by Karl Bode – Wed, Jun 20th 2018
When the Facebook, Cambridge Analytica scandal broke, we noted that however bad you thought that scandal was (and it certainly was bad), it couldn’t hold a candle to the routine privacy abuses that have occurred in the telecom sector for the better part of the last few decades. From charging consumers hundreds of additional dollars annually to opt out of snoopvertising, to the use of private user financial data to justify providing even worse customer service, the broadband industry has long been the poster child for privacy abuses without much in the way of practical public penalty.
It’s just as bad on the wireless side, where carriers like Verizon have routinely been caught modifying user data packets to track users around the internet (without telling them or providing opt-out tools), and selling user browsing, app-usage and location data to everyone that comes calling. That’s before you even touch on the fact that these companies are practically bone grafted to the NSA and other intelligence services.
As such, we noted how if you were part of the #DeleteFacebook set but were still rolling around using a stock phone on an incumbent carrier network, you failed to understand that Facebook’s casual treatment of private consumer data was the cross-industry norm, not some errant exception.
The LocationSmart and Securus scandals (which exposed the data of 200 million cell users) quickly proved our point. Thanks to lax handling of private location data by cellular carriers and third-party brokers, those scandals quickly highlighted how anonymized data isn’t really anonymous, and this data can be and is routinely abused by everybody in this chain of dysfunction (including law enforcement). Oddly, even in the wake of those reports, people still seemed to view the Cambridge, Facebook fracas as somehow far more scandalous, most likely because of that particular story’s political undertones.
Clearly hoping to get ahead of the scandal before the press, public and regulators realized the depths of this particular rabbit hole, Verizon proclaimed that the company would be ending all sales of location data to third party data brokers. The company announced the decision (pdf) in a letter responding to inquiries by Senator Ron Wyden, who had begun to apply some pressure on mobile carriers. From the letter:
“We conducted a comprehensive review of our location aggregator program. As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices.”
Verizon announced it would be suspending all data sales to location data brokers like LocationSmart and Zumigo, which the company acknowledged sold that data in turn to a roster of more than 75 different companies. And, in short, it’s promising to suspend such data sales at least until it can ensure that data is actually secure (what an incredibly novel idea). Who’ll actually confirm this data is secure before the program is restarted isn’t clear; you’ll apparently just have to trust a company with a several-decades history of severe privacy violations and blatant false statements.
Like the Facebook scandal, there wasn’t much in place to really ensure that often real-time data remained protected, something made clear when the LocationSmart scandal revealed that one Missouri Sheriff routinely (ab)used the system to spy on Judges and fellow law enforcement officers without much legitimate justification (or pesky warrants). In subsequent statements to the press, Verizon has tried to argue that the company quickly took steps to thwart the abuse:
“When these issues were brought to our attention, we took immediate steps to stop it. Customer privacy and security remain a top priority for our customers and our company. We stand by that commitment to our customers.”
But again, this was Verizon only acting after the horses escaped from the barn, suggesting that no, privacy and security were not a top priority. If Verizon’s self-auditing was so stellar, it seems curious it never self-identified the potential for the kind of abuse the LocationSmart and Securus scandals revealed. Or the self-audits did reveal problems, but the money made from selling this data made actually fixing them a low priority. Knowing Verizon pretty well, it seems clear it wouldn’t be taking this kind of financial hit if its lawyers didn’t realize the company was potentially facing some pretty steep penalties here.