Nearly Everyone In The U.S. And Canada Just Had Their Private Cell Phone Location Data Exposed

from the Whoops-a-daisy dept

A company by the name of LocationSmart isn't having a particularly good month.

The company recently received all the wrong kind of attention when it was caught up in a privacy scandal involving the nation's wireless carriers and our biggest prison phone monopoly. Like countless other companies and governments, LocationSmart buys your wireless location data from cell carriers. It then sells access to that data via a portal that can provide real-time access to a user's location via a tailored graphical interface using just the target's phone number.

Theoretically, this functionality is sold under the pretense that the tool can be used to track things like drug offenders who have skipped out of rehab. And ideally, all the companies involved were supposed to ensure that data lookup requests were accompanied by something vaguely resembling official documentation. But a recent deep dive by the New York Times noted how the system was open to routine abuse by law enforcement, after a Missouri Sherrif used the system to routinely spy on Judges and fellow law enforcement officers without much legitimate justification (or pesky warrants):

"The service can find the whereabouts of almost any cellphone in the country within seconds. It does this by going through a system typically used by marketers and other companies to get location data from major cellphone carriers, including AT&T, Sprint, T-Mobile and Verizon, documents show.

Between 2014 and 2017, the sheriff, Cory Hutcheson, used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. Mr. Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases."

It was yet another example of the way nonexistent to lax consumer privacy laws in the States (especially for wireless carriers) routinely come back to bite us.

But then things got worse.

Driven by curiousity in the wake of the Times report, a PhD student at Carnegie Mellon University by the name of Robert Xiao discovered that the "try before you buy" system used by LocationSmart to advertise the cell location tracking system contained a bug, A bug so bad that it exposed the data of roughly 200 million wireless subscribers across the United States and Canada (read: nearly everybody). As we see all too often, the researcher highlighted how the security standards in place to safeguard this data were virtually nonexistent:

"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call. "The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."

The researcher notes that one of the APIs in the portal was not properly validating the consent response, making it "trivially easy" to skip the portion where the API sends a text message to the end user attempting to obtain consent (Brian Krebs, who first reported the vulnerability, has also confirmed the problem). Given the New York Times story had been making headlines since its May 10 publication, it's obviously possible that others discovered the vulnerability. LocationSmart has since pulled their location data tracking portal offline.

Meanwhile, none of the four major wireless carriers have been willing to confirm any business relationship with LocationSmart, but all claim to be investigating the problem after the week of bad press. That this actually results in substantive changes to the nation's cavalier treatment of private user data is a wager few would be likely to make.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: brian krebs, leaks, location data, privacy, robert xiao
Companies: locationsmart


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • This comment has been flagged by the community. Click here to show it
    identicon
    Richard Bennett, 21 May 2018 @ 6:49am

    What a crock, Bodey McBodeface.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2018 @ 9:49am

      Re:

      Try again Richard.

      link to this | view in chronology ]

      • This comment has been flagged by the community. Click here to show it
        identicon
        Richard Bennett, 21 May 2018 @ 7:26pm

        Re: Re:

        Fuck you too, Bode.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 22 May 2018 @ 6:17am

          Re: Re: Re:

          Not Bode but whatevs.

          Name one thing in this article that isn't true.

          Try again Richard.

          link to this | view in chronology ]

        • identicon
          Anonymous Coward, 22 May 2018 @ 6:21am

          Re: Re: Re:

          I am amused though. For someone who "doesn't post anonymously" AND "doesn't engage with Anonymous Cowards", you seem to sure be doing a lot of both.

          Try again Richard.

          link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2018 @ 6:52am

    "Theoretically, this functionality is sold under the pretense that the tool can be used to track things like drug offenders who have skipped out "

    Even a quarter of a century ago, criminals on the run knew to take out the battery until they were ready to made a call, and then make it quick and get out of there fast (though even those precautions didn't prevent fugitive drug kingpin Pablo Escobar from getting nailed).

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2018 @ 6:56am

    I suggest the location data of all congressional members be released, then maybe something will finally be done about tracing rich people - because we can not have that sort of thing. The minions do not matter track them all you want, in fact - here - have some taxpayer money to help with that.
    /s jic

    link to this | view in chronology ]

  • icon
    Ninja (profile), 21 May 2018 @ 6:58am

    It will keep happening. Over and over. Until there's actual punishment.

    You see, stuff like Cambrige Analitica (the Facebook scandal) will probably not happen as often or at the very least everybody will be more careful because the backlash drove CA to bankruptcy. In a sense, it's a form of punishment. (Of course there were some law enforcement operations and so but generally speaking they didn't go belly up because a court told them to shut down and jailed their executives).

    Unless we start punishing the companies that leak data heavily with jail time and all it will keep happening. Of course, considering the telcos are effectively obliterating any and all oversight we are actually walking in the opposite direction.

    link to this | view in chronology ]

    • identicon
      kallethen, 21 May 2018 @ 7:10am

      But Cambridge Analytica wasn't punished.

      You see, stuff like Cambrige Analitica (the Facebook scandal) will probably not happen as often or at the very least everybody will be more careful because the backlash drove CA to bankruptcy. In a sense, it's a form of punishment.

      IMO, there was no punishment there that I can see. According to Ars Technica, all the execs bailed ship like rats to another company, Emerdata. Emerdata is a data analytics firm funded by the Mercer family. Which, go figure, is the same as Cambridge Analytica was. Basically, it's the same thing with a new coat of paint.

      If anybody is being punished, it's the peons of the old company who suddenly found themselves jobless.

      So really, nobody of value was punished.

      link to this | view in chronology ]

      • icon
        Ninja (profile), 21 May 2018 @ 7:26am

        Re: But Cambridge Analytica wasn't punished.

        Yeah but the company failed. The next ship will be more careful I think. But you see, if that's the case then it's one more point to my comment: it will keep happening as long as there's no punishment.

        link to this | view in chronology ]

        • identicon
          kallethen, 21 May 2018 @ 7:30am

          Re: Re: But Cambridge Analytica wasn't punished.

          Yep, I completely agree that we'll keep seeing this and worse as the status quo.

          link to this | view in chronology ]

          • icon
            Uriel-238 (profile), 21 May 2018 @ 8:01am

            Data leaks as a status quo.

            It's a very cyberpunk dystopian problem. I wonder if its possible to capitalize on this by providing a personal disinformation service that maintains alternative personalities for the same identity. It's like the problem of having to maintain multiple social network pages when bosses insisted on being friended (or sometimes even having password access) to employee pages.

            link to this | view in chronology ]

            • identicon
              Anonymous Coward, 21 May 2018 @ 8:52am

              Cyberpunk Dystopia [was Re: Data leaks as a status quo]

              It's a very cyberpunk dystopian problem.

              No, the cyberpunk dystopia begins…

                    … when pedestrians who walk around without globally emitting their personal id and location become automatically suspicious. Subject to immediate detention. Held for investigation. Questioned at police HQ as terrorists.

              Fined in magistrate's court for causing a public disturbance.

              Released with locking ankle bracelet to remove potential for future reoffense.

              link to this | view in chronology ]

              • identicon
                Anonymous Coward, 21 May 2018 @ 9:46am

                Re: Cyberpunk Dystopia [was Re: Data leaks as a status quo]

                Released with locking ankle bracelet to remove potential for future reoffense.

                Chai left the “gender” boxes blank on the printed form. It felt like expressing individuality. A tiny, silent protest against being boxed in.

                Chai expected the bureaucracy to reject the form. “The gender box isn't filled in”, they would probably complain, shoving the form back. Instead, they assigned Chai to Ann.

                Ann explained herself as a veteran probation officer. Ann's job was to unlock and temporarily remove the ankle bracelet. Once a week. So the skin could be washed. The skin checked for sores. Salve applied. Ann was no-nonsense.

                 . . . .

                link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 21 May 2018 @ 11:13am

                  Re: Re: Cyberpunk Dystopia [was Re: Data leaks as a status quo]

                  Ann was no-nonsense.

                  “Take your pants off,” she said to Chai.

                  Then she said, “Here is the basin.” It was on the floor, stainless steel, and very obvious. “This is the tap.” A single button on the wall. No temperature control. “This is the soap dispenser.” A translucent white plastic drum half-filled with an orangish liquid. Garishly marked ‘50 L’ in blue. It had a squirt handle.

                  “The scrub brush is single-use.” It came wrapped in plastic film. “Here. Scrub. Your entire ankle. Scrub it hard.”

                   . . . .

                  link to this | view in chronology ]

            • identicon
              Anonymous Coward, 21 May 2018 @ 8:55am

              Re: Data leaks as a status quo.

              Those families that concoct extra children and get phony birth certificates for them for the purpose of increasing the size of their welfare check -- they could also at the age of 18 presumably sell these phony documented identities to fugitive criminals or illegal aliens since they're no longer making any money off them.

              http://www.cbc.ca/news/world/blond-angel-case-prompts-greek-birth-certificates-probe-1.2158484

              link to this | view in chronology ]

              • identicon
                Anonymous Coward, 21 May 2018 @ 9:16am

                Re: Re: Data leaks as a status quo.

                These problems are created by idiot regulations and unfair taxing schemes.

                There is a big reason that governments create all of these labyrinthine tax systems.

                link to this | view in chronology ]

                • identicon
                  Anonymous Coward, 21 May 2018 @ 9:30am

                  Re: Re: Re: Data leaks as a status quo.

                  One reason is because the solution to the problems directly created by big government is (drum roll please) even bigger government. And along with that comes a huge private industy, from lawyers to accountants to lobbyists, to help people get through this byzantine system that they helped create.

                  link to this | view in chronology ]

                  • identicon
                    Anonymous Coward, 21 May 2018 @ 9:43am

                    Re: Re: Re: Re: Data leaks as a status quo.

                    Indeed, these problems most definitely build upon each other and any call to attempt to dismantle this mess is often met with near religious like derision.

                    While TD seems to get the "nerd harder" sarcasm the often fail to understand that "government harder" is much of the same logic.

                    link to this | view in chronology ]

                  • identicon
                    Anonymous Coward, 21 May 2018 @ 11:28am

                    Re: Re: Re: Re: Data leaks as a status quo.

                    Dear Mr. Anarchy,

                    I suggest you take your complaints to Congress, as they are the ones who make such decisions - not those who post here, DUH.

                    You know .. Congress, the ones who approve welfare and food stamps for the poor. Do you understand that Congress does this in order to please their corporate sponsors who refuse to pay a living wage and expect the taxpayers to make up the difference - right?

                    Signed,
                    Real People

                    link to this | view in chronology ]

                    • identicon
                      Anonymous Coward, 21 May 2018 @ 1:49pm

                      Re: Re: Re: Re: Re: Data leaks as a status quo.

                      Dear Mr. Straw-man Fallacy,

                      Not one is calling for anarchy. And if you are a voter then those of us with different opinions obviously have to change your minds first, otherwise your many lesser informed votes will cancel out the few of the more informed votes.

                      "Do you understand that Congress does this in order to please their corporate sponsors who refuse to pay a living wage and expect the taxpayers to make up the difference - right?"

                      That question is better asked of you. Do you not understand that the first step on the road to oppression is a politician promising to protect you from something if you give them power and authority? Citizens are nothing more than a commodity to be traded between Politicians and Businesses. The only way citizens can have a say is if they have a free-market to work with (which does not exist) AND rights to exercise (which have been effectively destroyed).

                      Which leaves us where we are now. An oligarchy running a police state. And low information voters like yourself helped give it to them. We are trying to inform you of this, but it is difficult to do so when you have been fooled into batting for the people you claim to call your enemy.

                      link to this | view in chronology ]

                      • identicon
                        Anonymous Coward, 21 May 2018 @ 3:04pm

                        Re: Re: Re: Re: Re: Re: Data leaks as a status quo.

                        For somebody who wants political change, you sure have a knack for pissing off any potential supporters. All that your attempts to beat people into submission achieve is painting you as a worse potential tyrant than those currently in power.

                        link to this | view in chronology ]

                      • identicon
                        Anonymous Coward, 21 May 2018 @ 3:05pm

                        Re: Re: Re: Re: Re: Re: Data leaks as a status quo.

                        Go wag yer finger at someone else.

                        link to this | view in chronology ]

            • identicon
              Anonymous Coward, 21 May 2018 @ 9:18am

              Re: Data leaks as a status quo.

              I wonder if its possible to capitalize on this by providing a personal disinformation service that maintains alternative personalities for the same identity.

              Yes:

              When he landed in Spain, Ahearn tried to imagine what a man of Bucard’s wealth might indulge in while on holiday. Then he began a riot of spending: fine clothes, meals out, a king’s ransom of trinkets. “I had a blast with his plastic,” he says. “And that, my friend, is how to leave a trail of super-cool disinformation.”

              ...

              Ahearn explains that he might start by taking over your Facebook account, and “creating information” about Sydney, Australia. “I’ll befriend people in Sydney, then create new, fake Facebook accounts who become your friends in Australia.” He then starts up public conversations between these accounts. “You create a fake digital friend and get them to post an update about how they had dinner with you and another fake Facebook friend last night. It’s about offering coherent titbits of information. Deleting stuff is just useless. It’s already [been] there. Perhaps the person looking for you copied the information. So it becomes a game of total misdirection: you have to keep the predator busy.”

              But the long-term cyberpunk-dystopia solution is to design systems so the information doesn't exist—such as anonymous onion-routed cell networks.

              link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2018 @ 8:10am

      Re:

      Facebook needs to be punished as well, or it'll just keep happening.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2018 @ 9:07am

      Re:

      It will keep happening. Over and over. Until there's actual punishment.

      Unlike the USA, Canada does have a general-purpose federal privacy law. That might make things interesting, though the process looks baroque: a complaint would have to contact the Office of the Privacy Commissioner of Canada, who would make a non-binding report, and only then could the complainant petition a court for penalties.

      link to this | view in chronology ]

  • icon
    discordian_eris (profile), 21 May 2018 @ 7:11am

    When will Congress take this kind of shit seriously and start jailing the execs at these fly-by-night companies? Yes, yes, fine the hell out of them, but history has shown that that is just a slap on the wrist. How about 6 months in jail per leaked/hacked record stolen? That seems fair.

    link to this | view in chronology ]

  • icon
    Berenerd (profile), 21 May 2018 @ 7:21am

    Robert Xiao will be arrested shortly for hacking or Copyright infringement or some such in the near future. No good deed can go unpunished after all.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2018 @ 8:52am

    puleeze!!!!

    It's not just now... it is an always been. The constant real time telemetry we subject ourselves to is no secret, and the idea that you have any meaningful privacy is a farce. Even the outrage is largely manufactured. There has never been, or will ever be, any actual security on the data that you consider private.

    People are just like little wild hogs in the woods happily pigging out on the pile of food suspiciously left out while ignoring the huge contraption suspended just above them waiting to fall and imprison them.

    link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 21 May 2018 @ 9:28am

      "People are just like little wild hogs"

      Our law enforcement officers are Morlocks.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 May 2018 @ 9:49am

        Re: "People are just like little wild hogs"

        that is quite an apt name for them.

        if the supposition that Wells derived Morlocks from the Morlachs in the Balkans and were primitive, backward, and barbaric then the name is a sure fit. Often time government is primitive in logic, backward in action, and barbaric by result.

        I agree with you... a damn fine name for law enforcement. Especially since lower IQ's are a literal requirement to be one.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2018 @ 11:33am

      Re: puleeze!!!!

      Yeah - makes no sense to fight them, just give up already.

      I don't think so.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 May 2018 @ 1:57pm

        Re: Re: puleeze!!!!

        You misunderstand... read it again and you will realize that I am saying you NEVER FOUGHT THEM! And you are happily eating at the pile of food they left for you so they could trap you.

        In short... I don't see you all really doing anything about it. You are still going to vote for the same people letting the same businesses rape your privacy playing the same lobby game writing the same laws and going through the same make empty promises campaigns while you go to your same job and and get treated the same way.

        What are you going to do about? Vote in one of the two parties that have done nothing about for the past several decades but make it worse?

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 21 May 2018 @ 6:11pm

          Re: Re: Re: puleeze!!!!

          It is funny in a sick sort of way, that some believe the person they vote for will actually do any of those things they promised.

          link to this | view in chronology ]

  • identicon
    Research Organized Stalking, 21 May 2018 @ 10:13am

    re: database abuse and gang stalking

    Missouri is a major database abuse state, but Illinois, Minnesota, California and New York use these databases to stalk low income people, who get caught up in the virtualized slave nets of child support debtors,anything domestic violence, and anything realated to kangaroo courts,like fakerape administration hearings, family courts; and as we see here, politics.


    Google "NGOs ang gang stalking," Rotary Club and gang stalking, LEIUsang gangstalking, or Domestic Violence IndustrialComplex and gangstalkig for an eye opener.

    TAll modern organized/ gang stalking begins in hidden, secret databases, and where once,these hidden cowards stalked liwer income and easily accessible people,it has creptinto the middle class, asithe welfare state turned into our secret polce state that we see today.

    And, using Palantir,DataMinr, and NSA-to Israel anf FVEY whole capture internet, the statehas begun targeting whole families for generations, as we see with LosAngeles use of the CalGang database, and the CIAs LASER systems.

    www.researchorganizedgangstalking.wordpress.com

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 May 2018 @ 10:32am

    Give up on having both phone and privacy. Never did, never will.

    Get your eyes off the screen and see that you are in the dystopian sci-fi Minority Report world.

    Go live in a cave if don't like it.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 May 2018 @ 11:37am

      Re: Give up on having both phone and privacy. Never did, never will.

      Wage slaves unite!
      Do not believe the bullshit, use your head.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 May 2018 @ 6:20am

      Re: Give up on having both phone and privacy. Never did, never will.

      Go live in a cave if don't like it.

      I take it you already live in a cave then since you complain about it so much?

      link to this | view in chronology ]

  • icon
    ECA (profile), 21 May 2018 @ 1:36pm

    Protection

    I wonder what happened to privacy AFTER we paid for a product??
    Isnt there ANY privacy for a PAID FOR SERVICE?? Or do I have to PAY MORE..

    Sounds like a trip to canada would be interesting, they have a service to Kill all your tracking in phone.

    link to this | view in chronology ]

  • icon
    a female faust (profile), 22 May 2018 @ 9:22am

    in the end power is sociopolitical not financial: class not inco

    @ECA

    don't kid yourself that your money makes that big a difference.

    by way of example, i think the following bears:

    The People of Santa Barbara vs. Big Corporate Oil: A Cautionary Tale

    even though the corporate evil in question is Big Oil not Big Data. (it was originally posted in response to the BP oil spill, it shows how little of an effect money really has, when corporations and citizens disagree.)

    also see Proof That The United States Is Not A Democracy.

    so i guess, in a twist on the commonsense adage, if the service is not free, you are probably still the product.

    link to this | view in chronology ]

    • icon
      ECA (profile), 22 May 2018 @ 9:57am

      Re: in the end power is sociopolitical not financial: class not inco

      WEll,
      Part of this is that WE THE PEOPLE, have not had interaction with THOSE WE HIRED to represent us..
      The CORPS have covered most of it up with THEIR OWN, backup system to what THEY WANT.. They can DUMP LOADS of mail/email onto a bill, saying THEY WANT IT..
      The Old phone service was great and had LOTS of gov. protections..BUT no one understands THAT cellphones DONT have those protections.. EVEN tho it uses the Fiber Backbone, that the OLD system USES..

      And Basic Econ is easy to understand and FIX, IF THEY WOULD FIX IT.. its NOT hard. But the CORPS keep threatening the Gov...(we will move out and take jobs away, is NOT A GOOD REASON TO KEEP THEM HERE) We can fill ANY Corps position Even if the Gov. has to replace it..
      Its like Protecting banks...DONT. Let the Lower ranked banks TAKE THE POSITION..Screw the BIG guys who will have to pay out to stock holders..

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 May 2018 @ 9:32pm

    You have nothing to hide, have you?

    link to this | view in chronology ]

  • identicon
    Jessica mason, 24 Jul 2019 @ 3:26pm

    A very good Cyberguru you can reach,reliable,Trustyworthy and Active via mail cybertroll3@gmail com Its both public and private information. It goes beyond what one source can do for you or what search engines can give you. You’ll have access to public records, social media analysis, a all round internet research, court public records, arrest records, cell phone data (both open public and exclusive repositories ), driving information plus more.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.