May 26, 2018

The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels? These are some of the questions we’ll explore in this article.

In 2015, the Federal Communications Commission under the Obama Administration reclassified broadband Internet companies as telecommunications providers, which gave the agency authority to regulate broadband providers the same way as telephone companies.

The FCC also came up with so-called “net neutrality” rules designed to prohibit Internet providers from blocking or slowing down traffic, or from offering “fast lane” access to companies willing to pay extra for certain content or for higher quality service.

In mid-2016, the FCC adopted new privacy rules for all Internet providers that would have required providers to seek opt-in permission from customers before collecting, storing, sharing and selling anything that might be considered sensitive — including Web browsing, application usage and location information, as well as financial and health data.

But the Obama administration’s new FCC privacy rules didn’t become final until December 2016, a month after then President-elect Trump was welcomed into office by a Republican controlled House and Senate.

Congress still had 90 legislative days (when lawmakers are physically in session) to pass a resolution killing the privacy regulations, and on March 23, 2017 the Senate voted 50-48 to repeal them. Approval of the repeal in the House passed quickly thereafter, and President Trump officially signed it on April 3, 2017.

In an op-ed published in The Washington Post, Ajit Pai — a former Verizon lawyer and President Trump’s pick to lead the FCC — said “despite hyperventilating headlines, Internet service providers have never planned to sell your individual browsing history to third parties.”

FCC Commissioner Ajit Pai.

“That’s simply not how online advertising works,” Pai wrote. “And doing so would violate ISPs’ privacy promises. Second, Congress’s decision last week didn’t remove existing privacy protections; it simply cleared the way for us to work together to reinstate a rational and effective system for protecting consumer privacy.”

Sen. Bill Nelson (D-Fla.) came to a different conclusion, predicting that the repeal of the FCC privacy rules would allow broadband providers to collect and sell a “gold mine of data” about customers.

“Your mobile broadband provider knows how you move about your day through information about your geolocation and internet activity through your mobile device,” Nelson said. The Senate resolution “will take consumers out of this driver’s seat and place the collection and use of their information behind a veil of secrecy.”

Meanwhile, pressure was building on the now Republican-controlled FCC to repeal the previous administration’s net neutrality rules. The major ISPs and mobile providers claimed the new regulations put them at a disadvantage relative to competitors that were not regulated by the FCC, such as Amazon, Apple, Facebook and Google.

On Dec. 14, 2017, FCC Chairman Pai joined two other Republican FCC commissioners in a 3-2 vote to dismantle the net neutrality regulations.

As The New York Times observed after the net neutrality repeal, “the commission’s chairman, Ajit Pai, vigorously defended the repeal before the vote. He said the rollback of the rules would eventually benefit consumers because broadband providers like AT&T and Comcast could offer them a wider variety of service options.”

“We are helping consumers and promoting competition,” Mr. Pai said. “Broadband providers will have more incentive to build networks, especially to underserved areas.”

MORE OR LESS CHOICE?

Some might argue we’ve seen reduced competition and more industry consolidation since the FCC repealed the rules. Major broadband and mobile provider AT&T and cable/entertainment giant Time Warner are now fighting the Justice Department in a bid to merge. Two of the four-largest mobile telecom and broadband providers — T-Mobile and Sprint — have announced plans for a $26 billion merger.

The FCC privacy rules from 2016 that were overturned by Congress sought to give consumers more choice about how their data was to be used, stored and shared. But consumers now have less “choice” than ever about how their mobile provider shares their data and with whom. Worse, the mobile and broadband providers themselves are failing to secure their own customers’ data.

This month, it emerged that the major mobile providers have been giving commercial third-parties the ability to instantly look up the precise location of any mobile subscriber in real time. KrebsOnSecurity broke the news that one of these third parties — LocationSmart — leaked this ability for years to anyone via a buggy component on its Web site.

LocationSmart’s demo page featured a buggy component which allowed anyone to look up anyone else’s mobile device location, in real time, and without consent.

We also learned that another California company — Securus Technologies — was selling real-time location lookups to a number of state and local law enforcement agencies, and that accounts for dozens of those law enforcement officers were obtained by hackers. Securus, it turned out, was ultimately getting its data from LocationSmart.

This week, researchers discovered that a bug in T-Mobile’s Web site let anyone access the personal account details of any customer with just their cell phone number, including full name, address, account number and in some cases tax ID numbers.

Not to be outdone, Comcast was revealed to have exposed sensitive information on customers through a buggy component of its Web site that could be tricked into displaying the home address where the company’s wireless router is located, as well as the router’s Wi-Fi name and password.

It’s not clear how FCC Chairman Pai intends to “reinstate a rational and effective system for protecting consumer privacy,” as he pledged after voting last year to overturn the 2015 privacy rules. The FCC reportedly has taken at least tentative steps to open an inquiry into the LocationSmart debacle, although Sen. Ron Wyden (D-Ore.) has called on Chairman Pai to recuse himself on the inquiry because Pai once represented Securus as an attorney. (Wyden also had some choice words for the wireless companies).

The major wireless carriers all say they do not share customer location data without customer consent or in response to a court order or subpoena. Consent. All of these carriers pointed me to their privacy policies. It could be the carriers believe these policies clearly explain that simply by using their wireless device customers have opted-in to having their real-time location data sold or given to third-party companies.

Michelle De Mooy, director of the privacy and data project at the Center for Democracy & Technology (CDT), said if the mobile giants are burying that disclosure in privacy policy legalese, that’s just not good enough.

“Even if they say, ‘Our privacy policy says we can do this,’ it violates peoples’ reasonable expectations of when and why their location data is being collected and how that’s going to be used. It’s not okay to simply point to your privacy policies and expect that to be enough.”

CHECKING THE FTC’S RECORD

When the FCC’s repeal of the net neutrality rules takes effect on June 11, 2018, broadband providers will once again be regulated by the Federal Trade Commission (FTC). That power was briefly shared with FCC when the agency under the Obama administration passed its net neutrality rules with the assumption that it could regulate broadband providers like telecommunications companies.

When it comes to investigating companies for privacy and security violations, the FTC’s primary weapon is The FTC Act, which “prohibits unfair and deceptive acts or practices in or affecting commerce.” According to the FTC Act, a “misrepresentation or omission is deceptive if it is material and is likely to mislead consumers acting reasonably under the circumstances.” It also finds that an act or practice “is unfair if it causes, or is likely to cause, substantial injury that is not reasonably avoidable by consumers, and not outweighed by countervailing benefits to consumers or competition.”

It’s difficult to think of a bigger violation of those principles than the current practice by the major mobile providers of sharing real-time location data on customers with third parties, without any opportunity for customers to opt-in or opt-out of such sharing.

But it’s unclear whether the FTC would take any action against such activity, or indeed if it has any precedent to do so. The agency had the ability to go after mobile broadband providers for privacy and security violations between 2002 and 2015, and so KrebsOnSecurity asked the commission to share how many times during that period it took enforcement actions against broadband providers.

The list I got back from them wasn’t exactly privacy or security focused. The FTC cited a case in 2003 in which it sued AOL and CompuServe over unfair billing practices. In 2009, it helped to take down 3FN, a small, shady ISP that was based in the United States but run by Russians and hosting a stupendous amount of malware, scams and illegal content (i.e. child pornography).

In 2014, the FTC alleged that AT&T Mobility deceptively advertised “unlimited” data while throttling mobile customers who used certain amounts of data (this case is still pending but a recent appeals court decision cleared the way for the FTC to continue its lawsuit).

In 2015, TracFone, the largest prepaid mobile provider in the United States, agreed to pay $40 million to the FTC for consumer refunds to settle charges that it deceived millions of consumers with regard to its “unlimited” data service.

The FTC also cited a scolding letter (PDF) that it sent to Verizon over issues related to the security of its customer routers. No action was taken by the FTC in that case.

How eager the FTC will be to police privacy practices of broadband providers may come down to the priorities of the agency’s new leaders. The Trump administration just tapped Andrew Smith as head of the FTC’s consumer protection office. Smith is a lawyer who used to represent many of the companies that the agency is already investigating.

Smith will need to recuse himself from multiple ongoing investigations his office would normally lead, including data breaches at Equifax and Facebook, thanks to his previous work on behalf of the companies. According to The Hill, Smith testified in October before the Senate Banking Committee on behalf of the credit reporting industry as the panel investigated an Equifax data breach that compromised more than 145 million people.

Gigi Sohn, a fellow at the Georgetown Law Institute for Technology Law and Policy and a former senior adviser to former FCC Chair Tom Wheeler in 2015, said the FTC doesn’t have a strong record on broadband privacy enforcement.

Sohn said the FTC’s legal framework does not require affirmative opt-in consent for browsing history and app usage, and that a provider would only have to let you opt-out — something that consumers rarely do and which companies routinely make it hard to do. More importantly, she said, while the FCC’s rules would have protected consumers before they were harmed, the FTC can only act after harm has already occurred.

“We passed privacy rules for broadband and mobile providers that would have required them to seek customer opt-in for anything that was considered sensitive,” Sohn said of her work at the FCC under the Obama administration. “The carrier had to give you clear and consistent opportunities to opt out. It was very broad, but the definition we set for personal information was far broader than what even the FTC considered sensitive.”

REPEALING THE REPEAL OF NET NEUTRALITY

So the carriers are already reneging on their promise to customers that they won’t share location data without customer consent or a court order. But where does that leave us on net neutrality? The answer is that the major wireless carriers are already doing what was expressly prohibited under the FCC’s net neutrality rules: Favoring their own content over competitors, and letting companies gain more favorable access by paying more.

Around the time of the FCC’s repeal of the net neutrality rules last year, The Wall Street Journal prognosticated about what might happen with the regulations out of the way. To do this, it looked at some of the offerings the mobile carriers pitched before the rules were drawn up.

“One example of how things could work is the mobile wireless market, where some providers already have used pricing tactics to favor certain websites and services over others,” wrote John D. McKinnon and Ryan Knutson for The Journal:

The 2015 Obama-era rules didn’t explicitly prohibit these tactics, which generally allow customers to access certain websites without having it count against their monthly data cap. Wireless carriers, which often subject their users to strict data limits, were aggressive in experimenting with such plans, also known as “zero rating.”

Deals began emerging several years ago for inexpensive plans that offer unlimited high-speed access to popular services such as Facebook or Twitter, but limited or even restricted access to the rest of the internet.

T-Mobile US Inc. in late 2013 announced that its GoSmart Mobile brand had “become the first wireless provider…to offer free access to Facebook and Facebook Messenger for all of its wireless customers, even those without monthly data service.” The GoSmart Mobile plans started at $25 a month for “unlimited talk” with no other data service. T-Mobile has since transferred the GoSmart brand to another wireless firm.

In 2014, Virgin Mobile USA, a unit of Sprint Corp., offered a wireless plan that cost $12, but users were only allowed to access one website: either Facebook, Twitter, Instagram or Pinterest. If they wanted all four, it was $10 more a month. Another $5 and they could access any online music streaming service.

Big internet providers also used zero-rating plans to favor their own content. AT&T Inc. gave paying customers unlimited usage of its own online video service DirecTV Now, while other video sites counted against monthly data caps. Verizon Communications Inc. did the same for its mobile video app, called go90.”

AT&T Mobility offers a zero-rating plan called “Sponsored Data” that allows content providers to pay up front to have streaming of that content allowed without counting against the provider’s monthly data caps.

Sohn said the FCC under the Obama administration initiated an investigation into AT&T’s Sponsored Data plan and Verizon for its go90 service, but that the inquiry was abandoned by the current FCC leadership.

There are some prospects for a Congressional repeal of this administration’s gutting of the FCC’s net neutrality rules. On May 16, the Senate approved a resolution nullifying the FCC’s rollback of the net neutrality rules. But the measure faces an uphill battle in the House.

“Right now we’re probably 30 to 40 members short of being able to bring a vote in the House,” Sohn said. “About 20 Democrats haven’t gotten on board, and we have no Republicans so far. But I think that’s going to change. If Congress repeals the net neutrality repeal, the next step would be to craft stronger rules [either at the FCC or Congress]. We have until the end of this Congress to get it done.”

The CDT’s De Mooy gives the effort to repeal the repeal of net neutrality rules slim chances of passage this year. But she said the prospects for revisiting net neutrality and consumer privacy in the next Congress look good, particularly if Democrats pick up additional seats in the House.

“It seems to be something the Democrats are taking up more now,” De Mooy said. “So much depends on what happens in November. But that’s true of so many tech policy issues.”

SHOCK AND YAWN

When I first saw a Carnegie Mellon University researcher show me last week that he could look up the near-exact location of any mobile number in the United States, I sincerely believed the public would be amazed and horrified at the idea that mobile providers are sharing this real-time data with third party companies, and at the fact that those third parties in turn weren’t doing anything to prevent the abuse of their own systems.

Instead, after a brief round of coverage in several publications, the story fell out of the news cycle. A story this week in Slate.com lamented how little coverage the mainstream press has given to the LocationSmart scandal, and marveled at how much more shocked people were over the Cambridge Analytica scandal with Facebook.

“Privacy abuses and slip-ups by major tech companies have become so numerous, and the prospect of containing them seems so hopeless, that the public and much of the media have become nearly numb to them,” writes Will Oremus for Slate. “My data was hacked? So it goes. It may have been used in unauthorized ways by unspecified parties? C’est la vie.”

Oremus argues that what the LocationSmart scandal lacks is not import, nor the potential for serious harm, “but a link to some divisive political issue or societal outrage sufficient enough to generate visceral anger from people who aren’t privacy wonks.”

If you’ve read this far (bless you), don’t let breach fatigue and incessant media exposure of how little privacy we have harden into resignation. Yes, the prospects of any public debate about consumer privacy protections in the United States at the legislative level seem dim in a high-stakes mid-term election year. But supporters of net neutrality ideals can start getting involved by tweeting, calling and emailing the House lawmakers listed in red at BattleForTheNet.com.

While you’re at it, tell your lawmakers what you think about mobile providers giving or selling third-parties real-time access to customer location information, and let them know that this is no longer okay.

This is the second article in a two-part series. The first is here: Mobile Giants, Please Don’t Share the Where.


82 thoughts on “Why Is Your Location Data No Longer Private?”

  1. Tom Welsh

    “Instead, after a brief round of coverage in several publications, the story fell out of the news cycle”.

    If you watched NCIS more, instead of doing useful work, you would understand that “everyone knows” US government agencies can always locate anyone within seconds.

    1. BrianKrebs Post author

      The LocationSmart problem wasn’t about law enforcement having access to it, but rather *everyone* on everyone. When companies fail to secure access to this information, effectively everyone has the same access to it.

      1. TT

        The Locationsmart issue that is being focused on in this article is being disingenuous about the fact that it was a BUG and not done on purpose. So, while you can be upset that a developer left a backdoor open, you need to stop making it sound as if this is all part of some big tinhat scheme from these companies to steal location data, and further, you need to stop tying it to the NN repeal. It had nothing to do with that. Sensationalist articles will cause the American people to simply ignore them. SCOTUS already ruled that a person loses the expectation of privacy the moment they step off their front porch. That corresponds to location data also. Turn off your phone if you don’t like it IMO.

        1. Robert

          1. Locationsmart sells to anyone. It was not only available via a bug.
          2. While we may not have a legal expectation to privacy according to the third party doctrine, recent cases considering the changing landscape introduced by always-on technology are beginning to expand the expectation of privacy.
          3. Even if this is not a legal right, it can still be something we want.
          4. Turn off your phone?!?!?! That is your solution?!?!?! How can this possibly be your reasoned argument?

        2. AK

          Except now they can track you on your front porch as well as what you do anywhere in your house or outside of it.

          > “Turn off your phone if you don’t like it IMO.”
          That’s exactly the defeatist mentality to which the post refers. Refusal to accept that technology doesn’t bring up new human rights issues is a foolish outlook. As time marches on and different technologies progress forward, so does the need for human thought and protections against malicious actors.

        3. Anon404

          How can I “turn my phone off” when it’s still technically active as long as the battery is in it and the battery can’t be removed?

          1. Elaine

            What about putting your phone in airplane mode when not using it? That turns off the WiFi and cellular. I put my phone in airplane mode at night. True, if you want to take calls during the day, you still have to have cellular access, but at least at night, when the phone is in my home, the camera and microphone can’t be turned on remotely.

          2. Samm

            That’s another reason I still have my Samsung Galaxy s5. I can easily remove the battery, and even swap it with a second one when the first runs out. So in theory not finding location when I’m recharging

        4. Eric Schmidt

          The point you’ve missed is that this is about mobile carriers trading our personal information for their own profit against our wishes, not about inevitable buggy software.

        5. will

          Turning off the phone or taking out the battery does not turn off the beacon to cell towers and your location is still evident from what I understand. Please correct me if wrong…

      2. Chris Taylor

        Doesn’t that raise a good question? Is it better to restrict access to that data to a select few who either have the power or money to view it or is it better if everyone has access to everyone else’s data?

    2. jay

      I don’t have a big issue with law enforcement pinging your location off the nearest cell tower, assuming they have probable cause. This article isn’t about that, it’s about your location data being available for sale to anyone willing to pay the price. And that, thanks in large part to Ajit Pai and his Trump overlords, that I do have a big problem with. Thankfully I am at that juncture where I don’t have to re-up with Verizon. How bout one of you carriers showing me just a little respect?

  2. The Sunshine State

    The F.T.C. is a waste of time, for the U.S. consumer as in my opinion they don’t do much of anything.

  3. Dennis

    Minor point: December 2016 was one month before (not after) Congress welcomed a President Trump. It was a month after his election, but a President doesn’t take office until January.

  4. acorn

    BK: “The major wireless carriers all say they do not share customer location data without customer consent or in response to a court order or subpoena. Consent. All of these carriers pointed me to their privacy policies.”

    Yet, in reading the privacy policy of a non-major wireless billing provider, that uses the Sprint network, it covers “web site” only, NO MENTION of wireless device usage data.

    Thus, it’d be interesting to know if the telephone number data from such a wireless billing provider was shared to “everyone”, which I’d guess was shared. If such a telephone number data was released, that’d be a release of data, in no form stated in the privacy policy of during a “business relationship” with a wireless billing provider, by a “non-business relationship” major wireless carrier.

  5. Mark

    I’m sure if I put up a site with a map of real time locations of congress members, the story would break through the news cycle and the problem would get fixed. Is there anything illegal about publishing the locations? If not, I might try it

    1. roger p tubby

      Great idea, Mark.

      Seriously.

      But give me your phone# so I can track which detention facility you are in.

      There was something similar done back in the W presidency where several key administration figures had their house locations and personal information published online.

  6. Jim

    Heh, heh, hmm. The location data is nothing to do with you. It has to do with a device. To get it to function. There are secure phones that do not track you until a request for service is made. Such as Sat phones. And all phones are not equal. That being said, if you use a map service, Google, Apple music, you should expect to get tracked. They want to know who, what and where you are. If not, turn it off. Enjoy the silence.

    1. Catwhisperer

      “If not, turn it off. Enjoy the silence.”

      LOL, I so do! I’m from a generation where we didn’t have an electronic security blanket in a cramped death grip.

      However, nothing is needed that is that drastic. Turn off all device permissions that pertain to location, and that handles a big portion of the problem. My $50 Verizon ZTE has a Location entry in settings, with a big on-off button. So when I turn it off it tells me: “NO LOCATION ACCESS Device location for all apps is turned off, and you may not be able to locate your device if it’s lost.”

      If Verizon hypothetically leaks my location information, and I’m the victim of a stalker or ex-spouse because they can find me due to that information leak, guess what Verizon would be liable for? Many years ago, in Colorado you could find, from a license plate number, the address of a vehicle’s owner. That’s not available any more due to similar liability issues.

      1. Alton

        The mistake you’re making is that the phone is still broadcasting your location, even when the big switch is set to “off”. The only thing that switch does is stop apps from accessing the location. The network and certain other people still know where you are (emergency services, location smart, etc.).

  7. Alex

    Should I get my pager out and start using it?

  8. Adrian

    Great article!

    On a related note, speaking of poor application security design, the Spectrum / Time Warner reset password flow (https://registration.timewarnercable.com/password/reset) allows you to reset any account password by:

    1) Providing the account email and,
    2) Answering a single security question

    No verification link sent through email – nothing. Shocking ignorance of super basic best practices.

    I’ve emailed Spectrum and tweeted at them to upgrade this flow and was thanked for my feedback – about 9 months ago. It’s no surprise that telco websites are often caught leaking personal data when you see stuff like this!

    1. Tacitus

      Good point. I just did this the other day, and to be honest, I didn’t notice the lack of an email because I was in a hurry. Fortunately, the answer to my security question is so obscure, I would be shocked if my account was ever hacked that way, but it’s concerning all the same.

  9. Kallen Web Design

    Thank you for taking the time to give an excellent summary of the situation and keep it in the public spotlight. Reading your post I realize I do have privacy fatigue. Is it still possible we can see the pendulum swing?

  10. Julian

    I don’t live in the US and therefore don’t face the same level of anxiety that some US citizens feel about these recent disclosures. But it occurred to me that the whole issue is pretty much device dependent, so that our use of any particular technology does open us to the use or misuse of existing or future tech and maybe that is the issue that warrants further discussion and agreement by all interested parties. In the meantime if any citizen was sufficiently annoyed about the current situation then perhaps they could ask their Representative or Senator why it is that given the US is presently waging a war upon terror, some US companies have apparently given potential terrorists something of a free pass to the location of just about every US citizen who uses a mobile phone – and by implication, the whereabouts of that person’s family.

  11. KrebsReader6000000

    “…California company — Securus Technologies — was selling real-time location lookups to a number of state and local law enforcement agencies, and that accounts for dozens of those law enforcement officers were obtained by hackers. Securus, it turned out, was ultimately getting its data from LocationSmart… researchers discovered that a bug in T-Mobile’s Web site let anyone access the personal account details of any customer with just their cell phone number, including full name, address, account number and some cases tax ID numbers…Comcast was revealed to have exposed sensitive information on customers through a buggy component of its Web site that could be tricked into displaying the home address where the company’s wireless router is located, as well as the router’s Wi-Fi name and password.”-Krebs on Security

    I am outraged at the fact location data brokers are selling that location data. I suspect that some federal or state law is being violated somewhere.

    Look at HIPAA. What about tracking doctors and patients to hospital and clinics? What about the PHI and HITECH Act Privacy Requirement rules? Sell location data including addresses and phone numbers must be enforceable at some government department. The cell phone companies and location data brokers must be violating some laws.

    I am all for Mark’s idea of setting up a real time cell phone tracking site of congress critters. But, don’t stop there include some FTC and FCC persons and some cell phone executives.

    1. Lori

      HIPAA and HITECH do not apply to this situation, even if they are tracking doctors and patients to hospitals and clinics. HIPAA /HITECH only apply to PHI that the covered entity (a health plan, a health care clearinghouse, a health care provider) holds, or a business associate (BA) of a covered entity. A BA is an organization that creates, receives, maintains, or transmits PHI, or that does other work on behalf of the covered entity that involves the disclosure of PHI.

      Since a mobile phone service provider is not a covered entity nor a business associate, but are only providing services to the individual that is using their phone service, HIPAA and HITECH privacy and security rules do not apply.

  12. kate S

    FYI: on a C-SPAN channel tonight (May 26) was a discussion of China, and the way the Chinese leader is becoming much like Mao.
    https://www.c-span.org/video/?445391-2/the-revolution
    (Toward the end?) they mentioned the way cameras, etc. are set up all over China and the government is forbidding more and more actions. Such as any conversation about religion–as monitored by the cameras.
    It sounded quite scary.

  13. Reader

    Brian,

    I like the work you do, but I’ve got a number of concerns about this article. Please don’t get offended by my following criticisms.

    You’ve conflated some issues. Net neutrality has nothing to do with mobile carriers or privacy. Similarly, privacy leaks recently in the news, including your reporting, have been about mobile carriers, not broadband providers. It’s odd that you’d mixed them up.

    Net neutrality, as it is a crony capitalism tool to create regulatory burdens on startup technology. The Internet flourished without net neutrality for more than two decades.

    Net neutrality rules only served to protect the profits of the social media giants and streaming media giants on the backs of taxpayers and telecommunications companies who maintain and build broadband capacity.

    Who pushed for it? The same media and technology giants who supported the liberal agenda of the Obama administration: Facebook, Twitter, Instagram, Apple, Amazon, Google, and Netflix.

    Who actively fought any attempt to limit privacy invasions? The same jackals.

    Who gave them the net neutrality they wanted? Obama’s FCC.

    You also mentioned the proposed mergers involving AT&T and Time Warner, and T-mobile and Sprint, suggesting that it’s the result of net neutrality repeal. What you’re missing is the correct chronology. The mergers were initially discussed after the imposition of net neutrality.

    In fact, the recent news regarding attorney Michael Cohen revealed that AT&T had paid him for advice on the merger long before Trump’s FCC repealed net neutrality regulations and his DOJ blocked the merger. Similarly, Time Warner had been looking to unload its broadband unit since the net neutrality rules were first imposed, long before Trump came along.

    You also have the timeline wrong on the T-mobile and Sprint proposed deal. They’ve each long been looking for merger partners, having both been stuck behind Verizon and AT&T Wireless for the past decade. Neither had been significantly impacted by net neutrality rules, in any case, as T-mobile and Sprint don’t own the majority of the hardware behind their networks.

    You forgot to mention that the FCC has only the powers granted to it by Congress and that’s limited to transmission of wired and wireless data. It never had authority to interfere with commerce by creating a doctrine of net neutrality.

    In the same vein, the FTC never had authority to get involved in privacy issues. Ask Congress why.

    A large number of regulations invented under Obama’s FCC, FTC, EPA, IRS, and other agencies were not backed by legislation. Whoever succeeded him would have been obligated to repeal these bureaucratic rules, so you’re being unfair in portraying Trump negatively here.

    Finally, if you want to make things political, find out why the Supreme Court consistently ruled against privacy concerns during Obama’s two terms when police were involved, even though he’d appointed two of its members. You could also write about why Obama did not press for his DOJ to respect the privacy rights of defendants. Maybe you could document why Obama failed to seek consumer privacy laws from Congress.

    Keep up the good work! I mean it.

    And apologies for some rambling here.

    1. Chip Douglas

      I agree with you that Brian does a great job here and we owe him a debt of gratitude. I also thank you for leveling the playing field here. I agree with everything you said. I don’t think anyone is against more privacy. I know I’m not, and that can be accomplished without net neutrality. The Obama administration devised net neutrality to regulate the internet while taking care of their far left buddies like Facebook. Regulation is all about revoking the freedom that the internet represents. Is it any wonder that totalitarian regimes like China and Iran are afraid of that freedom and block connections and censor free speech? Just one thing you missed…
      “…how little coverage the mainstream press has given to the LocationSmart scandal, and marvels at how much more shocked people were over the Cambridge Analytica scandal with Facebook.”
      The Cambridge Analytica scandal with Facebook was something the MSM could use to suggest Trump cheated in the election, which of course he did not. The LocationSmart scandal was just another boring data and privacy compromise and could not be used to smear Trump. Go figure!

      1. Reader

        Chip,

        I’ll have to disagree, in part.

        First, I agree: The Cambridge Analytica/Facebook story tied in nicely with the stories of Russian Facebook ads and Russian Twitter bots. It featured liberal companies that were duped into helping the other side, or so they claim. It conveniently helps them cast shade on a US president, a UK prime minister, Brexit, and the 2016 elections.

        And now the disagreement:

        The mainstream media is NOT ignoring the LocationSmart/Securus story OVER POLITICAL CONCERNS. They’re ignoring it because their viewers and readers have privacy violations fatigue.

        (Yes, I made up the term. Just go with it).

        No one marched in Washington or London demanding new privacy laws following the Cambridge Analytica and Facebook nonsense.

        No one protested at Twitter or Facebook or Apple or Yahoo, etc., over past privacy violations.

        No one stopped shopping at Target or Home Depot over credit card details being stolen.

        No one organized a petition demanding pardons for everyone convicted on the basis of probable cause by a K9 drug search. (How can they cross examine a dog?)

        No one rallied in support of “criminals” convicted on the basis of cellular location data obtained without a judge’s warrant.

        Governments track us through toll payment devices, license plate readers, audio and video recording and real-time monitoring. Where are the protesters?

        There is no outrage, because we have privacy violations fatigue.

        We already knew Facebook was treating users as the product, just as we knew that we end up on mailing lists because our government sells the names and addresses of licensed drivers.

        Back in April 2011, we learned Apple was storing our location information. (See David Pogue’s arrogant dismissal of privacy concerns at the link below, 1).

        Proof of the government always tracking every mobile user came in June 2013, thanks to the Snowden revelations. And we learned how other governments cooperate to get spying on their own citizens accomplished. (See Five Eyes below, link 2).

        We eventually learned that every Yahoo account was hacked in 2013, though that corporate screw-up wasn’t revealed until 2016. (Link 3)

        And Brian Krebs showed us how, when, why, and where our information gets stolen, leaked, and sold. Search his archive for breaches, leaks, and the Dark Web stuff. Read his book. And see how often this guy gets quoted. (4).

        The average person is no longer surprised by vile corporate behavior, awful government behavior, evil electronic thieves, and ne’er-do-wells.

        We are battered and beaten by all these privacy violations.

        That is why this LocationSmart/Securus story isn’t blowing up. We have privacy violation fatigue.

        Links
        1. https://pogue.blogs.nytimes.com/2011/04/21/your-iphone-is-tracking-you-so-what/

        2. https://en.m.wikipedia.org/wiki/Five_Eyes

        3. https://www.npr.org/sections/thetwo-way/2017/10/03/555016024/every-yahoo-account-that-existed-in-mid-2013-was-likely-hacked

        4. https://www.google.com/search?q=krebs+on+security and then click “news”

        1. Chip Douglas

          I get your point and I understand what you are saying. It just seems that the only attention the media gives to anything any more is if they can tie it to the president somehow. That seems to be their all encompassing mission until and if they can take him down. He is winning and they are not and it is a pleasure to watch…

          1. Reader

            DJT is like a golden goose for the media. Stories about him sell more newspapers and get better ratings, good or bad. So it’s understandable that they want stories that tie into him.

            But the lack of interest in this one isn’t over DJT. It’s that it’s just beating a dying (privacy) horse.

            1. Louise

              Read all your comments and Chip’s with interest – thanx! Here is another explanation . . . FANG companies are accomplishing anti-trust violations two ways (1) perspective of exploiting taxpayer-funded internet and personal information without commensurate security investment, and (2) by sending their profits overseas to avoid US taxes, which weakens the agencies who regulate them from going after them!

              Don’t blame the US consumer who is not tech savvy! Troubles in public education is another evidence of an under-funded government.

              The US should be way ahead, based on the success of FANG giants who have made a killing off the US taxpayer-funded internet! Instead, the US has to chase tech giants with skeletal resources.

      2. Reader

        Chip,
        I agree and disagree.
        I posted a detailed explanation, but it may have been too long. Suffice it to say that I read your reply.

  14. Whoever

    Honestly Brian, this is the most one-sided piece I’ve ever read of yours. You and I both know these merger deals, geolocation selling, and other painful initiatives didn’t start under the current FCC. @Reader is correct; get your timelines straight. But the bigger issue than who is how, given this…
    “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”. Regardless of when location data began to be up for sale, regardless of a bug in the website or not, regardless whether it’s “only” for law enforcement, it’s a violation of the 4th Amendment. Period. End of discussion.

    1. Chip Douglas

      How sad that that was all you got out of this article…

  15. Hugo Kerner

    Switzerland reporting in. Quick rundown.

    Well, Mr Krebs, as usual, we here in Switzerland are a bit more pragmatic re data resale, losses, tracking and so on. (Sorry: Times have changed, just like the Swiss banking secret has been abolished.)

    Two officers of the Zurich County police illegally (without authorization) purchased and used “Galileo” from “Hacking Team”. Total costs: Some SFr 1m. You see, no authorizations needed, no warrants required, no regulations and rules in place. Consequences: None.

    https://wikileaks.org/hackingteam/emails/?q=Hacking+Team+Kapo&count=50&sort=0

    IMSI catchers are used whenever police deem it to be necessary. No warrant needed either.

    https://www.basellandschaftlichezeitung.ch/basel/baselbiet/neue-technologie-macht-umstrittenen-ueberwachungskoffer-fuer-die-basler-polizei-nutzlos-132379639

    Swiss national carrier lost 800,000 sets of customer data. So what? ***t happens.

    https://securitybrief.eu/story/mega-breach-800000-telco-customers-data-stolen-hacked-partner/

    Several months ago, I opened under a different name a personal health record called “Evita” (www.evita.ch), which is part of the national carrier Swisscom.

    It took them a mere five minutes to send me spam about Swisscom TV to my indicated e-mail address… Well, we call that cross-selling, you know.

    PS: Swisscom is the default cell provider of the country.

    And you in the States kick up such a fuss about data protection and tracking?! Get over it.

    1. Reader

      1,000,000 Swiss Franc = 1,008,050.00 US Dollar

  16. Gordon

    @Alex: If in your country this is possible, I can highly recommend it. However, I don’t think that the States have gotten nationwide pager coverage, so probably bad luck for you. But yes, pagers are an excellent thing and I still use one since 1991…

  17. Stratocaster

    And now the Trump Supreme Court has put the lid on customers’ ability to file class-action litigation.

    1. Reader

      Calling it the Trump Supreme Court just is silly.

      If you wanted to nickname the SC, the correct way is to reference the Chief Justice. In this period, it’s nicknamed the Roberts Supreme Court, after SC CJ John Roberts.

      In the past 17 months, the SC hasn’t decided consumer rights cases.

      The only recent decision related to limiting class action held that individual employees could not join together to sue employers, because they had signed employment contracts requiring arbitration.

      The majority wrote that contracts “mean what they say.” Could that affect arbitration clauses in consumer contracts? Sure. But that’s not what came before the court recently.

      You could read about the decision:

      http://www.scotusblog.com/case-files/cases/national-labor-relations-board-v-murphy-oil-usa-inc/

  18. jay

    >>letting companies gain more favorable access by paying more.

    As long as I don’t have to pay why does that matter?

    If that policy is wrong do airlines have to give up selling first class seats? Do stadiums and sports arenas quit selling hospitality suites?

  19. KrebsReader6000000

    I agree with Brian Krebs that Shock and Yawn play a big role in people being not concerned. I am sure that the Cambridge and Facebook scandal grab people’s attention more quickly. I don’t think Brian’s readers have grasped the gravity of selling real time location data to just about everyone who owns a cell phone.

    In the States we have a constitution which poster Whoever notes: “…the bigger issue than who is how, given this… “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”. Regardless of when location data began to be up for sale, regardless of a bug in the website or not, regardless whether it’s “only” for law enforcement, it’s a violation of the 4th Amendment. Period. End of discussion.”

    I concur: sale of real time location data on individual cell phone owners is an end-run on legal warrants and a danger to our legal system, but it gets worse from there.

    This idea probably branches into the new General Data Protection Regulation [GDPR] rules and many other situations. If a European traveler is in the States and using his mobile phone he could easily be real time location tracked. That would seem to break the GDPR rules. The mobile phone companies probably not only find his location in the States but provide information on his national home address which is connected to his cell phone billing process. The European traveler could also have his credit and banking records exposed because most cell phone companies do a credit check before allowing a customer to buy a cell phone and run up monthly calling bills.

    As Brian Krebs has stated some of the cell phone companies all provide not only real time location but some companies provide home addresses and even tax identification numbers to whomever is willing to buy them.

    That data would essentially make up a good portion of “Fulz” or full dark web information needed to commit banking fraud including “carding” and other various crimes. The would-be criminal would know approximately which zip code the individual was located in at the very minimum, which is now an important piece of data in the “carding” fraud game. Banks check the area that sketchy credit card transactions occur.

    Next, the physical danger of real time location data in the hands of malefactors is a danger which I am sure Brian Krebs would be aware of:

    “Wyden said the LocationSmart and Securus cases underscore the “limitless dangers” Americans face due to the absence of federal regulation on geolocation data. “A hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child’s cellphone to know when they were alone,” he said in a statement.”-APnews

    https://apnews.com/a60b6c98a1ff434883313469f4487639

    Or see Brian Krebs link to Wyden’s Choice words above.

    The dangerous combination of real time location tracking coupled with a cell phone number which then couples to credit-banking records is an explosive brew.

    Any important traveler to the USA could be tracked and exposed to fraud and physical danger described above. This doesn’t include USA military and law enforcement personnel being tracked in the USA for retaliatory purposes.

    Real time location tracking data for sale is not only a danger in warrantless searches but a danger to both American citizens and foreign visitors to the USA. Sooner or later this real time location data will be used by a Nation State actor, hacker, carder or swatter for nasty purposes.

  20. fred

    I disagree that legislators should be trying to protect people from their own apathy.

    If phone customers really care about this issue, they can place heavy market pressure on the providers.

    If they don’t care, then they don’t care. If you’re one of the few people who care, I’d suggest you stop carrying a location-tracking device.

    1. Reader

      Unfortunately, the barriers to entry for the mobile market include: high regulatory costs, tremendous advertising costs, technology investment, and a significant workforce investment.

      That limits how many mobile carriers exist.

      And that limits choice. And that means mobile companies don’t really have to obey consumer demands.

      Where there is limited choice, especially when that limitation can be partially blamed on government regulations, it’s reasonable to demand that government reduce barriers to entry (to increase competition).

      But they’ll never do that.

      So demanding a privacy law seems like a reasonable alternative.

  21. Yun

    The USA will in the near future be the same as the Soviet Union.
    100% sure about this.

  22. KrebsReader6000000

    I agree with poster Reader and reluctantly have to disagree with poster Fred.

    I would like to keep the government out of lives as much as Fred would but unfortunately it is the government that created the market for LocationSmart and Securus in the first place.

    Under the noble intention of keeping tabs on prisoners the government mandated cell phone location data be available to only authorized law enforcement. Securus and others took this opportunity to twist administrative policies into an unsafe surveillance business.

    Electronic Frontier Foundation on cell phone location data collection:

    “Securus’s Services Appear Designed to Circumvent Federal Laws that Protect Private Customer Data, Wireless telecommunications carriers are obligated by law to keep call location information so they can provide it in an emergency to first responders or the legal guardian or closest family in an emergency involving the risk of death or serious physical harm. But the same law also requires that every telco must protect the confidentiality of this information from unauthorized disclosure. FCC regulations expressly restrict telcos from sharing location information except where required by law, while providing the service for which the customer information was obtained, or with the express approval of the customer… Securus confirmed to Sen. Wyden’s office that its web portal enables surveillance of customers of every major U.S. wireless carrier. It also confirmed that, outside of a check box, it does not take any additional steps to verify that documents uploaded by law enforcement agencies provide proper judicial authorization for real-time location surveillance. Nor does Securus conduct any review of surveillance requests. That means it doesn’t matter what a Securus customer uploads to the web portal—it could be a cat video for all we know—they will still get access to the real-time location data of the target of their inquiry by checking the box—without any consequences or accountability for misuse. ”

    https://www.eff.org/deeplinks/2018/05/senator-wyden-calls-fcc-investigate-real-time-location-data-sharing-all-cellphone

    The government required a dubious and vast surveillance market to be created with little to no oversight. This is why the whole matter of widespread cell phone location data brokers should be highly restricted or probably outright nixed altogether by the government.

    The police got along fine before this invasive real time cell phone location were available and probably can get along using standard police work without push-button widespread surveillance. At the very least a public debate should be held and all ramifications of real time cell phone location data sale including all fourth amendment ramifications of real time cell phone location data sale of possibly every American.

  23. Midwestjones

    Correct me if I’m wrong but if I only share my Google Voice number, a Text Free Now number or any old VOIP number with everyone I’m offered some protection from this location based oversharing. The location information is based off a provider and my mobile/cell phone number – if you don’t have my AT&T/Verizon/Sprint/T-Mobile number you can’t find me.

    1. jay

      i think that’s the point here. nobody is looking for you individually, they’re just buying the data that tracks everyone. you included, most likely regardless of carrier. i would submit that that data isn’t theirs to sell or trade or barter, regardless of how little that data tells them about me. it’s MY data, not the carrier’s. carrier feels otherwise, time to find a new carrier (talking to you Verizon).

  24. John S

    I am not convinced net neutrality would have much bite in protecting privacy. Government has created many laws and regulations which have been ignored. The real problem is not we don’t have enough privacy laws, it’s that while many say they are concerned they really do not act like it. I don’t find too many leaving Facebook or Google because of privacy concerns. Google tracks precisely every Android user’s phone. It’s sort of the pot calling the kettle black. The questions about privacy are directly related to what people agree to and how they fail at knowing what that actually is.

  25. Wick

    A large number of the comments here from various commenters read as if they’re lifted directly from telecom lobbyist talking points.

  26. roger

    “Why Is Your Location Data No Longer Private?”
    short answer:
    Because under common law your location has never been private.

  27. mike

    Sorry that I have time only for about the first 1/3 of this article, at the moment.

    One problem that I noticed surrounding the discussion of Net Neutrality and its repeal is that the term refers to a handful of issues. That has created a lot of people talking past each other, using different definitions, rather than clearly discussing the different underlying issues separately and each for its own merit. Even Ben Shapiro screwed up the discussion by misconstruing the criticism of the repeal and then discussing only certain aspects of “Net Neutrality.” He, in particular, also missed that what the Obama admin. did was reclassify an existing regulation or law (not sure which) from 1996 (forgive me if I’ve got the date wrong, also I’m using “regulation” to refer to a bureaucratic requirement that Congress didn’t pass). Separating the individual issues would be much more productive than discussing NN as a whole. From what I can tell, BK has separated many of the issues here, but still discusses them as a set. Imagine each issue as a lightswitch. You may be fine with some switches on while others are a problem because they are off, or vice versa. The broad discussion has us toggling every switch to its opposite position, rather than checking each one to see if it needs to be moved and if it can be moved independently of the other switches. Hint: they can be, but we’re not doing that.

  28. Roger T

    If you want your mobile phone secured while at home just put it inside the microwave oven, with the same NOT running of course. Putting your wireless smartphone inside the microwave oven completely shields it from all pinging and external system GPS location traces.

  29. payrac

    The funny thing is, if you walk into a phone store or a computer repair shop and talk to a millennial about privacy issues, they think that you must be a gangster or terrorist.
