Another Day, Another Massive Cellular Location Data Privacy Scandal We'll Probably Do Nothing About

from the ill-communication dept

We’ve noted a few times now that while Facebook gets a lot of justified heat for its privacy scandals, the stuff going on in the cellular data and app market in regards to location data makes many of Facebook’s privacy issues seem like a grade-school picnic. That’s something that was pretty well highlighted by the recent Securus and LocationSmart scandals, which showcased perfectly how cellular carriers and location data brokers routinely buy and sell your daily travel habits with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards.

This week, Joseph Cox at Motherboard dropped yet another bombshell report on this subject, noting how he was easily able to pay a bounty hunter $300 to obtain the (supposedly) private location data collected by his cellular provider (T-Mobile). Much like the Securus scandal, the problem once again is the countless location data brokers and third-party vendors which are being sold this data, then doing pretty much whatever they’d like with it. In this instance, his data was collected by T-Mobile, shared with brokers and aggregators like Microbilt and Zumigo, then in turn shared with bail bond outfits and private investigators:

“Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt’s ‘Mobile Device Verify’ product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service.”

Cellular carriers make a small fortune collecting and selling this data, and there’s virtually no oversight of the practice. Consumers often sign one privacy agreement with their cellular provider, which in turn is then broadly interpreted as a green light down a long road of companies which then collect and sell that data in turn. As we saw with the Securus scandal (when a local Sheriff was busted snooping on the private cellular location data of Judges and fellow law enforcement officers), everybody in this chain of dysfunction likes to play stupid when the problem repeatedly comes to light. The same thing occurred here:

“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” A T-Mobile spokesperson told Motherboard in an emailed statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”

When the NY Times broke the Securus scandal story last year, cellular carriers all played stupid, insisted they’d ceased the sale of such data, and breathlessly assured everybody that this behavior wouldn’t happen again. When Senator Ron Wyden complained, you might recall that T-Mobile CEO John Legere took to Twitter at the time to insist he’d learned the error of his ways:

Apparently not.

Needless to say, Wyden, who has been pushing new privacy legislation, isn’t particularly impressed:

If you were an industry hoping to avoid government regulation of your business, you’d think you’d be a little more cautious in the way you treat private data. But as we’ve noted countless times, this kind of cavalier treatment of private data is the norm for telecom. From hoovering up your clickstream data to covertly modifying data packets to track you around the internet, telecom has long played fast and loose with consumers’ private data. Some have even flirted with the idea of only seriously respecting your privacy if you pay an additional fee, effectively making consumer privacy a luxury feature.

So while broadband giants will surely whine incessantly during the looming quest to pass some meaningful rules of the road, it’s worth remembering they had ample opportunities, over decades, to avoid stricter government intervention by adopting better, more ethical business practices. It’s also worth reminding folks that ISPs lobbied furiously to convince the GOP to kill some fairly basic privacy protections at the FCC that would have required ISPs clearly inform users who is buying and selling this data, giving users a little more control over how it was shared.

And it’s also worth noting that even without legislation or those rules, the FCC still has Section 222 authority to police this kind of behavior. While the FCC’s privacy rules were killed, mobile carriers are still subject to CPNI rules for voice calls, which were expanded in 2005 to include subscriber location information. The bottom line is that the Ajit Pai FCC could easily address this problem using the authority it has now; they’ve just chosen not to because it might just hurt telecom revenues. The FTC could also probably ding T-Mobile for being “unfair and deceptive” under Section 5 of the FTC Act, yet has been similarly mute as carriers bullshit their way around their failures on this front.

All of that said, there’s countless folks who think they’re taking meaningful steps to protect their privacy by deleting Facebook (or on-phone apps), yet are oblivious to the perils of walking around with a stock carrier phone in their pocket. It might be time to stop being quite so collectively naive about US privacy practices if we’re going to have a serious (and undeniably difficult) adult conversation on what privacy rules of the road should look like. One thing we can probably mostly agree upon: this practice of hoovering up your every move and selling it to an ocean of companies with little to no real attempt to protect it is behavior we need to change, one way or another.

Companies: at&t, microbilt, sprint, t-mobile, verizon, zumingo


Comments on “Another Day, Another Massive Cellular Location Data Privacy Scandal We'll Probably Do Nothing About”

Anonymous Coward says:

Pessimism is anti-American

… Scandal We’ll Probably Do Nothing About

If there was one enduring American political principle President Ron Reagan understood down to his bones — Americans adore optimism in their politicians: America can be a better place.

So quit feeling depressed: It’s a new Congress now. A new day.

Write your congressmen. Call your representatives. Tell them we deserve better. Tell them to right this wrong. Demand that they fix this scandal.

America can be better. No more Carterism! Carter’s malaise is a loser!

Anonymous Coward says:

Re: Re: Pessimism is anti-American

Carter is so last century.

Some vocabulary then, for all the kids. From the Merriam-Webster dictionary…

malaise – noun

Did You Know?

Malaise, which ultimately traces back to Old French, has been part of English since the mid-18th century. One of its most notable uses, however, came in 1979 – well, sort of. President Jimmy Carter never actually used the word in his July 15 televised address, but it became known as the malaise speech all the same. In the speech, Carter described the U.S. as a nation facing a crisis of confidence and rife with paralysis and stagnation and drift. He spoke of a national malaise a few days later, and it’s not hard to see why the malaise name stuck. The speech was praised by some and criticized by many others, but whatever your politics, it remains a vivid illustration of the meaning of malaise.

Uriel-238 (profile) says:

Re: Write your congressperson...

But, as Larry Lessig has statistically proven, the chances your letter (and a few thousand more) will change that representative’s policy without a $1000+ campaign contribution are 0.00%

Optimism is great, but solutions that actually work are what’s needed. Petitioning the government regarding grievances does not.

Thad (profile) says:

Re: Re: Write your congressperson...

But, as Larry Lessig has statistically proven, the chances your letter (and a few thousand more) will change that representative’s policy without a $1000+ campaign contribution are 0.00%

If the message you get out of Lessig’s work is "don’t even try", then I think you’ve greatly misunderstood his point.

To the best of my knowledge, Lessig hasn’t said anything about my representative — because my representative has only been in office for a week.

Anonymous Coward says:

Re: Re: Write your congressperson...

Petitioning the government regarding grievances does not.

Oh, so it was all those kilobuck contributions that defeated SOPA and PIPA? Of course, optimism should always be tempered with a healthy dose of realism.

Like Thad, my new representative has only been in office for a week.

Uriel-238 (profile) says:

Re: Re: Re: Write your congressperson...

Thad, the sentiment don’t even try is not what I got out of it. By all means, do something, but you are going to need more than a lance to take down this giant.

Anonymous Coward, Regarding for SOPA and PIPA, they were killed (well, momentarily routed) by an internet blitz. Feel free to organize one, or, like the SOPA blackouts, find a way to spread your message to 160 million people.

Lessig’s point was that until we get money out of politics, until we have a massive election reform, we can’t rely on our representatives for anything else. Not police reform, not environmental conservation and certainly not telephone privacy.

But yeah, maybe our new representatives have seen the light and have figured out how to campaign without huge benefactors. I think waiting for them to come around is kinda like waiting for Trump to break and pass a budget without wall funding. Unless you’re using a lot of (proverbial) dynamite, you can expect to be disappointed.

Thad (profile) says:

Re: Re: Re:2 Write your congressperson...

Anonymous Coward, Regarding for SOPA and PIPA, they were killed (well, momentarily routed) by an internet blitz.

Which is another way of saying that representatives received a few thousand letters.

Lessig’s point was that until we get money out of politics, until we have a massive election reform, we can’t rely on our representatives for anything else. Not police reform, not environmental conservation and certainly not telephone privacy.

But he’s also campaigned to elect people to Congress (and other offices) who are not beholden to special interests. He’s never suggested that working through Congress was a waste of time. And if he’s "statistically proven" that it’s impossible to change a representative’s policy position without paying them, that’s news to me.

Lessig’s point is that financial corruption makes it much harder for individuals to influence their representatives; that much is true. But it wasn’t that we can’t achieve anything at all until we pass campaign finance reform. And if he did say that, he was plainly wrong; there have been positive changes in the government over the past decade (healthcare, ending DADT, reducing sentencing guidelines, a state-by-state push to legalize marijuana — those are off the top of my head), even if they haven’t gone as far as I’d like them to.

Lessig’s point that the American government favors special interests over individuals is a true one. But you’re carrying it to an absurd endpoint. His point was never "Don’t call your representatives; it won’t matter." That’s a sort of lazy fatalism that I would never associate with Lessig.

Anonymous Coward says:

> Another Massive <fill in the blank> Data Privacy Scandal We’ll Probably Do Nothing About

This will continue as long as people like Masnick screech about how terrible it would be for the “tech” (surveillance) industry and the world if the US ever implemented any kind of law to protect the privacy of its citizens.

After all, we know we can trust massive corporations to “self regulate”, since it has been working so well for Facebook, Google, Comcast, Verizon, AT&T and the rest. Actual laws and accountability might “stop them from ‘innovating'”.

For an example of the many horrors that might come from such a law, just look at all of the poor EU citizens who, thanks to the evil anti-innovation GDPR, can no longer count on Facebook to subject them to algorithmic swatting in order to protect them from killing themselves!

Anonymous Coward says:

Re: Re:

bullshit. quit conflating different sectors and one’s ability to avoid doing business with them or not. that being said, fb and teh goog and … well everyone else, not just in the “tech” (loose weird grouping of vaguely IT-related businesses) are horrible with privacy. and you are still full of shit if you claim that Mike Masnick has ever indicated he was cool with that. The problem is that laws have to be good laws, not bad ones that actually make things worse for privacy and add in five other awful consequences. The GDPR has good points, but quite apparently also many bad points and is written and executed horribly.

Anonymous Coward says:

How is this "another" scandal?

Should we really be calling these the Securus scandal, the LocationSmart scandal, the Microbilt scandal, etc.? It’s like we’re going out of our way to call it the T-Mobile, Sprint, AT&T, and Verizon scandal. There’s nothing new here. This is the same scandal, continuing, because they never stopped selling the data. They just stopped selling to certain companies.

Well, T-Mobile now say they won’t sell to any "shady middlemen" (anymore; shady business dealings were totally OK under last week’s policy). How about selling it to nobody? If I want roadside assistance to find me, I can install an app or explicitly tell my carrier to give it (not sell it) to them; they don’t need to trust some company that, wink wink, claims they got my permission. (Of course the carriers know what that means, because they never actually got any customer’s permission to sell the data either.)
