Wireless carriers are sharing your real-time location with shady third parties—and a bug lets anyone use that data to track you.
Stop me if you’ve heard this before: A giant company that relies on users to trust it with some of their most intimate personal data turns out to have been abusing that trust by passing that data on to shady third parties. And not just occasionally, but casually, and as a matter of course, on a massive scale.
The practice makes headlines only when it inevitably turns out that those third parties were quietly using the data in unauthorized and disturbing ways. And it comes to light not because the giant company discloses it but due to a leak on the third parties’ end.
That’s a rough sketch of Facebook’s infamous Cambridge Analytica scandal. But it applies equally to a new privacy scandal that’s getting far less attention—even though it potentially affects more people, involves more sensitive data, and has yet to be seriously addressed or resolved. Oh, and there’s no way to opt out of the data collection in question.
The story involves the real-time location-tracking data that the four largest U.S. wireless carriers collect on everyone with a mobile device. Basically, they know roughly where you are at all times, even if you don’t have your GPS turned on, based on the regular interactions between your phone and nearby cell towers. The carriers aren’t supposed to share that information without your consent.
But the New York Times reported earlier this month that a company called Securus Technologies was offering a service that allowed users to track people’s whereabouts in real time, using data obtained from the wireless companies through a pair of intermediaries. The Times reported that a Missouri sheriff had been using the service to keep tabs on 11 people, including fellow officers and a judge, without their knowledge and without a warrant. He’s now facing state and federal charges.
That’s just the beginning. Motherboard reported last week that Securus had been hacked, with the credentials of 2,800 authorized users stolen, most or all of them presumably working in law enforcement or at prisons. (Securus’ main business involves helping prisons crack down on inmates’ cellphone use.) It’s a safe bet that some of those users had access to the same location-tracking tools that the Missouri sheriff abused.
So how was Securus getting all that data on the locations of mobile-phone users across the country? We learned more last week, when ZDNet confirmed that one key intermediary was a firm called LocationSmart. The big U.S. wireless carriers—AT&T, Verizon, Sprint, and T-Mobile—were all working with LocationSmart, sending their users’ location data to the firm so that it could triangulate their whereabouts more precisely using multiple providers’ cell towers. It seems no one can opt out of this form of tracking, because the carriers rely on it to provide their service.
It gets worse. A Carnegie Mellon researcher poking around on LocationSmart’s website found that he could use a free trial service to instantly pinpoint the location of, well, just about anyone with a mobile phone and wireless service from one of those major carriers. He did this without any permission or credentials, let alone a warrant.
In other words, almost anyone could have used LocationSmart’s site to find the location of almost anyone else, at any time. LocationSmart subsequently shut down the service and told security blogger Brian Krebs that the vulnerability had not been exploited before Robert Xiao, the Carnegie Mellon researcher, did so. Of course, we’ve heard companies make similar claims before that turned out not to be true. (Krebs’ story is the one to read if you want to get the fullest possible picture.)