random6547545 · 7 years ago
Throwaway account.

I work in location / mapping / geo. Some of us have been waiting for this to blow (which it hasn't yet). The public has zero idea how much personal location data is available.

It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.

This is then usually (but not always) "anonymized" by cutting it into ~5 second chunks. It's easy to put it back together again. We can figure out everything about your day from when you wake up to where you go to when you sleep.

This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

Almost every web/smartphone mapping company is doing it, so is almost everyone that tracks you for some service - "turn the lights on when I get home". The web mapping companies and those that provide SDKs for "free". It's a monetization model for apps which don't need location. That's why Apple is trying hard to restrict it without scaring off consumers.

jandrewrogers · 7 years ago
I can confirm this is happening, I designed some of the analysis systems used. Contrary to what many people assume, this is not just a US thing. It is done throughout the industrialized world to varying degrees, including countries where most people believe privacy protections disallow such activity. Governments tacitly support it because they've found these capabilities immensely useful for their own purposes.
stef25 · 7 years ago
> for their own purposes

Such as?

If this also happens in the EU and is as blatant as you say it is and with GDPR and all, surely this is just waiting to blow up?

pcarolan · 7 years ago
You and op work for companies you seem to fundamentally disagree with. Can you say why you don’t leave? Asking not out of judgment but to understand.
sfrancisbjr · 7 years ago
I am a journalist and want to know more about how hedge funds use/abuse this. Please get in touch if you have first-hand knowledge: fbajak@ap.org.
sfrancisbjr · 7 years ago
I am a journalist and would like to know more. Reach me at sfrancisbjr@gmail.com if you can help.
Mononokay · 7 years ago
Do you feel guilt over creating them?


heurist · 7 years ago
I'm in the space as well. I've tried telling my congressmen but they ignore me. I'm waiting for the backlash, especially with all the recent privacy issues. It hasn't happened yet and the problem is so large that I honestly doubt whether the public will ever truly grasp what the scope is.

The advice I always give when this topic comes up is to be very careful with what you install on your phone. The least expensive mobile location data tends to come from random apps collecting the data to sell it, and ad networks. Permission to use your GPS is permission to track you until you uninstall the app.

ethbro · 7 years ago
If you're willing to have your name attached to this, if / when it does finally blow up, please make an effort to talk to news organizations about who and when you initially reached out to congress people.

If you're not comfortable with your name being publicly attached, at least give news orgs the information and request confidentiality.

Part of the reason congress people can punt is that the cost of inaction < cost of action before it penetrates media.

A big part of shifting that equation is starting to publicize "You had all the information available now on X date and did nothing" as loudly as possible. Naming and shaming has been healthy for vulnerability disclosure.

88e282102ae2e5b · 7 years ago
Are you able to send them a copy of their individual location data, or the location data of their staffers/friends/family? That might make for a potent wake up call. Though, you'd want to run that by an attorney first.
michaelt · 7 years ago

> I'm in the space as well. I've tried telling my congressmen but they ignore me.

If you have hard evidence, forward it to the journalist or newspaper that broke a similar recent story, or whose reporting of that story you respected.

Maybe you can find a journalist you respect for their reporting on Cambridge Analytica, the Paradise Papers, Edward Snowden and so on?

gcb0 · 7 years ago
that's only the low end. app gps usage shows up on the UI.

the article discusses when the ISP/telco sells the data that you have zero visibility on. there's no way to get around this.

btw, apple and google ad spyware process (google play service) will collect gps and wifi data without any user visible UI, not to mention download ads in the background.

sizzle · 7 years ago
Thanks for the tip. I've made a habit of turning off location services on Android once I'm done using navigation (Waze), do you know if this sufficiently blocks all background tracking for apps I've consented to allow GPS location tracking? Thanks.
Frondo · 7 years ago
What about a state senator or representative? Could your state start enacting a privacy framework, that would apply to businesses that wanted to do business in your state? Sort of like California emissions for cars.


hunter23 · 7 years ago
Can you name and shame the congressmen that ignore you?

Or can you make a tip to one of the newspapers? Given the facebook privacy news saga this might get picked up.


apozem · 7 years ago
Talk to a congressperson who knows about cyber like Ron Wyden.
gruez · 7 years ago
>It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.

so what's the flow here? is it something like this?: phone gps -> manufacturer installed crapware app -> crapware server -> (various third parties)

wouldn't this be mitigated if you use a custom ROM like lineageos?

dude123456 · 7 years ago
some of the crapware can be avoided by using custom ROMs, but not all of it. For example: Qualcomm IZat location services and other location-based trustzone applets remain running even on custom ROMs.
wpietri · 7 years ago
For those who want to try out LocationSmart, you can use it here: https://www.locationsmart.com/try/

They were about two blocks off, and located me by cell tower. Apparently they don't have (or at least don't admit to having) A-GPS level data for me.

ballenf · 7 years ago
Tested and same result.

I have a strong suspicion that it intentionally places you some distance from where it knows you actually are. Unless there is some underlying reason why it would never be 100% accurate -- I've seen dozens of people post their results and every time it's 1-300 meters off.

And it's not just "no one tests while under the cell tower" because the location it gave me was 150 meters in the opposite direction of the cell tower that I can see out my window. And the location it gave was smack in the middle of a neighborhood I know well and know to be free of cell towers. Or I'm just paranoid.

dmichulke · 7 years ago
I'm somewhat wary. This might be the final missing piece to connect your mobile phone number to your mobile browser user agent, or even worse, your desktop browser agent.
sjs7007 · 7 years ago
Just tried it and was pretty accurate for me as well. How is it even legal for our cell phone providers to sell this data...?
kevcampb · 7 years ago
Can you post the SMS opt-in message you received? Curious as to whether this is exploitable as well
bgw · 7 years ago
mine was 4.5 miles off
satariano · 7 years ago
I'm a journalist interested in learning more. Please reach out. Will keep confidential. adam.satariano@nytimes.com
robk · 7 years ago
^^^ this is what to do if you've got info relevant
raesene9 · 7 years ago
if you want to get it to blow up then (based on past experience of what seems to catch regulator/legislator interest) I'd say that someone tracking the locations of a load of politicians for a while, finding things of interest about places they've visited and then publishing on a news outlet would do the job.
tzs · 7 years ago
Your approach starts off by making the very politicians that you want to help you extremely pissed off at you.

More effective would be to track a few key politicians, such as those on the committees that would deal with regulating these things, and also a few reporters who have agreed beforehand to participate.

Then the tracking on the politicians is turned over to the politicians, but NOT made public. The reporters write stories about this, illustrating the tracking detail by publishing what it showed about them.

This approach gets the news out to the public, personally shows the key politicians the scope of the issue (and that they are vulnerable too), and lets the public know that the politicians have seen proof of how serious the issue is so that the politicians know that they need to get to work on this because their opponents come the next election will certainly be gearing up to use it as an issue if they do not.

erw1 · 7 years ago
Will it blow up, even if the public is aware?

When Snowden revealed the extent of NSA activities, it caused a momentary uproar but the people moved on pretty quickly after that. As far as I know (and let me know if I am wrong!!), there was no fallout for the government, and business continues as before.

So I am not sure if people will care this time either.

ajb · 7 years ago
Malte Spitz (German politician) did this to himself in 2010: http://www.dw.com/en/german-politician-reveals-six-months-of...
fhood · 7 years ago
Good way to lose your job very quickly. I don't think we should have to rely on somebody sacrificing themselves to make a difference.
sydd · 7 years ago
And how can I buy this realtime data? Also

> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.

Any articles/webpages about this one? Or a company name who is doing it?

throwawaymath · 7 years ago
Pinsight is a big one.

But there are too many to name. In 2018, you should assume that any free service (Unroll.me), web/mobile SDK (Slice), email client (Airmail), personal finance tracker (Mint), integration API (Plaid), geolocator (Foursquare), etc is monetized by selling your data en masse for market research.

It's not just location data. Dig into the TOS of free services you use. It's your receipts, your transactions, your subscriptions...all are "anonymized" to varying degrees of success. Even Meraki, the network router/switch company, sells location data.[1]

____________________________________________

1. https://meraki.cisco.com/technologies/location-analytics

dude123456 · 7 years ago
Any company that sells you access to ad real-time bidding. You connect to an event fire-hose that gives you a nice standardized json for each ad target, with plenty of data about the user (including geolocation), and you choose whether to bid or not on each ad, in realtime.

It is an open standard:

https://www.iab.com/guidelines/real-time-bidding-rtb-project...
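
The bid-request JSON described in the comment above carries location and device identity in a few fixed places. The following is an added example, not code from the thread or from the IAB: it lists those fields in an OpenRTB 2.x style request and coarsens them, as a publisher-side proxy might before forwarding. The sample request, the function names, and the choice of two decimal places and /24 (IPv4) or /48 (IPv6) truncation are assumptions.

```python
import copy
import ipaddress

# Constructed sample shaped like an OpenRTB 2.x bid request; not captured traffic.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.flashlight"},
    "device": {
        "ifa": "00000000-aaaa-bbbb-cccc-000000000001",  # advertising ID
        "ip": "203.0.113.57",
        "lmt": 0,
        "geo": {"lat": 47.620506, "lon": -122.349277, "type": 1, "accuracy": 12},
    },
    "user": {
        "id": "u-constructed-1",
        "geo": {"lat": 47.620506, "lon": -122.349277, "type": 1},
    },
}

# Keys that persistently identify a device or user, per parent object.
IDENTIFIER_KEYS = {"device": ("ifa", "ip", "ipv6"), "user": ("id", "buyeruid")}
# Keys inside a geo object that pin down a position.
GEO_KEYS = ("lat", "lon", "accuracy", "zip")


def audit(req):
    """Return the dotted paths of locating/identifying fields present in req."""
    found = []
    for parent, keys in IDENTIFIER_KEYS.items():
        obj = req.get(parent) or {}
        found += [f"{parent}.{k}" for k in keys if k in obj]
        geo = obj.get("geo") or {}
        found += [f"{parent}.geo.{k}" for k in GEO_KEYS if k in geo]
    return sorted(found)


def truncate_ip(addr):
    """Zero the host part: /24 for IPv4, /48 for IPv6 (assumed policy)."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def coarsen_geo(geo, decimals=2):
    """Round lat/lon (2 decimals is roughly 1 km) and drop accuracy and zip."""
    out = {k: v for k, v in geo.items() if k not in ("accuracy", "zip")}
    for k in ("lat", "lon"):
        if k in out:
            out[k] = round(float(out[k]), decimals)
    return out


def minimize(req, decimals=2):
    """Return a copy of req with location coarsened and stable IDs removed."""
    out = copy.deepcopy(req)
    for parent in ("device", "user"):
        obj = out.get(parent)
        if isinstance(obj, dict) and isinstance(obj.get("geo"), dict):
            obj["geo"] = coarsen_geo(obj["geo"], decimals)
    device = out.get("device")
    if isinstance(device, dict):
        device.pop("ifa", None)
        for k in ("ip", "ipv6"):
            if k in device:
                try:
                    device[k] = truncate_ip(device[k])
                except ValueError:
                    del device[k]  # malformed address: drop rather than forward
    user = out.get("user")
    if isinstance(user, dict):
        for k in ("id", "buyeruid"):
            user.pop(k, None)
    return out


if __name__ == "__main__":
    print("before:", audit(SAMPLE_BID_REQUEST))
    cleaned = minimize(SAMPLE_BID_REQUEST)
    print("after: ", audit(cleaned))
    print(cleaned["device"])
```
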

meritt · 7 years ago
Advan, Reveal Mobile, QuestMobile, Pinsight, Streetlight Data, RootMetrics, OpenSignal, SafeGraph are a few of the companies selling various forms of mobile user location data.
pteredactyl · 7 years ago
Most funds actively try to stay out of the media. For some it's a core strategy.

( "Out of sight, out of mind" )

Lionsion · 7 years ago
>> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.

> Any articles/webpages about this one? Or a company name who is doing it?

Foursquare does it, there were some articles last year about how they pivoted to providing that data. They were able to accurately predict Chipotle customer declines after their food contamination scandals.

I'm not sure if they use this carrier location data, or just the data from the people who are still using their app.

Edit: here's one: https://www.washingtonpost.com/news/innovations/wp/2016/04/2...

rinze · 7 years ago
> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

I initially thought this was too far fetched but then I started duckduckgoing* and found this: https://www.fnlondon.com/articles/regulators-campaigners-sou...

* If 'googling' is a verb, why not this.

hbosch · 7 years ago
I read just recently that one of Foursquare's biggest revenue slices is selling their users check in data to hedge funds. On a previous HN post, one commenter claimed the app Robinhood sells their order flow through clearing houses, which the net result is hedge funds and other such firms trade off of — under the assumption that Robinhood investors are emotional rather than educated.

Hedge funds in general seem like a major consumer of retail data, which makes sense. Home Depot just announced earnings: imagine if you knew exactly how many people went into Home Depot, walked out empty handed, and then went to Lowe’s... how you could profit off that data in the market.

tekstar · 7 years ago
Is this happening with iPhone as well, or primarily android due to the third party nature of the hardware?
matwood · 7 years ago
The problem is once it's at the cell carrier level it doesn't even matter if you use a dumb phone. They know roughly where you are based on tower triangulation.
random6547545 · 7 years ago
It's android for the hardware manufacturers and OS crapware getting location data.

For iOS, assume every app using your location is selling the data. That means every app using a map or location smoothing SDK (GPS jumps around, there are services to smooth it out), since the map SDK providers (and there's not many) are selling your data even if the app itself isn't.

Google, Apple, Microsoft etc are pretty careful for good reason. Anyone below that is probably selling it.

205guy · 7 years ago
The original article seems to be saying that the carriers track and sell phone location by cell triangulation ("less accurate than using GPS, but cell tower data won't drain a phone battery"). This is less accurate, as seen by the example of "within a city block."

The parent comment seems to be saying that the OS and apps use the internal GPS data to get a much more accurate location, which is then freely transmitted somehow and shared and sold. My question is to clarify that this more accurate data, needed to enable the "walk into specific store" scenario, can only be obtained via data (eg 3G, LTE, or wifi)?

Therefore not buying a data plan or turning off cellular data manually should prevent the GPS-accuracy tracking, but the only way to prevent the less accurate cell-tower tracking is to use a faraday cage.

mr_toad · 7 years ago
Or just turn off location services when you’re not using them.

Turning off Google Now & location services will radically improve battery life on standby.

stef25 · 7 years ago
Allow me to ask some questions :)

> It's not just your cell carrier

No reason to think this is only US right?

> cell phone chip manufacturer, GPS chip manufacturer

How & when is this transmitted and what other data apart from lat & long?

> pretty much anyone on the installed OS [...] is getting a copy of your location data

You mean the devs of whatever app is installed on the phone? The outgoing data should be visible in things like Charles proxy, right?

Is this analogous to FB data being available to any dev that gets permission to access your profile?

> It's normal to track hundreds of millions of people a day and trade stocks based on where they go

Whaaa ... ? Do explain, fascinating.

Can this all be mitigated by those smartphones-hardened-for-criminals type devices?

com2kid · 7 years ago
> Whaaa ... ? Do explain, fascinating.

The stock trading I've heard of, and even seen news articles about before.

Location tracking lets stock traders know how well a store is doing well before public results are announced. If foot traffic is down at a store, time to sell off (or short) the stock before it becomes publicly known.

throw000013 · 7 years ago
Defense contractors have been using this capability for competitive intelligence for the last few years. Namely performing surveillance of contractors both internal and external to their company. Private investigators are using the same capability for similar purposes, especially for litigation support. “How” is never required to be revealed in court because the primary purpose is to find information that will “encourage” the other party to not go to court. If there was a way to audit queries/lookups performed against specific telephone numbers I think a lot of people would be shocked.
Darthy · 7 years ago
This is a problem with the GSM/UMTS standards themselves. Carriers always know where you are, but one could create a standard where they wouldn't have to know unless you make a call. With enough encryption and effort, I'm pretty sure one could even create a standard where carriers would never know where you are, even while you are using services.
codedokode · 7 years ago
Would not it be easier to ban anyone from using this location data for anything except explicitly permitted by law? The problem is not with standards, the problem is with people.
droopybuns · 7 years ago
How does one determine which tower to route an incoming call through, in your model? How could roaming work?

Spoiler: I don’t think doing what you are describing is feasible.

Gaelan · 7 years ago
> where they wouldn't have to know unless you make a call

Presumably this is actually "unless you make a call or use data"?

sp332 · 7 years ago
They have to know your location if you want to receive a call.
avoutthere · 7 years ago
How can one prevent this and still carry a cell phone? Would keeping one's phone in a faraday bag defeat this constant tracking?
awelkie · 7 years ago
I don't think it's possible through technological means to avoid being tracked and still use a wireless network. Even if you could anonymously authenticate to the network, if the base stations have a large number of antennas then they can locate the physical origin of your signal and track you that way.

It may be possible of course through other means, like government regulation or only using carriers that have some guarantee of privacy.

mr_overalls · 7 years ago
A good start would be using a prepaid mobile phone (paid with cash, via an intermediary to avoid appearing on store CCTV), plus using phone apps that are not tied to your real identity. A Faraday bag for the phone when it's not in use.

Honestly, it just depends on how paranoid you want to get, and who your adversary is.

checkyoursudo · 7 years ago
Yes, electrostatic shielding will stop the signal, which will also prevent incoming calls/msgs/etc.
beamatronic · 7 years ago
Taking the battery out?
codedokode · 7 years ago
Switch to flight mode.
random6547545 · 7 years ago
Yes. But switching off location will probably do it too.
cryoshon · 7 years ago
okay, so, to cut to the chase here: how do we disrupt or destroy the companies doing this?

it isn't acceptable that they are taking advantage of us in this way.

we can't expect any political solution to the problem, which leaves us to pursue other means if we want to protect ourselves.

is there a way to introduce fake data or noise? what about opting out?

is there a law being broken here that we can make into a lawsuit? i wonder if there is a precedent regarding restraining orders or unwanted surveillance by private entities...

nerdponx · 7 years ago
> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

Honestly, this is the least bothersome part of the whole thing. The only problem is that there's no way I trust anyone involved to properly anonymize and secure the data in question.

joshdance · 7 years ago
I agree some of this is happening but some things don't add up.

Is there a huge delay in this data? Because why don't law agencies use it to find criminals? Like I have 2 crimes at these two locations. Who was around these 2 locations at these times etc.

But if hedge funds are trading on it, they need very low latencies?

reverend_gonzo · 7 years ago
> But if hedge funds are trading on it, they need very low latencies?

Not quite. Hedge funds aren't trading real time on this data. They use this data to essentially figure out how a business is doing before they announce that information. Essentially, if x% of our data went to Chipotle in 2016 and y% went in 2017, and y >> x, then we expect Chipotle's earnings to be higher.

nlowell · 7 years ago
You might be confusing hedge funds in general with the strategy of high frequency trading. Not all funds trade at high frequency.
Jill_the_Pill · 7 years ago
Law agencies are using it, with some controversy:

https://www.wral.com/Raleigh-police-search-google-location-h...

Aging_Engineer · 7 years ago
RE: "That's why Apple is trying hard to restrict it without scaring off consumers" Don't you understand why Apple V-2 (the one who works for shareholders, not users as Apple V-1 did) is trying to restrict APPs from selling your information? It's because they are competing with Apple, who is trying to sell the same information for maximum revenue. Everything at Apple V-2 is driven by greed and profit. If looking good publicly is needed to generate sales, they'll also try to do that. But what happens behind closed doors doesn't necessarily match the promoted image. (yes I'm cynical. I've been around long enough to recognize the BS happening).
vertexFarm · 7 years ago
Making a cell phone out of a pi with a sim card and gps daughter board is sounding less and less crazy each day. Really looking forward to when the librem phone starts shipping. I wonder if they've really been thorough enough vetting hardware for those bare-metal security issues.

This is at once staggering and completely unsurprising that companies would violate user trust in such a way and sell data without proper vetting that exploits people and could potentially put them in danger. Yet another episode in the misadventures of techno-illiterate regulation and totally unread TOS agreements.

xyzzy_plugh · 7 years ago
Even a RPI won't help you unless you can build all of the software for the microprocessors which drive the wireless stack. Even then, vendors (e.g. Qualcomm) will already have their software on the chip when you get it.

A completely open spec, open source set of components is what the community has desired for a long time. As standards get more complex and evolve faster, 4G and beyond, it becomes less possible to keep up in the open.

trophycase · 7 years ago
And the complicit employees letting them get away with it.
sfrancisbjr · 7 years ago
I am a journalist and want to know more about how hedge funds use/abuse this. Please get in touch if you have first-hand knowledge: fbajak@ap.org.
L_Rahman · 7 years ago
How much of this data is archived and searchable?

Most of the descriptions of the service so far indicate a real time or near real time feed. I'm curious if it's possible to go take a phone number and ask "give me location data for this person around xx:xx at yyyy-mm-dd."

yawz · 7 years ago
Isn't this covered under CPNI [1]? Something that consumers can opt out?

[1] https://www.wikiwand.com/en/Customer_proprietary_network_inf...

baxtr · 7 years ago
Wow, thanks for sharing. Does it make a difference if I use an Android phone vs the iPhone?
JTbane · 7 years ago
These days it seems like you need to remove all the batteries from your phone/smartwatch/assorted botnet devices to get any sort of privacy.

And then you'd still have a half dozen CCTV cameras on you.

polishflash · 7 years ago
I am a journalist for a major news organization and would like to know specifics about hedge funds and the like and how they use this data. Reach me at sfrancisbjr@gmail.com
jakubp · 7 years ago
What specific data about the person is traded alongside their location history in the... schemes that you describe? (name? Some govt ID number? Phone number? Address? ....)
totalrobe · 7 years ago
>Almost every web/smartphone mapping company is doing it

Are you aware of any device vendors and/or providers that aren't doing this?

ddtaylor · 7 years ago
Likewise ISPs are selling sensitive DNS data like crazy and most users probably think the green lock keeps them safe from that.
Ntrails · 7 years ago
> That's why Apple is trying hard to restrict it without scaring off consumers.

Do you have any details on this?

willstrafach · 7 years ago
No, that is an entirely different matter regarding far more precise location information.
sfrancisbjr · 7 years ago
I am a journalist and would like to know more. Reach me at sfrancisbjr@gmail.com if you can help.
sfrancisbjr · 7 years ago
I'm a journalist and would like to know more. Please contact me at fbajak@ap.org
foobaw · 7 years ago
Ah yes I've personally seen this while working at an OEM. There are a lot of other insane things happening on a phone like CIQ. FYI, listening to users via microphone is one thing that actually does not happen.
justaguyhere · 7 years ago
Is it this bad in other countries too? Or just U.S?
dcreemer · 7 years ago
The article mentions Canadian carriers too.
jiveturkey · 7 years ago
i’m not quite following. are you saying that individual, identifiable location data is being collected and sold?
addflip · 7 years ago
It's funny that this is coming up now. The other day I was on the phone with Geico's roadside assistance and they wanted to know my location. I told them I didn't have their app downloaded, they said it wasn't a problem and they could get it without it. Sure enough they could. I checked their disclaimers [1] and they purchase the data from my cell carrier. They didn't even have to know which one.

[1] https://www.geico.com/web-and-mobile/mobile-apps/roadside-as... (see disclaimers at the bottom)

limsup · 7 years ago
Wow. The fact that they can just get this with "oral approval" (relayed by them to your carrier) is shocking to me. This is ridiculous.
mdhardeman · 7 years ago
The other respondents to this message more or less have it right.

The way this stuff works is that when GEICO signed the deal to get access to this, they pinky-swore in a contract to only use the data certain ways.

Often, the representatives on both sides of such transactions even have a wink-wink nod-nod deal going which is different from what the contract materially represents.

Importantly, these contracts virtually always avoid talking about mechanisms for tracking such usage, auditing such usage, and even any remedies for violations (beyond discontinuing the service access - and then only if it's egregious).

You'd be amazed how much in the telecom world is handshake and contractual with no technological enforcement and often neither side of these agreements are incentivized to enforce the terms laid out.

The parts of these agreements that are solid is how transactions, events, etc are measured and what these cost and who pays and how. Shocking, that.

jellicle · 7 years ago
They don't need oral approval or any approval. GEICO is only asking so that their customers won't freak out when GEICO magically knows where they are. The customer service rep probably had the data up on their screen already when they asked.
8_hours_ago · 7 years ago
I believe the relevant T-Mobile privacy policy (that I definitely read before signing up...) is:

"With your consent. We may provide location-based services or provide third parties with access to your approximate location to provide services to you." https://www.t-mobile.com/company/website/privacypolicy.aspx

That is why a text message confirmation is required to get a cell phone's location from https://www.locationsmart.com/try/

For those on T-Mobile, there are privacy settings that can be adjusted here: https://my.t-mobile.com/profile/privacy_notifications/advert... I already had all of them disabled, and I was still able to get the location of my cell phone from LocationSmart.

I chatted with T-Mobile support yesterday to see if I could opt-out of them sharing my data. Not surprisingly, the support agent was less than helpful. "Don't worry, your data is secured"

Are there any US carriers that respect privacy and do not share private information with 3rd parties? Or is that a pipe dream?

aarongray · 7 years ago
I think the ACLU did a report a while back and Cricket Wireless was the best largeish cell phone provider.

Provider comparison: https://privacysos.org/blog/how-long-does-my-phone-company-s...

Study details: https://privacysos.org/blog/att-stores-either-five-or-twenty...

8_hours_ago · 7 years ago
Cricket's Privacy Policy looks much better than T-Mobile's or Google Fi's:

"We will not sell your personal information to anyone, for any purpose. Period." https://www.cricketwireless.com/privacy

But they also say that they may share personal information (which may include location??) to 3rd parties with user "consent":

"Do you share my Personal Information with other companies for them to market to me?

We may share your Personal Information with AT&T and other AT&T affiliates for a variety of purpose, including so that they can market products and services to you. Except for AT&T and other AT&T affiliates, we will not share your Personal Information with other companies for them to use for the marketing of their own products and services without your consent."

Can someone with Cricket Wireless see if LocationSmart has access to their location https://www.locationsmart.com/try/ ?

13of40 · 7 years ago
Did T-Mobile have a breach recently? I got malware on one of my machines a year or so back and had to change my passwords everywhere, and T-Mobile was one of the two sites that was so assed-up I couldn't actually change it. I clicked your privacy link earlier and had to go through two separate SMS verifications and change my password because they said it was "old".
mohaine · 7 years ago
Well, the locationsmart fails completely on my Google fi phone.
8_hours_ago · 7 years ago
Switching from T-Mobile to Google Fi might be jumping out of the frying pan and into the fire ;)

The Google Fi Terms of Service says they are collecting location data:

"When your device is turned on or when you use the Services, we may collect and process information about your actual location. This may include information about your current activity (e.g., driving, running, walking, etc.), which lets us know when you may be moving between different mobile and Wi-Fi networks." https://fi.google.com/about/tos/#project-fi-privacy-notice

I'm okay with Google collecting location information, insofar as they only use it to provide cell service, and not for advertising and don't provide it to 3rd parties. Unfortunately, their Privacy Policy states that they can use it for advertising:

"We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads." https://policies.google.com/privacy?hl=en&gl=us#infouse

And they can provide it to 3rd parties. Note that they require "consent", just like T-Mobile's privacy policy:

"We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so." https://policies.google.com/privacy?hl=en&gl=us#nosharing

So even if they are not currently providing information to LocationSmart, according to my understanding of their privacy policy, they are able to.

dylz · 7 years ago
Are you using your Google Voice number? Fi numbers are GV and in cloud.

Somewhere in your sim/about under settings you can find your underlying phone numbers for Sprint/TMO that you can look up.

e40 · 7 years ago
I'm on Project Fi and it worked for my phone.
mohaine · 7 years ago
Well, now it works on my phone as well. I wonder if it is only when on/near my work campus. I was outside but they do have some repeaters for some carriers. (I often get a message saying my carrier has "disabled voice services" when on campus)
drbawb · 7 years ago
... well now I'm wondering if I should have stuck w/ my Pixel + Fi instead of the S9 + T-Mobile plan I signed up for today. Whoops.
byproxy · 7 years ago
I imagine Google wants sole access to your location.
emodendroket · 7 years ago
> Kevin Bankston, director of New America's Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government.

It seems like intelligence services spend a lot of their time dreaming up ways to do an end-run around the law. This is the same reason US intelligence does partnerships with foreign intelligence services.

dwighttk · 7 years ago
I'd rather them try to do end-runs around the law than run it up the gut... (If I had to choose)
risotto_groupon · 7 years ago
Just think of how amazing the museum will be for your great grandkids when we completely dismantle them when, inevitably, their stated mission goals supersede common sense and a responsible relationship to the American public.
wmeredith · 7 years ago
False dichotomy. There are a million choices.
emodendroket · 7 years ago
What if they were simply held to a higher standard and not allowed to operate with practical impunity?
kevcampb · 7 years ago
Carriers have been providing these services to 3rd party providers since at least 2006

https://www.theguardian.com/technology/2006/feb/01/news.g2

A few points to note:

* Obtaining consent is entirely left to the provider to implement. It does not appear to have any auditing. A provider can query any number they like.

* The opt-in process used by many providers is easy to exploit, by spoofing SMS replies or abusing the SMS template so that the surveillance target does not get notified

* The providers are well aware of the potential to exploit this and have been for some time. It has never been resolved in over 10 years.

kevcampb · 7 years ago
I just discovered this treasure trove from the UK House of Commons in 2006

https://publications.parliament.uk/pa/cm200506/cmhansrd/vo06...

"To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person's mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies' current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker's website has recently published information telling how to spoof consent without even having to have temporary possession of the target's phone; all that is needed is the number. If someone has a person's number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers."

fixermark · 7 years ago
Is it even considered an exploit?

It's a cell carrier providing data about the radio communications between hardware they own and someone else. At a moral level, seems somewhat equivalent to a web server providing data about clients that access the server.

To opt out, stop using some third-party corporation's owned hardware to route your communications near lightspeed around the world. Hey, the Amish communities may have something in their overall philosophy of "Don't be beholden to strangers who aren't part of your community."

kevcampb · 7 years ago
I'm not clear if you missed the point here? This isn't aggregate data, it's obtaining the location of a specific individual just by knowing their phone number. It can be done without their knowledge or consent.

By your webserver analogy, the equivalent would be more akin to google publishing the contact details and search queries of anyone using the service.

itchyjunk · 7 years ago
I am starting to wonder what all have I consented to? Every week I learn I have consented to this and that because of a news article as I never read those contracts or TOS. I wonder if there will be a way to phrase long contracts into bullet list of ideas for someone simple minded like me in the near future.
trystero · 7 years ago
Terms of Service; Didn't Read (https://tosdr.org)

TOSBack, the gitified version (https://tosback.org)

A new version of ToS;DR is also in development: https://github.com/tosdr/phoenix

Sharlin · 7 years ago
One of the things that GDPR requires is real informed consent, small print hidden inside a thirty-page EULA is not acceptable.
mtgx · 7 years ago
And unlike some of the recent proposals in the U.S., it's generalized to all industries.
xexers · 7 years ago
You would need 76 work days per year to keep up with reading all of your TOS

http://techland.time.com/2012/03/06/youd-need-76-work-days-t...

reustle · 7 years ago
And that was 6 years ago. I'd imagine it's quite a bit worse now.
emodendroket · 7 years ago
Is that possible? Yes, but it's not in their interest to do.
itchyjunk · 7 years ago
Maybe by some 3rd party then? Maybe an application of all the fancy natural language processing or some other ML. I visit the site, paste the TOS or maybe there is a list of TOS that has been translated and I get a nice gist.
code4tee · 7 years ago
I was aware the cell phone companies were selling anonymized data for some time (not revealing the numbers and adding some jitter to the location data to avoid identifying users).

This is the first I’m hearing that they’re releasing detailed personal tracking by phone number. When I sat in on a recent presentation with Verizon execs they flat out said they were not doing this. Oops.

Qwertie · 7 years ago
The worst part is there isn't any possible way I know of to defend yourself against this other than not having a phone.
rinze · 7 years ago
A while ago I thought of a very neat 'future job': you walk around town with somebody else's phone. So if you 'need to be' somewhere, you just hire this service, deliver your phone, which will be returned to you, and there goes your track record.
eximius · 7 years ago
That's fairly easily detectable through analysis, though.
metalliqaz · 7 years ago
yeah but... then the customer doesn't have their phone

I need my phone, especially when I'm out

stamps · 7 years ago
I'm hoping the Librem 5 succeeds. I think disabling the baseband would be a solve and at least slightly more trustworthy than airplane mode.

Right now I think you're right, there's no defending against it without turning off devices.

Skunkleton · 7 years ago
> more trustworthy than airplane mode

All airplane mode does is turn off transmitters. There is no reason that the firmware should stop caching GPS data for later transmission.

yborg · 7 years ago
That probably won't do much for you in many urban areas in many countries. Municipalities are routinely maintaining data captured from license-plate scanners and some cities now have CCTV networks with facial recognition software. So unless you don't drive and walk around with a new rubber mask on every day you are still subject to the panopticon.

Most businesses these days have some kind of camera system for security, it won't be too long now before someone starts buying these video feeds from say Starbucks, etc. running recognition AI on them, tagging individuals, and selling this aggregated location data, maybe even realtime. At the moment, I don't think this would even violate any privacy laws.

ClassyJacket · 7 years ago
>So unless you don't drive and walk around with a new rubber mask on every day you are still subject to the panopticon.

Gotta invent that Scramble Suit!

erikpukinskis · 7 years ago
What about a decentralized network over 802.11?

It wouldn’t be a total solution, because access points get hacked, etc. but it would make the data a lot fuzzier.

superkuh · 7 years ago
The reason that cell phone networks actually work (they're effectively decentralized networks) is that they pay the big bucks to rent space on high towers, building roofs, etc.

The only thing that matters for radio communications is line of sight. The only thing that gives you line of sight is relative height. The only thing that gives you consistent height is money.

adventured · 7 years ago
Until/unless they modify the law - turning off your phone thwarts it. While your phone is powered off, it has no ability to track & record your location movements. Obviously your active location will then be picked back up after you power it on, it won't have a record of anything in between.

A simple example of limiting the invasiveness using this approach, would be to have your phone on only at work & home, or similar. In absence of phone snooping, someone can already easily locate you at those two standard destinations, and can easily discover when you'd typically be at those places (ie you're not giving them much by using your phone there under normal circumstances).

gm-conspiracy · 7 years ago
So, use Google voice or set up your own w/ Twilio (try all numbers), and have a work cellphone and a home cellphone, a one-way pager (for when you are traveling), and another travel phone without a battery that you would use if necessary, based on the pager message?
jstanley · 7 years ago
Does turning the phone off actually turn the baseband off though?

How could we possibly tell?

xfitm3 · 7 years ago
While unreliable it wouldn't be unrealistic to use wifi in densely populated areas. It looks like the pager industry is still alive, too.
delecti · 7 years ago
Most wifi hotspots have location information anyway, so your phone will know where it is, and then one of the many apps on your phone can report back with that information.

And isn't a pager just a really simple cell phone? I'm not sure how that's a solution if cell towers can triangulate your position.

toufka · 7 years ago
I wonder if even an old iPod Touch without a cellular chip would actually be a useful device for this kind of wi-fi-only connectivity.
jakobdabo · 7 years ago
You still can't be sure. Your car may contain a SIM card nowadays, always connected, for your protection, sure thing.