A new breach involving data from nine million AT&T customers is a fresh reminder that your mobile provider likely collects and shares a great deal of information about where you go and what you do with your mobile device — unless and until you affirmatively opt out of this data collection. Here’s a primer on why you might want to do that, and how.
Telecommunications giant AT&T disclosed this month that a breach at a marketing vendor exposed certain account information for nine million customers. AT&T said the data exposed did not include sensitive information, such as credit card or Social Security numbers, or account passwords, but was limited to “Customer Proprietary Network Information” (CPNI), such as the number of lines on an account.
Certain questions may be coming to mind right now, like “What the heck is CPNI?” And, ‘If it’s so ‘customer proprietary,’ why is AT&T sharing it with marketers?” Also maybe, “What can I do about it?” Read on for answers to all three questions.
AT&T’s disclosure said the information exposed included customer first name, wireless account number, wireless phone number and email address. In addition, a small percentage of customer records also exposed the rate plan name, past due amounts, monthly payment amounts and minutes used.
CPNI refers to customer-specific “metadata” about the account and account usage, and may include:
-Called phone numbers
-Time of calls
-Length of calls
-Cost and billing of calls
-Service features
-Premium services, such as directory call assistance
According to a succinct CPNI explainer at TechTarget, CPNI is private and protected information that cannot be used for advertising or marketing directly.
“An individual’s CPNI can be shared with other telecommunications providers for network operating reasons,” wrote TechTarget’s Gavin Wright. “So, when the individual first signs up for phone service, this information is automatically shared by the phone provider to partner companies.”
Is your mobile Internet usage covered by CPNI laws? That’s less clear, as the CPNI rules were established before mobile phones and wireless Internet access were common. TechTarget’s CPNI primer explains:
“Under current U.S. law, cellphone use is only protected as CPNI when it is being used as a telephone. During this time, the company is acting as a telecommunications provider requiring CPNI rules. Internet use, websites visited, search history or apps used are not protected CPNI because the company is acting as an information services provider not subject to these laws.”
Hence, the carriers can share and sell this data because they’re not explicitly prohibited from doing so. All three major carriers say they take steps to anonymize the customer data they share, but researchers have shown it is not terribly difficult to de-anonymize supposedly anonymous web-browsing data.
“Your phone, and consequently your mobile provider, know a lot about you,” wrote Jack Morse for Mashable. “The places you go, apps you use, and the websites you visit potentially reveal all kinds of private information — e.g. religious beliefs, health conditions, travel plans, income level, and specific tastes in pornography. This should bother you.”
Happily, all of the U.S. carriers are required to offer customers ways to opt out of having data about how they use their devices shared with marketers. Here’s a look at some of the carrier-specific practices and opt-out options.
AT&T
AT&T’s policy says it shares device or “ad ID”, combined with demographics including age range, gender, and ZIP code information with third parties which explicitly include advertisers, programmers, and networks, social media networks, analytics firms, ad networks and other similar companies that are involved in creating and delivering advertisements.
AT&T said the data exposed on 9 million customers was several years old, and mostly related to device upgrade eligibility. This may sound like the data went to just one of its partners who experienced a breach, but in all likelihood it also went to hundreds of AT&T’s partners.
AT&T’s CPNI opt-out page says it shares CPNI data with several of its affiliates, including WarnerMedia, DirecTV and Cricket Wireless. Until recently, AT&T also shared CPNI data with Xandr, whose privacy policy in turn explains that it shares data with hundreds of other advertising firms. Microsoft bought Xandr from AT&T last year.
T-MOBILE
According to the Electronic Privacy Information Center (EPIC), T-Mobile seems to be the only company out of the big three to extend to all customers the rights conferred by the California Consumer Privacy Act (CCPA).
EPIC says T-Mobile customer data sold to third parties uses another unique identifier called mobile advertising IDs or “MAIDs.” T-Mobile claims that MAIDs don’t directly identify consumers, but under the CCPA MAIDs are considered “personal information” that can be connected to IP addresses, mobile apps installed or used with the device, any video or content viewing information, and device activity and attributes.
T-Mobile customers can opt out by logging into their account and navigating to the profile page, then to “Privacy and Notifications.” From there, toggle off the options for “Use my data for analytics and reporting” and “Use my data to make ads more relevant to me.”
VERIZON
Verizon’s privacy policy says it does not sell information that personally identities customers (e.g., name, telephone number or email address), but it does allow third-party advertising companies to collect information about activity on Verizon websites and in Verizon apps, through MAIDs, pixels, web beacons and social network plugins.
According to Wired.com’s tutorial, Verizon users can opt out by logging into their Verizon account through a web browser or the My Verizon mobile app. From there, select the Account tab, then click Account Settings and Privacy Settings on the web. For the mobile app, click the gear icon in the upper right corner and then Manage Privacy Settings.
On the privacy preferences page, web users can choose “Don’t use” under the Custom Experience section. On the My Verizon app, toggle any green sliders to the left.
EPIC notes that all three major carriers say resetting the consumer’s device ID and/or clearing cookies in the browser will similarly reset any opt-out preferences (i.e., the customer will need to opt out again), and that blocking cookies by default may also block the opt-out cookie from being set.
T-Mobile says its opt out is device-specific and/or browser-specific. “In most cases, your opt-out choice will apply only to the specific device or browser on which it was made. You may need to separately opt out from your other devices and browsers.”
Both AT&T and Verizon offer opt-in programs that gather and share far more information, including device location, the phone numbers you call, and which sites you visit using your mobile and/or home Internet connection. AT&T calls this their Enhanced Relevant Advertising Program; Verizon’s is called Custom Experience Plus.
In 2021, multiple media outlets reported that some Verizon customers were being automatically enrolled in Custom Experience Plus — even after those customers had already opted out of the same program under its previous name — “Verizon Selects.”
If none of the above opt out options work for you, at a minimum you should be able to opt out of CPNI sharing by calling your carrier, or by visiting one of their stores.
THE CASE FOR OPTING OUT
Why should you opt out of sharing CPNI data? For starters, some of the nation’s largest wireless carriers don’t have a great track record in terms of protecting the sensitive information that you give them solely for the purposes of becoming a customer — let alone the information they collect about your use of their services after that point.
In January 2023, T-Mobile disclosed that someone stole data on 37 million customer accounts, including customer name, billing address, email, phone number, date of birth, T-Mobile account number and plan details. In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company.
Last summer, a cybercriminal began selling the names, email addresses, phone numbers, SSNs and dates of birth on 23 million Americans. An exhaustive analysis of the data strongly suggested it all belonged to customers of one AT&T company or another. AT&T stopped short of saying the data wasn’t theirs, but said the records did not appear to have come from its systems and may be tied to a previous data incident at another company.
However frequently the carriers may alert consumers about CPNI breaches, it’s probably nowhere near often enough. Currently, the carriers are required to report a consumer CPNI breach only in cases “when a person, without authorization or exceeding authorization, has intentionally gained access to, used or disclosed CPNI.”
But that definition of breach was crafted eons ago, back when the primary way CPNI was exposed was through “pretexting,” such when the phone company’s employees are tricked into giving away protected customer data.
In January, regulators at the U.S. Federal Communications Commission (FCC) proposed amending the definition of “breach” to include things like inadvertent disclosure — such as when companies expose CPNI data on a poorly-secured server in the cloud. The FCC is accepting public comments on the matter until March 24, 2023.
While it’s true that the leak of CPNI data does not involve sensitive information like Social Security or credit card numbers, one thing AT&T’s breach notice doesn’t mention is that CPNI data — such as balances and payments made — can be abused by fraudsters to make scam emails and text messages more believable when they’re trying to impersonate AT&T and phish AT&T customers.
The other problem with letting companies share or sell your CPNI data is that the wireless carriers can change their privacy policies at any time, and you are assumed to be okay with those changes as long as you keep using their services.
For example, location data from your wireless device is most definitely CPNI, and yet until very recently all of the major carriers sold their customers’ real-time location data to third party data brokers without customer consent.
What was their punishment? In 2020, the FCC proposed fines totaling $208 million against all of the major carriers for selling their customers’ real-time location data. If that sounds like a lot of money, consider that all of the major wireless providers reported tens of billions of dollars in revenue last year (e.g., Verizon’s consumer revenue alone was more than $100 billion last year).
If the United States had federal privacy laws that were at all consumer-friendly and relevant to today’s digital economy, this kind of data collection and sharing would always be opt-in by default. In such a world, the enormously profitable wireless industry would likely be forced to offer clear financial incentives to customers who choose to share this information.
But until that day arrives, understand that the carriers can change their data collection and sharing policies when it suits them. And regardless of whether you actually read any notices about changes to their privacy policies, you will have agreed to those changes as long as you continue using their service.
How do you opt out?
the article describes how for a few providers…
.I HAVE STRAIGHT TALK HOW DO I OPT OUT
no need to yell Michele, goddamn
No need to use profanity, OB. Unless, of course you are incapable of communicating without it.
Please standby. Brian Krebs will be right along to let you know. Or… you know, Google.
A simple way out is to dump your current provider and go with tingmobile dot com
Ting is a canadian phone company with a ‘Bring Your Own Device’ philosophy and even provide factory support to help you root your phone. They provide unlock codes on request, free of charge. Their plans are very reasonable. Mine is one of the older plans, so I typically only pay about $35/month with no limits
SIM swap attacks are virtually impossible at Ting, and they never sell data to 3rd parties
Great comment, Phil. I’ve switched to Ting a couple of years ago on the advice from Consumer Reports and am very pleased with them and their service. I bought an unlocked phone, and after signing up with Ting, they sent their SIM chip for me to install. Very easy. I wonder how their privacy policies compare to the major carriers Brian is discussing, since they use their networks.
I don’t think so.
At https://ting.com/terms, there’s no mention of CPNI.
Ting is a US company. Not Canadian.
And although they own and maintain their own database on customers for billing… the network they operate on, T-Mobile, still has all the same call records and usage data.
Ting is owned by Dish Wireless. I’ve been using them since 2013 and been very happy with their service. I have written them today asking about the issue raised in this article. https://en.wikipedia.org/wiki/Ting_Mobile#:~:text=Ting%20Mobile%20is%20an%20American,accounts%20use%20the%20Verizon%20network.
OK, a compelling WHAT & WHY… Where’s the HOW to do it?
Again, thank you for keeping an eye on nefarious tech for us.
I have an AT&T SIM card. My carrier is Consumer Cellular. Do I have to be concerned with this?
Thanks for the heads up. I checked the settings on my t-mobile account and discovered I had already done this.
If I were in charge, any company leaking, exposing, losing, data or suffering a breach of any other kind would, as part of its punishment, have to go to an all opt-in model, and consider all of its current data to have been opted out automatically.
They can probably think up dire consequences of that, but it’s better than none of us really knowing what they are spreading about us.
how about just have everyone opt-in
also, as a white hat hacker, i feel attacked by your username >:(
Maybe have a law to restrict selling of private data? Ohh wait, there’s money in it…capitalism at it best!
What about pre-paid services? Are they not privy to this since it’s effectively “burner” phones?
Or the opposite, you can’t opt-out without making an online account w/ PII?
POTS = plain old telephone service (CPNI dates from this time)
Phone Books are a Registry or Library Card Catalog. The problem is you can either believe the Registry or believe the bot (ChatGPT, Social Media, etc.) because you’re only “working” the “last mile”.
https://theconversation.com/ai-information-retrieval-a-search-engine-researcher-explains-the-promise-and-peril-of-letting-chatgpt-and-its-cousins-search-the-web-for-you-200875
—————— My Comment —————–
Right, it’s hard to tell where the Machine Learning ends and the “Artificial Intelligence” (guesses) begin.
The Library analogy is apt … for check-out minimally, but for check-in a ginormous hot mess: imagine that you redacted all the metadata from the book before returning it. Remember to scrape the Dewey Decimal off the spine …
Now imagine you work at the Dead Letter Office at the Post Office: same chore but Post Office jobs have better pay, health care and benefits …
I have H2O Wireless. Is there a way to opt out of CPNI use from them and the underlying providers like ATT who actually provide the service infrastructure?
I have same question regarding consumer cellular using att sim card
In TMobile I had to go into numerous places to opt out. There does not appear to be a single opt out choice. For example, I needed to opt out separately from selling personal information, using data for research, sharing aggregated data, and sharing relevant data for ads. Then I needed to go to a separate page to opt out of having data given to external ad sources. That page never loaded. And, in order to update my marketing preferences I needed to re-log in. Still not sure if I turned everything off.
I’m suspicious of the durability and longevity of such opt outs. I think they are good to setup but don’t put much faith in them.
I take a different approach. I have apple devices and use the following to limit PII transfer:
– turn off remote content in Safari;
– Apple Hide My Email (for a random unique email address for the profile on each site). If you have a long time dem address that is something like firstname.lastname@xyz.xy replace it for entities (like friends) that don’t need it.
– Apple iCloud (2-hop) Private Relay for simple anonymity when I’m using Safari. Set it to he less specific country any time zone);
– Practice PII minimization on all websites. E.g. remove phone number where it not needed for 2FA (i.e. use 2FA via Apple Authenticator or email where offered. Pro-tip: where google auth or Authy is suggested, Apple’s authenticator works fine too),
– Shorten your name where not necessary, or if not a critical site give yourself a fictitious name and birthday; don’t enter your address it’s not needed. Obviously some sites need a full suite of Pii but the vast majority don’t.
– although it doesn’t apply to the man in the middle spying or breaches, if you use the Apple authenticator, copy recover codes and paste in the little notes section for each site in the Keychain. Similarly, for sites that still use challenge questions, use nonsense answers and document them in the Keychain’s notes section as well.
You can go a long way toward upping your security and privacy game if you do these things.
–
You cannot opt out of the third-party caller ID processors that all mobile providers use, and it is not mentioned in their privacy policy. So every call or text you get, and your contact list, third parties have access to that, and likely share without your consent.
Does no one ever read TOS? Look at what Netflix is doing on your network. (Blocked in my house)
ok, i just read it. nothing nefarious there.
I had already done what you mentioned for T-Mobile, but I hadn’t gone to here: https://www.t-mobile.com/dns and enabled
“Do not sell or share my personal information”.
CPNI for Verizon does NOT “apply” to residents of Arizona….hmmm…why?…..
Not sure it’s a complete answer, but look at this:
https://azcc.gov/utilities/telephone/customer-proprietary-network-information
If I the read it right, the Arizona Corporation Commission barred the use of the “opt out” approach to CPNI in the mid-2000s. Verizon is using “opt out” everywhere else but they have to use “opt in” in Arizona.
Burner phone aka pre-paid with cash. That is how you protect your privacy. Everything else from the government (aka corporate shills) is kabuki theater.
I have found an Att&T family app on my cell phone. I uninstall it and it comes right back. It is a hidden app and wasn’t easy to locate. Att&T isn’t my service provider for my cell phone. The app states that it allows the “parent” to control and see all aspects of the device. It’s a nightmare. I am now a victim of identity theft and I still can’t get rid of the app. Att&T also showed 2 accounts with the same account number through Direct TV and were double billing me each month. When trying to discuss this issue with them it became clear that due to overseas communication call centers I was fighting a loosing battle. I had the service disconnected and they are calling me almost two years later to try and collect more money from me. I also received a welcome packet from ATT & T welcoming me to their phone service. The letter was not in my name but my address and social security number. A few days later I received a sim card to put into my “new Att&t phone” that I didn’t have nor did I sign up for.
Very useful information. Thanks Bryan.
It seems like the proposed fcc rule “…seeks comment on the following issues as they relate to TRS providers: Whether to adopt a harm-based trigger for breach notifications”
If they adopt a harm based rule I bet that would limit notifications.
Also, I tried for a whole 5 minutes before giving up on trying to post a comment with the FCC prior to the comment period expiring on the 24th. Brian, I encourage you to (continue to) help educate your readers on how to take action regarding the things you report on. The articles I find most engaging are those where I take some further action after a good read.
Thanks for this one Brian!!!
Thanks Brian this is a good one! You are indispensable Sir
Thank you, Brian. This is a very useful article.
I have AT&T and got notice of that breach. I thought this article was great and I used the link to limit use at AT&T.
It refused me and said my account “was not eligible”?! WTH?!
Another example of corporate America’s great efforts to protect consumer data. The level to which a corporate America will protect your data is all based on financial decisions, ethics and logic have nothing to do with the equation.