Wireless Carriers Again Busted Collecting, Selling User Data Without Consent Or Opt Out Tools
from the privacy-no-longer-exists dept
A few years ago, Verizon and AT&T were busted for covertly modifying wireless user data packets in order to track users around the internet. Verizon used the technology to track browsing behavior for two years before the practice was even discovered by security researchers. It took another six months of public shaming before Verizon was even willing to offer opt out tools. And while the FCC ultimately gave Verizon a $1.3 million wrist slap, it highlighted how we don’t really understand the privacy implications of what mobile carriers are up to, much less have real standards in place to protect us from abuse in the modern mobile era.
While notably different in scope and application, these same companies were again caught this week collecting and selling user information without user consent or working opt out tools.
Earlier this week Philip Neustrom, co-founder of Shotwell Labs, discovered something interesting and documented his findings in this blog post. Neustrom discovered a pair of websites that, when visited from a mobile device over a cellular connection, appeared to easily glean numerous personal details about the visitor, including the visitor’s name, some billing and location data, and more. Users simply needed to input a zip code, and the carrier providing their cellular service seemingly handed a wide array of personal data to these services without user consent or an opt out.
On the surface, the intention behind these services isn’t particularly nefarious. These websites are examples of fraud prevention services companies like Payfone offer to companies, employers and organizations to help verify a visitor is who they say they are. Visitors to a specific website have their data immediately cross-referenced with billing, phone number, or even GPS data that’s provided by wireless carriers. The problem, as Neustrom documents, is that mobile carriers don’t appear to be adequately informing users this data is being collected or sold:
“But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services—not just federal law enforcement officials—who are then selling access to that data. Given the trivial “consent” step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight.”
He also found that the existing opt out mechanisms used by T-Mobile, Verizon, AT&T and other mobile carriers don’t do a damn thing to prevent this data from being monetized:
“AT&T’s “consumer choice” opt-out at https://att.com/cmpchoice didn’t appear to do anything to stop this, even after waiting the stated 48 hours. All of the demos were still working for me on the morning of 2017-10-15 after I had opted out on 2017-10-13. Many users on Twitter and elsewhere also report that AT&T’s opt-out process doesn’t do anything here. Verizon’s “opt-out” pages also may not do anything to prevent this, either (A, B).”
The report was seemingly a bit too obscure to get much mainstream media attention, but obviously hit a nerve all the same. Shortly after publication, both websites, along with their previously public API documentation, were pulled offline by Payfone. Similarly, video of a joint AT&T/Danal presentation from 2014 explaining how this technology works was pulled from YouTube. The security community was surprised to learn of the technology, with some offering more concise analysis than others:
what the fuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuck https://t.co/ppLhDwH0IZ
— NightmareOnTayStreet (@SwiftOnSecurity) October 15, 2017
You’ll recall that for years mobile carriers like Verizon argued that we don’t need meaningful privacy protections because they always self-regulate within the boundaries of good taste. Carriers re-used this justification earlier this year when they convinced the Trump administration and GOP to kill FCC broadband privacy protections. But it’s hard to hold these companies accountable for privacy violations when even security researchers aren’t aware it’s happening, and unlike the realm of Google, Facebook or other advertisers, a lack of competition in the telecom sector means less organic competitive pressure to behave.
This week’s discovery is just another example of how mobile carrier self-regulation isn’t working, and some modest rules requiring more transparency (and mandatory opt-out or opt-in tools) would have been of immense public benefit.
Filed Under: privacy, selling, user info, wireless
Companies: at&t, t-mobile, verizon
Comments on “Wireless Carriers Again Busted Collecting, Selling User Data Without Consent Or Opt Out Tools”
why not , the nsa gets away with your data
why not, the nsa gets away with your data… it's not like everyone in short order won't know you and everything you do….
should be next to worthless soon…. perhaps some copyright infringement notices on use of MY DATA I CREATE AS I SURF might start a new use that’s more cool for copyright
Re: why not , the nsa gets away with your data
Points finger .. they’re doing it too
Re: why not , the nsa gets away with your data
Just because the NSA gets the data doesn’t mean others do. I detest people like you – you help surveillance boosters by demoralizing others from even trying to oppose it. You may as well work for the NSA for all that you do.
I’m having a bit of a giggle here.
When you pay attention, you realize that they are both demo sites, and both are things being worked on since 2013. They are not “live” for the public or in general use, from what I can see.
Also, in both cases the projects appear to be “joint operations” between the two partners, which would permit your user data to be shared as part of the project. The companies are not third parties buying data.
Good story, but a few sniffs and the fun goes away.
Re: Re:
MyNameHere having a giddy fit over the selling of user data because people put personal things on Facebook? Wow, who would’ve ever seen that coming?
Re: Re:
They’re offering “live” data to anybody who fucking comes in over the Internet. That’s “live” and “public” enough for me, thanks.
In a sane legal system, deliberately putting that information out there would get you a prison sentence, “demo” or no “demo”. And even letting it outside of a closed billing system into a larger corporate system would be grounds for damages. Let’s set the damages by statute at the same as the damages for sharing a pop song: $150k per record.
And “partners” are third parties. That’s just what pieces of shit like to call the particular third parties they happen to be working with that week, as part of the various cons they’re running.
Corporate toady.
Re: Re: Re:
“Corporate toady.”
Ad homs, how nice!
“They’re offering “live” data to anybody who fucking comes in over the Internet.”
The two sites in question were (a) demos, and (b) appear to be showing only your own data to yourself. There was no indication that the data was widely available without having access to the AT&T API, which has restricted access.
“even letting it outside of a closed billing system into a larger corporate system would be grounds for damages.”
Not sure that is entirely true, especially not pre-2017, when these were developed.
“And “partners” are third parties. That’s just what pieces of shit like to call the particular third parties they happen to be working with that week, as part of the various cons they’re running.”
It depends on the structure of the deal. It would also depend on if the data was actually stored by third parties, or only requested and used during a single transaction. Since we don’t have a completed product with a final consumer facing view, we may never know.
It would appear to mostly be two demo systems that were never turned off. At best, AT&T appears to perhaps be a bit lax in turning off access to their API.
“pieces of shit”
Indeed. Cussing and calling names sums up your post nicely!
Re: Re: Re: Re:
I don’t share your IP I purchased with third parties just with “partners” and only for “demo purposes”.
Re: Re: Re: Re:
Indeed. Cussing and calling names sums up your post nicely!
You don’t have a lot of mirrors where you live, do you?
Re: Re:
Hey MyNameHere – you just don't get it, do you?
By all means, please continue to give these companies your money.
Re: Re:
Isn’t the issue with this topic that if you want internet access, you don’t have a lot of options to pick from?
I be surfin’
they watchin’
collectin’
tryin’ to sell all my data
-tryin’ to sell all my data
-tryin’ to sell all my data
-tryin’ to sell all my data – data – data – data – data…
The real question is: To whom are they selling this data? Probably Equifax (and the like), and the Russians. The hackers are selling this data also. I wonder if they’re selling the data to the same clientele, just at a lower price.
Competition is key.
anal arse passage fucks
this is just totally anal arse passage fucking sucking and rimming the anal arse passage.
Re: anal arse passage fucks
At least it’s not the tired old “I made $500 with a method I promise you can find at this malware-hosting link” spam.
Re: anal arse passage fucks
Huzzah! The Profane Zorro’s sidekick Bernarshole is no longer a mute! Confuckulations Bern-o, you llama-buggering shitesack!
Another reason not to trust Windows 10
So if these carriers can give you an “opt out” and go right on snooping? What if the 13 “privacy” screens in Windows 10 are just a facade and every extremely invasive default is still on (including your mike always being hot) and transmitting to Microsoft and god knows who else? I see nothing in the privacy agreement that lets you opt out of the part where you agree they can search your programs & private folders (looking for piracy?), read your emails & should they choose, rat you to law enforcement. That’s why I am on Linux now and took Windows 8.1 offline. I have some Windows programs I can’t find replacements for. Some things are just easier to do in Windows. I know you can never escape all snooping. It doesn’t really bother me that I can buy an amp and when I go to Amazon the “items suggested for you” include speakers. I might want the speakers.
http://www.tomshardware.com/forum/id-2750361/microsoft-win-watch-report-police.html
Re: Another reason not to trust Windows 10
This snooping and selling of your data is OS-independent. Switching to Linux does nothing to stop it.
Re: Re: Another reason not to trust Windows 10
I’m glad I run a VPN; desktop and mobile. It’s not perfect and has its own flaws, but at least I’m not willingly “sharing” this info.
Once again, is there any example of this ever actually happening? Megacorporations do not "self-regulate." Ever.
Re: Re:
Many megacorps do self-regulate, but primarily in industries in which they can’t hide malfeasance.
“mobile carriers like Verizon argued that we don’t need meaningful privacy protections because they always self-regulate”
Hahahahahahahahaha – that’s a good one!
Corporations are people my friends, but if we sold off their data like they do ours, we’d be in jail.
Pity the amount of money it takes to buy Congress members is so low. They are bought and paid for across the board, we need to stop pretending otherwise. They do whatever makes the corps happy at the expense of those they are supposed to represent. We keep blindly reelecting them because of dog whistles, ignoring how much worse they have made our lives & country.
My simple solution is to use my phone only to make phone calls … that way only the NSA has a record of what was said.
twitter
— expanded to fit new Twitter character limit
Sell your Data?
Hmmm, ever try to unsubscribe from Techdirt? Now that is a quagmire of dead end streets if I have ever seen one. Google “unsubscribe techdirt”, and you will be presented with numerous articles on how hitting unsubscribe in emails is dangerous. Among others. But unsubscribing from Techdirt, hmm, is so unfathomable that when I emailed the tech people here they were aghast. Well, to unsubscribe from our reporting service, oh, I see you have already done that, or to unsubsc…..
The question was, remove my account, permanent like, flaming users, paranoid, and misunderstanding all that they see….
Buy only linux based phone os, eh?
https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-7/cvssscoremax-7.99/Linux-Linux-Kernel.html
We are being watched
Is it surprising for you? There is nothing personal, everything is tracked. Every step, every person. This is a complete violation of the rights and freedoms of the individual. But nothing can be done. We are details of a large mechanism.