE PEOPLE, have not had interaction with THOSE WE HIRED to represent us..
The CORPS have covered most of it up with THEIR OWN, backup system to what THEY WANT.. They can DUMP LOADS of mail/email onto a bill, saying THEY WANT IT..
The Old phone service was great and had LOTS of gov. protections..BUT no one understands THAT cellphones DONT have those protections.. EVEN tho it uses the Fiber Backbone, that the OLD system USES..

And Basic Econ is easy to understand and FIX, IF THEY WOULD FIX IT.. its NOT hard. But the CORPS keep threatening the Gov…(we will move out and take jobs away, is NOT A GOOD REASON TO KEEP THEM HERE) We can fill ANY Corps position Even if the Gov. has to replace it..
It’s like Protecting banks…DONT. Let the Lower ranked banks TAKE THE POSITION..Screw the BIG guys who will have to pay out to stock holders..

