Wireless Carriers Hope You Won't Notice Their Location Data Scandal Makes The Facebook, Cambridge Fracas Look Like Amateur Hour
from the ill-communication dept
When the Facebook, Cambridge Analytica scandal broke, we noted that however bad you thought that scandal was (and it certainly was bad), it couldn't hold a candle to the routine privacy abuses that have occurred in the telecom sector for the better part of the last few decades. From charging consumers hundreds of additional dollars annually to opt out of snoopvertising, to the use of private user financial data to justify providing even worse customer service, the broadband industry has long been the poster child for privacy abuses without much in the way of practical public penalty.
It's just as bad on the wireless side, where carriers like Verizon have routinely have been caught modifying user data packets to track users around the internet (without telling them or providing opt out tools), and selling user browsing, app-usage and location data to everyone that comes calling. That's before you even touch on the fact that these companies are practically bone grafted to the NSA and other intelligence services.
As such, we noted how if you were part of the #DeleteFacebook set but were still rolling around using a stock phone on an incumbent carrier network, you failed to understand that Facebook's casual treatment of private consumer data was the cross-industry norm, not some errant exception.
The Location Smart and Securus scandals (which exposed the data of 200 million cell users) quickly proved our point. Thanks to lax handling of private location data by cellular carriers and third-party brokers, those scandals quickly highlighted how anonymized data isn't really anonymous, and this data can and is routinely abused by everybody in this chain of dysfunction (including law enforcement). Oddly, even in the wake of those reports, people still seemed to view the Cambridge, Facebook fracas as somehow far more scandalous, most likely because of that particular story's political undertones.
Clearly hoping to get ahead of the scandal before the press, public and regulators realized the depths of this particular rabbit hole, Verizon proclaimed that the company would be ending all sales of location data to third party data brokers. The company announced the decision (pdf) in a letter responding to inquiries by Senator Ron Wyden, who had begun to apply some pressure on mobile carriers. From the letter:
"We conducted a comprehensive review of our location aggregator program. As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices."
Verizon announced it would be suspending all data sales to location data brokers like LocationSmart and Zumigo, which the company acknowledged sold that data in turn to a roster of more than 75 different companies. And, in short, it's promising to suspend such data sales at least until it can ensure that data is actually secure (what an incredibly novel idea). Who'll actually confirm this data is secure before the program is restarted isn't clear; you'll apparently just have to trust a company with a several-decades history of severe privacy violations and blatant false statements.
Like the Facebook scandal, there wasn't much in place to really ensure that often real-time data remained protected, something made clear when the LocationSmart scandal revealed that one Missouri Sheriff routinely (ab)used the system to spy on Judges and fellow law enforcement officers without much legitimate justification (or pesky warrants). In subsequent statements to the press, Verizon has tried to argue that the company quickly took steps to thwart the abuse:
"When these issues were brought to our attention, we took immediate steps to stop it. Customer privacy and security remain a top priority for our customers and our company. We stand-by that commitment to our customers."
But again, this was Verizon only acting after the horses escaped from the barn, suggesting that no, privacy and security was not a top priority. If Verizon's self-auditing was so stellar, it seems curious it never self-identified the potential for the kind of abuse the LocationSmart and Securus scandals revealed. Or the self-audits did reveal problems, but the money made from selling this data made actually fixing them a low priority. Knowing Verizon pretty well, it seems clear it wouldn't be taking this kind of financial hit if its lawyers didn't realize the company was potentially facing some pretty steep penalties here.
One of the key problems in location and other data sharing is that wireless cell carriers have found a way to effectively operate outside any meaningful privacy guidelines by perpetually passing the onus for user consent down a long line of location data aggregators. Blake Reid, an associate clinical professor at the University of Colorado School of Law, perfectly captures the problem in comments made to Brian Krebs:
"The carriers basically have arrangements with these location aggregators that contractually say, ‘You agree not to use this access we provide you without getting customer consent’,” Reid said. “Then that aggregator has a relationship with another aggregator, and so on. So what we then have is this long chain of trust where no one has ever consented to the provision of the location information, and yet it ends up getting disclosed anyhow."
Verizon's obviously trying to pre-empt privacy regulation before we collectively realize current oversight makes the wild west seem downright domesticated. The company has long fought tooth and nail against any kind of consumer privacy protections, stating back in 2008 that federal privacy rules aren't necessary because "public shame" would keep the company honest. More recently, Verizon successfully lobbied the FCC to kill modest broadband privacy rules that would have prevented precisely this kind of scandal from happening by requiring greater transparency -- and that users opt-in to more sensitive data sharing.
None of that is to say that regulatory action is the only solution here, or that this particular Congress could even accomplish such a task. But it's also pretty clear that sooner or later, the pinky swears and winks currently passing for oversight of the telecom sector's treatment of your private data aren't going to quite cut it.
Shortly after Verizon's announcement AT&T stated that it too had suspended location data sales to third-party brokers (for all the same reasons). Sprint followed suit. T-Mobile, which cultivates a reputation as a more consumer-friendly wireless carrier, belatedly brought up the rear, initially likely wary of highlighting any missteps as it seeks regulatory approval for its looming competition eroding megamerger. But again, most of these promises were somewhat murky in scope (T-Mobile's promise to improve, for example, was entirely devoid of substance and somehow never reached Wyden's office).
With this data having bounced around so many partners with so little transparency or oversight, you can be pretty sure we haven't heard the end of this story. And while wireless carriers would very much like the public and press to believe that they've fixed the privacy problems that plague the telecom sector, several decades of evidence to the contrary -- and the press and public's general tone deafness to the scope of this particular problem -- suggest any meaningful reckoning is still likely some time away.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data, data brokers, privacy, wireless carriers
Companies: at&t, cambridge analytica, sprint, t-mobile, verizon
Reader Comments
The First Word
“No fix
They won't fix it because they don't have to. De-regulation and a lack of government oversight means they are free to do as they choose. Welcome to the Libertarian paradise asked for by some of the more vocal (Anonymous) Cowards.Subscribe: RSS
View by: Time | Thread
No fix
[ link to this | view in thread ]
GDPR
[ link to this | view in thread ]
So, solution is to attack ISPs and distract from Facebook?
Anyhoo, you don't *actually* state that corporations getting, keeping, and collating *should be stopped,* all the data erased and the corporations broken up until small enough for local control. At most, you say it's bad.
[ link to this | view in thread ]
Re: No fix
So tell us what "de-regulation" is responsible for this problem? Or are you just throwing about buzzwords as usual without knowing what you are talking about to snag a ride on the self masturbation retard train going by?
Read the fucking article you twit...
"Verizon's obviously trying to pre-empt privacy regulation before we collectively realize current oversight makes the wild west seem downright domesticated."
the word "pre-empt" means something you nano brained moron!
[ link to this | view in thread ]
My precious
[ link to this | view in thread ]
Re: No fix
[ link to this | view in thread ]
Re: My precious
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: GDPR
There should, but lets be honest here... which law written in the past decade can you point to that does not make the problem actually worse without even solving the original problem?
I have no confidence that anything will change for the better, no matter which law you get written on the books.
[ link to this | view in thread ]
Re: Re: My precious
"Government does no wrong, ONLY businesses!"
~The Left
[ link to this | view in thread ]
Read that carefully
I'm reading their statements in a very paranoid way, as seems to be necessary these days. They're only going to stop selling it to third-party data brokers, temporarily.
They can still give it to them. First- and second-party brokers are OK (meaning telcos can sell it to people who won't resell, like cops). Non-brokers aren't affected (e.g., people who will sell derived data). Once "controls" are in place all of this goes out the window, and they'll be back to selling it without your consent; they'll just be able to sue someone when it leaks.
[ link to this | view in thread ]
Re:
Both parties are in power and the same result occurs each year regardless of the "mouth breathing" either side does over the issue and the voters just get taken for a ride and they like it!
[ link to this | view in thread ]
primary, secondary, and vicarious liability
The Supreme Court has established the legal framework for primary, secondary, and vicarious liability (MGM v. Grokster), but why is it that these concepts only seem to apply to protecting copyright and not other legal infringements such as privacy? If the same rules applied, it would seem that cellular telephone carriers could be held liable for anything nefarious their downstream partners did that they either knew about or should have known about.
[ link to this | view in thread ]
Re: Re: No fix
[ link to this | view in thread ]
Well, that raises a question..,
There are plenty of regulations we want, privacy protections being one of them. (Meat inspection being the old standby example). Considering regulatory capture is a form of government failure, how does having less or no government fix the problem of having bad or captured government?
To clarify, I'm not trying to mock you or Libertarianism, I just don't understand the mechanism by which removing the regulatory function of government would serve the public. How would it?
[ link to this | view in thread ]
Re: Re: Re: No fix
Sad is better word to describe me. Sad that it is so easy to fool people because they cannot break away from political mind control, it is sad and nearly equal parts scary.
[ link to this | view in thread ]
[ link to this | view in thread ]
FTFY
And, in short, it's promising to suspend such data sales at least until it can ensure that it can get away with the sales again
[ link to this | view in thread ]
This raises an ongoing systemic problem.
It seems that we get regulation and protections for the public by the following process:
a. A business begins, unregulated
b. The business engages in atrocity to augment its revenues.
c. A lot people in the public get hurt or inconvenienced, and suffer as a consequence.
d. A public uproar emerges demanding the practice stop.
e. Company lobbiests advise representatives the damage is overblown.
f. A flagship incident in which someone is horribly hurt by the company's policies makes mainstream news. Some little girl dies.
g. As a result of f. the company rolls back policy b. or legislators pass a bill regulating against b.
h. Once f. blows over, company resumes b. or resumes lobbying to deregulate so it can resume b. as soon as possible.
So my question is, can we get to g. without all the c. and especially not the f.
[ link to this | view in thread ]
Re: Well, that raises a question..,
This is not quite the correct way to look at it. It is about the "approach" being taken. The problem with regulations is that the term is general and meaningless. Regulation = Law, we just use a different term for it because we can. When people are saying "more regulation" they just mean "more law" while also complaining about having bad laws.
Yes, we all know that people are really only just asking for "reasonable" regulations but that is a pointless ask. If you want to solve the problem you must first create a framework that helps mitigate bad regulation. And that means you choose the "types" of regulation you will allow and the types you will NOT allow.
In general we should be focusing on anti-trust and anti-monopoly laws along with laws the make dishonesty by businesses criminally punishable not just civil or fine based. Managers need to go to jail when they intentionally falsely advertise. There are millions of people in the US, and even if a false ad robs each of them just $1 dollar, it is still millions of dollars of ill gotten gain.
"To clarify, I'm not trying to mock you or Libertarianism, I just don't understand the mechanism by which removing the regulatory function of government would serve the public. How would it?"
I have a better question? If the regulations are bad or failing, what does it serve us to keep them? How would it?
[ link to this | view in thread ]
Re: Re: Re: Re: No fix
You could try not posting things that make those well deserved, for once. If your criticism is not constructive, why should anybody respond in any other way? You did not even attempt to state why the person you responded to was incorrect, other than hint that you have a different dictionary, you just attacked them with no substance.
"Sad is better word to describe me"
Yes, it's just that everybody else is thinking of a different definition of the word when they read your posts.
[ link to this | view in thread ]
Re: Re: GDPR
[ link to this | view in thread ]
Re: So, solution is to attack ISPs and distract from Facebook?
Yes, people often write multiple articles on the same topic, especially when new information is introduced. This article is clearly in response to new things that have been done in the last couple of days.
What is the problem here, exactly, other than someone whining about the writing because they cannot argue with the substance?
"At most, you say it's bad."
Which may well be his opinion and the point he's trying to get across. "Letting it all happen" and "stopping everything" are not the only two choices.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: No fix
What is sad is that you offer nothing constructive either PaulT, I have been on the receiving end of your hypocrisy as well.
Is this were we both say "you first"?
This is the game each and every time. Only ONE side gets called out for negativity while ONE side gets a complete pass.
First remove the beam from your own eye before you can see clearly enough to remove the speck from mine.
"Yes, it's just that everybody else is thinking of a different definition of the word when they read your posts."
This was your final line in a post you typed up to admonish someone? I guess lead by example is something you are not capable of is it PaulT?
You are only proving my point!
[ link to this | view in thread ]
Re: Re: Re: GDPR
You already know I am right, it's why you get so pissed off at me.
[ link to this | view in thread ]
Re: Re: So, solution is to attack ISPs and distract from Facebook?
It is people like you framing everything in an all or nothing perspective, not those you are accusing. So put your dick beaters on your face, palm open and wipe down... maybe you can finally get that egg off your face for a change!
[ link to this | view in thread ]
Re: Re: My precious
Theoretical defenses against a global passive adversary have been proposed. They might not be practical, and nobody's yet built a practical system based on the ideas. Anyway, these ideas are far off for cellular networks—we'd need the providers to cooperate, or we'd need to replace them, to have a network where the providers don't know the location of each user. Then we'd at least stand a chance against governments.
[ link to this | view in thread ]
So let's apply it.
Let's pull it under the "performances" part of copyright law.
According to copyright law, the performer is the author and owner of a performance, absent explicit written and individually-signed agreement to the contrary.
I am the author of my life, including that derivative work which is the sequence of my location-information. Verizon et al. are engaged in selling a work I own for commercial gain, hence should be prosecuted to the extent of the law, both criminal and civil.
Note that if I sue for copyright infringement, the Copyright Act allows the plaintiff ex parte seizure of evidence of that infringement, which (as the Scientology cases show) includes the seizure of all relevant computers. How well would any of these organizations survive that?
[ link to this | view in thread ]
Re: This raises an ongoing systemic problem.
Lie or ignorance peddling #1, no business begins unregulated. No matter what if a business starts in a country there is at least 1 regulation they had to follow just to become a business to begin with.
"b. The business engages in atrocity to augment its revenues."
Misrepresentation #1. Not all businesses do this and one businesses atrocity is another mans treasure. Think planned parent hood, atrocity for some, salvation for others. Poorly funded for some, over funded for others.
"c. A lot people in the public get hurt or inconvenienced, and suffer as a consequence."
Misrepresentation #2. Duplication of Misrepresentation #1 using different words.
"d. A public uproar emerges demanding the practice stop."
Sometimes... most public uproars are just news trends making politicians believe there is one when there isn't. Some call it "fake news" or the more original term "yellow journalism".
"e. Company lobbiests advise representatives the damage is overblown."
Something we can agree on, the problem here is that sometimes the lobby is correct and things are indeed overblown. But the problem is that being overblown is meaningless. A problem can still be very bad whether it is being overblown or not and the words are just being used to provide mental fuckery on BOTH sides.
Example, saying that 3 people died is overblowing the situation because only 2 people died, but it really does not matter if it was overblown because people still died, the number or its accuracy in report is actually not worth focusing on, but we focus on it because... well... we all have little mind games to play!
"f. A flagship incident in which someone is horribly hurt by the company's policies makes mainstream news. Some little girl dies."
yep, and the usual response is often overblown as well. Tragedy has often been the goto excuse to get people to swallow laws that otherwise could not be easily made, and for good reason. And because of that we often make the laws even worse than we would have under saner un-rushed circumstances.
"g. As a result of f. the company rolls back policy b. or legislators pass a bill regulating against b."
The usual games, whether company is evil or benevolent, it is not likely this activity would change. These things are done as "public relations" moves because people NEED to see something happen, even when it is meaningless.
"So my question is, can we get to g. without all the c. and especially not the f."
No... cannot be done because as you have already admitted in how your put the chain together that you are already biased about outcome. First get enough people to clear their bias, which is not going to happen.
This whole problem is a catch-22, chicken or the egg, no light without dark problem. You are a hammer looking for a nail to hammer in other words and shows that you are risk adverse to the point where you would even try to destroy risk that might be beneficial just to spite the nose on your face.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: No fix for PaulTs ass for a mouth
Its people (?) Like him that are actively killing pure speech online, like dilligent Little Eichmanns.
[ link to this | view in thread ]
Re: No fix
Every Nation eats the Paint chips it Deserves!
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: No fix for PaulTs ass for a mouth
If we all stopped responding to him, flagged his posts and moved on maybe he would go away. Even if he didn't disappear at least his posts would and we can get back to focusing on the topics at hand.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: No fix for PaulTs ass for a mouth
The truth does not disappear like that, but you can still try. You all tried it with the last election and you lost. Perhaps you should get a different gambit eh?
I remember all of the people scoffing at the idea of Trump winning the presidency. And do you know what, that actually helped make sure he won, but like I have always said here at TD. You guys are so stupid, that all of your efforts to save yourselves turn out resulting in your own self harm. Kinda like a group of Wile E. Coyote's chasing the road runner. You are nothing but a bunch of clueless fuck-ups spending all of your time helping the broadband industry fuck you sideways but blaming others not worshiping at your political altars.
[ link to this | view in thread ]
Re: This raises an ongoing systemic problem.
Wired phone systems that HAD TONS of protections
CHEAP wireless phones that had little to tell anyone about our location, unless being within 10 miles was something..
SMART phones that can be contacted REMOTELY..and located..
ALL those rights for the wired phones?? GONE..
The IDEA that cellphones are SAFE??
The signal from phone to tower is EQUAL in the opposite direction..Anyone with in MILES OF YOU, can listen to your conversation..
THERE IS LITTLE ENCRYPTION from your Cellphone to the tower, and all forms of encryption are ALREADY KNOWN..
Think you can encrypt your conversation BEFORE its sent?? NOT easy, and dont work very well..
Encrypt your TXT msg..does not stop it from being received and tested..
VPN for your phone?? dont work until you GET TO THE REMOTE SERVER..
There used to be allot of tricks you could do with the OLD wired phones..
NOW you have them aLL in your hand..they need nothing special to track and monitor you..
HAVE FUN..
[ link to this | view in thread ]
"Lie or ignorance peddling" etc.
It looks like you rejected the model entirely so it surprises me you felt the need to line-item it.
no business begins unregulated.
I thought it was obvious in context: I wasn't saying businesses don't begin without regulation at all (though some, at one point, did.)
I was saying that regulations form because the business is, in some way doing damage or mischief to the public. A contemporary example would be a cattle ranch with high methane emissions.
Maybe, Anonymous Coward you misunderstood what I was saying. I certainly could not understand at least half your critiques.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: No fix for PaulTs ass for a mouth
[ link to this | view in thread ]
Re: Re: Re: Re: GDPR
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: No fix for PaulTs ass for a mouth
Trump won because the racist neocons pmayed Democrat white male guilt like a fiddle, and all .of those Comi conjobs and and faux liberalism, Israelification via Haim Saban and other toxic racist billionaires.
Sheeple.
Meanwhile, the prisons keep growing, and none of these cowards can see the new slavery/peonage systen growing up around them.
KoolAid...
[ link to this | view in thread ]
Re:
Is Techdirt's official stance that we should let Facebook/Google/etc slide because other companies are doing bad things as well?
Uh, no.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: No fix
No, this is where you notice that I offered constructive criticism in how to avoid being responded to like you are by the community here, and chose to ignore it and attack me instead. If you choose to continue to act like someone whose opinion is worthless and is only here to try and cause problems, you will continue to be treated as such.
But, the hilarity of someone who so often baselessly attacks and lies about people whining about the way someone addresses them is noted.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Let's do an experiment then - present some and we'll see how the community reacts. Your track record is rather poor thus far.
"I remember all of the people scoffing at the idea of Trump winning the presidency"
Yeah, we didn't think you'd be that stupid, but here we are. The only silver lining is that he didn't actually get more people voting for him, and he's making people a lot more passionate about doing something about it, so there's a chance of redemption next time round.
"You are nothing but a bunch of clueless fuck-ups spending all of your time helping the broadband industry fuck you sideway"
No, I'm in a place with decent broadband watching the train wreck unfold from afar, as Trump installs industry puppets to screw you as everyone predicted he would. But, you sure showed them, huh?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: No fix for PaulTs ass for a mouth
[ link to this | view in thread ]
Re: Re: Re: So, solution is to attack ISPs and distract from Facebook?
You attack regulation as the root of all the problems, but offer no solution other than removing the current protections. Therefore, I believe you mean what you are saying. Idf you mean to say something different, then say it.
"It is people like you framing everything in an all or nothing perspective"
You're hallucinating again, because I never say any such thing. I only try to counter people like you who openly state that regulation caused your current problems. Stop saying that and read the words I actually type, then maybe you won't be so offended all the time.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: No fix for PaulTs ass for a mouth
you are so clueless it hurts my head!
[ link to this | view in thread ]