It's Apparently Easy To Pretend To Be A Cop, Grab Location Data From Cellular Carriers
from the ill-communication dept
While Facebook tends to get the lion's share of (deserved) criticism, the telecom sector continues to make its case for being the absolute worst when it comes to protecting your private data. Scandal after scandal have highlighted how wireless carriers routinely collect and store your daily location data, then sell that data to a universe of shady middlemen with little to no oversight as to how the data is used. Users sign one overlong privacy policy with their wireless carrier, and that policy is being read to mean consumers sign off on the practice, which they certainly haven't.
This week journalist Joseph Cox again highlighted the problems on the location data front, reporting how many stalkers and debt collectors are able to get access to this data without paying for it. How? By pretending to be law enforcement officers:
"...bounty hunters and people with histories of domestic violence have managed to trick telecommunications companies into providing real-time location data by simply impersonating US officials over the phone and email, according to court records and multiple sources familiar with the technique. In some cases, these people abuse telecom company policies created to give law enforcement real-time location data without a court order in “exigent circumstances,” such as when there is the imminent threat of physical harm to a victim.
In addition to cellular tower location data, carriers were also recently busted selling A-GPS data, which is supposed to be protected by FCC data rules. Despite significant reporting on this subject and carrier promises to stop collecting and selling this data, this practice is still ongoing. Like Facebook, these are companies that are staring down the barrel of looming regulation -- and still somehow can't seem to find the motivation to behave. Regulators at the Ajit Pai FCC have also sat on their hands and have yet to issue so much as a warning to cellular carriers.
At least one skiptracer told Motherboard that wireless carriers remain several steps behind in trying to crack down on the practice:
"So many people are doing that and the telcos have been very stupid about it. They have not done due diligence and called the police [departments] directly to verify the case or vet the identity of the person calling,” Valerie McGilvrey, a skiptracer who said she has bought phone location data from those who obtained access to it, told Motherboard. A skiptracer is someone tasked with finding out where people, typically fugitives on the run or those who owe a debt, are located."
In many instances the third parties are exploiting telecom company procedures for "exigent circumstances," allowing them to request and receive real-time location data by fabricating law enforcement data request documents telecom operators aren't properly verifying. Of course as the New York Times noted more than a year ago, law enforcement officers have also been busted abusing this system to spy on judges and other law enforcement officers.
Like so many sectors, wireless carriers were so excited by the billions to be made selling your daily habits, they forgot to actually protect that data. As reporters like Cox continue to dig deeper, you have to think that many cellular carriers are scrambling hard to clean up their mess as inevitable class action lawsuits and regulatory investigations wait in the wings. This scandal is getting so ugly, even the carrier-cozy Trump FCC may, at some point, be forced to actually do something about it.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bounty hunters, data sharing, debt collectors, exigent circumstances, impersonation, law enforcement, location info, privacy, stalkers, telcos
Reader Comments
Subscribe: RSS
View by: Time | Thread
I thought impersonating a police officer was illegal.
So much for rule of law.
[ link to this | view in chronology ]
Re:
Illegality only matters if the crime gets reported. In this case, the telecom company suffers little or no harm, so they have no motivation to investigate (even after the fact) whether the request was legitimate. At worst, their harm is they might have charged the requester a bigger fee if the request had not been classified as "law enforcement/time sensitive." The stalkee likely never learns how their data was obtained, so they don't know to report a crime. The impersonator obviously will not self-report. That leaves us with no one who actually reports the crime, so there's no investigation, no arrests, and no prosecution.
Compare this impersonation to a fake officer stopping someone on the street and physically abusing the victim. The victim will likely start out trying to file a police brutality report, then the cops will point out that the offender was not a police officer at all. That gives at least the potential for someone to realize that there is a fake officer out there abusing people.
[ link to this | view in chronology ]
Re:
Rule of law? That went out the window during Cheney/Jr.
It's survival by uncivil means today. Especially in the pursuit of power.
[ link to this | view in chronology ]
Section 230? Blame the individual.
This? Blame the platform.
[ link to this | view in chronology ]
Re:
You aren't that smart it seems.
Section 230 has nothing to do with this.
[ link to this | view in chronology ]
Re: Re:
Cool response bro
[ link to this | view in chronology ]
Re: Re:
The platform (the companies) are not to blame here, since it's illegal to impersonate law enforcement. They have every right to believe that someone who claims to be from law enforcement is telling the truth. Even if they investigate, that too can be faked, so the problem is with the individual bad actor, at least according to "Section 230 logic." (or "DMCA logic" or "Article 13 logic").
[ link to this | view in chronology ]
Re: Re: Re:
Techdirt has argued that platforms shouldn't be blindly accepting DMCA takedown notices either.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Also -
"Platforms not being wrongly liable for obviously truthful third-party warnings of Jhon Smith's scam(s)" = good
"Service providers give out peoples' private information to just about anyone" = not so good
[ link to this | view in chronology ]
Re: Re: Re:
Then maybe paperwork should be required for every request....like a warrant. In this day and age its trivial to get a telephonic warrant and have it sent somewhere in short order.
[ link to this | view in chronology ]
Re:
Without section 230 the platforms would have to be perfect at filtering out all illegal material, if even a sliver of them got past the filters the cost would be ruinous.
With this, no one is asking for perfection, just that the carriers develop some method of vetting calls claiming to be cops.
[ link to this | view in chronology ]
Get us a map of everywhere Trump, Pai, and the top telco CEOs and lobbyists have been for the past year, and we'll see some changes.
[ link to this | view in chronology ]
These statements seem to contradict one another.
[ link to this | view in chronology ]
Re:
It is rather poorly worded there. For it to not be contradictory, the article should point to which regulation is looming - chances are it's sourced from Congress as opposed to the FCC.
[ link to this | view in chronology ]
Maybe they had a golden key?
Please, tell me more about how we should demand companies break their encryption systems so that "only police" will be given access to our private communications, documents, bank accounts, and other private sundries.
[ link to this | view in chronology ]
The police police train companies to hand over information on demand, without a warrant and without question. That makes it easier for anybody to demand and get information.
[ link to this | view in chronology ]
Re: why it matters
And that complacency is exactly why allowing anything "for police only" is dangerous to have. Even when there are better rules in place to stop outsiders from abusing the system, the intended users of the system can still abuse it. We have many examples of that happening at local to federal levels of intelligence and law enforcement. Even private companies internally have problems with this.
So why do politicians and others think its okay to open up encryption among other things? Because they believe falsely their program/situation is special and will not be abused (at least not severely). Or they don't care about the negative impacts because they feel it will be outweighed by the possibility of getting crooks by skirting the rules themselves.
If a means or system is established to curtail the rules for one trusted group, eventually others outside of your trust circle will have access to curtail the rules too. And when that happens you are truly screwed.
[ link to this | view in chronology ]
Re: Re: why it matters
Not to mention it is inherently authoritarian - which by design bad actors can play like a goddamned fiddle.
[ link to this | view in chronology ]
But is getting this info easier or harder than getting millions in military hardware?
[ link to this | view in chronology ]
It's techniques like these...
That the resistance should pay attention to.
Much the way the Temple of Satan serves as the bad guy to keep religion out of state business, the resistance could serve to assure bureaucratic and technical systems are defended against abuse.
Because vectors of abuse like this easily get turned into business models.
[ link to this | view in chronology ]
Wrong angle
This is basic social engineering. THAT will always be there.
The problem that the data is being collected and stored, not that you can browbeat or sweet-talk some clerk into releasing it.
[ link to this | view in chronology ]
Law enforcement likes to push laws making their lives easier, like by standardizing ID cards ("REAL ID"). So, how about we propose "COP ID" and say anyone claiming to be a cop had better provide an ID card with cryptographic verification via NFC. And any service provider had better check that any document claiming to be from a cop has a valid cryptographic signature from an actual cop, or else they'll be liable under privacy laws (I mean, if we had privacy laws for this stuff).
A good social engineer might work around it, notably by tricking actual cops; at least we could make it significantly harder.
[ link to this | view in chronology ]
Re:
We DO have "CopID". The badge number.
The "fix" is really fairly simple - the ONLY people who can disclose information is the telco Legal Department.
Cop calls, gives name, badge number, precinct, legal dept clerk calls the precinct and verifies before releasing information.
I don't know what department is being called currently, but I've found that calling the telco, ISP, or power company means two hours on hold. So they're using "not for public use" lines to contact the phone companies.
[ link to this | view in chronology ]
Re: Re:
If the badge number is valid, how do they verify it's really the cop calling? How do they even know what's a valid precinct and what the proper contact number is? Wikipedia says "There are 17,985 U.S. police agencies in the United States".
[ link to this | view in chronology ]
One might think people would have learned the lessons of the past, but the stupid always think it will never happen to them.
We had gangs with purchased access to credit reports & info... and we are shocked that they managed to get access to other information?
Until there are punishments that actually hurt the bottom line this will continue with corps collecting the cash & pretending there was no way they could have stopped the evil hackers.
[ link to this | view in chronology ]
National security letters
I am not surprised. What I am surprised about is that no one has done the same with national security letters. Those seem a perfect target for this kind of cheating, because they threaten prison and at the same time you don't even dare ask the FBI if they're valid.
Mostly what these incidents show is that you can't trust companies to defend your privacy.
[ link to this | view in chronology ]
Re: National security letters
How do you know that they haven't, because if they are believed the recipients will not talk about them. That is the benefit of a gag clause.
[ link to this | view in chronology ]
Re: Re: National security letters
More to the point: how would anyone, even the FBI or DOJ, find out? The perfect crime?
[ link to this | view in chronology ]
Cellular company sell user data
According to the Supreme Court, if the government puts a GPS tracker on you, your car, or any of your personal effects, it counts as a search—and is therefore protected by the Fourth Amendment and requires a warrant approved by a judge.
OR, they can send a note on letterhead and get the same info over the phone from Securus.
That's what rots my socks. Police jump from one technology to the next and so long as the Supreme Court doesn't specifically BAN the method, they do it. I call it exempting themselves from the rule of law. And, at least it's unethical.
Will police stop doing this now they have been found out, and despite what the SC says?
[ link to this | view in chronology ]
I know the "cops can't get a job if they're too smart" thing is technically incorrect.
News like this, though, make it harder to believe that it is, in fact, not quite accurate.
But then you consider the guys who have to toss flashbangs and rifle fire at fleeing naked men to feel secure and this sort of gaffe starts feeling like the norm, not the exception.
[ link to this | view in chronology ]
Re:
Well that sort of thing comes naturally to sociopaths - they don't have to be smart and stupid ones are more violent...
[ link to this | view in chronology ]