Another Day, Another Massive Cellular Location Data Privacy Scandal We'll Probably Do Nothing About

from the ill-communication dept

We've noted a few times now that while Facebook gets a lot of justified heat for its privacy scandals, the stuff going on in the cellular data and app market in regards to location data makes many of Facebook's privacy issues seem like a grade-school picnic. That's something that was pretty well highlighted by the recent Securus and LocationSmart scandals, which showcased perfectly how cellular carriers and location data brokers routinely buy and sell your daily travel habits with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards.

This week, Joseph Cox at Motherboard dropped yet another bombshell report on this subject, noting how he was easily able to pay a bounty hunter $300 to obtain the (supposedly) private location data collected by his cellular provider (T-Mobile). Much like the Securus scandal, the problem once again is the countless location data brokers and third party vendors which are being sold this data, then doing pretty much whatever they'd like with it. In this instance, his data was collected by T-Mobile, shared with brokers and aggregators like Microbilt and Zumingo, then in turn shared with bail bond outfits and private investigators:

"Microbilt buys access to location data from an aggregator called Zumigo and then sells it to a dizzying number of sectors, including landlords to scope out potential renters; motor vehicle salesmen, and others who are conducting credit checks. Armed with just a phone number, Microbilt’s “Mobile Device Verify” product can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service."

Cellular carriers make a small fortune collecting and selling this data, and there's virtually no oversight of the practice. Consumers often sign one privacy agreement with their cellular provider, which in turn is then broadly interpreted as a green light down a long road of companies which then collect and sell that data in turn. As we saw with the Securus scandal (when a local Sheriff was busted snooping on the private cellular location data of Judges and fellow law enforcement officers), everybody in this chain of dysfunction likes to play stupid when the problem repeatedly comes to light. The same thing occurred here:

“We take the privacy and security of our customers’ information very seriously and will not tolerate any misuse of our customers’ data,” A T-Mobile spokesperson told Motherboard in an emailed statement. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data. T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”

When the NY Times broke the Securus scandal story last year, cellular carriers all played stupid, insisted they'd ceased the sale of such data, and breathlessly assured everybody that this behavior wouldn't happen again. When Senator Ron Wyden complained, you might recall that T-Mobile CEO John Legere took to Twitter at the time to insist he'd learned the error of his ways:

Apparently not.

Needless to say, Wyden, who has been pushing new privacy legislation, isn't particularly impressed:

If you were an industry hoping to avoid government regulation of your business, you'd think you'd be a little more cautious in the way you treat private data. But as we've noted countless times, this kind of cavalier treatment of private data is the norm for telecom. From hoovering up your clickstream data to covertly modifying data packets to track you around the internet, telecom has long played fast and loose with consumers' private data. Some have even flirted with the idea of only seriously respecting your privacy if you pay an additional fee, effectively making consumer privacy a luxury feature.

So while broadband giants will surely whine incessantly during the looming quest to pass some meaningful rules of the road, it's worth remembering they had ample opportunities, over decades, to avoid stricter government intervention by adopting better, more ethical business practices. It's also worth reminding folks that ISPs lobbied furiously to convince the GOP to kill some fairly basic privacy protections at the FCC that would have required ISPs clearly inform users who is buying and selling this data, giving users a little more control over how it was shared.

And it's also worth noting that even without legislation or those rules, the FCC still has Section 222 authority to police this kind of behavior. While the FCC's privacy rules were killed, mobile carriers are still subject to CPNI rules for voice calls, which were expanded in 2005 to include subscriber location information. The bottom line is that the Ajit Pai FCC could easily address this problem using the authority it has now, they've just chosen not to because it might just hurt telecom revenues. The FTC could also probably ding T-Mobile for being "unfair and deceptive" under Section 5 of the FTC act, yet has been similarly mute as carriers bullshit their way around their failures on this front.

All of that said, there's countless folks who think they're taking meaningful steps to protect their privacy by deleting Facebook (or on-phone apps), yet are oblivious to the perils of walking around with a stock carrier phone in their pocket. It might be time to stop being quite so collectively naive about US privacy practices if we're going to have a serious (and undeniably difficult) adult conversation on what privacy rules of the road should look like. One thing we can probably mostly agree upon: this practice of hoovering up your every move and selling it to an ocean of companies with little to no real attempt to protect it is behavior we need to change, one way or another.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bounty hunters, john legere, location data, mobile operators, privacy, ron wyden, selling data
Companies: at&t, microbilt, sprint, t-mobile, verizon, zumingo


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 9 Jan 2019 @ 11:01am

    Pessimism is anti-American

    … Scandal We'll Probably Do Nothing About

    If there was one enduring American political principle President Ron Reagan understood down to his bones — Americans adore optimisism in their politicians: America can be a better place.

    So quit feeling depressed: It's a new Congress now. A new day.

    Write your congressmen. Call your representatives. Tell them we deserve better. Tell them to right this wrong. Demand that they fix this scandal.

    America can be better. No more Carterism! Carter's malaise is a loser!

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 9 Jan 2019 @ 11:31am

    Re: Pessimism is anti-American

    And all the law enforcement and security agencies will be crying out about risking an increase in the darkness if something is done about this problem.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 9 Jan 2019 @ 11:37am

    Re: Pessimism is anti-American

    Carter is so last century.

    link to this | view in thread ]

  4. icon
    Gary (profile), 9 Jan 2019 @ 11:38am

    Ownership

    Hey, it's Sprint's network. They own it, and can do whatever they want with it, right? Privacy regulations are just big government butting in where it doesn't belong. /s

    link to this | view in thread ]

  5. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 9 Jan 2019 @ 11:41am

    > Another Massive <fill in the blank> Data Privacy Scandal We'll Probably Do Nothing About

    This will continue as long as people like Masnick screech about how terrible it would be for the "tech" (surveillance) industry and the world if the US ever implemented any kind of law to protect the privacy of its citizens.

    After all, we know we can trust massive corporations to "self regulate", since it has been working so well for Facebook, Google, Comcast, Verizon, AT&T and the rest. Actual laws and accountability might "stop them from 'innovating'".

    For an example of the many horrors that might come from such a law, just look at all of the poor EU citizens who, thanks to the evil anti-innovation GDPR, can no longer count on Facebook to subject them to algorithmic swatting in order to protect them from killing themselves!

    link to this | view in thread ]

  6. icon
    Mason Wheeler (profile), 9 Jan 2019 @ 11:56am

    Re: Pessimism is anti-American

    Didn't Winston Churchill say that Americans can always be counted on to do the right thing... after they've tried every other option?

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 9 Jan 2019 @ 12:03pm

    Re: Re: Pessimism is anti-American

    Carter is so last century.

    Some vocabulary then, for all the kids. From the Merriam-Webster dictionary…

    malaise – noun

    Did You Know?

    Malaise, which ultimately traces back to Old French, has been part of English since the mid-18th century. One of its most notable uses, however, came in 1979 - well, sort of. President Jimmy Carter never actually used the word in his July 15 televised address, but it became known as the malaise speech all the same. In the speech, Carter described the U.S. as a nation facing a crisis of confidence and rife with paralysis and stagnation and drift. He spoke of a national malaise a few days later, and it's not hard to see why the malaise name stuck. The speech was praised by some and criticized by many others, but whatever your politics, it remains a vivid illustration of the meaning of malaise.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 9 Jan 2019 @ 12:13pm

    How is this "another" scandal?

    Should we really be calling these the Securus scandal, the LocationSmart scandal, the Microbilt scandal, etc.? It's like we're going out of our way to call it the T-Mobile, Sprint, AT&T, and Verizon scandal. There's nothing new here. This is the same scandal, continuing, because they never stopped selling the data. They just stopped selling to certain companies.

    Well, T-Mobile now say they won't sell to any "shady middlemen" (anymore; shady business dealings were totally OK under last week's policy). How about selling it to nobody? If I want roadside assistance to find me, I can install an app or explicitly tell my carrier to give it (not sell it) to them; they don't need to trust some company that, wink wink, claims they got my permission. (Of course the carriers know what that means, because they never actually got any customer's permission to sell the data either.)

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 9 Jan 2019 @ 12:17pm

    Re:

    bullshit. quit conflating different sectors and one's ability to avoid doing business with them or not. that being said, fb and teh goog and ... well everyone else, not just in the "tech" (loose weird grouping of vaguely IT-related businesses) are horrible with privacy. and you are still full of shit if you claim that Mike Masnick has ever indicated he was cool with that. The problem is that laws have to be good laws, not bad ones that actually make things worse for privacy and add in five other awful consequences. The GDPR has good points, but quite apparently also many bad points and is written and executed horribly.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 9 Jan 2019 @ 12:18pm

    i guess it all depended on what anyone's definition of "shady" is.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 9 Jan 2019 @ 12:39pm

    Harris Corp

    Why are the police wasting money on cell site simulators?

    This seems easier quicker and cheaper - plus no warrant necessary!

    link to this | view in thread ]

  12. icon
    Uriel-238 (profile), 9 Jan 2019 @ 12:57pm

    Write your congressperson...

    But, as Larry Lessig has statistically proven, the chances your letter (and a few thousand more) will change that representative's policy without a $1000+ campaign contribution are 0.00%

    Optimism is great, but solutions that actually work are what's needed. Petitioning the government regarding grievances does not.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 9 Jan 2019 @ 12:57pm

    Re:

    Yeah, hit that straw.

    link to this | view in thread ]

  14. icon
    Uriel-238 (profile), 9 Jan 2019 @ 1:01pm

    "No warrant necessary!"

    When parallel reconstruction is successfully implemented, no warrant is ever necessary.

    But bribing a guy is definitely on the fruit-of-the-poisonous-tree side of the evidence fence. It would have to be laundered out.

    link to this | view in thread ]

  15. icon
    Thad (profile), 9 Jan 2019 @ 1:17pm

    Re: Write your congressperson...

    But, as Larry Lessig has statistically proven, the chances your letter (and a few thousand more) will change that representative's policy without a $1000+ campaign contribution are 0.00%

    If the message you get out of Lessig's work is "don't even try", then I think you've greatly misunderstood his point.

    To the best of my knowledge, Lessig hasn't said anything about my representative -- because my representative has only been in office for a week.

    link to this | view in thread ]

  16. icon
    Thad (profile), 9 Jan 2019 @ 1:18pm

    Re: Ownership

    Don't feed the trolls.

    Especially don't feed them when they haven't even shown up yet.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 9 Jan 2019 @ 1:29pm

    Re: Write your congressperson...

    Petitioning the government regarding grievances does not.

    Oh, so it was all those kilobuck contributions that defeated SOPA and PIPA? Of course, optimism should always be tempered with a healthy does of realism.

    Like Thad, my new representative has only been in office for a week.

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 9 Jan 2019 @ 2:02pm

    Re: Ownership

    I fail to see the similarity.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 9 Jan 2019 @ 2:04pm

    Re:

    "This will continue as long as people like Masnick screech about how terrible it would be for the "tech" (surveillance) industry and the world if the US ever implemented any kind of law to protect the privacy of its citizens."

    When did he say that?

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 9 Jan 2019 @ 2:12pm

    Re: "No warrant necessary!"

    Or get a warrant for the records that they have seen and know will support their case.

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 9 Jan 2019 @ 3:35pm

    Lead for the lead throne!

    Paint for the paint god!

    link to this | view in thread ]

  22. icon
    Coyne Tibbets (profile), 9 Jan 2019 @ 5:43pm

    Oops

    Another Day, Another Massive Cellular Location Data Privacy Scandal We'll Probably Do Nothing About

    The word "probably" is not usually used for certainties, Karl.

    link to this | view in thread ]

  23. identicon
    Smartassicus the Roman, 9 Jan 2019 @ 7:06pm

    Not I, Said the Duck

    This is simple yo fix. Dump your cell phone. If you can't, cover the GPS antenna with foil and use a GPS spoofer. And keep it in airplane mode until you need to make a call.

    link to this | view in thread ]

  24. icon
    Uriel-238 (profile), 10 Jan 2019 @ 1:29am

    Re: Re: Write your congressperson...

    Thad, the sentiment don't even try is not what I got out of it. By all means, do something, but you are going to need more than a lance to take down this giant.

    Anonymous Coward, Regarding for SOPA and PIPA, they were killed (well, momentarily routed) by an internet blitz. Feel free to organize one, or, like the SOPA blackouts, find a way to spread your message to 160 million people.

    Lessig's point was that until we get money out of politics, until we have a massive election reform, we can't rely on our representatives for anything else. Not police reform, not environmental conservation and certainly not telephone privacy.

    But yeah, maybe our new representatives have seen the light and have figured out how to campaign without huge benefactors. I think waiting for them to come around is kinda like waiting for Trump to break and pass a budget without wall funding. Unless you're using a lot of (proverbial) dynamite, you can expect to be disappointed.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 10 Jan 2019 @ 2:31am

    Re: Not I, Said the Duck

    Do you do that?

    No?

    STFU

    link to this | view in thread ]

  26. icon
    Thad (profile), 10 Jan 2019 @ 7:25am

    Re: Re: Re: Write your congressperson...

    Anonymous Coward, Regarding for SOPA and PIPA, they were killed (well, momentarily routed) by an internet blitz.

    Which is another way of saying that representatives received a few thousand letters.

    Lessig's point was that until we get money out of politics, until we have a massive election reform, we can't rely on our representatives for anything else. Not police reform, not environmental conservation and certainly not telephone privacy.

    But he's also campaigned to elect people to Congress (and other offices) who are not beholden to special interests. He's never suggested that working through Congress was a waste of time. And if he's "statistically proven" that it's impossible to change a representative's policy position without paying them, that's news to me.

    Lessig's point is that financial corruption makes it much harder for individuals to influence their representatives; that much is true. But it wasn't that we can't achieve anything at all until we pass campaign finance reform. And if he did say that, he was plainly wrong; there have been positive changes in the government over the past decade (healthcare, ending DADT, reducing sentencing guidelines, a state-by-state push to legalize marijuana -- those are off the top of my head), even if they haven't gone as far as I'd like them to.

    Lessig's point that the American government favors special interests over individuals is a true one. But you're carrying it to an absurd endpoint. His point was never "Don't call your representatives; it won't matter." That's a sort of lazy fatalism that I would never associate with Lessig.

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 11 Jan 2019 @ 7:35am

    Karl, please stop using the word "breathlessly". Thanks.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.