
Little brother is watching: Your real-time location for sale

Richi Jennings, Industry analyst and editor, RJAssociates

An undercover report this week accuses mobile carriers of selling your location data to brokers, some of which aren’t choosy about whom they resell it to (because of course they’re not).

Yes, they’re still at it. Despite already having promised US congresscritters that they’d stop selling location data, it’s still happening on a grand scale.

Next stop, actual regulation, as opposed to vague promises? In this week’s Security Blogwatch, we get lost.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Brian May PhD 


Geolocation for all

What’s the craic? Joseph Cox Gave a Bounty Hunter $300. Then He Located Our Phone:

He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. … The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. [It] relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint.

At least one company … is selling phone geolocation services with little oversight to a spread of different private industries, ranging from car salesmen and property managers to bail bondsmen. … Compounding that already highly questionable business practice, this spying capability is also being resold to others on the black market who are not licensed … to use it, including me.

There’s a complex supply chain that shares some of American cell phone users’ most sensitive data. … Telecom companies … sell access to their customers’ location data to other companies, called location aggregators, who then sell it to specific clients and industries. … Armed with just a phone number, [they] can return a target’s full name and address, geolocate a phone in an individual instance, or operate as a continuous tracking service.

Feeling a little déjà vu? Jon Brodkin too: [You’re fired—Ed.]

Of course, mobile carriers themselves could prevent such privacy problems by not selling their customers' location data in the first place. … In June 2018, all four major US wireless carriers pledged to stop selling their mobile customers' location information to third-party data brokers.

At the time, U.S. Sen. Ron Wyden (D-Ore.) urged all four major carriers to stop selling their customers' location data. They all said that they would, with limited exceptions: for example, [for] "important, potential lifesaving services like emergency roadside assistance."

Wyden said he's disappointed that carriers are apparently still selling location data to data brokers.

“Disappointed”? Not according to Shaun Nichols—Wyden goes ballistic:

The Oregon Democratic Senator claimed major telcos and their executives, including T-Mobile US CEO John Legere, lied to him last year. … Back in the spring of 2018 it was widely documented how prison companies and other outfits were brokering the sale of customer location data from major wireless carriers.

Among those up in arms was Wyden, who floated legislation to impose penalties on carriers that sold customer data. The telcos then looked to get ahead of lawmakers by pledging on their own not to sell tracking data.

With that promise now having been shown to be utter rubbish, Wyden is renewing his calls to pass legislation.

People are shocked—SHOCKED—that corporations would sell their location. People like LucreLout:

I don't understand how it’s possible for a retailer to sell … information that would require law enforcement to obtain a warrant. Am I missing something here?

Yeah, what are we missing? nocsious tries to explain:

One common use case these geo-location services are used for is a layer of fraud detection for online [subprime] loan applications. Identifying a consumer's location and comparing it to a consumer's stated address is useful in verifying that a consumer is likely who they claim to be.

It's not surprising to me that [resellers] would be using this data without the correct permissions. A consumer is supposed to agree to the tracking terms in the website privacy policies/terms of conditions when applying for credit. Clearly that isn't the case here.

And you think this is just the vague location of the cell tower your phone is talking to? Think again, says bobbied:

The cell company has more information than just what tower you are hitting or which MSC you happen to be in … including a signal strength and apparent direction from the cell tower, from which they can make a pretty good estimate of your location.

These days cell towers have electronically steerable arrays for antennas, so they can better use their available spectrum space to service more phones.

But are there other ways to get your tower ID? psergiu alleges an allegation:

You can take a SIM from the same provider, pop it into a mobile modem, enable basic network tracing and call that number. As soon as the called number begins to ring, you'll get a packet back from the network listing among other stuff the CELLID where that phone is.

There are a bunch of websites where you can plug a CELLID which will show [the] "circle" where that cell's antenna has coverage.

Is it time for a colorful metaphor, Captain? RandomDude waxes apoplectic:

I’ll ask this once, nicely, but frothing with rage—can someone please direct me to a technological solution to this? … I’m ****ing sick of this ****. If it’s not the phone companies abusing this, it’s the NSA, and now dog the **** bounty hunter.

I’m serious. I would pay for the ability to be left the **** alone. … I’ve lost count of the endless privacy violation stories due to technology through databases and cell phones over the last even two years.

I’ve had it with modern society.

Meanwhile, FozzyBear makes like some sort of furry comedic puppet:

Oh the Irony! A politician outraged at being directly lied to.

The moral of the story?

This is horrific on so many levels. Privacy violation on this scale wouldn’t be remotely acceptable in any other civilized society. Why is America so different?


And finally …

What Queen guitarist Brian May knows about zodiacal dust (via FORTRAN)


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Mike Mozart (cc:by)
