In this case, the site was selling real-time location data from cell carriers, meaning that there was virtually nothing that an individual could use to protect themselves (short of using a burner or no phone at all).
It’s great to see some strong action is being taken here against the sale of location data, and I hope the bans can be extended more broadly (and to Canada, please!)
"Krebs went on to cite an official at the Electronic Frontier Foundation who said cellular carriers by law are required to know the approximate location of customers in the event it's needed by emergency 911 services. Whether the carriers are permitted to sell or otherwise provide the information to other third parties is less clear. Expect there to be much more scrutiny about this in the coming weeks and months."
To see this in practice, check out MVNOs offering prepaid mobile service. Some will disable certain features unless this physical E911 address is submitted by the customer.
What if there were a limitation on how that data can be used?
> Krebs went on to cite an official at the Electronic Frontier Foundation who said cellular carriers by law are required to know the approximate location of customers in the event it's needed by emergency 911 services.
IANAL but the RAY BAUM’S act (yes, it's all caps because it's a silly initialism) only applies to location data that goes "with" a particular 911 call. Not your location before the call, nor your location after the call.
So if your cell-carrier is recording your location at all moments and persisting it indefinitely, or sharing anything beyond the data generated for that particular 911 call, no law is forcing them to do that, they are choosing to disrespect your privacy for their own profits or laziness.
E911 came about to address lost and immobilized callers.
Unfortunately, it's inconsistently deployed and not universally usable. This is likely the result of a lack of a sufficiently-staffed regulatory body auditing for compliance and correctness because it doesn't work everywhere with all phones on all carriers even when there is the technical ability, e.g., phone has a fix. It hasn't delivered completely on its promise because it's an under-funded, under-audited mandate that needs serious carrots and sticks to ensure it's reliable.
Great job on exposing this. Do you think Canadian carriers are providing access to this type of information to third parties? Are there any you would expect are not, e.g. who have a track record of ethical behaviour and consumer advocacy (e.g. like the TekSavvy of carriers)?
Look around you. See all those cameras? Not just the ones above your head in the supermarket that advertise HERE I AM, I'M A CAMERA, but every camera on every phone in the hands of every person you see can identify you and identify your exact location to the meter instantly based on your face and x other biometrics.
Every time you speak, your voice pattern identifies you instantly.
Burner phones are a thing of the distant past. The moment you speak, the moment the camera "sees" you, your burner phone's IMEI is/can be mapped to your identity in double time.
The methods in use today are just way more sophisticated than the tech you've read about.
A drone at 20,000 feet can identify you in a crowd of 2,000 people based on the sound of your heart, your respiration, the shape of your head, your ears, your nose, your face, your facial profile, the shadow your body casts at x time of day, and/or the uniqueness of your gait. Combine them all together with a scant amount of stat analysis and you can't hide even with effort.
This is why I think technical solutions alone to privacy are mostly pointless. There’s 7 billion people in the world—at some point (if we haven’t already reached it) monitoring all of us in real-time will be trivial. Even people who live “off the grid” in a cabin in the woods will be trackable.
What’s needed is an agreement between all of us, in the form of privacy laws, that make certain uses of this data illegal.
In the future if you’re caught committing a crime by data captured in a manner illegal under these laws, it would have to be thrown out and can’t be used against you. Corps would also be banned from collecting, storing, and using personal data in an unlawful manner.
Feels like a pipe dream since there’s so much money in the industrial advertising complex, but I’m pretty sure that’s what it will take to achieve reasonable levels of privacy.
"Massachusetts lawmakers are weighing a near total ban on buying and selling of location data drawn from consumers’ mobile devices in the state, in what would be a first-in-the-nation effort to rein in a billion-dollar industry.
The legislature held a hearing last month on a bill called the Location Shield Act, a sweeping proposal that would sharply curtail the practice of collecting and selling location data drawn from mobile phones in Massachusetts. The proposal would also institute a warrant requirement for law-enforcement access to location data, banning data brokers from providing location information about state residents without court authorization in most circumstances.
...
No state has gone so far as to completely ban the sale of location data on residents. The most common approach in other states is to require digital services and data brokers to obtain clear consent from consumers to collect data and put some restrictions on transfer and sale."
I think consent has proven to be a flawed mechanism on its own. GDPR’s requirements around legitimate/required processing show a way forward.
1. A site can’t require me to consent to unnecessary permissions just to use the site.
2. I can always revoke/delete my data grants and that must be transitive (the site has to delete all downstream data it shared with subprocessors, and have contractual guarantees that they can honor that before sharing any data with them).
I have to disagree with your comment regarding the GDPR. I like the concept, but the legalities could have been better. I do hope a treaty can be struck between the EU and the US, however.
Why? Pass a law with sufficient penalties (say, $10K) and include lawyer fees. This'll result in a cottage industry in any state. Enough civil litigation and companies will finally decide it's not worth it and MA billing zip codes will be excluded from sale of location data. This has worked in other industries.
The US constitution contains an Interstate Commerce clause, which bars individual states from interfering/obstructing interstate commerce. Does banning the sale of location data in Massachusetts do anything?
Short version: no. Since Wickard v Filburn, the interstate commerce clause has been a blank cheque for the federal government to regulate anything at all as it pleases, as the case allows regulation of goods down to the level of things that are made on and will never leave an individual's property.
Long version: probably. Allowing the sale of location data would be deeply unpopular among the general public. Under stare decisis, the federal government would have a good chance at beating the state in a court case, but it would still be a risk- why risk the power for an unpopular case?
See also: marijuana legalization and immigration. Arizona tried codifying the federal statutes on immigration into its own state laws- not superseding, just mirroring. The federal government took them to court and won. OTOH, marijuana is also distinctly within the federal government's purview, and Wickard would apply very easily to pot laws as well... And yet, they have done nothing at all, likely because pot is too popular to risk a court case (or an election, I suppose).
If anyone is curious, weather apps tend to be some of the most egregious and common offenders of this. Obviously people want their weather widget to update with wherever they are, and on the back end these weather apps (which are just passing you freely available NWS data) are selling everything they can on you.
This was a big reason for Apple’s purchase of the DarkSky app I believe. Fold in the tech to the native weather app to close the security hole of external apps.
> which are just passing you freely available NWS data
The Android weather widget gives more localized forecast data than the NWS web site which pretty much always locks you on to the local airport. Proximity to a great lake means that my local weather can be significantly different than the airport even though it's relatively near by. It all obviously comes from the NWS but they don't provide easy access to everything.
The NWS site may give measurements for the airport, but it'll give predictions for the much smaller area you select. It's the only site I've found I can trust for Yosemite Valley, for example, since I can have visual confirmation that it's actually talking about a narrowly defined area. Today, moving that patch of land around just slightly will show you forecasts that are 10 or 20 degrees cooler than El Cap meadow.
Unless you travel all the time, there’s no reason your weather app needs anything more than one (or two if your workplace is very far from home) static city/town/zip code. And most people don’t travel all the time.
I know this is a crazy idea but just hear me out. What if any government agency at any level were required to get a warrant signed off by a judge, that showed probable cause, before they could get your data from a 3rd party, and what if the 3rd party was required by law to notify you before turning over that data, so that you could get a lawyer and challenge the warrant?
I know, crazy, right? It’s like what if we actually honored the 4th amendment.
> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Which part of the 4th amendment is being violated by the government in this case?
I would say we reinterpret the 18th century definition of "papers". I quite like Alan Kay's comment in a talk sometime in the 1980's where he said something to the effect that a blue thought in the 1960's was to realize that paper is just computer memory you can't change.
I think if you try to define what was interpreted by "papers" in a pre-digital context you would conclude it is sufficiently analogous to many things in our modern world. By "papers" they likely meant diaries, personal mail, accounting logs, ship manifests, personal inventories, order histories, receipts for travel. All things which may have been written down on a piece of paper which are now logged on our phones.
If you take an originalist argument that the constitution is static and cannot be reinterpreted/amended you have to first justify why you think amendments like the banning of slavery or women's voting rights amendments are not legitimate in the United States. We certainly have a culture of defining rights which our predecessors did not explicitly call out in the early years of its history. Even male suffrage (non-land owning males) in the late 19th century was a revolutionary step in the definition and expansion of citizens' rights.
Uh, the part where they track people’s location based on cell phone location data purchased without a warrant, for purposes of criminal investigations?
So where can I, as an individual looking to do research, purchase a data set like this? What about my company wanting to do targeted outbound sales, are we able to purchase a data set like this?
I see the headlines. I understand there are companies that offer this as a service to LEO. I believe the data would need to be de-anonymized to be useful.
Nobody sells it to individuals. Sprint sold customer location data through a subsidiary called Pinsight. Advan Research, Placer.ai, and SafeGraph are some current companies selling location data.
> I believe the data would need to be de-anonymized to be useful
I'm not aware of anyone selling person-level location data. Everyone in the ecosystem is far too scared to do that (and honestly not clear how to monetize).
It's all about foot traffic patterns and getting demographics, seeing what kind of other businesses they visit, etc IME. General location business analytics stuff.
This is the article I am building my hypothesis on. If I am able to correlate place of business with an out of town event like a conference and then further refine with gender and ethnic filters.
I understand that companies will perform this analysis on your behalf. Can anyone recommend a "reputable" one?
If you just want to track a few individuals... Enumerate all those who possess the data. Now look for data brokers that they deal with (as commenter korse said) and recurse. Find all the employees of every company in question. Muster a few hundred bucks or so, seems to be the market price, and there you go[0].
For research I dunno. You'd probably have to make a deal directly with one of these companies, one way or another, so I would start by talking to them.
This reminded me of how MA passed a right to repair law in 2020. It led me to google about it, and apparently the NHTSA has overruled it [1]. :/
It's good that states are pushing the envelope on digital rights – hopefully, this one has a brighter future. I can't think of any industry-captured federal agency that has the jurisdiction to overrule this one.
This is the laboratory of democracy. States pass a patchwork of laws which get challenged in the courts. Law is revised and the process repeats. Eventually we understand it well enough to pass similar laws everywhere or even nationally.
I find it creepy when I’m visiting a place and I start getting spam calls from that area code. It’s clear that companies (and unsavory ones at that) know I’m not home, and they know where I am.
Huh, that happens to you? I live in Seattle but I still have an Idaho number. Almost all of my spam calls come from Idaho. It's especially funny because my iPhone includes the approximate area of the calling number and Idaho only has one area code. So the calls come from numbers in towns I have never visited.
Yeah, I live in SV but when I visit other parts of CA I get spam calls from the local area code. This happens when I have not made any phone calls to local numbers.
I do sometimes get calls when I'm at home from these area codes, but when I'm traveling my spam calls are always from these area codes, which makes it very unlikely it's just random chance.
Not carrying a phone won't help you.
Pulling the SIM won't help you.
Think darkness will hide you? Nope.
In other words bury an acceptance in the ToS nobody reads anyway.
This is the benefit of incrementalism in policy making. We tried clear consent, and it was buried. Now the case is stronger for a ban.
And your carrier will know when you're in a jurisdiction they need to care about.
Did this argument go anywhere with regards to say animal welfare laws and out of state farmers?
No ads. No user tracking. GPS not needed. Unfiltered NWS data, including forecast discussions.
For example DarkSky gave neighborhood-level forecasts.
Buy and publish all congress members location data for a long enough period and I think you'll get your wish.
Who or where can I source data like this from?
https://www.oag.ca.gov/data-brokers
De-anonymization shouldn't be that tough if you have the cash to pay for a handful of data sets that you think are likely to contain overlap.
[0] - https://www.vice.com/en/article/nepxbz/i-gave-a-bounty-hunte...
[1]: https://www.thedrive.com/news/feds-tell-automakers-to-ignore...
This leads to an awkward situation that will likely have to be resolved in court.
Every entrepreneur should be made, prior to opening their business, to get a cell phone from Montana.
Then, get a google voice #. That will be the burner for all random apps online.