AT&T, Verizon, T-Mobile & Sprint Want Even Broader Access To Your Personal Data
from the hard-pass dept
We’ve noted repeatedly that however bad Facebook has been on privacy (pretty clearly terrible), the broadband industry has traditionally been much, much worse. From AT&T’s efforts to charge consumers more just to protect their privacy, to Verizon getting busted for covertly tracking users around the internet without telling them (or letting users opt out), this is not an industry that respects you or your privacy. That’s before we even get to their cozy, often mindlessly-loyal relationship with intelligence and law enforcement.
As such, it’s kind of amusing to note that these are the same companies now trying to position themselves as the gatekeepers of all of your private data online. As security expert Brian Krebs notes, AT&T, Verizon, T-Mobile and Sprint (the latter two of which will likely soon be one company) are cooking up something dubbed “Project Verify,” which would let end users eschew traditional website passwords — instead authenticating visitors by leveraging data elements unique to each customer?s phone and mobile subscriber account, including location, “customer reputation”, and device hardware specs.
This video by the carriers offers a little more detail:
The problem, as Krebs is quick to note, is that giving more private data to companies with an utterly abysmal track record on privacy might not be a particularly bright idea:
“A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are.”
As we’ve been noting, these are the same companies that have been struggling to prevent hackers from routinely stealing customer identities via SIM hijacking, which involves a hacker bribing an employee to port your phone number to a new device, then jacking your identity and making off with your private data (or making millions by selling your cryptocurrency or valuable accounts). These are also the same carriers that have routinely failed to do much about the SS7 exploit that’s been in the wild for seemingly ever, allowing hackers to spy on an undetermined number of cellular customers for years.
These are also the same wireless carriers that were just caught up in a massive scandal involving their collection of sale of user location data, a multi-billion dollar venture that involves selling your daily motion habits to a cavalcade of different companies, many of which have shown a similarly-flimsy disregard for actually keeping that data safe. And these are the same companies that work tirelessly to scuttle any and every effort to actually shore up nationwide privacy standards, usually by lying to lawmakers and the public about what these plans would actually do.
For his part, Krebs thinks this is a hard pass:
“I am not likely to ever take the carriers up on this offer. In fact, I?ve been working hard of late to disconnect my digital life from these mobile providers. And I?m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service.”
Other widely-respected security reporters were similarly unimpressed:
I don't wanna be a Debbie Downer but if you can't figure out how to stop SIM Swapping or securing your web servers I don't know if you should be trusted to become * the * digital identity manager for millions of people.
— Lorenzo Franceschi-Bicchierai (@lorenzofb) September 13, 2018
Again, the devil will be in the details. But at first glimpse, you’d be pretty foolish to trust companies with additional private data that have repeatedly proven to be routinely cavalier about the oceans of data they already collect. Time and time again wireless carriers have prioritized profits over the personal interest and welfare of consumers, and anybody expecting that to magically change ahead of Project Verify’s launch haven’t been paying attention.
Filed Under: accounts, digital identity, passwords, privacy, project verify, telcos
Companies: at&t, sprint, t-mobile, verizon
Comments on “AT&T, Verizon, T-Mobile & Sprint Want Even Broader Access To Your Personal Data”
Blockbuster is more regulated than Verizon?
It seems absurd that my video rental records are better protected than my mobile data.
‘giving more private data to companies with an utterly abysmal track record on privacy might not be a particularly bright idea’
really good thing when privacy is being eroded, along with freedom, by the US government and just about every other government on the Planet as well. letting what isn’t being protected well already be less protected by a bunch of liars only interested in being paid for handing out info to as many companies as possible, while knowing everything we do, every minute of every day, gives them constant access to us is despicable!!
Project Verify - aka - Project EBD (Encryption Back Door)
If you use this, you’ve just handed the feds the keys to your encryption for every web application or site you feed to this app.
Re: Project Verify - aka - Project EBD (Encryption Back Door)
So this is how liberty dies, with thunderous applause…
The masses will eat this up, not realizing that they are basically submitting themselves to branding and constant monitoring of all their activities.
Next will come the use of the privacy data to track down those responsible for “fake news” (aka, anything against the current governemnt’s wishes), and then the beheadings will begin.
Wait until the DNA databases are cross referenced with this data to track down any “foreign invaders” (aka immigrants) who will then be summarily shot by firing squad (or just deported to their country of origin, based on the highest % in their DNA record).
Now where did I put that tinfoil hat… (it stops the privacy stealing rays… when wrapped around your phone, right?)
Re: Re: Project Verify - aka - Project EBD (Encryption Back Door)
“So this is how liberty dies, with thunderous applause…”
This is how it always dies…
there is a reason that the founding fathers said that those whom give up essential liberty for a little temporary safety deserve neither that liberty or safety.
There is no greater irony than those that are crushed under the very boots they themselves elected to crush them.
Re: Project Verify - aka - Project EBD (Encryption Back Door)
Exactly, the feds have found their unicorn, key-escrow with a willing surveillance partner.
[Laughs and laughs and laughs] Yeah, right.
I will be sure to run right out and join.
DUMB PIPES
Dear AT&T, Verizon, T-Mobile and Sprint:
You don’t need my personal data.
You have exactly one job: DUMB PIPES.
Just be the world’s best, fastest, most convenient, and competitively prices dumb pipes.
Doing your business and doing it well is a time honored way of building a great business.
Sincerely,
your customers
Re: DUMB PIPES
Amazingly, Verizon just announced a suspiously great plan. I kept looking for a catch and didn’t see it. No caps, no throttling, no tethering restrictions, 300-1000 Mbps, and their advertised price includes all fees and taxes. It’s an announcement from a bizarro world. Two days later they announce they want to manage my security, and we’re back to reality. Next week they’ll be back to extorting money from Youtube and Netflix.
who cares
Just like the last time I told the knobs around here that avoiding Google is as impossible as avoiding the credit agencies my post got flagged.
Some are even dumb enough to think they can avoid the likes of google if they block scripts. If you design webpages, you already know you can hide plenty of things from the user about their sessions. This does not even count the 3rd party data sharing businesses do with Google on other things.
These companies are going to get your data, they are going to be able to use it as they see fit. Any lawsuits they lose over that data will only result in temporary setbacks as the government is going to want that data as well. It behooves businesses to get into bed with government and to spy on you for them so they can bilk you for every last penny the government will allow.
And you are going to deserve it too!
Re: who cares
Story about:
“AT&T, Verizon, T-Mobile & Sprint Want Even Broader Access To Your Personal Data”
Idiot says:
“that avoiding Google is as”
How’d Google get into this? Isn’t Mike Google? Aren’t you playing right into their devious plan? The only way you can avoid it is to completely disconnect from the internet. You better get started. Chop chop.
Re: Re: who cares
Why are people like you so fucking dumb?
The article is about AT&T…. but the primary focus is about “privacy” and your information which is why TD also brought up Facebook
“We’ve noted repeatedly that however bad Facebook has been on privacy”
And I decided to bring up Google. Please forgive me if you are too stupid to consider the parallels I brought up in my post.
You are the idiot, people like you get taken quite a lot. There is no end to the ways I could get people like you to work against your own interests but pretending for you that you are working in your own best interest.
“Isn’t Mike Google?”
Piss off with that bullshit, Google is google and no one else.
“The only way you can avoid it is to completely disconnect from the internet.”
Not true, but I don’t think you are intelligent enough to understand why.
Re: Re: Re: who cares
Lots of words but you haven’t actually said anything.
Re: Re: Re:2 who cares
Let me make it clear then since you can’t figure it out.
AT&T, Verizon, Facebook (as mentioned by TD), Google, and many other businesses can mine your data and there is not a jack fucking thing you can effectively do about it.
If you take them to court and win, they just pay out a little bit but will keep doing what the fuck they want. If you get a politician to side with you then they just buy the politician and still keep tracking you except they will now just agree to hand that data over to the politician.
You
are
fucked
either
way!
that is what I am saying!
Re: Re: Re:3 who cares
Like I said, lots of words but not really saying anything.
Re: Re: Re: who cares
“And I decided to bring up Google.”
For no good reason whatsoever other than… well… to bring up your vendetta against Google at every opportunity.
Yeah, we know.
The rest of your comment is just you all butthurt.
Seems you are in a perpetual state of butthurt.
Re: Re: Re:2 who cares
I don’t have a vendetta against google… still use their email service and I also use their search engine.
I am just telling clueless people like you that you don’t know as much as you think you do and you can’t avoid google collecting data on you no matter what you do.
You CAN reduce the amount they collect on you by taking steps but there is a limit.
The only thing I am “butthurt” about is the level of stupidity and ignorance around here. I can tolerate people having different views, I just have low tolerance for willfully blind ignorance. It’s not like the things I say cannot be easily discovered. It just takes you to get your head out of your little sheep ass.
Re: Re: Re:3 who cares
Your constant railing against them and berating people for using their services would indicate otherwise.
So you’re just a hypocrite then. Got it.
We feel the same way about you.
Actually, they can’t, because they aren’t true.
You keep using those words, I don’t think they mean what you think they mean.
Re: who cares
You can 100% avoid google along with any other site you desire to block. First, use a few addons such as ublock origin & decentraleyes — custom set them up tight. Then, take control of your machine by first setting up very tight host firewall rules (if privacy is imortant, block port 80). Then, to stop MS abuse, use dnscrypt setting up tight blacklist, whitelist, & cloaking rules (see concise example snippets below). Finally, monitor all dnscrypt logs for rouge apps and block when necessary. Javascript should also be disabled 99% of the time. I just skip sites that insist on js, not worth the security risk. This settings will break a few sites, but you must ask, what is more important?… then we live accordingly. Also, if I need to see a blocked site, I temporarily put it in the whitelist & restart dnscrypt via a script, takes less than .1 second.
dnscrypt cloaking examples…
googleapis 127.0.0.51
gstatic. 127.0.0.50
google-analytics 127.0.0.52
dnscrypt blacklist examples…
cs9.wac.phicdn.net
google.com
youtube.com
mozilla
microsoft.
go.microsoft
microsoftonline.com
.msftncsi
windowsupdate
telemetry.
ipv6.microsoft
appsforoffice
social.msdn.microsoft
social.technet.microsoft*
Re: Re: who cares
no you can’t
You don’t even have to be online for google to collect data and information about you.
I work in IT, people share data, you have already given data to others and they share it, and then google buys it from them. Google is not the only people that do this, in fact this has been happening since before google existed. The things YOU DO on the internet is not the only things being collected about you.
You know what, ignore everything I just said… be a stupid fucking sheep, not a single fucking thing is being used to track you and this entire fucking story is a load of bullshit.
Take your tin hat off, find the nearest pile of loose dirt, no make that “hard” dirt and slam your fucking head into it until you either bury your head enough to suffocate you or the process knocks some fucking sense into you!
Re: Re: Re: who cares
My guidance concerned limiting data we give directly to corporations via our browsing activity. If you really worked in IT as a professional, were intelligent & understood what I wrote, then you would know this wouldn’t you. My guidance gives 100% effective methods to control what domains a computer visits. It also gives a suggestion to monitor that activity in the event of anomalies or rouge activity. That is the problem domain my solution addresses.
I does not address corrupt practices such as google buying data from Master Card. If you were not so crazed from sniffing glue, you would know this wouldn’t you. Outside the internet is a different problem domain not directly solvable thanks to political corruption. If you really worked in IT as a professional, then you would know how to split up problem domains wouldn’t you.
So that is all we can do, to try to limit the amount of data that is out there. Any other protections must come via laws. Given that the US is in a downward, 900mph spirial race to the bottom, I wouldn’t hold your breath waiting for a politician to save you. There are only one or two who have not sold their mother, spouse, and children’s souls to the lowest bidder for peanuts.
Re: Re: Re:2 who cares
Your guidance includes advice to monitor the logs, then block as necessary. By definition we can’t reach 100% if we let things through and then block. Nor can you realistically say you’re going to get us to 100% and then give an incomplete list of examples (how about doubleclick.net?).
Re: Re: Re:3 who cares
Let me help you with your concerns about “doubleclick.net”.
First, read where I stated “First, use a few addons such as ublock origin…”. Ublock origin blocks all privacy invading domains BEFORE connection. If you really worked in IT as a professional, then you would not be embarrassing yourself typing nonsense such as, “(how about doubleclick.net?)”.
Furthermore, where you write, “And then give an incomplete list of examples”, go back and read my original post, where it states “concise example snippets”. A 15 yo child knows what those words mean in combination. See the definitions at the end of this post for a reminder of what words mean. Fact is, you seem to be very ignorant about technology and your reading comprehension compounds your problems.
As far as your conern over “monitoring dnscrypt logs”, I see a few mental inefficiencies in your interpretations of our dialogue. My ACTUAL advice was, “Monitor all dnscrypt logs for ROUGE APPS and block when necessary.” But your glue disabled mind did not take note of the terms “rouge apps”. It also missed my advise about setting up “tight firewall rules”.
So, let me help you; yet again. The way the internet works is, a rouge app first looks up an ip address. This is where dnscrypt comes in, working as a flag that informs you something is wrong. The rouge app then attempts to connect to that ip. But, because a careful reader would have setup “tight firewall rules”, that rouge app’s connection would have been blocked. In fact, if you are smart, you have several lines of defense to block rouge connections, not just the host firewall & dnscrypt. If you really worked in IT as a professional, then you would know all of this wouldn’t you. Call me old fashioned, but I feel someone like you who sniffs glue while mopping floors at a data center is not the same as actually working in tech.
Extra credit, if privacy is important to you, NEVER allow your mobile phone to access the internet. The second you do, you just joined ranks with the non-tech masses.
Research how third party tracking ACTUALLY works, along with how google ACTUALLY tracks you across domains, along with the high effectiveness of Firefox’s native third party tracker blocking (compounded in effectiveness with ublock origin).
Then, see my advice about blocking port 80. Then, combine all of this advice with disabling javascript, using dnscrypt, et al. All combined, you can effectively block any domain you wish; including the blocking MS windows spyware. You have the logs to prove it. You can further absolutely prove your work by placing a Unix (not windows) wireshark fox between your browsing virtual machine and your hardware firewall (as an IT pro, you are using a locked down vm to browse and a hardware firewall to protect your network, right?). Fact is, ms, google, twitter, fb, et al are not even aware I exist on the internet.
Note, js is what a big killer in user privacy. But if you need js so you can tweet about your hurt butt, Firefox has many settings to limit that damage; such as disabling WebRTC, GL, etc… You also have 100s of other protective about:config settings, such as
about:config?filter=security.mixed_content.block_display_content
about:config?filter=security.mixed_content.block_active_content
about:config?filter=beacon.enabled
about:config?filter=dom.storage.enabled
+ 100s more
You being an IT pro and concerned about privacy knew to use Firefox and not chrome, and also how to setup a box for privacy, right?
Re: Re: Re:4 who cares
Rouges are overpowdered.
Re: Re: Re:5 who cares
hehe my err, thanks friend. sb “Rogue Apps” everywhere above not rouge apps.
“The problem, as Krebs is quick to note, is that giving more private data to companies with an utterly abysmal track record on privacy might not be a particularly bright idea”
This reminds me of the time FB suggested users upload their nudes so that FB could prevent revenge porn or something like that.
Re: Re:
Would you believe me if I told you that I know of a way to steal your property AND get you to actually like me after doing it?
Re: Re: Re:
No. Nobody believes anything you say.
Re: Re: Re:
If you knew a way to get people to like you, you would have done it by now.
Re: Re: Re: Re:
Why would I seek to be liked by a group of knobs and idiots?
I have higher priorities, like trying to get you to stop being an idiot and be able to think for yourself and not rely on others to hand feed you a bunch of bogus information designed to sucker you like a dope!
Once you like truth you will then start to like me, because people that like truth stop getting butthurt when truth appears on the scene. They begin to welcome it!
Re: Re: Re:2 Re:
Why would I seek to be LIKEd by people who I want to egt to LISTEN to “me”? That doesn’t Make any Sense! You stupid “sycophantic” KNOBS! You will Listen to “me” because I call you Idiots! That is how being SMART works! If you were SMART like “me”, you would “know” THAT! Knobs! Idiots! Sycophants! Why “won’t” you LISTEN to ME?
You don ot understand “truth”> And by “truth” I mean Paint CHIPS. Truth is the “brand” of PAINT that I like to Buy. It contains LEAD because I am knot a KNOB who does not eat LEAD. Regulations are BAD and both “sies” are BAD and you are STUPID KNOBS who do NOT “see” the Truth! Why would I want you to “like” me, you Knobs? I wnt you to LISTEN to “me”, not Like me. The two things are “obiovously” toally UN related, as anybody who is SMART and understands “truth”, like Me, can Tell you! You knob!
One day you will “see” and you will “like Truth”, because you will eat Paint chips like “me”. And than at Last I will have “friends” and people who “like” me.
Every Nation eats the Paint chips it Deserves!
Re: Re: Re:3 Re:
Where have you been you little shit? It has been a while since I read one of your little posts.
How have the paint chips been? Are they nice and tasty still?
Now, I don’t know if every nation eats the paint chips they deserve, but I can tell them that they need to get up early to get their fair share before you eat it all.
Re: Re: Re:2 Re:
“I have higher priorities”
Yeah, like posting on a forum of knobw and idiots. You’re not very bright, are you?
Re: Re: Re:
You have a desire to get people to like you?
Oh, I get it… you’re trying to get voted funny before the week finishes.
Re: Re: Re:
“Would you believe me if I told you that I know of a way to steal your property AND get you to actually like me after doing it?”
Uploading your nudes to FB will not do it for me, but thanks anyways.
Let's not go with "SIM hijacking"
Nothing was done to the SIM card. We should come up with a better term before we’re stuck with something as bad as “identity theft”. (Nobody loses their identity from “SIM hijacking” BTW, nor does the “thief” gain their identity.)
How about “the telco fucked up and gave a criminal access to the account”?
Re: Let's not go with "SIM hijacking"
It is just another of their ill fated attempts at blaming the victim.
Re: Re: Let's not go with "SIM hijacking"
Yeah, like when people say they’re the victim of identity theft because someone took a loan in their name. Uh, no. Whoever loaned them the money is the victim. It’s their problem to fix, not ours.
Nobody staged a heist on a SIM truck. The telco reps were not held at gunpoint until they let criminals into the account. They were simply incompetent.
Re: Re: Re: Let's not go with "SIM hijacking"
The person whose identity used will have to deal with the fall out, like all those credit histories that need fixing.
Re: Re: Re:2 Let's not go with "SIM hijacking"
That’s still the bank’s fault. The person would be a victim of the bank’s incompetence, and banks should be held liable for the results. Legally, if the bank can’t prove they took the loan, they should be required to fix the damn problem—e..g, retract the lies they told to the credit agencies. (Legally BTW, they are: the FCRA requires them to correct the report; the FDCPA requires them to stop contacting you after you dispute the debt, and to not report false information to a credit agency. But we pretend like the client lost their identity—should’ve been more careful with it!—and don’t hold lenders to account.)
Re: Re: Re: Let's not go with "SIM hijacking"
Or corrupt. Bribes were involved in several of the reports.
Re: Re: Re:2 Let's not go with "SIM hijacking"
True enough, but the telco’s security procedures must be lax for that to go unnoticed. If I want to get into my account, and don’t have the associated phone or SIM card, and don’t know the password/PIN, that should be a red flag that gets a supervisor involved. (And while they could be corrupt, people involved with casual conspiracies are usually not great at keeping them secret.)