I Gave a Bounty Hunter $300. Then He Located Our Phone.
January 8, 2019 12:09 PM
Whereas it’s common knowledge that law enforcement agencies can track phones with a warrant to service providers, IMSI catchers, or until recently via other companies that sell location data such as one called Securus, at least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard. Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed by the company to use it, including me, seemingly without Microbilt’s knowledge.
Motherboard’s investigation shows just how exposed mobile networks and the data they generate are, leaving them open to surveillance by ordinary citizens, stalkers, and criminals, and comes as media and policy makers are paying more attention than ever to how location and other sensitive data is collected and sold. The investigation also shows that a wide variety of companies can access cell phone location data, and that the information trickles down from cell phone providers to a wide array of smaller players, who don’t necessarily have the correct safeguards in place to protect that data.
...In the case of the phone we tracked, six different entities had potential access to the phone’s data. T-Mobile shares location data with an aggregator called Zumigo, which shares information with Microbilt. Microbilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard.
...Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt’s “Mobile Device Verify” product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service.
“You can set up monitoring with control over the weeks, days and even hours that location on a device is checked as well as the start and end dates of monitoring,” a company brochure Motherboard found online reads.
Previously 1, 2, 3, 4
Also, IANAL but isn't it already illegal to search the contents of someone's phone without a warrant? Isn't the location part of its data?
posted by gwint at 12:38 PM on January 8, 2019 [3 favorites]
I'm confused. Isn't this the primary purpose of a cell phone? I thought bank cards are primarily for tracking your purchases, social media is for figuring out who you are and cell phones are primarily for tracking you. Isn't that where the money in providing those services comes from?
posted by Jane the Brown at 12:43 PM on January 8, 2019 [11 favorites]
“Every major wireless carrier pledged to end this kind of data sharing after I exposed this practice last year. Now it appears these promises were little more than worthless spam in their customers’ inboxes.”
I'm shocked.
posted by Greg_Ace at 12:51 PM on January 8, 2019 [6 favorites]
Isn't the location part of its data?
It's also part of the base station's data. Which is 100% phone company data.
posted by GuyZero at 12:54 PM on January 8, 2019 [5 favorites]
Fuck it, they won't learn otherwise.
It's time for HIPAA For Everything.
posted by NoxAeternum at 12:56 PM on January 8, 2019 [29 favorites]
I wasn't sure if I should post this because I know a bunch of MeFites will be rolling their eyes over the non-news that companies are still selling location data they claimed they were not going to. But there are people here who have been stalked, for example, and it seems kind of important for anyone using a cell phone to understand how easy it is to track them. Not everyone understands that, and I think we all need to understand that.
posted by Bella Donna at 12:56 PM on January 8, 2019 [67 favorites]
"Seemingly without Microbilt's knowledge." Sure, buddy. Sure.
posted by mhoye at 12:57 PM on January 8, 2019 [4 favorites]
Also, this is my favorite comment from the 2006 thread I linked to above as number 4.
posted by Bella Donna at 12:58 PM on January 8, 2019 [1 favorite]
Isn't the location part of its data?
It's also part of the base station's data. Which is 100% phone company data.
The Carpenter decision ruled that the cops need a warrant to get cell site data, even though it is data held by the phone companies.
But that doesn't mean the phone companies can't sell that info to the nearest bounty hunter, as long as they're not acting as an agent of the state.
posted by BungaDunga at 1:32 PM on January 8, 2019 [8 favorites]
My read of the article is that the phone companies think (wrongly) that this data is getting aggregated when it's not.
Honestly, I would trust Facebook over old-school telecom companies. At least FB knows that data has value and that privacy is a thing, even if they don't always provide it. I think telcos just plain don't understand and don't care. They fight warrants in court because those suck up a lot of time but these data sales agreements seem beyond their ability to understand. Or they understand and just don't give a shit.
“The allegation here would violate our contract and Privacy Policy,” an AT&T spokesperson told Motherboard in an email.... before they went back to having a nap
posted by GuyZero at 1:38 PM on January 8, 2019 [1 favorite]
But that doesn't mean the phone companies can't sell that info to the nearest bounty hunter, as long as they're not acting as an agent of the state.
The article alleges the seller is a couple steps removed from the phone company.
This is akin to giving all your bank statements to your buddy to shred and then being shocked when you find that he's been telling other people about all the purchases you make. Well, except you at least have some control there.
This is like your bank sending your bank statements directly to a third party without your knowledge or consent.
posted by GuyZero at 1:39 PM on January 8, 2019 [5 favorites]
Also:
Due to the ongoing government shutdown, the Federal Communications Commission (FCC) was unable to provide a statement.
sweet sweet libertarian fantasy land dream come true.
I'll be over here broadcasting high-power wideband white noise at 2GHz, don't mind me.
posted by GuyZero at 1:43 PM on January 8, 2019 [18 favorites]
My read of the article is that the phone companies think (wrongly) that this data is getting aggregated when it's not.
LocationSmart provide(d|s) an online portal for querying the location of individual cell phones that was trivially hackable. And LocationSmart appears to have bought access to this info direct from the cell companies.
posted by BungaDunga at 1:44 PM on January 8, 2019 [2 favorites]
This is like your bank sending your bank statements directly to a third party without your knowledge or consent.
Credit companies sell itemized real-time transaction data. We probably all "consented" to this via whatever we sign when opening the account.
posted by BungaDunga at 1:46 PM on January 8, 2019 [2 favorites]
Per that very link, Mastercard says "There is no exchange of the transaction data itself." They understand that they have to do the aggregation and anonymization.
Somehow the phone companies think they can trust third parties to do that.
posted by GuyZero at 1:49 PM on January 8, 2019 [2 favorites]
You carry a little box in your pocket that is always on that has a camera, a microphone, and a means to transmit data, plus the names and numbers of everyone you know and probably your credit card tied to various apps. Why does the ability to collect and track all that data come as such a shock to people? This is like being shocked that facebook knows more about you than you do when people put every waking moment of their lives on it.
posted by prepmonkey at 1:58 PM on January 8, 2019 [3 favorites]
This is not handset GPS data - this is cell tower data and the technique described in the OP works perfectly well with a flip phone.
posted by GuyZero at 2:04 PM on January 8, 2019 [14 favorites]
You carry a little box in your pocket that is always on that has a camera, a microphone, and a means to transmit data, plus the names and numbers of everyone you know and probably your credit card tied to various apps. Why does the ability to collect and track all that data come as such a shock to people? This is like being shocked that facebook knows more about you than you do when people put every waking moment of their lives on it.
This is a worn out, tiresome, victim blaming argument. It's time we stopped blaming victims of these abuses for "not knowing better".
posted by NoxAeternum at 2:06 PM on January 8, 2019 [77 favorites]
Where do you draw the line between when it is their fault, when it's partially their fault and when it isn't their fault?
posted by biffa at 2:39 PM on January 8, 2019
Why does the ability to collect and track all that data come as such a shock to people
It's not the ability, it's the blatant willingness to roll out a pipe full of that information and let the highest bidder suck it all down.
I wouldn't be shocked if my carrier could transcribe every conversation I have over the phone. They obviously have access. I'd be shocked if they used it that way. We have to trust the people we do business with to be ethical with the information we tell them.
I'd be shocked if cortex took our credit card information and sold it on the black market. I mean, is it "our fault" for having paid $5 and thereby handed over our data, or would it be MirrorVerse cortex's fault for abusing our trust? I think the latter.
posted by BungaDunga at 2:48 PM on January 8, 2019 [25 favorites]
Where do you draw the line between when it is their fault, when it's partially their fault and when it isn't their fault?
Data collected from base stations, that is sold solely to generate additional revenue and which does nothing to improve the quality of the service I receive... that's 110% the carrier's fault.
This is not complaining about seeing mattress ads on Facebook after buying a mattress. This isn't even leaking PII - this is outright straight-up selling PII.
posted by GuyZero at 2:57 PM on January 8, 2019 [10 favorites]
But that doesn't mean the phone companies can't sell that info to the nearest bounty hunter, as long as they're not acting as an agent of the state.
You are free to use any methods necessary, but I want them alive. No disintegrations.
posted by peeedro at 3:15 PM on January 8, 2019 [8 favorites]
Whereas it’s common knowledge that law enforcement agencies can track phones with a warrant to service providers, IMSI catchers, or until recently via other companies that sell location data such as one called Securus, at least one company, called Microbilt, is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen and bounty hunters, according to sources familiar with the company’s products and company documents obtained by Motherboard.
That sentence made my head hurt.
posted by humuhumu at 3:41 PM on January 8, 2019 [4 favorites]
Combined with the way many modern phones make it incredibly difficult to remove the battery, this is an issue.
posted by corb at 3:55 PM on January 8, 2019 [4 favorites]
Between the annoyance of being bugged when I am out and about, the annoyance of having to carry this bulky object, and the privacy issues, I'm ready to leave my phone at home all the time. Does that make it into a land line?
(Of course this is made easier for me, by the fact I don't travel much. If I were on the road a lot, I might care more about taking it with me.)
posted by elizilla at 4:07 PM on January 8, 2019 [2 favorites]
This is horrifying, and they should be held liable for any crimes they’ve enabled with their negligence. It is entirely foreseeable that, at scale, you will eventually sell someone’s location to a bad actor or a stalker.
We need national legislation on privacy protections ASAP.
posted by schadenfrau at 4:18 PM on January 8, 2019 [1 favorite]
But that doesn't mean the phone companies can't sell that info to the nearest bounty hunter, as long as they're not acting as an agent of the state.
The greatest thing that U.S. law needs in the age of privacy concerns is a broadening of the category referred to in the law as "innkeepers and common carriers," which is basically an olde-tyme recognition that there are sorts of private businesses that are central enough to everyday life and serve such a purpose as to need to be held to a higher duty of care than others. Cell phones, social media, and bank records all should fall under this duty of care in any sensible modern society.
posted by Navelgazer at 4:23 PM on January 8, 2019 [16 favorites]
We need a simple direct constitutional amendment specifically on privacy.
At the world level really, but a US amendment would be a start. The details of the law would (and should) take time to roll through courts and establish a basis of case law, but a single clear statement that a person's privacy is a right is needed to remove ambiguity.
posted by sammyo at 5:40 PM on January 8, 2019 [3 favorites]
this duty of care in any sensible modern society
Well, yes, but this is the United States we're talking about; half of your political spectrum is trying to dismantle the very concept of government except insofar as it affects the wealthy, and nearly half of your citizens are cheering them on, so really this becomes something akin to being worried that your house is on fire while at the same time a tsunami is thundering toward you destroying all in its path.
There is no chance anything even approaching a "privacy amendment" will pass through the US political system at any time in the next twenty years (given the way things entrench, this means never) and it will absolutely never happen in places like China (so it'll never mean anything to the UN). Probably the best that can be hoped for is something along the lines of "we will sell your data to someone; if you are prepared to meet our price then we won't sell it to other parties, and the government has to at least ask us nicely, although we won't need to notify you of their request, ever."
Now, should some massive life-destroying privacy fault hit the Republican power elites, then maybe you might see action, but that action will again be restricted to a monetary exchange -- thereby ensuring you do not have privacy, but they do ("Cell Service Prime Extra, only $3650 per year!"). Even that is probably unlikely; they'll just crack down on ISPs for "allowing" people to see their repellent sex tapes or whatever ("see? this is why network neutrality was evil and needed to die!") or do something even more pointless, like blame the Import-Export Bank.
posted by aramaic at 5:55 PM on January 8, 2019 [5 favorites]
I've said this before somewhere, but what Orwell couldn't imagine is that people would pay to carry their personal pocket telescreens around with them and even compete to upgrade and personally maintain them even at premium prices.
And Huxley and Orwell both didn't foresee the integration of bumble-puppy and Soma and telescreens, all in one as a profit center and control and spying tool.
I'm saying this as someone who doesn't currently have a working computer or non-phone internet connection except for this low end budget smartfone piece of black mirror and tenuous low bandwidth connection in an arguably rural part of the world.
For fuck's sake, I even have a rain jacket for my pocket telescreen. I don't think it's been off for more than 20 minutes in a year, including a 10 day bike tour and half a dozen power outages.
Someone needs to crowdfund a mesh grid phone we can start to adopt as a secondary comms device or something.
posted by loquacious at 6:16 PM on January 8, 2019 [4 favorites]
Not sure if I can post this here or not, but this seems like a start concerning phones and privacy: puri.sm
I did order one to try and won't receive it until April, so can't speak fully about the merits of the Librem 5, but it seems like a step in the right direction.
posted by lunastellasol at 6:59 PM on January 8, 2019
The Librem 5 is fully vulnerable to carriers selling tower data. The only defence is to abandon modernity.
posted by GuyZero at 9:07 PM on January 8, 2019 [2 favorites]
Interesting that the brand of phone is not mentioned in the article.
< skepticism >Therefore, my bet would be that it wasn't an iPhone, since the mere mention of Apple in any such article increases the click revenue by at least an order of magnitude.< /skepticism >
posted by fairmettle at 11:11 PM on January 8, 2019
Are these telco related means to track people only for smartphones, or does this one specifically also apply to featurephones and dumbphones?
posted by infini at 3:41 AM on January 9, 2019
I wonder what the situation is in say, the EU, where privacy is taken more seriously?
It would be blatantly illegal here, especially after GDPR. Without a doubt there are companies small and large hiding behind their terms of use in order to resell data, but it's not up to them to decide what they can do with your data.
I am not a lawyer.
posted by romanb at 4:42 AM on January 9, 2019
this seems like a start concerning phones and privacy: https://puri.sm
You can get a more secure & private experience right now by using iOS but that won’t matter in this case because the information in question is being collected from the cell towers and sold by the carriers — think of it like asking whether there’s a more private car to buy when your city is deploying license plate readers everywhere. The OS might do things like encourage encryption on connections but, just as with tinted windows in the car example, traffic analysis gets a lot of sensitive information.
posted by adamsc at 4:58 AM on January 9, 2019 [3 favorites]
Honestly, I would trust Facebook over old-school telecom companies
The Facebook that lobbies against privacy bills and interferes in elections? Experiments on people's emotional state without any oversight or consent? The one that stores your credit score along with the rest of your data but doesn't tell that it is, much less see it? That one?
To hell with them both.
posted by jonnay at 6:16 AM on January 9, 2019 [2 favorites]
My read of the article is that the phone companies think (wrongly) that this data is getting aggregated when it's not.
T-Mobile's deal is with Zumigo. From the landing page of Zumigo's site:
"Zumigo seamlessly ensures user authenticity and prevents fraud by combining authoritative mobile identity and location."
So no, the telcos absolutely know that this is being used to shop individual level data. I suspect 'aggregator' refers to aggregating across providers. (And maybe also time?)
Are these telco related means to track people only for smartphones, or does this one specifically also apply to featurephones and dumbphones
They are the same means that they use to route the call to you in the first place, so no, nothing about this is specific to smartphones.
posted by PMdixon at 6:42 AM on January 9, 2019 [3 favorites]
This thread got me looking into the Communications Assistance for Law Enforcement Act (CALEA) and it's creepier than I thought. Definitely Big Brother type stuff, I didn't realize the extent to which we're being monitored.
posted by lunastellasol at 6:57 AM on January 9, 2019 [1 favorite]
(I was a little surprised at the lack of control the telcos chose to exercise around this data. I would expect they'd at least understand that it's valuable to be monopoly (ok oligopoly) suppliers and if they just let it out into an open market they're not going to get as much of a cut.)
posted by PMdixon at 7:10 AM on January 9, 2019
So what's to be done about this? Regulation? That's it? That's all we can do?
So we need a Dem trifecta in 2020, and then we have two years to do literally everything?
Jesus.
posted by schadenfrau at 7:11 AM on January 9, 2019 [3 favorites]
So what's to be done about this? Regulation? That's it? That's all we can do?
Pretty much. You could try to have some elaborate system of burners but it's unlikely that you won't fuck up the opsec. Even if this got mass coverage, everyone does it so it's not like there's a boycott to be had and most consumers don't actually care anyway.
So we need a Dem trifecta in 2020, and then we have two years to do literally everything
Yeah pretty much. If we restrict it to eliminating the present day Republican party and its constituencies as a political force that might buy some breathing room for another couple of years.
posted by PMdixon at 7:15 AM on January 9, 2019 [2 favorites]
Interesting that the brand of phone is not mentioned in the article.
It's not relevant- this is being done with triangulation, so approximately every single cellphone can be tracked this way, back to the Nokia 3310 candybar and beyond. When you're carrying around a portable radio transmitter, it's not that hard to work out where the transmitter is, especially if you're the telecom company and you own all of the cell towers that it's communicating with.
At the very least they have to know which cell tower you're talking to, so that narrows you down to a neighborhood. After that they can use some physics and math to locate you more specifically, and with the rollout of e911 there's a mandate for them to be able to do it on demand anyway.
posted by BungaDunga at 7:51 AM on January 9, 2019 [4 favorites]
this is being done with triangulation, so approximately every single cellphone can be tracked this way,
In which I demonstrate that and possibly why I'm not an EE:
Couldn't you induce fuzz by having a randomly-changing directionally biased radio in the phone? Can't do anything about tower-level resolution, obviously.
posted by PMdixon at 9:09 AM on January 9, 2019
Couldn't you induce fuzz by having a randomly-changing directionally biased radio in the phone?
So I'm not really a mobile telephony expert but:
a) this data isn't always perfectly accurate anyway and I think most users accept that. A few hundred m radius in urban area is sufficient. Even if all you knew was which tower the phone connected to you have a lot.
b) adjusting transmit power very carefully on the handset is usually pretty important. It's one of the key elements of CDMA networks and I suspect that LTE networks (which I guess are FDD and TDD) probably have pretty strict controls on how the handset behaves.
Maybe you could hack it, but certainly no one conforming to the standards would build it that way. You think you have a lot of control over your smartphone but the baseband chip is a black box that's some pretty deep magic.
posted by GuyZero at 9:32 AM on January 9, 2019 [1 favorite]
Couldn't you induce fuzz by having a randomly-changing directionally biased radio in the phone? Can't do anything about tower-level resolution, obviously.
I don't think it'd work for more than a few seconds anyway unless you were in an environment where only one cell tower could see the device — with multiple receivers in known locations and reliable clocks, they'd pretty quickly narrow down the radius from each tower even if it fluctuated over time because without a directional antenna they'd all be getting a measurement at a single point in time and the ratio of received signal strengths is what matters, not the absolute value. (Timing is a key part of the radio protocol, too, so the cell towers will have extremely accurate timestamps)
Randomness in general doesn't work very well for this kind of work in general because you can average out the noise with enough samples. The GPS system had something like that (Selective Availability) which was turned off in 2000 because it was too easy to cancel out. For phones that especially seems like a losing game since they're chatty devices and you'd have plenty of radio traffic to analyze.
posted by adamsc at 10:30 AM on January 9, 2019 [2 favorites]
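The two points in adamsc's comment above, as an added simulation that is not part of the original thread or any commenter's own code: comparing towers against each other cancels a randomized transmit power outright, and averaging many bursts wears down per-tower directional fuzz. The tower layout, path-loss exponent, and noise levels are constructed assumptions, not measurements of any real network.

```python
import math
import random

# Constructed scenario: tower coordinates in metres, not real sites.
TOWERS = [(0, 0), (1200, 0), (0, 1000), (1100, 1300)]
PATH_LOSS_EXP = 3.5   # assumed urban log-distance exponent
PHONE = (425, 650)    # ground truth, unknown to the estimator


def path_loss_db(pos, tower):
    """Log-distance path loss in dB; distance clamped to 1 m."""
    d = max(math.dist(pos, tower), 1.0)
    return 10 * PATH_LOSS_EXP * math.log10(d)


def observe(rng, bursts, tx_jitter_db, dir_sigma_db):
    """Per-tower received power (dBm) averaged over `bursts` transmissions.

    Each burst uses a random transmit power (the same value at every tower)
    plus an independent per-tower gain error standing in for a randomly
    pointed antenna.
    """
    sums = [0.0] * len(TOWERS)
    for _ in range(bursts):
        tx = 20 + rng.uniform(-tx_jitter_db, tx_jitter_db)
        for i, tower in enumerate(TOWERS):
            gain = rng.gauss(0, dir_sigma_db)
            sums[i] += tx + gain - path_loss_db(PHONE, tower)
    return [s / bursts for s in sums]


def centred(values):
    """Subtract the mean across towers; any common offset (tx power) drops out."""
    mean = sum(values) / len(values)
    return [v - mean for v in values]


def locate(rx_dbm, step=25):
    """Grid search using only the differences between towers."""
    target = centred(rx_dbm)
    best, best_err = None, float("inf")
    for x in range(0, 1201, step):
        for y in range(0, 1301, step):
            model = centred([-path_loss_db((x, y), t) for t in TOWERS])
            err = sum((m - t) ** 2 for m, t in zip(model, target))
            if err < best_err:
                best, best_err = (x, y), err
    return best


def miss_m(estimate):
    """Distance in metres between an estimate and the true position."""
    return math.dist(estimate, PHONE)


if __name__ == "__main__":
    rng = random.Random(2019)
    print("tx power jitter only, 1 burst:", locate(observe(rng, 1, 10, 0)))
    for n in (1, 20, 2000):
        est = locate(observe(rng, n, 10, 8))
        print(f"plus directional fuzz, {n} bursts: {est}, miss {miss_m(est):.0f} m")
```

Because phones transmit constantly, the many-burst case is the realistic one, which is why the thread keeps landing on regulation rather than a handset-side fix.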
Fair points, so even as a thought experiment it wouldn't work.
posted by PMdixon at 11:53 AM on January 9, 2019
So I guess I look forward to one day showing up at a Congressional hearing with legally obtained but very detailed records of every MOC’s movements for the past year, which I will have made publicly available on a website just before the start of said hearing.
Or you know, anyone actually likely to get a hearing can do that, I guess.
Please someone do that.
posted by schadenfrau at 12:10 PM on January 9, 2019 [10 favorites]
It seems like we've mostly hammered out the misunderstandings, but yeah, this isn't a smartphone issue. If you are carrying a cellphone, any cellphone, from the dumbest big-button sold-on-daytime-TV-to-geezers smartphone to the latest iPhone Excess, you're vulnerable to your carrier selling your location data.
The problem is very simple: the carriers should in no way be allowed to sell un-aggregated metadata to third parties, period. Trusting third parties to do the aggregation is ridiculous, lazy, and irresponsible, but exactly the sort of thing you'd expect a company to do if they're not expressly prohibited from doing it.
There is no user-side defense to this, except to not have a cellphone. Which is sort of like telling people that the solution to exploding Ford Pintos is to just stop riding in cars and go back to horses if they don't like the risk of painful death by immolation. Which, I mean, it's a solution I guess but hardly a reasonable one.
You could also try to use burner phones and use a different one every day, but I bet that someone with some basic datamining skills could find you given a reasonably-complete dataset, like one you'd get from some intermediary who buys and compiles this stuff. Your movement patterns will de-anonymize you even if the phone is different every day. Similarly, stuff like generating a new pseudo-IMSI or soft-SIM periodically (something that I've heard on HN and other technical forums as a possible solution) won't really work, either.
Even if your phone doesn't have a GPS (rare even for flip-phones), or you have the GPS turned off, the carrier can still determine your location pretty accurately—is actually required, for E911, to be able to determine your location pretty accurately—based on data from the towers. And as tower densities go up, the granularity only gets better and better. With 5G, you might actually be able to get better location accuracy from towers than you can from GPS, particularly in urban environments with lots of cells, or in someplace like a shopping mall.
Some advanced 5G systems do "beam steering" on millimeter-wave frequencies, which could be good enough to pick someone out of a crowd, given a couple of cells. I've heard 4G positioning described as "Hellfire accurate", while 5G could potentially be "bullet accurate". Why those are the metrics for positional determination is left as an exercise for the reader, but as the world rushes to be the first to 5G... something to think about.
posted by Kadin2048 at 12:13 PM on January 9, 2019 [8 favorites]
Kadin2048 makes a good point which I would like to expand on a bit:
In order for a cell phone (ANY cell phone, not just a smartphone) to work, it is absolutely necessary for the phone company to keep track, in real time, of the general location of each cell phone. Without this information, the phone company would not be able to deliver a call (or text/etc) to your cell phone when someone calls (or texts/etc) you.
This has been true for as long as cell phones that are able to take incoming calls have existed. As Kadin2048 mentioned, it doesn't rely on GPS and doesn't require your phone to have a GPS receiver.
There is no* technological solution to this problem. If you want to be able to receive calls/messages/etc on a cellular phone, the phone company must know where that phone is. If there is to be a solution, it has to be a legal one in the form of prohibiting phone companies from sharing/selling/etc this data.
*One-way pagers, which do still work (at least in some cities) do not have this problem. If you have a one-way pager and someone pages you, the paging network does not know where you are, so it has to transmit your message on every paging tower in your subscribed coverage area. This preserves your location privacy, but it is also the reason that paging networks have limited message capacity, and the reason why regional and national paging service costs so much more than local paging service. Technically speaking, you could carry a one-way pager and a cell phone and leave the cell phone turned off. You would have to give everyone your pager number and when they page you, you could turn your cell phone on and call them back. This would limit the phone company's knowledge of your location to those times when your phone is switched on. Arguably, this is a (poor) technical solution to the problem. And, of course, it wouldn't work if both you and the person you wanted to communicate with were using this scheme.
posted by Juffo-Wup at 6:06 PM on January 9, 2019 [8 favorites]
AT&T says it’ll stop selling your location data, amid calls for a federal investigation
“In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services — even those with clear consumer benefits," AT&T said in a statement. “We are immediately eliminating the remaining services and will be done in March.”
No word on what those "clear consumer benefits" were.
posted by Kadin2048 at 5:37 PM on January 10, 2019 [4 favorites]
Probably because there aren't any they can propose with a straight face.
posted by Greg_Ace at 6:08 PM on January 10, 2019 [1 favorite]
"I wonder what the situation is in say, the EU, where privacy is taken more seriously?"
I would assume exactly the same in all ways, right? Seems like "taking it seriously" amounts to fuck all, they can be as serious or silly about it as they want but the privacy cat is out of pandora's box and a dead horse is beating it.
posted by GoblinHoney at 7:21 AM on January 14, 2019
And FCC Chair Ajit Pai responds to the matter in his usual arrogant and callous manner:
“Today, FCC Chairman Ajit Pai refused to brief Energy and Commerce Committee staff on the real-time tracking of cell phone location, as reported by Motherboard last week,” Pallone said in an emailed statement. “In a phone conversation today, his staff asserted that these egregious actions are not a threat to the safety of human life or property that the FCC will address during the Trump shutdown.”
Pallone added that using the shutdown as an excuse to not meet with Congress is a copout: “There’s nothing in the law that should stop the Chairman personally from meeting about this serious threat that could allow criminals to track the location of police officers on patrol, victims of domestic abuse, or foreign adversaries to track military personnel on American soil.”
posted by NoxAeternum at 8:04 AM on January 15, 2019 [1 favorite]
After AT&T and T-Mobile said they would stop selling their customers’ phone location data to third parties, Sprint followed suit.
Journalism works, motherfuckers.
posted by gwint at 6:07 AM on January 18, 2019 [7 favorites]
Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years
Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data seller that operated until 2017. The documents list not only the companies that had access to the data, but specific phone numbers that were pinged by those companies.
In some cases, the data sold is more sensitive than that offered by the service used by Motherboard last month, which estimated a location based on the cell phone towers that a phone connected to. CerCareOne sold cell phone tower data, but also sold highly sensitive and accurate GPS data to bounty hunters; an unprecedented move that means users could locate someone so accurately so as to see where they are inside a building. This company operated in near-total secrecy for over 5 years by making its customers agree to “keep the existence of CerCareOne.com confidential,” according to a terms of use document obtained by Motherboard.
posted by peeedro at 5:32 AM on February 7, 2019 [2 favorites]
posted by gwint at 12:36 PM on January 8, 2019 [4 favorites]