AT&T, Verizon, T-Mobile & Sprint Want Even Broader Access To Your Personal Data
from the hard-pass dept
We’ve noted repeatedly that however bad Facebook has been on privacy (pretty clearly terrible), the broadband industry has traditionally been much, much worse. From AT&T’s efforts to charge consumers more just to protect their privacy, to Verizon getting busted for covertly tracking users around the internet without telling them (or letting users opt out), this is not an industry that respects you or your privacy. That’s before we even get to their cozy, often mindlessly-loyal relationship with intelligence and law enforcement.
As such, it’s kind of amusing to note that these are the same companies now trying to position themselves as the gatekeepers of all of your private data online. As security expert Brian Krebs notes, AT&T, Verizon, T-Mobile and Sprint (the latter two of which will likely soon be one company) are cooking up something dubbed “Project Verify,” which would let end users eschew traditional website passwords — instead authenticating visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, including location, “customer reputation”, and device hardware specs.
This video by the carriers offers a little more detail:
The problem, as Krebs is quick to note, is that giving more private data to companies with an utterly abysmal track record on privacy might not be a particularly bright idea:
“A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are.”
As we’ve been noting, these are the same companies that have been struggling to prevent hackers from routinely stealing customer identities via SIM hijacking, which involves a hacker bribing an employee to port your phone number to a new device, then jacking your identity and making off with your private data (or making millions by selling your cryptocurrency or valuable accounts). These are also the same carriers that have routinely failed to do much about the SS7 exploit that’s been in the wild for seemingly ever, allowing hackers to spy on an undetermined number of cellular customers for years.
These are also the same wireless carriers that were just caught up in a massive scandal involving their collection and sale of user location data, a multi-billion dollar venture that involves selling your daily motion habits to a cavalcade of different companies, many of which have shown a similar disregard for actually keeping that data safe. And these are the same companies that work tirelessly to scuttle any and every effort to actually shore up nationwide privacy standards, usually by lying to lawmakers and the public about what these plans would actually do.
For his part, Krebs thinks this is a hard pass:
“I am not likely to ever take the carriers up on this offer. In fact, I’ve been working hard of late to disconnect my digital life from these mobile providers. And I’m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service.”
Other widely-respected security reporters were similarly unimpressed:
I don't wanna be a Debbie Downer but if you can't figure out how to stop SIM Swapping or securing your web servers I don't know if you should be trusted to become *the* digital identity manager for millions of people.
— Lorenzo Franceschi-Bicchierai (@lorenzofb) September 13, 2018
Again, the devil will be in the details. But at first glimpse, you’d be pretty foolish to trust additional private data to companies that have repeatedly proven to be cavalier about the oceans of data they already collect. Time and time again wireless carriers have prioritized profits over the personal interest and welfare of consumers, and anybody expecting that to magically change ahead of Project Verify’s launch hasn’t been paying attention.