
Promises apparently didn't pay as well.
US Senator Ron Wyden is renewing his calls for legislation banning the sale of people's private cellphone location information after yet another report of phone carriers doing exactly that. The Oregon Democratic Senator claimed major telcos and their executives, including T-Mobile US CEO John Legere, lied to him last year when …
Yes. Law enforcement isn't paying them for it and wants it for FREE. The warrant forces the provider to provide the information without payment.
No doubt a sufficiently large cash payment would result in the same information being handed over. I'd suggest crowdsourcing a few million and buying the information of people in your government and start publishing what they do and where they go, laws will be passed to deal with the problem very, very quickly.
The US courts have ruled that law enforcement access to customer location data does not require a warrant. Other meta data such as when phone calls are made and to what number also does not require a warrant. Generally, only the content of the communication (texts, voice, etc.) requires a warrant.
Unless it's for national security, or covered by an existing "all customers all places at all times" warrant, or they are at the border (ie within 100mi of the coast, border or an international airport).
Of course if you break these laws you can expect a swift and decisive pardon
I'm using one of the budget services, and I just realized how likely that makes it that my data is being sold. And, since they are a re-seller, it makes me wonder if my data is being sold twice over. I feel like lining them up like Larry and Curly and double slapping them the way Moe used to do.
In today's world I just assume my phone can be tracked by my carrier, and that isn't going to change regardless of who I choose. If there were real privacy protection then I might choose my provider more carefully, and be willing to pay more for a greater assurance of privacy like I do with my phone. There will never be 100% privacy protection (even if you assume companies always keep to the letter of their privacy policies) but some is better than none.
The current situation with cell companies is far worse than with phones - while Google collects every detail about your life they don't directly sell that info to third parties, they only effectively allow its use by using it to target their ads. If you're wanted by a bail bondsman, they can't get Google to tell them where you are (i.e. where your Android is) but it seems they can with all the major cellular companies in the US. That's bad. Very bad.
An MVNO uses a regular carrier. I would not be too sure that the carrier is not able to get to your whereabouts.
That's not in dispute. The question is whether MVNOs can also get your location data (via their agreement with the carrier) and thus also sell it. I'm not sure that's any worse (the carriers are happy to sell it to all comers, so it's not like the MVNOs would be increasing the supply), but it's conceivable that an MVNO might be able to undercut the carrier's price, or might be more likely to lose the data in a breach.
Personally, I suspect the MVNOs don't have access to the data, unless they buy it at the going rate from the carrier, so there's no additional exposure. But that's just a guess.
Or store the data, or leak the data. Once the call is over they no longer need it, there is ZERO reason for them to save it. For billing they can save the general area (city you are calling to/from) like paper phone bills used to back in the day (I haven't looked at mine for ages since I have unlimited calling, so I don't know what it lists tbh) there's no reason they need to save which tower in NYC you were calling from for billing purposes.
>Once the call is over they no longer need it, there is ZERO reason for them to save it
Except for making money. They were salivating on that 10 years ago, nothing has changed now. You can have a look at the relevant articles in the industry press around the GSMA location API and the various alternatives being promoted at the time (*).
I made myself very "popular" at the time when I explained to several people in a networking vendor (at VP level) the exact amount of policy that needs to be applied to such APIs in the long term and how PCRF does not come anywhere near that.
(*)I have stopped following that topic (mobile core API exposure) quite deliberately 5+ years ago on the grounds that the shit in that area piles up so high and so fast that no wings can keep you from getting dunkin'..
The data could be useful later on for technical troubleshooting, SLAs etc. (in the UK Orange used to give you money back if your call was dropped due to a bad connection). That data can then be summarised and anonymised after a short while based on their retention policy.
The issue is that if they have that data they will sell it, however if they say they won't sell it or there is legislation to stop them doing it then they don't need to delete it if it is properly managed. If they sell it anyway then they probably wouldn't delete it if they said they did.
That won't necessarily help you. Granted, they probably won't be able to look it up simply punching in your name, and I certainly have no idea exactly how the data access interface is structured, but your "burner phone" could easily be tied to your address where you presumably keep it (or at least the general area) and/or continued proximity to some other handset or location you _are_ on record with. So unless you are willing to never use your "burner" at places that can be related to you, and never take any other phones with you whenever you go to retrieve and use it, you might still be on the hook. And that's way too far into "LARPing a drug dealer" for pretty much any sane person.
I sure wish there was a way to get real privacy protection. It doesn't do you a whole lot of good if only telcos are restricted from selling location data - no doubt some "tough on crime" senator will tack on an amendment allowing it to be made available to law enforcement without a warrant, because you have nothing to fear if you aren't guilty of something.
What about Google and Apple? What about Facebook and Twitter? What about the million other apps on the App/Play stores that may collect location info? What about Ford and Toyota? What about future wearables which could be almost anything, including maybe even stuff that's a permanent part of you? Some of this (e.g. Facebook) may be thought of as optional, but you'd have to be a committed Luddite to avoid the use of ANY possible location gathering device in your life.
It shouldn't even be allowed for this information to be collected, unless you specifically opt in via free choice. Google and Ford have no more right to this info - even if they keep it to themselves and don't sell it - than T-Mobile does.
America. Home of the vested interest and, since Trump especially, a banana republic
Why since Trump? Do you think they went to war against ex-Yugoslavia, Iraq, Afghanistan, Syria and Yemen on behalf of the people? If you think that Trump signals any difference with the past it means you are paying too much attention to the appearance.
Someone please correct me if I'm wrong, because if this is true (seen on Slashdot, so I don't know) then it may not help much to block cellular companies from selling this info. If I have a cellular modem with an AT&T SIM, apparently I can call any AT&T subscriber and when their phone rings I'll get a packet back indicating the CELLID they are currently using. That would give a ballpark location estimate (within maybe 100m in a city, or a km or two in rural areas) using one of the free sites showing GPS coordinates for a given CELLID.
In a city that's easily enough for a stalker to tell if you are home, at work, at the gym etc. assuming they are spread out a bit. For a jealous spouse to determine you are not where you said you were. For a terrorist/assassin to determine a specific target is at the right location to set off the bomb. Maybe it will take the latter to happen before someone seriously considers the protocol security as a risk?
>For a terrorist/assassin to determine a specific target is at the right location to set off the bomb. Maybe it will take the latter to happen before someone seriously considers the protocol security as a risk?
You are probably correct on this. And after legislation passes, the companies will raise their rates because this particular income source has been cut off. Then they'll tack on a "national security" charge in the name of "keeping you safe" and also adding to the profit. Maybe I shouldn't have posted this, it will give them ideas.
No No No.
Then privacy becomes a social/economic issue. Those who can pay have their privacy respected and those who can't, well if you can't sell their data (because of the economic group you are in) you have to find other nefarious uses for it.
It's OK, people with limited money have had it soooooo easy over the last few years. </sarc>
All the time companies are salivating to get their hands on the data of the people who pay for privacy so over time it becomes eroded back to the state it is today. Bit by bit.
How available is users' location data to other nation-state actors?
My main concern other than privacy related is military members carrying around cellphones that transmit their location and other data.
https://www.theregister.co.uk/2018/01/29/strava_heatmap_military_base_locations/
I was reading an article about the US president making a "surprise" visit to soldiers in a combat zone in Iraq that was, quote: "shrouded in secrecy".
https://www.nytimes.com/2018/12/26/us/politics/trump-iraq-troops-visit.html
The thing that struck me most about all the photos released of his visit was all the soldiers holding up their cellphones taking photos and selfies with the president.
Obviously I have no idea if any of the cellphones have access to any data or wifi connections or if the base(s) have something similar to China's "great firewall" but from reading other articles about the woeful state of military tech security I doubt it.
I think there could be a market for a cellphone that had HARDWARE switches to enable/disable sensors, GPS, WIFI etc. Perhaps a series of tiny dipswitches underneath the REMOVABLE battery or something similar.
(I also think senator Wyden should be promoted and given special powers to oversee tech companies as he seems to be the ONLY elected official that has a clue about technology)
https://www.businessinsider.com.au/steve-king-asks-google-ceo-iphone-democrats-laugh-2018-12
>My main concern other than privacy related is military members carrying around cellphones that transmit their location and other data.
Their info will be slurped and sold just like everyone else's. Which is, indeed, a major OPSEC problem.
If Congress was in any way serious about the collection and sale of PID, including location tracking, they would make the practice illegal based on exactly what you mentioned. But they aren't serious.
The two privacy gotchas I saw in the newspapers at the time were (1) the "shrouded in secrecy" visit was leaked several hours in advance when a plane-spotter in Yorkshire recognised Air Force 1's livery overhead; (2) the President posted a selfie naming the special forces unit he was with and without concealing the soldiers' faces, in violation of convention.
I do take your point FozzyBear but where I come from, lying to Parliament (or in a select committee) is an imprisonable offence.
It is not clear from the article that the AT&T stooge made the promises under oath, but I am assuming it would have made no difference.
There are no consequences for the wealthy in the US anyway.
wakka wakka wakka
But did John Legere really lie?
"I’ve personally evaluated this issue & have pledged that @tmobile will not sell [we may trade it or give it away] customer location data [does not include other markers like SSID neighbors] to shady middlemen [i.e. any other type of middleman is fine]."
Comcast has been using a defective computerized global e-mail blocking system for at least four years that illegally blocks legitimate e-mail sent from Europe, Asia, Australia and elsewhere to U.S. Comcast customers. The FCC has been provided proof of the illegal blockage. Major Euro ISPs have provided proof that their networks are not sending massive SPAM to Comcast customers yet Comcast continues to block these same major ISPs. When Comcast blatantly lies to the FCC in writing claiming they do not have a computerized global blocking system, the FCC looks the other way instead of fining Comcast billions for lying to them and defrauding customers paying for all legitimate e-mail to be delivered.
It is hard to prove a negative. While I am not a defender of Comcast, unless an ISP is inspecting and logging TCP port 25 usage of its customers then it would not have the capability to "provide proof" that their networks aren't being used to transmit spam. So, are you saying that "Major Euro ISPs" are in fact doing such in-depth spying on their customers, and then defending them against the evil Comcast?
Major Euro ISPs absolutely are doing basic monitoring of their e-mail services to protect against them being used for spam. Major Euro ISPs are not doing monitoring of port 25 in general because it's not required. If a specific customer of an ISP is spamming Comcast, Comcast should block that IP and contact the ISP's abuse department.
I don't know the answer to that but here's a strange thing. One of my web-mail accounts in the UK is OK to send me virus laden attachments. But when I try to forward them to the UK's *eFraud department they get blocked, message says "This contains malware". ???
*NFIBPhishing(at)city-of-london.pnn.police.uk
In US usage, "ticked off" means that one is angry about something. There is no implied action. Intensity of this statement is between "I am annoyed" and "I'm going to fire that tosser".
Put another way, if I've ticked you off we are at the point where a pint may no longer patch things up, but I do not have to worry about any rough stuff.
"So is that better or worse than "pissed" in the American sense, or "pissed off" in the UK version?"
According to 'Very Bad Words' podcast, the FCC ban any mention of urine (part of the famous George Carlin's list) but when asked to rule on a radio station that had a competition 'which member of <insert football team> would you p!$$ on' ruled it OK because they seemed to think 'p!$$ed on' meant the same as 'p!$$ed off'
Interesting podcast, that.
Best use of "pissed on" I've seen was in a leaked "360deg feedback" evaluation of a line manager. The line that sticks with me is: "If he were on fire, perhaps I might deign to piss on him, but I'm conflicted."
The other gem was something along the lines of, "Out of millions of sperm, one wonders how his won the race."
We were having some morale problems at the time.
Those who think that the situation is better in Europe because of GDPR are naive, this is a field where GDPR is hardly enforced. The same is true for transport payment cards, those that are not anonymous are easily tracked, but after some time even the anonymous ones can be associated with a person giving a rough overview of their whereabouts.
BTW what is the legal status in the US of prepaid anonymous SIM cards? Mandatory registration is also something that makes things worse.
"Sounds like word hasn’t gotten to you, @ronwyden. I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen."
That promise isn't worth anything. He pledged not to sell to shady middlemen, not to anyone else.
So, translation: "Sounds like word hasn’t gotten to you, @ronwyden. I’ve personally evaluated this issue & have pledged that @tmobile will only sell customer location data to everyone but shady middlemen" (Shady obviously being vague, and middlemen? If you sell to someone who then sells to the middlemen you're still keeping your crappy pledge.)
After I exposed these dangerous practices last year, several carriers, including @tmobile’s CEO @JohnLegere told me point blank that his company would stop selling customer location data to shady third parties.
You left it up to them to determine who was shady. That's your problem right there, you trusted them to police themselves.
Simple solution. Enforce this penalty whenever necessary: the CEO, and all executive level subordinates will be sentenced to carry appropriate electronic devices, and have their real-time locations published on an open and free website for a period of no less than two years. Violation of this order will result in immediate incarceration for the remaining time period of that sentence.
Think we have privacy concerns? Think of all that they may engage in that would destroy them if discovered.
I am not a fan of businesses selling customer data, but if it is going to be allowed, I don't see bounty hunters as an illegitimate use of the data. The customers would be people who have broken their promise to show up in court. Some of the US states give bounty hunters too much power and some bounty hunters abuse what powers they do have so some bounty hunters are not worthy of respect, but that can be said about regular police forces as well.
As I understand it, GDPR applies to people from the EU wherever they are on the planet, as part of their rights of citizenship. So if a European happened to be in America and their cellphone data was sold on, it'd be a clear-cut breach of GDPR. I don't think the law enforcement clauses would cover this, even if it did end in the hands of a bounty hunter (which is stretching the definition of "law enforcement" anyway).
Do the US Telcos check for EU citizenship before they sell the data, or are their snouts rammed too far into the trough to care?
Trump is stupid enough to use non encrypted, non government issue phones, I wonder if any of the telcos have sold his location data, amongst other things.
Oh and why do Senators think they can stop this? There's a shitload of business in selling on location and tracking data, it's arguably one of the fastest growing fields in Telecoms. And with Ajit Pai telling them they can do whatever the hell they like (whilst doing dancing/singing numbers on Youtube), the FCC won't do anything.
The Senator in Question should be chided for believing that when someone said "I'm going to stop doing a thing that is literally making me millions of dollars a year, because you're annoyed at it" they might actually be lying through their teeth.
He's a politician for God's sake. If anyone knows how to spot a liar (and be an exceptional one) it's this guy.
A company just bought all the location data for most minors in Dallas TX, supposedly to figure out where to drive ice cream trucks, but this particular ice cream business doesn't exist, it's a kidnapping ring. They know more about where your children are than you do. You can thank the telecom industry for the next 400 kids to vanish in TX.
anyone need a kidney or heart?
(yes I made that all up - but it's only a few dollars away from reality, if not already)