Nearly Everyone In The U.S. And Canada Just Had Their Private Cell Phone Location Data Exposed
from the Whoops-a-daisy dept
A company by the name of LocationSmart isn't having a particularly good month.
The company recently received all the wrong kind of attention when it was caught up in a privacy scandal involving the nation's wireless carriers and our biggest prison phone monopoly. Like countless other companies and governments, LocationSmart buys your wireless location data from cell carriers. It then sells access to that data via a portal that can provide real-time access to a user's location via a tailored graphical interface using just the target's phone number.
Theoretically, this functionality is sold under the pretense that the tool can be used to track things like drug offenders who have skipped out of rehab. And ideally, all the companies involved were supposed to ensure that data lookup requests were accompanied by something vaguely resembling official documentation. But a recent deep dive by the New York Times noted how the system was open to routine abuse by law enforcement, after a Missouri Sherrif used the system to routinely spy on Judges and fellow law enforcement officers without much legitimate justification (or pesky warrants):
"The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show.
Between 2014 and 2017, the sheriff, Cory Hutcheson, used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. Mr. Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases."
It was yet another example of the way nonexistent to lax consumer privacy laws in the States (especially for wireless carriers) routinely come back to bite us.
But then things got worse.
Driven by curiousity in the wake of the Times report, a PhD student at Carnegie Mellon University by the name of Robert Xiao discovered that the "try before you buy" system used by LocationSmart to advertise the cell location tracking system contained a bug, A bug so bad that it exposed the data of roughly 200 million wireless subscribers across the United States and Canada (read: nearly everybody). As we see all too often, the researcher highlighted how the security standards in place to safeguard this data were virtually nonexistent:
"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."
The researcher notes that one of the APIs in the portal was not properly validating the consent response, making it "trivially easy" to skip the portion where the API sends a text message to the end user attempting to obtain consent (Brian Krebs, who first reported the vulnerability, has also confirmed the problem). Given the New York Times story had been making headlines since its May 10 publication, it's obviously possible that others discovered the vulnerability. LocationSmart has since pulled their location data tracking portal offline.
Meanwhile, none of the four major wireless carriers have been willing to confirm any business relationship with LocationSmart, but all claim to be investigating the problem after the week of bad press. That this actually results in substantive changes to the nation's cavalier treatment of private user data is a wager few would be likely to make.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: brian krebs, leaks, location data, privacy, robert xiao
Companies: locationsmart
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Name one thing in this article that isn't true.
Try again Richard.
[ link to this | view in chronology ]
Re: Re: Re:
Try again Richard.
[ link to this | view in chronology ]
Even a quarter of a century ago, criminals on the run knew to take out the battery until they were ready to made a call, and then make it quick and get out of there fast (though even those precautions didn't prevent fugitive drug kingpin Pablo Escobar from getting nailed).
[ link to this | view in chronology ]
Pablo Escobar
Escobar used an older form of insurance, taking out standing contracts on whatever officials nailed him. It was a different kind of insurance.
That was pretty typical for organized crime in the Americas.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
That happened in Max Headroom
Twenty minutes into the future, off switches were illegal.
[ link to this | view in chronology ]
Re:
https://en.wikipedia.org/wiki/Radio_direction_finder
You could detect radio transmitter locations in the 1930s.
And YES a cell phone contains a radio transmitter.
[ link to this | view in chronology ]
/s jic
[ link to this | view in chronology ]
You see, stuff like Cambrige Analitica (the Facebook scandal) will probably not happen as often or at the very least everybody will be more careful because the backlash drove CA to bankruptcy. In a sense, it's a form of punishment. (Of course there were some law enforcement operations and so but generally speaking they didn't go belly up because a court told them to shut down and jailed their executives).
Unless we start punishing the companies that leak data heavily with jail time and all it will keep happening. Of course, considering the telcos are effectively obliterating any and all oversight we are actually walking in the opposite direction.
[ link to this | view in chronology ]
But Cambridge Analytica wasn't punished.
IMO, there was no punishment there that I can see. According to Ars Technica, all the execs bailed ship like rats to another company, Emerdata. Emerdata is a data analytics firm funded by the Mercer family. Which, go figure, is the same as Cambridge Analytica was. Basically, it's the same thing with a new coat of paint.
If anybody is being punished, it's the peons of the old company who suddenly found themselves jobless.
So really, nobody of value was punished.
[ link to this | view in chronology ]
Re: But Cambridge Analytica wasn't punished.
[ link to this | view in chronology ]
Re: Re: But Cambridge Analytica wasn't punished.
[ link to this | view in chronology ]
Data leaks as a status quo.
It's a very cyberpunk dystopian problem. I wonder if its possible to capitalize on this by providing a personal disinformation service that maintains alternative personalities for the same identity. It's like the problem of having to maintain multiple social network pages when bosses insisted on being friended (or sometimes even having password access) to employee pages.
[ link to this | view in chronology ]
Cyberpunk Dystopia [was Re: Data leaks as a status quo]
No, the cyberpunk dystopia begins…
… when pedestrians who walk around without globally emitting their personal id and location become automatically suspicious. Subject to immediate detention. Held for investigation. Questioned at police HQ as terrorists.
Fined in magistrate's court for causing a public disturbance.
Released with locking ankle bracelet to remove potential for future reoffense.
[ link to this | view in chronology ]
Re: Cyberpunk Dystopia [was Re: Data leaks as a status quo]
Chai left the “gender” boxes blank on the printed form. It felt like expressing individuality. A tiny, silent protest against being boxed in.
Chai expected the bureaucracy to reject the form. “The gender box isn't filled in”, they would probably complain, shoving the form back. Instead, they assigned Chai to Ann.
Ann explained herself as a veteran probation officer. Ann's job was to unlock and temporarily remove the ankle bracelet. Once a week. So the skin could be washed. The skin checked for sores. Salve applied. Ann was no-nonsense.
. . . .
[ link to this | view in chronology ]
Re: Re: Cyberpunk Dystopia [was Re: Data leaks as a status quo]
“Take your pants off,” she said to Chai.
Then she said, “Here is the basin.” It was on the floor, stainless steel, and very obvious. “This is the tap.” A single button on the wall. No temperature control. “This is the soap dispenser.” A translucent white plastic drum half-filled with an orangish liquid. Garishly marked ‘50 L’ in blue. It had a squirt handle.
“The scrub brush is single-use.” It came wrapped in plastic film. “Here. Scrub. Your entire ankle. Scrub it hard.”
. . . .
[ link to this | view in chronology ]
Re: Data leaks as a status quo.
http://www.cbc.ca/news/world/blond-angel-case-prompts-greek-birth-certificates-probe-1.2158484
[ link to this | view in chronology ]
Re: Re: Data leaks as a status quo.
There is a big reason that governments create all of these labyrinthine tax systems.
[ link to this | view in chronology ]
Re: Re: Re: Data leaks as a status quo.
[ link to this | view in chronology ]
Re: Re: Re: Re: Data leaks as a status quo.
While TD seems to get the "nerd harder" sarcasm the often fail to understand that "government harder" is much of the same logic.
[ link to this | view in chronology ]
Re: Re: Re: Re: Data leaks as a status quo.
I suggest you take your complaints to Congress, as they are the ones who make such decisions - not those who post here, DUH.
You know .. Congress, the ones who approve welfare and food stamps for the poor. Do you understand that Congress does this in order to please their corporate sponsors who refuse to pay a living wage and expect the taxpayers to make up the difference - right?
Signed,
Real People
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Data leaks as a status quo.
Not one is calling for anarchy. And if you are a voter then those of us with different opinions obviously have to change your minds first, otherwise your many lesser informed votes will cancel out the few of the more informed votes.
"Do you understand that Congress does this in order to please their corporate sponsors who refuse to pay a living wage and expect the taxpayers to make up the difference - right?"
That question is better asked of you. Do you not understand that the first step on the road to oppression is a politician promising to protect you from something if you give them power and authority? Citizens are nothing more than a commodity to be traded between Politicians and Businesses. The only way citizens can have a say is if they have a free-market to work with (which does not exist) AND rights to exercise (which have been effectively destroyed).
Which leaves us where we are now. An oligarchy running a police state. And low information voters like yourself helped give it to them. We are trying to inform you of this, but it is difficult to do so when you have been fooled into batting for the people you claim to call your enemy.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Data leaks as a status quo.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Data leaks as a status quo.
[ link to this | view in chronology ]
Re: Data leaks as a status quo.
Yes:
...
But the long-term cyberpunk-dystopia solution is to design systems so the information doesn't exist—such as anonymous onion-routed cell networks.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Unlike the USA, Canada does have a general-purpose federal privacy law. That might make things interesting, though the process looks baroque: a complaint would have to contact the Office of the Privacy Commissioner of Canada, who would make a non-binding report, and only then could the complainant petition a court for penalties.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
puleeze!!!!
People are just like little wild hogs in the woods happily pigging out on the pile of food suspiciously left out while ignoring the huge contraption suspended just above them waiting to fall and imprison them.
[ link to this | view in chronology ]
"People are just like little wild hogs"
Our law enforcement officers are Morlocks.
[ link to this | view in chronology ]
Re: "People are just like little wild hogs"
if the supposition that Wells derived Morlocks from the Morlachs in the Balkans and were primitive, backward, and barbaric then the name is a sure fit. Often time government is primitive in logic, backward in action, and barbaric by result.
I agree with you... a damn fine name for law enforcement. Especially since lower IQ's are a literal requirement to be one.
[ link to this | view in chronology ]
Re: puleeze!!!!
I don't think so.
[ link to this | view in chronology ]
Re: Re: puleeze!!!!
In short... I don't see you all really doing anything about it. You are still going to vote for the same people letting the same businesses rape your privacy playing the same lobby game writing the same laws and going through the same make empty promises campaigns while you go to your same job and and get treated the same way.
What are you going to do about? Vote in one of the two parties that have done nothing about for the past several decades but make it worse?
[ link to this | view in chronology ]
Re: Re: Re: puleeze!!!!
[ link to this | view in chronology ]
re: database abuse and gang stalking
Google "NGOs ang gang stalking," Rotary Club and gang stalking, LEIUsang gangstalking, or Domestic Violence IndustrialComplex and gangstalkig for an eye opener.
TAll modern organized/ gang stalking begins in hidden, secret databases, and where once,these hidden cowards stalked liwer income and easily accessible people,it has creptinto the middle class, asithe welfare state turned into our secret polce state that we see today.
And, using Palantir,DataMinr, and NSA-to Israel anf FVEY whole capture internet, the statehas begun targeting whole families for generations, as we see with LosAngeles use of the CalGang database, and the CIAs LASER systems.
www.researchorganizedgangstalking.wordpress.com
[ link to this | view in chronology ]
Re: re: database abuse and gang stalking
[ link to this | view in chronology ]
Give up on having both phone and privacy. Never did, never will.
Go live in a cave if don't like it.
[ link to this | view in chronology ]
Re: Give up on having both phone and privacy. Never did, never will.
Do not believe the bullshit, use your head.
[ link to this | view in chronology ]
Re: Give up on having both phone and privacy. Never did, never will.
I take it you already live in a cave then since you complain about it so much?
[ link to this | view in chronology ]
Protection
Isnt there ANY privacy for a PAID FOR SERVICE?? Or do I have to PAY MORE..
Sounds like a trip to canada would be interesting, they have a service to Kill all your tracking in phone.
[ link to this | view in chronology ]
in the end power is sociopolitical not financial: class not inco
@ECA
don't kid yourself that your money makes that big a difference.
by way of example, i think the following bears:
The People of Santa Barbara vs. Big Corporate Oil: A Cautionary Tale
even though the corporate evil in question is Big Oil not Big Data. (it was originally posted in response to the BP oil spill, it shows how little of an effect money really has, when corporations and citizens disagree.)
also see Proof That The United States Is Not A Democracy.
so i guess, in a twist on the commonsense adage, if the service is not free, you are probably still the product.
[ link to this | view in chronology ]
Re: in the end power is sociopolitical not financial: class not inco
Part of this is that WE THE PEOPLE, have not had interaction with THOSE WE HIRED to represent us..
The CORPS have covered most of it up with THEIR OWN, backup system to what THEY WANT.. They can DUMP LOADS of mail/email onto a bill, saying THEY WANT IT..
The Old phone service was great and had LOTS of gov. protections..BUT no one understands THAT cellphones DONT have those protections.. EVEN tho it uses the Fiber Backbone, that the OLD system USES..
And Basic Econ is easy to understand and FIX, IF THEY WOULD FIX IT.. its NOT hard. But the CORPS keep threatening the Gov...(we will move out and take jobs away, is NOT A GOOD REASON TO KEEP THEM HERE) We can fill ANY Corps position Even if the Gov. has to replace it..
Its like Protecting banks...DONT. Let the Lower ranked banks TAKE THE POSITION..Screw the BIG guys who will have to pay out to stock holders..
[ link to this | view in chronology ]
You have nothing to hide, have you?
[ link to this | view in chronology ]
A very good Cyberguru you can reach,reliable,Trustyworthy and Active via mail cybertroll3@gmail com Its both public and private information. It goes beyond what one source can do for you or what search engines can give you. You’ll have access to public records, social media analysis, a all round internet research, court public records, arrest records, cell phone data (both open public and exclusive repositories ), driving information plus more.
[ link to this | view in chronology ]