NY Times Shows The Scope Of The Cell Location Data Scandal Nobody's Doing Anything About

from the ill-communication dept

First there was the Securus and LocationSmart scandal, which showcased how cellular carriers and data brokers buy and sell your daily movement data with only a fleeting effort to ensure all of the subsequent buyers and sellers of that data adhere to basic privacy and security standards. Then there was the blockbuster report by Motherboard showing how this data routinely ends up in the hands of everyone from bail bondsman to stalkers, again, with only a fleeting effort made to ensure the data itself is used ethically and responsibly.

Throughout it all, government has refused to lift a finger to address the problem, presumably because lobbyists don't want government upsetting the profitable apple cart, or because too many folks still labor under the illusion that this sort of widespread dysfunction will be fixed by a clearly broken and unaccountable US telecom market.

Enter the New York Times, which this week grabbed a hold of a massive data set from a broker, highlighting the scope of this problem. The dataset includes 50 billion location pings from the phones of more than 12 million Americans as they traveled around Washington DC, New York, San Francisco and Los Angeles. In this case the data came from a location data company that hoovers the data up from apps, though cellular carriers and appmakers alike have been equally complicit.

The report is part of a 7-part series highlighting just how big the problem has become, and just how little we're doing about it:

Each piece of information in this file represents the precise location of a single smartphone over a period of several months in 2016 and 2017. The data was provided to Times Opinion by sources who asked to remain anonymous because they were not authorized to share it and could face severe penalties for doing so. The sources of the information said they had grown alarmed about how it might be abused and urgently wanted to inform the public and lawmakers.

While cellular carriers have promised that they no longer sell that data after a parade of scandals, nobody has independently confirmed that claim. Nor has anybody asked what they're doing with the data already collected over the last decade. And despite claims of an investigation at the FCC, there are indications the agency is dragging its feet on the inquiry to help run out the clock on the statute of limitations for carrier culpablity. This is the ultimate cost of regulatory capture: profits trump all else, including basic, fundamental human rights.

While carriers and data brokers continue to say this is all just fine because people consent to be tracked and the data is anonymized, it's nice to see the Times point out that studies routinely highlight that anonymized data is far from anonymous. The Times found it wasn't particularly difficult to identify individuals and build detailed profiles based on their movement data:

Reporters hoping to evade other forms of surveillance by meeting in person with a source might want to rethink that practice. Every major newsroom covered by the data contained dozens of pings; we easily traced one Washington Post journalist through Arlington, Va.

In other cases, there were detours to hotels and late-night visits to the homes of prominent people. One person, plucked from the data in Los Angeles nearly at random, was found traveling to and from roadside motels multiple times, for visits of only a few hours each time. While these pointillist pings don’t in themselves reveal a complete picture, a lot can be gleaned by examining the date, time and length of time at each point.

The perils of what we're building here should be obvious. And it's fairly obvious that even bigger scandals on this front are waiting in the wings until we collectively demand some basic privacy guidelines for the internet era. This again highlights the myopia in DC policy circles, which have been focused in recent years almost exclusively on the perils of "big tech," while "big telecom" gets a free pass despite engaging in the exact same (or worse) behavior.

Filed Under: cell site location data, data brokers, location data, privacy

Wireless Carriers Hope You Won't Notice Their Location Data Scandal Makes The Facebook, Cambridge Fracas Look Like Amateur Hour

from the ill-communication dept

When the Facebook, Cambridge Analytica scandal broke, we noted that however bad you thought that scandal was (and it certainly was bad), it couldn't hold a candle to the routine privacy abuses that have occurred in the telecom sector for the better part of the last few decades. From charging consumers hundreds of additional dollars annually to opt out of snoopvertising, to the use of private user financial data to justify providing even worse customer service, the broadband industry has long been the poster child for privacy abuses without much in the way of practical public penalty.

It's just as bad on the wireless side, where carriers like Verizon have routinely have been caught modifying user data packets to track users around the internet (without telling them or providing opt out tools), and selling user browsing, app-usage and location data to everyone that comes calling. That's before you even touch on the fact that these companies are practically bone grafted to the NSA and other intelligence services.

As such, we noted how if you were part of the #DeleteFacebook set but were still rolling around using a stock phone on an incumbent carrier network, you failed to understand that Facebook's casual treatment of private consumer data was the cross-industry norm, not some errant exception.

The Location Smart and Securus scandals (which exposed the data of 200 million cell users) quickly proved our point. Thanks to lax handling of private location data by cellular carriers and third-party brokers, those scandals quickly highlighted how anonymized data isn't really anonymous, and this data can and is routinely abused by everybody in this chain of dysfunction (including law enforcement). Oddly, even in the wake of those reports, people still seemed to view the Cambridge, Facebook fracas as somehow far more scandalous, most likely because of that particular story's political undertones.

Clearly hoping to get ahead of the scandal before the press, public and regulators realized the depths of this particular rabbit hole, Verizon proclaimed that the company would be ending all sales of location data to third party data brokers. The company announced the decision (pdf) in a letter responding to inquiries by Senator Ron Wyden, who had begun to apply some pressure on mobile carriers. From the letter:

"We conducted a comprehensive review of our location aggregator program. As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices."

Verizon announced it would be suspending all data sales to location data brokers like LocationSmart and Zumigo, which the company acknowledged sold that data in turn to a roster of more than 75 different companies. And, in short, it's promising to suspend such data sales at least until it can ensure that data is actually secure (what an incredibly novel idea). Who'll actually confirm this data is secure before the program is restarted isn't clear; you'll apparently just have to trust a company with a several-decades history of severe privacy violations and blatant false statements.

Like the Facebook scandal, there wasn't much in place to really ensure that often real-time data remained protected, something made clear when the LocationSmart scandal revealed that one Missouri Sheriff routinely (ab)used the system to spy on Judges and fellow law enforcement officers without much legitimate justification (or pesky warrants). In subsequent statements to the press, Verizon has tried to argue that the company quickly took steps to thwart the abuse:

"When these issues were brought to our attention, we took immediate steps to stop it. Customer privacy and security remain a top priority for our customers and our company. We stand-by that commitment to our customers."

But again, this was Verizon only acting after the horses escaped from the barn, suggesting that no, privacy and security was not a top priority. If Verizon's self-auditing was so stellar, it seems curious it never self-identified the potential for the kind of abuse the LocationSmart and Securus scandals revealed. Or the self-audits did reveal problems, but the money made from selling this data made actually fixing them a low priority. Knowing Verizon pretty well, it seems clear it wouldn't be taking this kind of financial hit if its lawyers didn't realize the company was potentially facing some pretty steep penalties here.

One of the key problems in location and other data sharing is that wireless cell carriers have found a way to effectively operate outside any meaningful privacy guidelines by perpetually passing the onus for user consent down a long line of location data aggregators. Blake Reid, an associate clinical professor at the University of Colorado School of Law, perfectly captures the problem in comments made to Brian Krebs:

"The carriers basically have arrangements with these location aggregators that contractually say, ‘You agree not to use this access we provide you without getting customer consent’,” Reid said. “Then that aggregator has a relationship with another aggregator, and so on. So what we then have is this long chain of trust where no one has ever consented to the provision of the location information, and yet it ends up getting disclosed anyhow."

Verizon's obviously trying to pre-empt privacy regulation before we collectively realize current oversight makes the wild west seem downright domesticated. The company has long fought tooth and nail against any kind of consumer privacy protections, stating back in 2008 that federal privacy rules aren't necessary because "public shame" would keep the company honest. More recently, Verizon successfully lobbied the FCC to kill modest broadband privacy rules that would have prevented precisely this kind of scandal from happening by requiring greater transparency -- and that users opt-in to more sensitive data sharing.

None of that is to say that regulatory action is the only solution here, or that this particular Congress could even accomplish such a task. But it's also pretty clear that sooner or later, the pinky swears and winks currently passing for oversight of the telecom sector's treatment of your private data aren't going to quite cut it.

Shortly after Verizon's announcement AT&T stated that it too had suspended location data sales to third-party brokers (for all the same reasons). Sprint followed suit. T-Mobile, which cultivates a reputation as a more consumer-friendly wireless carrier, belatedly brought up the rear, initially likely wary of highlighting any missteps as it seeks regulatory approval for its looming competition eroding megamerger. But again, most of these promises were somewhat murky in scope (T-Mobile's promise to improve, for example, was entirely devoid of substance and somehow never reached Wyden's office).

With this data having bounced around so many partners with so little transparency or oversight, you can be pretty sure we haven't heard the end of this story. And while wireless carriers would very much like the public and press to believe that they've fixed the privacy problems that plague the telecom sector, several decades of evidence to the contrary -- and the press and public's general tone deafness to the scope of this particular problem -- suggest any meaningful reckoning is still likely some time away.

Filed Under: data, data brokers, privacy, wireless carriers
Companies: at&t, cambridge analytica, sprint, t-mobile, verizon

Open Letter To Data Brokers Are A Bunch Of Idiots Or Current Business

from the data-brokers-or-broken-data? dept

Attention world: there is a problem growing and something must be done about it! Some weeks back, a story about OfficeMax sending out a letter to a customer that was addressed to "Daughter Killed in Car Crash or Current Business."

The recipient, Mike Seay of Chicago, was understandably upset, having indeed lost his daughter to a car accident the previous year. It went viral in a big way, leading many to ask how that kind of thing could even happen. In a move that may have been heavy on honesty and light on an understanding of the public relations issues it would create, OfficeMax insisted that the issue was with the 3rd party data broker that had provided them the list of recipients for this letter.

“The mailing list OfficeMax requested from the third-party provider was for Businesses, Small Offices and Home Offices,” says OfficeMax spokesperson Karen Denning by email. “NO personal information qualifiers were part of our request; we were not seeking personal information and did not ask for it. As an additional measure to prevent future mailing errors, we have upgraded the filters designed to flag inappropriate information.”

Note what they're saying. They're saying that they hadn't requested personal information for this mailing list. They are not saying that the data broker does not have that information, nor are they saying that they have not, or never will, request such information. This only made readers of the story ask even more questions about who has what data on them and how that data is used in business.

Without more information about what exactly happened here, we’re left to assume that there are data brokers keeping track of parents with dead kids and that someone put an entry into the wrong spreadsheet cell, accidentally listing Seay’s tragedy in the column designated for the name of his business.

On its own, the explanation that a telemarketer might note that there was a car death to denote sensitivity in sales might have sated most of the public. But, like I said: epidemic. Or at least the start of one, now that we have a similar story, one that might not be quite so easy to explain.

On Thursday, freelance writer Lisa McIntire's mother received a credit card offer from Bank of America sort of addressed to her daughter. There was one tiny difference, though, in the name; instead of Lisa McIntire, the letter was addressed to a "Lisa Is a Slut McIntire." McIntire's mother contacted her daughter via text and then sent a series of photos. McIntire, of course, was slightly disturbed and took to Twitter to share the unusual junk mail.

Now, look, I like a good insult perhaps more than the average person. On top of that, gratuitous vulgarity is the kind of thing that really gets my trousers off. That said, were I Lisa McIntire, I'd be damned before I'd allow Bank of America, noted promiscuous deceivers on mortgages, to call me a slut. I expect we'll get another explanation that has something to do with a data broker either pulling information from social media or Google searches, or else behaving badly and denoting random people as sluts, but that won't solve the problem. People might finally begin to understand just how much personal information, or information about them, is out there and how companies are using it. Expect the grandstanding to begin shortly.

Filed Under: data brokers, mailings, marketing
Companies: bank of america, office max