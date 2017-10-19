Wireless Carriers Again Busted Collecting, Selling User Data Without Consent Or Opt Out Tools
A few years ago, Verizon and AT&T were busted for covertly modifying wireless user data packets in order to track users around the internet. Verizon used the technology to track browsing behavior for two years before the practice was even discovered by security researchers. It took another six months of public shaming before Verizon was even willing to offer opt out tools. And while the FCC ultimately gave Verizon a $1.3 million wrist slap, it highlighted how we don't really understand the privacy implications of what mobile carriers are up to, much less have real standards in place to protect us from abuse in the modern mobile era.
While notably different in scope and application, these same companies were again caught this week collecting and selling user information without user consent or working opt out tools.
Earlier this week Philip Neustrom, co-founder of Shotwell Labs, discovered something interesting and documented his findings in this blog post. Neustrom discovered a pair of websites that, when visited by a mobile device over a cellular connection, appeared to easily glean numerous personal visitor details, including the visiting user's name, some billing and location data, and more. Users simply needed to input a zip code, and the carriers providing your cellular service seemingly provide a wide array of personal data to these services without user consent or an opt out.
On the surface, the intention behind these services isn't particularly nefarious. These websites are examples of fraud prevention services companies like Payfone offer to companies, employers and organizations to help verify a visitor is who they say they are. Visitors to a specific website have their data immediately cross-referenced with billing, phone number, or even GPS data that's provided by wireless carriers. The problem, as Neustrom documents, is that mobile carriers don't appear to be adequately informing users this data is being collected or sold:
"But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services — not just federal law enforcement officials — who are then selling access to that data. Given the trivial “consent” step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight.
He also found that the existing opt out mechanisms used by T-Mobile, Verizon, AT&T and other mobile carriers don't do a damn thing to prevent this data from being monetized:
"AT&T’s “consumer choice” opt-out at https://att.com/cmpchoice didn’t appear to do anything to stop this, even after waiting the stated 48 hours. All of the demos were still working for me on the morning of 2017–10–15 after I had opted out on 2017–10–13. Many users on Twitter and elsewhere also report that AT&T’s opt-out process doesn’t do anything here. Verizon’s “opt-out” pages also may not do anything to prevent this, either (A, B)."
The report was seemingly a bit too obscure to get much mainstream media attention, but obviously hit a nerve all the same. Shortly after publication, both websites -- and their previously public API documentation were pulled offline by Payfone. Similarly, video of a joint AT&T Danal presentation from 2014 explaining how this technology works was pulled from YouTube. The security community was surprised to learn of the technology, with some offering more concise analysis than others:
what the fuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuck https://t.co/ppLhDwH0IZ
— NightmareOnTayStreet (@SwiftOnSecurity) October 15, 2017
You'll recall that for years mobile carriers like Verizon argued that we don't need meaningful privacy protections because they always self-regulate within the boundaries of good taste. Carriers re-used this justification earlier this year when they convinced the Trump administration and GOP to kill FCC broadband privacy protections. But it's hard to hold these companies accountable for privacy violations when even security researchers aren't aware it's happening, and unlike the realm of Google, Facebook or other advertisers, a lack of competition in the telecom sector means less organic competitive pressure to behave.
This week's discovery is just another example of how mobile carrier self-regulation isn't working, and some modest rules requiring more transparency (and mandatory, opt out or opt in tools) would have been of immense public benefit.
Reader Comments
why not , the nsa gets away with your data
should be next to worth less soon ....perhaps some copyright infringement notices on use of MY DATA I CREATE AS I SURF might start a new use that's more cool for copyright
Re: why not , the nsa gets away with your data
Re: why not , the nsa gets away with your data
When you pay attention, you realize that they are both demo sites, and both are things being worked on since 2013. They are not "live" for the public or in general use, from what I can see.
Also, in both cases the projects appear to be "joint operations" between the two partners, which would permit your user data to be shared as part of the project. The companies are not third parties buying data.
Good story, but a few sniffs and the fun goes away.
Re:
Re:
In a sane legal system, deliberately putting that information out there would get you a prison sentence, "demo" or no "demo". And even letting it outside of a closed billing system into a larger corporate system would be grounds for damages. Let's set the damages by statute at the same as the damages for sharing a pop song: $150k per record.
And "partners" are third parties. That's just what pieces of shit like to call the particular third parties they happen to be working with that week, as part of the various cons they're running.
Corporate toady.
Re: Re:
Ad homs, how nice!
"They're offering "live" data to anybody who fucking comes in over the Internet."
The two sites in question were (a) demos, and (b) appear to be showing only your own data to yourself. There was no indication that the data was widely available without having access to the AT&T API, which has restricted access.
"even letting it outside of a closed billing system into a larger corporate system would be grounds for damages."
Not sure that is entirely true, especially not pre-2017, when these were developed.
"And "partners" are third parties. That's just what pieces of shit like to call the particular third parties they happen to be working with that week, as part of the various cons they're running."
It depends on the structure of the deal. It would also depend on if the data was actually stored by third parties, or only requested and used during a single transaction. Since we don't have a completed product with a final consumer facing view, we may never know.
It would appear to mostly be two demo systems that were never turned off. At best, AT&T appears to perhaps be a bit lax is turning off access to their API.
"pieces of shit"
Indeed. Cussing and calling names sums up your post nicely!
Re: Re: Re:
Re: Re: Re:
Indeed. Cussing and calling names sums up your post nicely!
You don't have a lot of mirrors where you live, do you?
Re:
The original report says that the sites were taken down after the report starting getting traction.
>Also, in both cases the projects appear to be "joint operations" between the two partners, which would permit your user data to be shared as part of the project
After showing what the journalist could access, the journalist cites two sources about the programs that Danal and Payfone are paying for access. I don't see anything that suggests that Danal and Payfone have an exclusive deal with the telcos, if that's your definition of 'not third party.'
Re:
Re:
they watchin'
collectin'
tryin' to sell all my data
-tryin' to sell all my data
-tryin' to sell all my data
-tryin' to sell all my data - data - data - data - data...
The real question is: To whom are they selling this data? Probably Equifax (and the like), and the Russians. The hackers are selling this data also. I wonder if they're selling the data to the same clientele, just at a lower price.
Competition is key.
anal arse passage fucks
Re: anal arse passage fucks
Re: anal arse passage fucks
Another reason not to trust Windows 10
http://www.tomshardware.com/forum/id-2750361/microsoft-win-watch-report-police.html
Re: Another reason not to trust Windows 10
Re: Re: Another reason not to trust Windows 10
Once again, is there any example of this ever actually happening? Megacorporations do not "self-regulate." Ever.
Re:
Hahahahahahahahaha - that's a good one!
Pity the amount of money it takes to buy Congress members is so low. They are bought and paid for across the board, we need to stop pretending otherwise. They do whatever makes the corps happy at the expense of those they are supposed to represent. We keep blindly reelecting them because of dog whistles, ignoring how much worse they have made our lives & country.
-- expanded to fit new Twitter character limit
