AT&T, Verizon, T-Mobile & Sprint Want Even Broader Access To Your Personal Data
from the hard-pass dept
We've noted repeatedly that however bad Facebook has been on privacy (pretty clearly terrible), the broadband industry has traditionally been much, much worse. From AT&T's efforts to charge consumers more just to protect their privacy, to Verizon getting busted for covertly tracking users around the internet without telling them (or letting users opt out), this is not an industry that respects you or your privacy. That's before we even get to their cozy, often mindlessly-loyal relationship with intelligence and law enforcement.
As such, it's kind of amusing to note that these are the same companies now trying to position themselves as the gatekeepers of all of your private data online. As security expert Brian Krebs notes, AT&T, Verizon, T-Mobile and Sprint (the latter two of which will likely soon be one company) are cooking up something dubbed "Project Verify," which would let end users eschew traditional website passwords -- instead authenticating visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, including location, "customer reputation", and device hardware specs.
This video by the carriers offers a little more detail:
The problem, as Krebs is quick to note, is that giving more private data to companies with an utterly abysmal track record on privacy might not be a particularly bright idea:
"A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are."
As we've been noting, these are the same companies that have been struggling to prevent hackers from routinely stealing customer identities via SIM hijacking, which involves a hacker bribing an employee to port your phone number to a new device, then jacking your identity and making off with your private data (or making millions by selling your cryptocurrency or valuable accounts). These are also the same carriers that have routinely failed to do much about the SS7 exploit that's been in the wild for seemingly ever, allowing hackers to spy on an undetermined number of cellular customers for years.
These are also the same wireless carriers that were just caught up in a massive scandal involving their collection and sale of user location data, a multi-billion dollar venture that involves selling your daily motion habits to a cavalcade of different companies, many of which have shown a similarly-flimsy disregard for actually keeping that data safe. And these are the same companies that work tirelessly to scuttle any and every effort to actually shore up nationwide privacy standards, usually by lying to lawmakers and the public about what these plans would actually do.
For his part, Krebs thinks this is a hard pass:
"I am not likely to ever take the carriers up on this offer. In fact, I’ve been working hard of late to disconnect my digital life from these mobile providers. And I’m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service."
Other widely-respected security reporters were similarly unimpressed:
I don't wanna be a Debbie Downer but if you can't figure out how to stop SIM Swapping or securing your web servers I don't know if you should be trusted to become * the * digital identity manager for millions of people.
— Lorenzo Franceschi-Bicchierai (@lorenzofb) September 13, 2018
Again, the devil will be in the details. But at first glimpse, you'd be pretty foolish to trust companies with additional private data that have repeatedly proven to be routinely cavalier about the oceans of data they already collect. Time and time again wireless carriers have prioritized profits over the personal interest and welfare of consumers, and anybody expecting that to magically change ahead of Project Verify's launch hasn't been paying attention.
Filed Under: accounts, digital identity, passwords, privacy, project verify, telcos
Companies: at&t, sprint, t-mobile, verizon
Reader Comments
Blockbuster is more regulated than Verizon?
[ link to this | view in chronology ]
really good thing when privacy is being eroded, along with freedom, by the US government and just about every other government on the Planet as well. letting what isn't being protected well already be less protected by a bunch of liars only interested in being paid for handing out info to as many companies as possible, while knowing everything we do, every minute of every day, gives them constant access to us is despicable!!
[ link to this | view in chronology ]
Project Verify - aka - Project EBD (Encryption Back Door)
[ link to this | view in chronology ]
Re: Project Verify - aka - Project EBD (Encryption Back Door)
The masses will eat this up, not realizing that they are basically submitting themselves to branding and constant monitoring of all their activities.
Next will come the use of the privacy data to track down those responsible for "fake news" (aka, anything against the current government's wishes), and then the beheadings will begin.
Wait until the DNA databases are cross referenced with this data to track down any "foreign invaders" (aka immigrants) who will then be summarily shot by firing squad (or just deported to their country of origin, based on the highest % in their DNA record).
Now where did I put that tinfoil hat... (it stops the privacy stealing rays... when wrapped around your phone, right?)
[ link to this | view in chronology ]
Re: Re: Project Verify - aka - Project EBD (Encryption Back Door)
This is how it always dies...
there is a reason that the founding fathers said that those whom give up essential liberty for a little temporary safety deserve neither that liberty or safety.
There is no greater irony than those that are crushed under the very boots they themselves elected to crush them.
[ link to this | view in chronology ]
Re: Project Verify - aka - Project EBD (Encryption Back Door)
[ link to this | view in chronology ]
I will be sure to run right out and join.
[ link to this | view in chronology ]
DUMB PIPES
You don't need my personal data.
You have exactly one job: DUMB PIPES.
Just be the world's best, fastest, most convenient, and competitively priced dumb pipes.
Doing your business and doing it well is a time honored way of building a great business.
Sincerely,
your customers
[ link to this | view in chronology ]
Re: DUMB PIPES
Amazingly, Verizon just announced a suspiciously great plan. I kept looking for a catch and didn't see it. No caps, no throttling, no tethering restrictions, 300-1000 Mbps, and their advertised price includes all fees and taxes. It's an announcement from a bizarro world. Two days later they announce they want to manage my security, and we're back to reality. Next week they'll be back to extorting money from Youtube and Netflix.
[ link to this | view in chronology ]
who cares
Some are even dumb enough to think they can avoid the likes of google if they block scripts. If you design webpages, you already know you can hide plenty of things from the user about their sessions. This does not even count the 3rd party data sharing businesses do with Google on other things.
These companies are going to get your data, they are going to be able to use it as they see fit. Any lawsuits they lose over that data will only result in temporary setbacks as the government is going to want that data as well. It behooves businesses to get into bed with government and to spy on you for them so they can bilk you for every last penny the government will allow.
And you are going to deserve it too!
[ link to this | view in chronology ]
Re: who cares
"AT&T, Verizon, T-Mobile & Sprint Want Even Broader Access To Your Personal Data"
Idiot says:
"that avoiding Google is as"
How'd Google get into this? Isn't Mike Google? Aren't you playing right into their devious plan? The only way you can avoid it is to completely disconnect from the internet. You better get started. Chop chop.
[ link to this | view in chronology ]
Re: Re: who cares
The article is about AT&T.... but the primary focus is about "privacy" and your information which is why TD also brought up Facebook
"We've noted repeatedly that however bad Facebook has been on privacy"
And I decided to bring up Google. Please forgive me if you are too stupid to consider the parallels I brought up in my post.
You are the idiot, people like you get taken quite a lot. There is no end to the ways I could get people like you to work against your own interests but pretending for you that you are working in your own best interest.
"Isn't Mike Google?"
Piss off with that bullshit, Google is google and no one else.
"The only way you can avoid it is to completely disconnect from the internet."
Not true, but I don't think you are intelligent enough to understand why.
[ link to this | view in chronology ]
Re: Re: Re: who cares
[ link to this | view in chronology ]
Re: Re: Re: Re: who cares
AT&T, Verizon, Facebook (as mentioned by TD), Google, and many other businesses can mine your data and there is not a jack fucking thing you can effectively do about it.
If you take them to court and win, they just pay out a little bit but will keep doing what the fuck they want. If you get a politician to side with you then they just buy the politician and still keep tracking you except they will now just agree to hand that data over to the politician.
You
are
fucked
either
way!
that is what I am saying!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: who cares
[ link to this | view in chronology ]
Re: Re: Re: who cares
For no good reason whatsoever other than... well... to bring up your vendetta against Google at every opportunity.
Yeah, we know.
The rest of your comment is just you all butthurt.
Seems you are in a perpetual state of butthurt.
[ link to this | view in chronology ]
Re: Re: Re: Re: who cares
I am just telling clueless people like you that you don't know as much as you think you do and you can't avoid google collecting data on you no matter what you do.
You CAN reduce the amount they collect on you by taking steps but there is a limit.
The only thing I am "butthurt" about is the level of stupidity and ignorance around here. I can tolerate people having different views, I just have low tolerance for willfully blind ignorance. It's not like the things I say cannot be easily discovered. It just takes you to get your head out of your little sheep ass.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: who cares
Your constant railing against them and berating people for using their services would indicate otherwise.
So you're just a hypocrite then. Got it.
We feel the same way about you.
Actually, they can't, because they aren't true.
You keep using those words, I don't think they mean what you think they mean.
[ link to this | view in chronology ]
Re: who cares
dnscrypt cloaking examples...
*googleapis* 127.0.0.51
*gstatic.* 127.0.0.50
*google-analytics* 127.0.0.52
dnscrypt blacklist examples...
cs9.wac.phicdn.net
*google.com*
*youtube.com*
*mozilla*
*microsoft.*
*go.microsoft*
*microsoftonline.com
*.msftncsi*
*windowsupdate*
*telemetry.*
*ipv6.microsoft*
*appsforoffice*
*social.msdn.microsoft*
*social.technet.microsoft*
[ link to this | view in chronology ]
Re: Re: who cares
You don't even have to be online for google to collect data and information about you.
I work in IT, people share data, you have already given data to others and they share it, and then google buys it from them. Google is not the only people that do this, in fact this has been happening since before google existed. The things YOU DO on the internet is not the only things being collected about you.
You know what, ignore everything I just said... be a stupid fucking sheep, not a single fucking thing is being used to track you and this entire fucking story is a load of bullshit.
Take your tin hat off, find the nearest pile of loose dirt, no make that "hard" dirt and slam your fucking head into it until you either bury your head enough to suffocate you or the process knocks some fucking sense into you!
[ link to this | view in chronology ]
Re: Re: Re: who cares
I does not address corrupt practices such as google buying data from Master Card. If you were not so crazed from sniffing glue, you would know this wouldn't you. Outside the internet is a different problem domain not directly solvable thanks to political corruption. If you really worked in IT as a professional, then you would know how to split up problem domains wouldn't you.
So that is all we can do, to try to limit the amount of data that is out there. Any other protections must come via laws. Given that the US is in a downward, 900mph spiral race to the bottom, I wouldn't hold your breath waiting for a politician to save you. There are only one or two who have not sold their mother, spouse, and children's souls to the lowest bidder for peanuts.
[ link to this | view in chronology ]
Re: Re: Re: Re: who cares
Your guidance includes advice to monitor the logs, then block as necessary. By definition we can't reach 100% if we let things through and then block. Nor can you realistically say you're going to get us to 100% and then give an incomplete list of examples (how about doubleclick.net?).
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: who cares
First, read where I stated "First, use a few addons such as ublock origin...". Ublock origin blocks all privacy invading domains BEFORE connection. If you really worked in IT as a professional, then you would not be embarrassing yourself typing nonsense such as, "(how about doubleclick.net?)".
Furthermore, where you write, "And then give an incomplete list of examples", go back and read my original post, where it states "concise example snippets". A 15 yo child knows what those words mean in combination. See the definitions at the end of this post for a reminder of what words mean. Fact is, you seem to be very ignorant about technology and your reading comprehension compounds your problems.
As far as your concern over "monitoring dnscrypt logs", I see a few mental inefficiencies in your interpretations of our dialogue. My ACTUAL advice was, "Monitor all dnscrypt logs for ROGUE APPS and block when necessary." But your glue disabled mind did not take note of the terms "rogue apps". It also missed my advice about setting up "tight firewall rules".
So, let me help you; yet again. The way the internet works is, a rogue app first looks up an ip address. This is where dnscrypt comes in, working as a flag that informs you something is wrong. The rogue app then attempts to connect to that ip. But, because a careful reader would have setup "tight firewall rules", that rogue app's connection would have been blocked. In fact, if you are smart, you have several lines of defense to block rogue connections, not just the host firewall & dnscrypt. If you really worked in IT as a professional, then you would know all of this wouldn't you. Call me old fashioned, but I feel someone like you who sniffs glue while mopping floors at a data center is not the same as actually working in tech.
Extra credit, if privacy is important to you, NEVER allow your mobile phone to access the internet. The second you do, you just joined ranks with the non-tech masses.
Research how third party tracking ACTUALLY works, along with how google ACTUALLY tracks you across domains, along with the high effectiveness of Firefox's native third party tracker blocking (compounded in effectiveness with ublock origin).
Then, see my advice about blocking port 80. Then, combine all of this advice with disabling javascript, using dnscrypt, et al. All combined, you can effectively block any domain you wish; including the blocking MS windows spyware. You have the logs to prove it. You can further absolutely prove your work by placing a Unix (not windows) wireshark box between your browsing virtual machine and your hardware firewall (as an IT pro, you are using a locked down vm to browse and a hardware firewall to protect your network, right?). Fact is, ms, google, twitter, fb, et al are not even aware I exist on the internet.
Note, js is a big killer in user privacy. But if you need js so you can tweet about your hurt butt, Firefox has many settings to limit that damage; such as disabling WebRTC, GL, etc... You also have 100s of other protective about:config settings, such as
about:config?filter=security.mixed_content.block_display_content
about:config?filter=security.mixed_content.block_active_content
about:config?filter=beacon.enabled
about:config?filter=dom.storage.enabled
+ 100s more
You being an IT pro and concerned about privacy knew to use Firefox and not chrome, and also how to setup a box for privacy, right?
[ link to this | view in chronology ]
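An added example, not written by any commenter and not taken from dnscrypt-proxy: the "watch the DNS log, flag the lookup, then block" idea from the thread, applied to the wildcard patterns quoted in the earlier comment. The log layout, the sample lines and every function name are assumptions made for this sketch, and `fnmatch` only approximates how a resolver would interpret such patterns.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Wildcard patterns taken from the cloaking/blacklist snippets quoted in the thread.
PATTERNS = [
    "*googleapis*",
    "*gstatic.*",
    "*google-analytics*",
    "cs9.wac.phicdn.net",
    "*google.com*",
    "*youtube.com*",
    "*windowsupdate*",
    "*telemetry.*",
]

# Constructed sample log. The tab-separated layout (time, client, name, type)
# is an assumption for this example, not dnscrypt-proxy's own log format.
SAMPLE_LOG = (
    "2018-09-14T10:00:01\t192.168.1.20\twww.example.org.\tA\n"
    "2018-09-14T10:00:02\t192.168.1.20\tFonts.GStatic.com\tA\n"
    "2018-09-14T10:00:05\t192.168.1.31\tv10.telemetry.example.net\tAAAA\n"
    "2018-09-14T10:00:07\t192.168.1.31\tcs9.wac.phicdn.net.\tA\n"
    "garbage line without tabs\n"
    "2018-09-14T10:00:09\t192.168.1.31\twww.google-analytics.com\tA\n"
)


def normalize(name):
    """Lower-case the query name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def first_match(name, patterns=PATTERNS):
    """Return the first pattern matching the normalized name, else None."""
    host = normalize(name)
    for pattern in patterns:
        if fnmatchcase(host, pattern.lower()):
            return pattern
    return None


def scan(log_text, patterns=PATTERNS):
    """Return (hits, skipped); each hit is (time, client, name, pattern)."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:  # malformed record: count it, do not guess
            skipped += 1
            continue
        when, client, name, _qtype = fields
        pattern = first_match(name, patterns)
        if pattern:
            hits.append((when, client, normalize(name), pattern))
    return hits, skipped


def hits_per_client(hits):
    """Count flagged lookups per client address, to spot the noisy host."""
    return dict(Counter(client for _, client, _, _ in hits))


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for when, client, name, pattern in found:
        print(f"{when} {client} {name} matched {pattern}")
    print("per client:", hits_per_client(found), "| malformed lines:", bad)
```

Substring patterns such as `*google.com*` also match unrelated names like `notgoogle.com.example.test`, so a flagged lookup is a prompt to investigate the client, not proof of what it was doing.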
Re: Re: Re: Re: Re: Re: who cares
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: who cares
[ link to this | view in chronology ]
This reminds me of the time FB suggested users upload their nudes so that FB could prevent revenge porn or something like that.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
I have higher priorities, like trying to get you to stop being an idiot and be able to think for yourself and not rely on others to hand feed you a bunch of bogus information designed to sucker you like a dope!
Once you like truth you will then start to like me, because people that like truth stop getting butthurt when truth appears on the scene. They begin to welcome it!
[ link to this | view in chronology ]
Re: Re: Re: Re:
You don ot understand "truth"> And by "truth" I mean Paint CHIPS. Truth is the "brand" of PAINT that I like to Buy. It contains LEAD because I am knot a KNOB who does not eat LEAD. Regulations are BAD and both "sies" are BAD and you are STUPID KNOBS who do NOT "see" the Truth! Why would I want you to "like" me, you Knobs? I wnt you to LISTEN to "me", not Like me. The two things are "obiovously" toally UN related, as anybody who is SMART and understands "truth", like Me, can Tell you! You knob!
One day you will "see" and you will "like Truth", because you will eat Paint chips like "me". And than at Last I will have "friends" and people who "like" me.
Every Nation eats the Paint chips it Deserves!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
How have the paint chips been? Are they nice and tasty still?
Now, I don't know if every nation eats the paint chips they deserve, but I can tell them that they need to get up early to get their fair share before you eat it all.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Yeah, like posting on a forum of knobw and idiots. You're not very bright, are you?
[ link to this | view in chronology ]
Re: Re:
Oh, I get it... you're trying to get voted funny before the week finishes.
[ link to this | view in chronology ]
Re: Re:
Uploading your nudes to FB will not do it for me, but thanks anyways.
[ link to this | view in chronology ]
Let's not go with "SIM hijacking"
How about "the telco fucked up and gave a criminal access to the account"?
[ link to this | view in chronology ]
Re: Let's not go with "SIM hijacking"
[ link to this | view in chronology ]
Re: Re: Let's not go with "SIM hijacking"
Nobody staged a heist on a SIM truck. The telco reps were not held at gunpoint until they let criminals into the account. They were simply incompetent.
[ link to this | view in chronology ]
Re: Re: Re: Let's not go with "SIM hijacking"
The person whose identity used will have to deal with the fall out, like all those credit histories that need fixing.
[ link to this | view in chronology ]
Re: Re: Re: Re: Let's not go with "SIM hijacking"
That's still the bank's fault. The person would be a victim of the bank's incompetence, and banks should be held liable for the results. Legally, if the bank can't prove they took the loan, they should be required to fix the damn problem—e.g., retract the lies they told to the credit agencies. (Legally BTW, they are: the FCRA requires them to correct the report; the FDCPA requires them to stop contacting you after you dispute the debt, and to not report false information to a credit agency. But we pretend like the client lost their identity—should've been more careful with it!—and don't hold lenders to account.)
[ link to this | view in chronology ]
Re: Re: Re: Let's not go with "SIM hijacking"
[ link to this | view in chronology ]
Re: Re: Re: Re: Let's not go with "SIM hijacking"
[ link to this | view in chronology ]