by Karl Bode


Wireless Carriers Again Busted Collecting, Selling User Data Without Consent Or Opt Out Tools

from the privacy-no-longer-exists dept

A few years ago, Verizon and AT&T were caught covertly modifying their wireless customers' web traffic, inserting a persistent identifier into unencrypted HTTP requests so that users could be tracked around the internet. Verizon used the technique to track browsing behavior for roughly two years before security researchers discovered it, and it took another six months of public shaming before Verizon was even willing to offer an opt out. The FCC ultimately gave Verizon a $1.35 million wrist slap, but the episode highlighted how little we understand about what mobile carriers are up to, much less have real standards in place to protect users from abuse in the modern mobile era.

While notably different in scope and mechanism, these same companies were caught again this week collecting and selling user information without user consent or working opt out tools.

Earlier this week Philip Neustrom, co-founder of Shotwell Labs, discovered something interesting and documented his findings in this blog post. Neustrom found a pair of demo websites that, when visited from a mobile device over a cellular connection, appeared to glean numerous personal details about the visitor, including name, some billing and location data, and more. All the visitor had to do was enter a zip code; the carrier providing the cellular connection seemingly handed a wide array of personal data to these services, with no meaningful consent step and no opt out.

On the surface, the intention behind these services isn't particularly nefarious. The websites are demos of the fraud prevention services that companies like Payfone sell to businesses, employers and organizations to help verify that a visitor is who they say they are. The visitor's connection is immediately cross-referenced against billing, phone number, or even GPS data provided by the wireless carrier. The problem, as Neustrom documents, is that mobile carriers don't appear to be adequately informing users that this data is being collected or sold:
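The one part of all this that an ordinary subscriber can observe from their own device is whether the carrier is altering plaintext HTTP traffic on its way out, which is the mechanism behind the Verizon episode described above. The script below is an added example, not code from this article or from Neustrom's post: it runs a small HTTP listener that echoes back every request header it receives and flags any that look like carrier-injected subscriber identifiers. The header names it checks are taken from public reporting on carrier header enrichment (Verizon's X-UIDH in particular); the list is an assumption for the example and is not exhaustive. One caveat a practitioner should keep in mind: the Payfone and Danal demos identified the subscriber on the carrier side, by looking up the cellular IP address, so nothing about that lookup appears in the request. This check only catches injected headers.

```python
"""Added example (not from the article): spot carrier-injected HTTP headers.

Run on a host with a public IP, then visit http://<host>:8080/ from a phone
over cellular (not Wi-Fi) using plain HTTP. TLS traffic cannot be modified
in transit by the carrier, so an https:// URL will never show anything here.
"""
import http.server
import json
import re
import sys
from typing import Dict, List

# Header names documented in public reporting on carrier "header enrichment".
# This list is an assumption for the example and is not exhaustive.
KNOWN_ENRICHMENT_HEADERS = {
    "x-uidh",                # Verizon's persistent tracking identifier
    "x-acr",                 # AT&T anonymous customer reference
    "x-msisdn",              # subscriber phone number
    "x-up-calling-line-id",  # phone number, older WAP gateway convention
    "x-imsi",                # SIM identity
    "x-up-subno",            # subscriber number
}

# Fallback heuristic: the header name itself hints at a subscriber identifier.
SUSPICIOUS_NAME = re.compile(r"msisdn|imsi|imei|subno|subscriber|uidh|calling-line", re.I)

# Headers the browser or intermediate proxies legitimately set; never flag these.
BENIGN = {"host", "user-agent", "accept", "accept-language", "accept-encoding",
          "connection", "upgrade-insecure-requests", "x-forwarded-for", "via"}


def classify_headers(headers: Dict[str, str]) -> List[dict]:
    """Return one finding per header that looks like carrier enrichment.

    Values are truncated so that a screenshot of the output does not itself
    leak the full identifier.
    """
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in BENIGN:
            continue
        if lname in KNOWN_ENRICHMENT_HEADERS:
            reason = "known carrier enrichment header"
        elif SUSPICIOUS_NAME.search(lname):
            reason = "header name suggests a subscriber identifier"
        else:
            continue
        findings.append({"header": name,
                         "value_prefix": value[:6] + "...",
                         "reason": reason})
    return findings


def report(headers: Dict[str, str]) -> dict:
    """Build the JSON document the listener returns for one request."""
    findings = classify_headers(headers)
    return {
        "injected_identifier_suspected": bool(findings),
        "findings": findings,
        "all_headers": dict(headers),
    }


class EchoHandler(http.server.BaseHTTPRequestHandler):
    """Answer every GET with the report as JSON so it can be read on the phone."""

    def do_GET(self):
        body = json.dumps(report(dict(self.headers)), indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    print(f"listening on 0.0.0.0:{port}; open it from a phone over cellular via plain http://")
    http.server.HTTPServer(("0.0.0.0", port), EchoHandler).serve_forever()
```

Compare the output of a visit over cellular with one over Wi-Fi from the same phone: a header that appears only on the cellular visit was added by the carrier, not by the browser. An empty findings list is not proof of innocence, since it says nothing about what the carrier will disclose about your IP address to a partner that asks.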

"But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services — not just federal law enforcement officials — who are then selling access to that data. Given the trivial “consent” step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight."

He also found that the existing opt out mechanisms used by T-Mobile, Verizon, AT&T and other mobile carriers don't do a damn thing to prevent this data from being monetized:

"AT&T’s “consumer choice” opt-out at https://att.com/cmpchoice didn’t appear to do anything to stop this, even after waiting the stated 48 hours. All of the demos were still working for me on the morning of 2017–10–15 after I had opted out on 2017–10–13. Many users on Twitter and elsewhere also report that AT&T’s opt-out process doesn’t do anything here. Verizon’s “opt-out” pages also may not do anything to prevent this, either (A, B)."

The report was seemingly a bit too obscure to get much mainstream media attention, but it obviously hit a nerve all the same. Shortly after publication, both websites, and their previously public API documentation, were pulled offline by Payfone. Similarly, video of a joint AT&T and Danal presentation from 2014 explaining how the technology works was pulled from YouTube. The security community was surprised to learn of the technology, with some offering more concise analysis than others.

You'll recall that for years mobile carriers like Verizon argued that we don't need meaningful privacy protections because they always self-regulate within the boundaries of good taste. Carriers re-used this justification earlier this year when they convinced the Trump administration and GOP to kill FCC broadband privacy protections. But it's hard to hold these companies accountable for privacy violations when even security researchers aren't aware it's happening, and unlike the realm of Google, Facebook or other advertisers, a lack of competition in the telecom sector means less organic competitive pressure to behave.

This week's discovery is just another example of how mobile carrier self-regulation isn't working, and of how some modest rules requiring more transparency (along with mandatory, working opt out or opt in tools) would have been of immense public benefit.


Reader Comments



  • Anonymous Champion, 19 Oct 2017 @ 4:25am

    why not, the NSA gets away with your data

    why not, the NSA gets away with your data... it's not like everyone in short order won't know you and everything you do....

    should be next to worthless soon.... perhaps some copyright infringement notices on use of MY DATA I CREATE AS I SURF might start a new use that's more cool for copyright


    • Anonymous Coward, 19 Oct 2017 @ 8:53am

      Re: why not , the nsa gets away with your data

      Points finger .. they're doing it too


    • Anonymous Coward, 19 Oct 2017 @ 9:17am

      Re: why not , the nsa gets away with your data

      Just because the NSA gets the data doesn't mean others do. I detest people like you - you help surveillance boosters by demoralizing others from even trying to oppose it. You may as well work for the NSA for all that you do.


  • MyNameHere (profile), 19 Oct 2017 @ 5:02am

    I'm having a bit of a giggle here.

    When you pay attention, you realize that they are both demo sites, and both are things being worked on since 2013. They are not "live" for the public or in general use, from what I can see.

    Also, in both cases the projects appear to be "joint operations" between the two partners, which would permit your user data to be shared as part of the project. The companies are not third parties buying data.

    Good story, but a few sniffs and the fun goes away.


    • Anonymous Coward, 19 Oct 2017 @ 5:35am

      Re:

      MyNameHere having a giddy fit over the selling of user data because people put personal things on Facebook? Wow, who would've ever seen that coming?


    • Sok Puppette, 19 Oct 2017 @ 5:53am

      Re:

      They're offering "live" data to anybody who fucking comes in over the Internet. That's "live" and "public" enough for me, thanks.

      In a sane legal system, deliberately putting that information out there would get you a prison sentence, "demo" or no "demo". And even letting it outside of a closed billing system into a larger corporate system would be grounds for damages. Let's set the damages by statute at the same as the damages for sharing a pop song: $150k per record.

      And "partners" are third parties. That's just what pieces of shit like to call the particular third parties they happen to be working with that week, as part of the various cons they're running.

      Corporate toady.


      • MyNameHere (profile), 19 Oct 2017 @ 1:43pm

        Re: Re:

        "Corporate toady."

        Ad homs, how nice!

        "They're offering "live" data to anybody who fucking comes in over the Internet."

        The two sites in question were (a) demos, and (b) appear to be showing only your own data to yourself. There was no indication that the data was widely available without having access to the AT&T API, which has restricted access.

        "even letting it outside of a closed billing system into a larger corporate system would be grounds for damages."

        Not sure that is entirely true, especially not pre-2017, when these were developed.

        "And "partners" are third parties. That's just what pieces of shit like to call the particular third parties they happen to be working with that week, as part of the various cons they're running."

        It depends on the structure of the deal. It would also depend on if the data was actually stored by third parties, or only requested and used during a single transaction. Since we don't have a completed product with a final consumer facing view, we may never know.

        It would appear to mostly be two demo systems that were never turned off. At best, AT&T appears to perhaps be a bit lax in turning off access to their API.

        "pieces of shit"

        Indeed. Cussing and calling names sums up your post nicely!


        • Anonymous Coward, 19 Oct 2017 @ 3:03pm

          Re: Re: Re:

          I don't share your IP I purchased with third parties just with "partners" and only for "demo purposes".


        • Anonymous Coward, 20 Oct 2017 @ 8:05am

          Re: Re: Re:

          Indeed. Cussing and calling names sums up your post nicely!

          You don't have a lot of mirrors where you live, do you?


    • fdsa, 19 Oct 2017 @ 6:51am

      Re:

      >They are not "live" for the public or in general use, from what I can see.

      The original report says that the sites were taken down after the report started getting traction.

      >Also, in both cases the projects appear to be "joint operations" between the two partners, which would permit your user data to be shared as part of the project

      After showing what the journalist could access, the journalist cites two sources about the programs that Danal and Payfone are paying for access. I don't see anything that suggests that Danal and Payfone have an exclusive deal with the telcos, if that's your definition of 'not third party.'


    • Anonymous Coward, 19 Oct 2017 @ 7:46am

      Re:

      Hey MyNameHere - you just don't get it, do you?


  • Anonymous Coward, 19 Oct 2017 @ 5:11am

    By all means, please continue to give these companies your money.


  • Anonymous Coward, 19 Oct 2017 @ 5:39am

    I be surfin'
    they watchin'
    collectin'
    tryin' to sell all my data
    -tryin' to sell all my data
    -tryin' to sell all my data
    -tryin' to sell all my data - data - data - data - data...

    The real question is: To whom are they selling this data? Probably Equifax (and the like), and the Russians. The hackers are selling this data also. I wonder if they're selling the data to the same clientele, just at a lower price.
    Competition is key.



  • OldGeezer (profile), 19 Oct 2017 @ 8:40am

    Another reason not to trust Windows 10

    So if these carriers can give you an "opt out" and go right on snooping? What if the 13 "privacy" screens in Windows 10 are just a facade and every extremely invasive default is still on (including your mike always being hot) and transmitting to Microsoft and god knows who else? I see nothing in the privacy agreement that lets you opt out of the part where you agree they can search your programs & private folders (looking for piracy?), read your emails & should they choose, rat you to law enforcement. That's why I am on Linux now and took Windows 8.1 offline. I have some Windows programs I can't find replacements for. Some things are just easier to do in Windows. I know you can't ever escape all snooping. It doesn't really bother me that I can buy an amp and when I go to Amazon the "items suggested for you" include speakers. I might want the speakers.
    http://www.tomshardware.com/forum/id-2750361/microsoft-win-watch-report-police.html


    • Roger Strong (profile), 19 Oct 2017 @ 9:18am

      Re: Another reason not to trust Windows 10

      This snooping and selling of your data is OS-independent. Switching to Linux does nothing to stop it.


      • Isma'il, 19 Oct 2017 @ 8:16pm

        Re: Re: Another reason not to trust Windows 10

        I'm glad I run a VPN; desktop and mobile. It's not perfect and has its own flaws, but at least I'm not willingly "sharing" this info.


  • Mason Wheeler, 19 Oct 2017 @ 8:50am

    You'll recall that for years mobile carriers like Verizon argued that we don't need meaningful privacy protections because they always self-regulate within the boundaries of good taste.

    Once again, is there any example of this ever actually happening? Megacorporations do not "self-regulate." Ever.


  • Anonymous Coward, 19 Oct 2017 @ 8:55am

    "mobile carriers like Verizon argued that we don't need meaningful privacy protections because they always self-regulate"

    Hahahahahahahahaha - that's a good one!


  • That Anonymous Coward (profile), 19 Oct 2017 @ 9:41am

    Corporations are people, my friends, but if we sold off their data like they do ours, we'd be in jail.

    Pity the amount of money it takes to buy Congress members is so low. They are bought and paid for across the board, we need to stop pretending otherwise. They do whatever makes the corps happy at the expense of those they are supposed to represent. We keep blindly reelecting them because of dog whistles, ignoring how much worse they have made our lives & country.


  • Stosh, 19 Oct 2017 @ 10:22am

    My simple solution is to use my phone only to make phone calls ... that way only the NSA has a record of what was said.


  • ryuugami, 20 Oct 2017 @ 6:12am

    twitter

    what the fuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuck https://t.co/ppLhDwH0IZ

    -- expanded to fit new Twitter character limit


  • CISP029 (profile), 17 Nov 2017 @ 9:24am

    Sell your Data?

    Hmmm, ever try to unsubscribe from Techdirt? Now that is a quagmire of dead end streets if I have ever seen one. Google "unsubscribe techdirt", and you will be presented with numerous articles on how hitting unsubscribe in emails is dangerous. Among others. But unsubscribing from Techdirt, hmm, is so unfathomable that when I emailed the tech people here they were aghast. Well to unsubscribe from our reporting service, oh, I see you have already done that, or to unsubsc.....

    The question was, remove my account, permanent like, flaming users, paranoid, and misunderstanding all that they see....


