It's Apparently Easy To Pretend To Be A Cop, Grab Location Data From Cellular Carriers

from the ill-communication dept

While Facebook tends to get the lion's share of (deserved) criticism, the telecom sector continues to make its case for being the absolute worst when it comes to protecting your private data. Scandal after scandal has highlighted how wireless carriers routinely collect and store your daily location data, then sell that data to a universe of shady middlemen with little to no oversight as to how the data is used. Users sign one overlong privacy policy with their wireless carrier, and that policy is being read to mean consumers sign off on the practice, which they certainly haven't.

This week journalist Joseph Cox again highlighted the problems on the location data front, reporting how many stalkers and debt collectors are able to get access to this data without paying for it. How? By pretending to be law enforcement officers:

"...bounty hunters and people with histories of domestic violence have managed to trick telecommunications companies into providing real-time location data by simply impersonating US officials over the phone and email, according to court records and multiple sources familiar with the technique. In some cases, these people abuse telecom company policies created to give law enforcement real-time location data without a court order in “exigent circumstances,” such as when there is the imminent threat of physical harm to a victim."

In addition to cellular tower location data, carriers were also recently busted selling A-GPS data, which is supposed to be protected by FCC data rules. Despite significant reporting on this subject and carrier promises to stop collecting and selling this data, this practice is still ongoing. Like Facebook, these are companies that are staring down the barrel of looming regulation -- and still somehow can't seem to find the motivation to behave. Regulators at the Ajit Pai FCC have also sat on their hands and have yet to issue so much as a warning to cellular carriers.

At least one skiptracer told Motherboard that wireless carriers remain several steps behind in trying to crack down on the practice:

"“So many people are doing that and the telcos have been very stupid about it. They have not done due diligence and called the police [departments] directly to verify the case or vet the identity of the person calling,” Valerie McGilvrey, a skiptracer who said she has bought phone location data from those who obtained access to it, told Motherboard. A skiptracer is someone tasked with finding out where people, typically fugitives on the run or those who owe a debt, are located."

In many instances the third parties are exploiting telecom company procedures for "exigent circumstances," allowing them to request and receive real-time location data by fabricating law enforcement data request documents that telecom operators aren't properly verifying. Of course, as the New York Times noted more than a year ago, law enforcement officers have also been busted abusing this system to spy on judges and other law enforcement officers.

Like so many sectors, wireless carriers were so excited by the billions to be made selling your daily habits, they forgot to actually protect that data. As reporters like Cox continue to dig deeper, you have to think that many cellular carriers are scrambling hard to clean up their mess as inevitable class action lawsuits and regulatory investigations wait in the wings. This scandal is getting so ugly, even the carrier-cozy Trump FCC may, at some point, be forced to actually do something about it.

Filed Under: bounty hunters, data sharing, debt collectors, exigent circumstances, impersonation, law enforcement, location info, privacy, stalkers, telcos


Reader Comments



  • Anonymous Coward, 11 Mar 2019 @ 11:07am

    I thought impersonating a police officer was illegal.
    So much for rule of law.

    • Anonymous Coward, 11 Mar 2019 @ 11:20am

      Re:

      Illegality only matters if the crime gets reported. In this case, the telecom company suffers little or no harm, so they have no motivation to investigate (even after the fact) whether the request was legitimate. At worst, their harm is they might have charged the requester a bigger fee if the request had not been classified as "law enforcement/time sensitive." The stalkee likely never learns how their data was obtained, so they don't know to report a crime. The impersonator obviously will not self-report. That leaves us with no one who actually reports the crime, so there's no investigation, no arrests, and no prosecution.

      Compare this impersonation to a fake officer stopping someone on the street and physically abusing the victim. The victim will likely start out trying to file a police brutality report, then the cops will point out that the offender was not a police officer at all. That gives at least the potential for someone to realize that there is a fake officer out there abusing people.

    • Anonymous Coward, 11 Mar 2019 @ 11:57am

      Re:

      Rule of law? That went out the window during Cheney/Jr.

      It's survival by uncivil means today. Especially in the pursuit of power.

  • Anonymous Coward, 11 Mar 2019 @ 11:15am (flagged by the community)

    Section 230? Blame the individual.
    This? Blame the platform.

    • Rocky, 11 Mar 2019 @ 11:22am

      Re:

      You aren't that smart it seems.

      Section 230 has nothing to do with this.

      • Anonymous Coward, 11 Mar 2019 @ 11:35am (flagged by the community)

        Re: Re:

        Cool response bro

      • Anonymous Coward, 11 Mar 2019 @ 11:36am (flagged by the community)

        Re: Re:

        The platform (the companies) are not to blame here, since it's illegal to impersonate law enforcement. They have every right to believe that someone who claims to be from law enforcement is telling the truth. Even if they investigate, that too can be faked, so the problem is with the individual bad actor, at least according to "Section 230 logic." (or "DMCA logic" or "Article 13 logic").

        • Anonymous Coward, 11 Mar 2019 @ 12:01pm

          Re: Re: Re:

          (or "DMCA logic" or "Article 13 logic").

          Techdirt has argued that platforms shouldn't be blindly accepting DMCA takedown notices either.

          • Toom1275, 11 Mar 2019 @ 12:05pm

            Re: Re: Re: Re:

            Also -
            "Platforms not being wrongly liable for obviously truthful third-party warnings of Jhon Smith's scam(s)" = good

            "Service providers give out people's private information to just about anyone" = not so good

        • norahc, 11 Mar 2019 @ 2:12pm

          Re: Re: Re:

          The platform (the companies) are not to blame here, since it's illegal to impersonate law enforcement. They have every right to believe that someone who claims to be from law enforcement is telling the truth. Even if they investigate, that too can be faked, so the problem is with the individual bad actor

          Then maybe paperwork should be required for every request....like a warrant. In this day and age it's trivial to get a telephonic warrant and have it sent somewhere in short order.

    • Matthew Cline, 11 Mar 2019 @ 1:47pm

      Re:

      Without section 230 the platforms would have to be perfect at filtering out all illegal material; if even a sliver of it got past the filters, the cost would be ruinous.

      With this, no one is asking for perfection, just that the carriers develop some method of vetting calls claiming to be cops.

  • Anonymous Coward, 11 Mar 2019 @ 11:21am

    This scandal is getting so ugly, even the carrier-cozy Trump FCC may, at some point, be forced to actually do something about it.

    Get us a map of everywhere Trump, Pai, and the top telco CEOs and lobbyists have been for the past year, and we'll see some changes.

  • btr1701, 11 Mar 2019 @ 11:23am

    these are companies that are staring down the barrel of looming regulation -- and still somehow can't seem to find the motivation to behave.

    Regulators at the Ajit Pai FCC have also sat on their hands and have yet to issue so much as a warning to cellular carriers.

    These statements seem to contradict one another.

    • TFG, 11 Mar 2019 @ 12:47pm

      Re:

      It is rather poorly worded there. For it to not be contradictory, the article should point to which regulation is looming - chances are it's sourced from Congress as opposed to the FCC.

  • Jeremy Lyman, 11 Mar 2019 @ 11:37am

    Maybe they had a golden key?

    Please, tell me more about how we should demand companies break their encryption systems so that "only police" will be given access to our private communications, documents, bank accounts, and other private sundries.

  • Anonymous Coward, 11 Mar 2019 @ 11:48am

    The police train companies to hand over information on demand, without a warrant and without question. That makes it easier for anybody to demand and get information.

    • bob, 11 Mar 2019 @ 12:05pm

      Re: why it matters

      And that complacency is exactly why allowing anything "for police only" is dangerous to have. Even when there are better rules in place to stop outsiders from abusing the system, the intended users of the system can still abuse it. We have many examples of that happening at local to federal levels of intelligence and law enforcement. Even private companies internally have problems with this.

      So why do politicians and others think it's okay to open up encryption among other things? Because they believe falsely their program/situation is special and will not be abused (at least not severely). Or they don't care about the negative impacts because they feel it will be outweighed by the possibility of getting crooks by skirting the rules themselves.

      If a means or system is established to curtail the rules for one trusted group, eventually others outside of your trust circle will have access to curtail the rules too. And when that happens you are truly screwed.

      • Anonymous Coward, 12 Mar 2019 @ 6:46am

        Re: Re: why it matters

        Not to mention it is inherently authoritarian - which by design bad actors can play like a goddamned fiddle.

  • Toom1275, 11 Mar 2019 @ 12:01pm

    But is getting this info easier or harder than getting millions in military hardware?

  • Uriel-238, 11 Mar 2019 @ 12:35pm

    It's techniques like these...

    That the resistance should pay attention to.

    Much the way the Temple of Satan serves as the bad guy to keep religion out of state business, the resistance could serve to assure bureaucratic and technical systems are defended against abuse.

    Because vectors of abuse like this easily get turned into business models.

  • Bamboo Harvester, 11 Mar 2019 @ 12:40pm

    Wrong angle

    This is basic social engineering. THAT will always be there.

    The problem is that the data is being collected and stored, not that you can browbeat or sweet-talk some clerk into releasing it.

  • Anonymous Coward, 11 Mar 2019 @ 2:08pm

    This is basic social engineering. THAT will always be there.

    Law enforcement likes to push laws making their lives easier, like by standardizing ID cards ("REAL ID"). So, how about we propose "COP ID" and say anyone claiming to be a cop had better provide an ID card with cryptographic verification via NFC. And any service provider had better check that any document claiming to be from a cop has a valid cryptographic signature from an actual cop, or else they'll be liable under privacy laws (I mean, if we had privacy laws for this stuff).

    A good social engineer might work around it, notably by tricking actual cops; at least we could make it significantly harder.

    • Bamboo Harvester, 12 Mar 2019 @ 7:00am

      Re:

      We DO have "CopID". The badge number.

      The "fix" is really fairly simple - the ONLY people who can disclose information is the telco Legal Department.

      Cop calls, gives name, badge number, precinct, legal dept clerk calls the precinct and verifies before releasing information.

      I don't know what department is being called currently, but I've found that calling the telco, ISP, or power company means two hours on hold. So they're using "not for public use" lines to contact the phone companies.

      • Anonymous Coward, 12 Mar 2019 @ 7:16am

        Re: Re:

        If the badge number is valid, how do they verify it's really the cop calling? How do they even know what's a valid precinct and what the proper contact number is? Wikipedia says "There are 17,985 U.S. police agencies in the United States".

  • That Anonymous Coward, 11 Mar 2019 @ 3:36pm

    One might think people would have learned the lessons of the past, but the stupid always think it will never happen to them.
    We had gangs with purchased access to credit reports & info... and we are shocked that they managed to get access to other information?

    Until there are punishments that actually hurt the bottom line this will continue with corps collecting the cash & pretending there was no way they could have stopped the evil hackers.

  • Coyne Tibbets, 11 Mar 2019 @ 6:26pm

    National security letters

    I am not surprised. What I am surprised about is that no one has done the same with national security letters. Those seem a perfect target for this kind of cheating, because they threaten prison and at the same time you don't even dare ask the FBI if they're valid.

    Mostly what these incidents show is that you can't trust companies to defend your privacy.

    • Anonymous Coward, 12 Mar 2019 @ 8:50am

      Re: National security letters

      What I am surprised about is that no one has done the same with national security letters.

      How do you know that they haven't? Because if they are believed, the recipients will not talk about them. That is the benefit of a gag clause.

  • Dheeraj, 11 Mar 2019 @ 11:02pm

    Cellular company sell user data

    According to the Supreme Court, if the government puts a GPS tracker on you, your car, or any of your personal effects, it counts as a search—and is therefore protected by the Fourth Amendment and requires a warrant approved by a judge.

    OR, they can send a note on letterhead and get the same info over the phone from Securus.

    That's what rots my socks. Police jump from one technology to the next and so long as the Supreme Court doesn't specifically BAN the method, they do it. I call it exempting themselves from the rule of law. And, at least it's unethical.

    Will police stop doing this now they have been found out, and despite what the SC says?

  • Anonymous Coward, 11 Mar 2019 @ 11:03pm

    I know the "cops can't get a job if they're too smart" thing is technically incorrect.

    News like this, though, makes it harder to believe that it is, in fact, not quite accurate.

    But then you consider the guys who have to toss flashbangs and rifle fire at fleeing naked men to feel secure and this sort of gaffe starts feeling like the norm, not the exception.

    • Anonymous Coward, 12 Mar 2019 @ 6:50am

      Re:

      Well that sort of thing comes naturally to sociopaths - they don't have to be smart and stupid ones are more violent...
