It's Apparently Easy To Pretend To Be A Cop, Grab Location Data From Cellular Carriers

from the ill-communication dept

While Facebook tends to get the lion’s share of (deserved) criticism, the telecom sector continues to make its case for being the absolute worst when it comes to protecting your private data. Scandal after scandal have highlighted how wireless carriers routinely collect and store your daily location data, then sell that data to a universe of shady middlemen with little to no oversight as to how the data is used. Users sign one overlong privacy policy with their wireless carrier, and that policy is being read to mean consumers sign off on the practice, which they certainly haven’t.

This week journalist Joseph Cox again highlighted the problems on the location data front, reporting how many stalkers and debt collectors are able to get access to this data without paying for it. How? By pretending to be law enforcement officers:

“…bounty hunters and people with histories of domestic violence have managed to trick telecommunications companies into providing real-time location data by simply impersonating US officials over the phone and email, according to court records and multiple sources familiar with the technique. In some cases, these people abuse telecom company policies created to give law enforcement real-time location data without a court order in ?exigent circumstances,? such as when there is the imminent threat of physical harm to a victim.

In addition to cellular tower location data, carriers were also recently busted selling A-GPS data, which is supposed to be protected by FCC data rules. Despite significant reporting on this subject and carrier promises to stop collecting and selling this data, this practice is still ongoing. Like Facebook, these are companies that are staring down the barrel of looming regulation — and still somehow can’t seem to find the motivation to behave. Regulators at the Ajit Pai FCC have also sat on their hands and have yet to issue so much as a warning to cellular carriers.

At least one skiptracer told Motherboard that wireless carriers remain several steps behind in trying to crack down on the practice:

“So many people are doing that and the telcos have been very stupid about it. They have not done due diligence and called the police [departments] directly to verify the case or vet the identity of the person calling,? Valerie McGilvrey, a skiptracer who said she has bought phone location data from those who obtained access to it, told Motherboard. A skiptracer is someone tasked with finding out where people, typically fugitives on the run or those who owe a debt, are located.”

In many instances the third parties are exploiting telecom company procedures for “exigent circumstances,” allowing them to request and receive real-time location data by fabricating law enforcement data request documents telecom operators aren’t properly verifying. Of course as the New York Times noted more than a year ago, law enforcement officers have also been busted abusing this system to spy on judges and other law enforcement officers.

Like so many sectors, wireless carriers were so excited by the billions to be made selling your daily habits, they forgot to actually protect that data. As reporters like Cox continue to dig deeper, you have to think that many cellular carriers are scrambling hard to clean up their mess as inevitable class action lawsuits and regulatory investigations wait in the wings. This scandal is getting so ugly, even the carrier-cozy Trump FCC may, at some point, be forced to actually do something about it.

Filed Under: , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “It's Apparently Easy To Pretend To Be A Cop, Grab Location Data From Cellular Carriers”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

Illegality only matters if the crime gets reported. In this case, the telecom company suffers little or no harm, so they have no motivation to investigate (even after the fact) whether the request was legitimate. At worst, their harm is they might have charged the requester a bigger fee if the request had not been classified as "law enforcement/time sensitive." The stalkee likely never learns how their data was obtained, so they don’t know to report a crime. The impersonator obviously will not self-report. That leaves us with no one who actually reports the crime, so there’s no investigation, no arrests, and no prosecution.

Compare this impersonation to a fake officer stopping someone on the street and physically abusing the victim. The victim will likely start out trying to file a police brutality report, then the cops will point out that the offender was not a police officer at all. That gives at least the potential for someone to realize that there is a fake officer out there abusing people.

Anonymous Coward says:

Re: Re: Re:

The platform (the companies) are not to blame here, since it’s illegal to impersonate law enforcement. They have every right to believe that someone who claims to be from law enforcement is telling the truth. Even if they investigate, that too can be faked, so the problem is with the individual bad actor, at least according to "Section 230 logic." (or "DMCA logic" or "Article 13 logic").

norahc (profile) says:

Re: Re: Re: Re:

The platform (the companies) are not to blame here, since it’s illegal to impersonate law enforcement. They have every right to believe that someone who claims to be from law enforcement is telling the truth. Even if they investigate, that too can be faked, so the problem is with the individual bad actor

Then maybe paperwork should be required for every request….like a warrant. In this day and age its trivial to get a telephonic warrant and have it sent somewhere in short order.

bob says:

Re: why it matters

And that complacency is exactly why allowing anything "for police only" is dangerous to have. Even when there are better rules in place to stop outsiders from abusing the system, the intended users of the system can still abuse it. We have many examples of that happening at local to federal levels of intelligence and law enforcement. Even private companies internally have problems with this.

So why do politicians and others think its okay to open up encryption among other things? Because they believe falsely their program/situation is special and will not be abused (at least not severely). Or they don’t care about the negative impacts because they feel it will be outweighed by the possibility of getting crooks by skirting the rules themselves.

If a means or system is established to curtail the rules for one trusted group, eventually others outside of your trust circle will have access to curtail the rules too. And when that happens you are truly screwed.

Anonymous Coward says:

This is basic social engineering. THAT will always be there.

Law enforcement likes to push laws making their lives easier, like by standardizing ID cards ("REAL ID"). So, how about we propose "COP ID" and say anyone claiming to be a cop had better provide an ID card with cryptographic verification via NFC. And any service provider had better check that any document claiming to be from a cop has a valid cryptographic signature from an actual cop, or else they’ll be liable under privacy laws (I mean, if we had privacy laws for this stuff).

A good social engineer might work around it, notably by tricking actual cops; at least we could make it significantly harder.

Bamboo Harvester (profile) says:

Re: Re:

We DO have "CopID". The badge number.

The "fix" is really fairly simple – the ONLY people who can disclose information is the telco Legal Department.

Cop calls, gives name, badge number, precinct, legal dept clerk calls the precinct and verifies before releasing information.

I don’t know what department is being called currently, but I’ve found that calling the telco, ISP, or power company means two hours on hold. So they’re using "not for public use" lines to contact the phone companies.

That Anonymous Coward (profile) says:

One might think people would have learned the lessons of the past, but the stupid always think it will never happen to them.
We had gangs with purchased access to credit reports & info… and we are shocked that they managed to get access to other information?

Until there are punishments that actually hurt the bottom line this will continue with corps collecting the cash & pretending there was no way they could have stopped the evil hackers.

Coyne Tibbets (profile) says:

National security letters

I am not surprised. What I am surprised about is that no one has done the same with national security letters. Those seem a perfect target for this kind of cheating, because they threaten prison and at the same time you don’t even dare ask the FBI if they’re valid.

Mostly what these incidents show is that you can’t trust companies to defend your privacy.

Dheeraj (profile) says:

Cellular company sell user data

According to the Supreme Court, if the government puts a GPS tracker on you, your car, or any of your personal effects, it counts as a search—and is therefore protected by the Fourth Amendment and requires a warrant approved by a judge.

OR, they can send a note on letterhead and get the same info over the phone from Securus.

That’s what rots my socks. Police jump from one technology to the next and so long as the Supreme Court doesn’t specifically BAN the method, they do it. I call it exempting themselves from the rule of law. And, at least it’s unethical.

Will police stop doing this now they have been found out, and despite what the SC says?

Anonymous Coward says:

I know the "cops can’t get a job if they’re too smart" thing is technically incorrect.

News like this, though, make it harder to believe that it is, in fact, not quite accurate.

But then you consider the guys who have to toss flashbangs and rifle fire at fleeing naked men to feel secure and this sort of gaffe starts feeling like the norm, not the exception.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...