Carrier sales of phone-location data is illegal, FCC plans punishment
arstechnica.comPresumably this only happened because the :
> lawmakers in November accused[1] the FCC of failing to protect consumers’ privacy, and said that major wireless carriers were disclosing real-time location to data compilers without consumers’ consent or knowledge. The information could be obtained by companies including bounty hunters, the lawmakers said in a letter.
> [1]: https://energycommerce.house.gov/sites/democrats.energycomme...
> -- as reported by Bloomburg
> https://www.bloomberg.com/news/articles/2020-01-31/wireless-...
The FCC really has become just a lobbying goat under Pai. Yikes.
> The FCC really has become just a lobbying goat under Pai. Yikes.
Who could’ve predicted that, given he was a lobbyist for Verizon.
Fair, though Tom Wheeler (previous chairman) was also a lobbyist and he turned out really well.
What does a lobbyist even do? I can't even imagine the scene, they go in a politician's office and just start with "ok hear me out" or am I being naive and it just means finding ways to pay them money?
There's a lot they can do. Lobbyist at a minimum have the same access to a politician as you do. They can make phone calls, send letters, attend and speak at legislative hearings, or try to be involved in the right social circles. Building this social element is important for their continued success and gives them access beyond what a typical person could normally obtain.
More importantly they have influence because some group has a moneyed interest in legislation. This can give them the resources to do the above regularly. They might hire legal counsel to sue governments. They may be able to lend support to pet projects and gain support for their own goals.
I always assumed there was a lot of talking. Most politicians are inclined to want to help businesses anyway, as they provide jobs and generate tax revenue. If the lobbyist can come in and say “here’s what the cell phone providers nationwide need to stay in business and continue to generate good returns to shareholders and low prices to customers,” then that’s a powerful message - especially when the counter-argument is a pile of faxes and postcards from constituents that don’t tell a coherent story.
The money certainly doesn’t hurt, though.
The argument to that is communism basically does this and capitalism lets companies do whatever they want as long as they don't harm consumers and play fair
They organize ways for their clients to bundle significant financial contributions to politician's campaigns so that when they "talk", they can point to significant past contributions or promise future contributions. Or threaten contributions to challengers.
Although individual contributions are limited in theory, bundling allows vast contributions in practice. For example, a CEO can persuade senior execs to donate the maximum to a candidate. Or someone can host a fundraiser at their home (or wine cave) and "encourage" many acquaintances to attend. They get credit with the politician for the total raised.
Finally, Political Action Committees can take unlimited contributions from anyone so long as they don't "coordinate" with a politician's campaign. In practice they can of course be very helpful to a candidate's campaign, and lobbyists will use that to influence.
Biggest industry affected is the banks. They’ll ping your phone location if you make out of area purchases as a part of fraud detection. If your bank doesn’t require travel notices, they are probably pulling mobile location. Some don’t, I know chase uses mobile app to determine location.
The saddest thing about this is that my bank no longer requires notification for international travel, but still does for travel within the US. I've had my card shut off for fraud a few times while traveling in the US. Once when I had almost no gas and was outside of cell service, thanks for that.
This is presumably due to all transactions outside of the US requiring chip, but those in the US only requiring swipe.
Wait, the US is still on magstripe? Isn't that literally just a bar code? No challenge-response, or encryption? Fraud detection seems like the wrong thing to be focusing on if that's the case...
In my area, almost everything has been chip for the last couple years, except gas stations. My local gas station just installed chip readers a few months ago.
Yeah, it's even worse than that. I was recently in the bay area and I went to pay for a burger with my Canadian chip&pin card and when I the card in the transaction was automatically approved with no need to enter the pin.
This was quite alarming.
Germany here, there is a lower limit, below which we do not have to enter a pin. Maybe the same for you?
Yeah, we do chip, and maybe signature if we feel like it
"feel like it" is practically never. I haven't had anyone ask to see my physical card to compare signatures in over five years.
Isn't this really in service of the customer to not waste their time? The store is the one shouldering the risk because if it turns out to be a thief using the card the store loses money/goods. The more they try to verify you are who you say you are the less risk they are incurring. That's a benefit of credit, it's less risky for the consumer in the end.
Absolutely. Just providing information posters like the one above who don't live in the US and might be surprised that no authentication happens here.
Switch banks? I have never once had American Express decline a charge domestic or international. Highly recommend!
Opposite position here - American Express was the one card I could not use anywhere in my first European trips 20 years ago (don't know it that's changed) - ditched it forever then. MC and Visa works for me. Never looked back.
20 years is a long time! I suggest you give them another shot. I have their Platinum card and the service has been top notch (although paying for their charge card is not required if you pick a product with no annual fee).
carry cash? no one is going to not accept that
Gas pumps will sometimes work after hours even if a clerk isn’t on duty. Same with other self service situations where a card might be your only payment option. Carrying cash is a last resort; you risk losing it or not having enough.
How often do you lose your wallet? If I lose mine, I won’t be stressing about the $200 inside.
But true enough on the unmanned gas stations.
Some places don't accept cash to reduce the risk of theft--we don't carry cash, you can't steal from the cash register.
actually this isn't true - i was in Seattle and there's at least one cashless Starbucks and one restaurant (Kati Vegan Thai); when i asked at both places they patiently explained that they couldn't accept cash at either one.
Make a point of carrying a spare card from a different bank and maybe a different payment network. In my experience, you’re always going to hit random declines from time to time.
Also some emergency cash up to $100 hidden in the car where only you would know where to look is worth the peace of mind knowing technology is not infallible.
Yes, I was assuming some cash as well. Appropriate currency, dollars in particular most places, is always useful when traveling. But if you’re at a supermarket checkout and your card is randomly declined (has happened to me) it’s nice to be able to pull out another card.
This isn’t a carrier selling the data issue. In the mobile app case you install the app and authorize location tracking.
They can just ping their banking app on your phone and estimate your geolocation via ip address. No network provider level snooping needed.
I think you're confused. Banks aren't buying location information from carriers.
This has nothing to do with them being able to get your location from their app.
Some banks get it off the app like Chase. Some don’t and pull E911 location on out of the area auth for a card present transaction.
They'll ping your phone? Are you kidding me? You mean they'll look up records right, not a realtime query of device location? How is that legal?
E911 location is real-time.
Yeah...but I assumed banks are not part of E911
Carriers were selling the data E911 location. That’s what this article is about. If you want to research further look up the companies that offer mobile location like Jumio, LocationSmart or Zumigo.
Thanks
Do banks actually buy location data from carriers?
I think they can just tell the zip code where you use the card.
Right, they know where the transaction is taking place. The point is that they can have much higher confidence that the card hasn't been stolen (or cloned, in the case of mag stripes) if your phone is also in the same zip code.
Or, you know, hedge funds.
I note that only REAL TIME location data is illegal, if I want to do most marketing things data from several days ago is perfectly usable.
Are there even laws anymore? It seems like the law only applies to non-corporate entities and citizens. If you're in politics, law enforcement, or the Fortune 500, expect zero consequences for breaking the law. Exceptions exist but aren't the rule.
This, so much.
Bounce over to this comment on another front page post for another great example:
So it's okay for the carriers to provide the phone-location (and other metadata) to government entities without a warrant, but it's not okay to sell it commercially? I'd love to see a legal analysis of that argument.
The Supreme Court ruled in 2018 that obtaining phone location data requires a warrant. [1] So no, neither one is okay.
[1] https://en.wikipedia.org/wiki/Carpenter_v._United_States
They (NSA / govt) still warehouse it. They just don’t access it without a warrant. That is the current legal fiction they operate the surveillance state under.
Does that matter to the legal theory though? Like they’re free to pass a law that says that carriers have to keep logs for X years and then get a warrant anytime they want them.
Like if you don’t trust the government to follow their own rules then why do the rules matter?
NSA monitors foreign traffic.
On paper. How do you know it’s foreign? That’s why they warehouse it. As much as they can. Figure out if it’s foreign later on. Don’t underestimate the laws they will skirt to collect data.
Look up how 5 eyes works.
They were once caught doing that, which caused a shit show. It doesn't mean they are currently doing that. Maybe they are, I don't know, and neither does you, asserting that they do it only spreads panic and misinformation
Why would they ever stop? No one made them stop. They were cleared to operate under that legal theory. Go back and review the exhaustive testimony from that period and you will find they were never forced to stop collecting “potentially” domestic communications. I think its best to assume they are.
Edit: start with Hayden. They admitted exactly how it all works and what the judges allowed. Read up on the many EFF lawsuits that were shut down.
So this Supreme Court ruling has eliminated all use of Stingray-like equipment by all law enforcement agencies unless they have a warrant? Wow! Looks like Harris will be going of business soon, and no more DRT boxes flying over cities?
> The Court did not expand its ruling on other matters related to cellphones not presented in Carpenter, including real-time cell site location information (CSLI) or "tower dumps"
Obtaining phone location data is different than a stingray. Not saying it is ok, just totally different.
Triangulation, signal strength, etc.
0 effective difference.
No, a stingray is an active surveillance method... the authorities deploy it and can get information from that point on. It is generally used for an active investigation against a target; of course, it is super problematic because it also intercepts innocent people's calls and can track them, and it is also being used for more and more cases where it is not justified.
However, it is still not the same as the phone company selling location data. They have EVERYONE's location data for all time; it is not like they have to 'turn it on' for you and then are only able to spy on you going forward. They just have all of it, all the time.
The difference is that a stingray is like one cell tower being able to spy on people... the phone company is ALL THE CELL TOWERS being able to spy on you... and not only being ABLE to, are just always doing it no matter what, for everyone.
How did you get from “mobile company providing location data” to “law enforcement use of stingrays to obtain location data”?
Not much of a difference really. Mainly just that LE uses their own equipment instead of that of the carrier. This brings up a separate FCC issue: Why is it okay for LE to transmit on the cellular bands for this purpose, when it provably can interfere with emergency communications (such as a 911 call)?
It’s a huge difference. The technical difference is that law enforcement is doing an end-run around the carrier to have phones just give up information. Carriers have zero control over that.
Sure they do! (Assuming you're not kidding.)
Make the cell connections a secure protocol, instead of something any asshole with an antenna can spoof & create a portable "cell tower".
> Sure they do! (Assuming you're not kidding.)
> Make the cell connections a secure protocol, instead of something any asshole with an antenna can spoof & create a portable "cell tower".
A single carrier likely couldn't do that without coordinating with other carriers (as a client roams to a new net).
Yes, they could have that control. But they currently do not.
Why are you being downvoted for pointing out mass surveillance and extremely targeted surveillance are both still legal and frequently used.
Because it's hyperbolic, sarcastic, and unhelpful. Your question rephrased as a statement is completely fine: "Unfortunately, mass surveillance and extremely targeted surveillance are both still legal and frequently used."
As you pick up on, the question was just used to make a statement, not gain information. That could be considered bad-faithy. But at the very least it annoys with its overused tone of sarcastic outrage, especially because it was the second such comment in the thread, made after the first was already shown to be entirely wrong.
On its merits, the accusation of hypocrisy is also a non-sequitur: from "one bad thing is stopped" never follows "all bad things are stopped". The implied expectation is impossible to fulfill.
It's also unhelpful, politically, in a way that this thread, HN generally, or even "the internet" are full of: If everyone is always assuming the worst while expecting the best, it removes all incentives for anyone in power to behave honorably. After all, if you're going to be accused to be corrupt and/or incompetent anyway, why even try?
That is in no way contradictory. I disagree with it as much as you but there's lots of stuff the government does that you can't and this isn't anything new.
As a parallel statement:
> So it's okay for defense contractors to sell tanks to the government but not commercially? I'd love to see a legal analysis of that argument.
Selling tanks is covered under ITAR. If there are Federal/State/County/Province/City regulations that cover (or mandate) providing metadata to all levels of government without a warrant, I'd like to see them (assuming they aren't classified).
I am actually OK with that. I don’t believe the government is going to routinely misuse location data, confiscate my guns, ... etc. I don’t want corporations having my tracking data.
The government, Democrats and Republicans, basically do whatever corporations want, so this action is surprising and welcome.
I see this all the time online, but rarely in the same breath. "I trust the government, which is corrupt and run by evil corporations."
There's a difference between "Corporations have too much power to influence government policy" and "The government will hand over its sensitive personal data records to corporations".
I would say the former is a much more widely held belief, although we have no way to know if the latter is actually happening.
I read the comment as that they are surprised that the government is pushing back instead of legitimizing bad behavior.
Likely explanation is the wealthy and powerful have a personal interest here. Consider the security nightmare that phone tacking poses for high wealth individuals.
Do you want the ambulance/police car dispatched for you as soon as the operator determines there is a problem, or wait for them to receive your location by you telling them? What about all the people that can't for some reason?
It's the only reason in my mind the government should have access to that info, and it's a damn good one
You are referring to the E911 location data that is provided in real-time to emergency responders. AFAIK everyone is okay with that. I was referring to archival records of all telephone use (calls, text, web).
I'll wait.
Where's the opt-out button on my device to ensure my 4th Amendment right is exercised?
Oh, right. It's forced. "Freedom".
E911 is one of those rare, valid exceptions to the bill of rights. Do you think people should be able to falsely yell "Fire!" in a crowded movie theater too?
Plus, it's probably arguable as to whether or not your cell providers' location data on you constitutes a "search" or not. Unless E911 works by transmitting your devices' GPS readings from its own hardware to authorities, but even then I am not sure since they are doing so as a middleman. IANAL
Also, you might wait but I'm not sure that most folk in distress would agree with you.
> Unless E911 works by transmitting your devices' GPS readings from its own hardware to authorities
That's exactly how it works:
> When the cellular phone detects that the user is placing an emergency call, it begins to transmit its location to a secure server, from which the [Public Safety Answering Point] can retrieve it. Cellphone manufacturers may program the phone to automatically enable GPS functionality (if disabled) when an emergency call is placed, so that it may transmit its location.
https://en.wikipedia.org/wiki/Enhanced_9-1-1#Wireless_transm...
> So it's okay for the carriers to provide the phone-location (and other metadata) to government entities without a warrant...
I don't see where the article addresses that point. While it has some resemblance, seems like a different issue covered by different parts of law.
Why make that leap? This is a new ruling.
Ask the FCC if they believe sharing to government is legal.
At the end of the day the government can do whatever it wants.
I'm sure the same precedent will apply for telecoms injecting ads, right?
I bet someone bought location data for legislators and showed it to them.
Why is it legal for them to collect that data in the first place? Can't sell, abuse, or accidentally leak that which you don't have.
AT&T maintain a comprehensive database of call level history dating to the 1980s.
Certainly to resolve customer billing disputes, I'm sure.
https://www.eff.org/cases/hemisphere
https://en.wikipedia.org/wiki/Call_detail_record
http://epic.org/privacy/nsa/Section-215-Order-to-Verizon.pdf
What firms were sourcing this information?
The problem is that many private companies now have the historic data. Even if they don’t receive any more in the future, most people only ever go 3-5 places. Collect data for a few years and you have the majority of the population’s locations predicted most of the time for a decade or two.
Is anything going to happen to the companies who bought the data? Is that also illegal?
What companies are immediately going to be affected by this?
Wow, I had never heard of them, and I did not like this quote from the landing page (if they got their data from mobile carriers like this): "Gain deeper insights from location data to answer questions like who visits certain places, where else do they visit, where do they come from and much more." I don't like the feeling of being spied on.
https://finance.yahoo.com/quote/T
https://finance.yahoo.com/quote/VZ
https://finance.yahoo.com/quote/TMUS
https://finance.yahoo.com/quote/S
Looks like only Sprint and T-mobile are down, and only slightly (2%).
"one or more"
hint: it's all of them
Some of the companies on this list could be hurt by this:
Alternativedata.org
Does this increase the value of this data for Google?
That would be 3d chess move by Google.
I think jailtime+fines should be the minimal remedy.
I've long believed that when companies do illegal things that would normally be punished by prison, the company should go to prison.
The company office would have to operate according to the same rules as a prison. Employees on arrival are security-checked the same way prisoners would be when they arrive for the first time. Rules about talking between cells, and device use, are the same as a prison. Once you get to your prison office, and you have your prison clothes on, you can work on paper.
I think this should be an existing prison. If a company wants to instead hire prison guards and do renovations to make their existing office work like a prison, I could be flexible to that.
Presumably all the employees would rather quit than work in prison. Sounds okay to me.
Presumably all investors would pressure the CEO to avoid getting the company put in prison because it would be a real productivity problem. Sounds okay to me.
Imagine someone time traveled here from 30 years ago first learning what cell phones are then seeing this headline. Why is this even debatable?
Boiling frog syndrome.
>The premise is that if a frog is put suddenly into boiling water, it will jump out, but if the frog is put in tepid water which is then brought to a boil slowly, it will not perceive the danger and will be cooked to death.
But if you watch the pot, the frog won't boil.
The saying is cute, but it's important to note that the frog had to be lobotomized to stay in despite the slow change.
i'm not sure what our excuse is, however.
The attention (Advertising) industry shaping our brains: https://news.ycombinator.com/item?id=22201771
Toothless fines. Indict corporate officers or employees that did it... then you’ll get change.
Unless they knowingly and intentionally broke criminal law, that's completely over the top and unnecessary.
Fines should presumably start small and have a graduated structure to prevent the "just a business expense" approach from becoming a viable one.
The current regulatory problems are due almost entirely (IMO) to lack of active enforcement; why care what the penalty is if you know it won't happen to you regardless?
You don’t have to knowingly break the law to be criminally charged. If you’re in a position where a law might apply, you should do your due diligence or get legal counsel sign off. Selling private location data should easily cause a competent executive to think twice and confirm it’s okay.
Why do you think corporate counsel didn't sign off on this?
I didn't opine on this instance wrt if legal counsel did or did not sign off. If corporate counsel signs off on criminal behavior, it should be criminally charged.
> Unless they knowingly and intentionally broke criminal law, that's completely over the top and unnecessary.
Why? If I drive drunk and a cop pulls me over, lack of knowledge is no defense. As the head of a company, why is a lack of knowledge of the goings-on of the company a defense? If you don't know the goings-on when you are in a position to, at the very least that should be categorized as criminally negligent.
Its like making a mayor liable for the crimes of their city’s residents, after a certain scale it just becomes stupid.
Now if the mayor pushes for the crime or doesn’t put policy forbidding the crime, that is a different story.
One of you is speaking of knowledge of the crime and the other is referring to knowledge of the law. Different things entirely.
Why should fines for selling private data of millions of people start small? Will they ever get large enough to get companies to care?
This is civil law, not criminal. Maybe criminal liability s needed, but it’s just not reality.
Also: beware what you wish for. Criminal law may allow your bloodlust to be satisfied. But it’s just as likely that the higher burden of proof it requires, and various other differences such as the 5th amendment, make prosecution difficult or impossible.
Not to mention when you accidentally leave some data out there with a misconfigured server you’d maybe go to jail, but in their outrage people don’t think it could happen to them, or be used by someone with other goals.
Fines don't have to be toothless.
It depends on the perspective. Imagine an FCC shopping page for businesses that says something like: "Gain ability to sell customer location data for a year: $10,000,000"
"Fine" is a euphemism for market price. If the profits outweigh the fines and the poor PR can be controlled in a timely manner, then they'll do it every time.
Markets prices work the other way too; if fines are at least perceived to be more expensive than any benefit you'll see, they are a good disincentive.
What about an FCC shopping page that says the price is “throw one scapegoat to the wolves”?
Then you just increase the fines. That’s so much more trivial than throwing people into an already overcrowded prison system and destroying their life.
This is technically true but the odds of a fine being levied which is high enough to register on huge companies like this is exceedingly low, especially since everyone involved in that decision could walk away from a bankruptcy and still be fabulously rich. Punishing shareholders has a lot of collateral damage but personal liability has almost none.
I think fines should act against the shareholders who let it happen! FCC forces more shares and acquires them, decreasing shareholder value, which is the gold standard of publicly traded companies.
And they must be worse for repeat offenses.
Depends on the size of the fine. GDPR fines theoretically hit plenty hard.
I think income-based fines are illegal under ‘cruel and unusual punishment’ though, in the United States, (not a lawyer), so maybe that won’t fly.
Thank goodness for sanity!
I'll celebrate when the money from the fines is actually sitting in the Treasury account, and not a moment before. Pai is outrageously corrupt, is best friends with telecom CEOs, and with near-certainty will cave to requests to have these punishments reduced to next-to-nothing.
Yes. Particularly given that Pai's FCC has developed a bit of a habit of levying fines and then not bothering to actually collect them.
More info about this?
0.003% of robocall fines collected so far: https://gizmodo.com/fcc-reportedly-collected-only-0-003-of-r...
But Facebook, Google, Microsoft, et al are still free to sell phone location data acquired through apps (or Android itself in the case of Google), right? I wonder if there is any hope of laws to limit the ability of companies to sell this data...
It's time to differentiate selling "Bob is in Location X" from "Show this ad to all people at location X".
The first case is a far far bigger privacy concern to me, and seems to be what mobile networks were doing. Facebook, Google, and Microsoft are doing the latter.
Yes, there are a lot of malicious actors that actually sell data (apps, browser extensions, phone carriers, potentially ISPs, finance companies, etc.). Many of these actors even sell un-anonymized data. The big tech companies are very low on the totem pole of badness and will continue to stay that way for a long time because the incentives don't align for them to actually sell data.
If you click on the ad or run its JavaScript, it has your device info matching the ad geofence
+1. I care way more about the existence of an api that tells anyone with money exactly where I am (and where I've been) than I do about one that anonymously attributes (in aggregate) my ad interaction stats to some place I was at or interested in.
No, it isn't. Both are essentially workable to do the same bloody thing, and just mean the same outcome can be achieved with the minor inconvenience of an additional layer of indirection.
Geolocation information shouldn't be considered a desirable dataasset to hold onto as a monetizable asset at all at the level of granularity that enables individual resolution.
IIRC, Google doesn't sell your personal location data: https://safety.google/privacy/ads-and-data/
Disclaimer: I work at Google.
But they buy your credit card transaction data. It takes two to tango, so while I blame Visa et al., Google buying it is just as bad as selling it.
Source: https://www.bloomberg.com/news/articles/2018-08-30/google-an...
That may be true.
But Google created the entire damned infrastructure and environment which makes precisely that effect possible, no matter how thinly you slice the hairs on what it is you call the practice.
Sorta an odd take in a thread about telecom companies selling data gathered by the telecom networks that they built.
Do you remember when telephones didn't come with embedded GPS, browser webbugs, G+ NSTIC profiles (https://old.reddit.com/r/plexodus/comments/aa6pmi/a_manhatta..., https://www.searchenginejournal.com/google-plus-history-deat...), and OS-level UUIDs?
Pepperidge Farm remembers.
This is true, although it's engaging in a bit of hair-splitting.
It's not. The extent to which old-line businesses like telcos and banks will literally sell your data is way beyond anything Google has ever contemplated. I can call a credit card data clearinghouse and order all of the transactions of every age 30-35 male in Akron, Ohio in December 2019 and they'll put that in a spreadsheet and send it to me. It really is important to distinguish between "selling your data" and what Google does in the course of business, because if you are unable to make that distinction then you aren't aware of the terrifying scale and specificity of the data provided by other industries.
In my opinion, what Google does is better than just selling raw data. But not that much better -- Google still has the raw data, after all, and other entities get most of the benefits of access to that data.
That's why I consider it splitting hairs.
> if you are unable to make that distinction then you aren't aware of the terrifying scale and specificity of the data provided by other industries.
I am aware of the difference, and you're right, it's terrifying. But it's no less terrifying that Google can still do this.
I'm more worried when I CAN'T buy that data - because then I have no idea what they're holding onto (for private deals, either with corps, defense contractors, .gov, etc).
You don't have to buy it. It's free: https://takeout.google.com/settings/takeout
Surely they wouldn't collect, or create data based on, things that aren't here!
/s
Could you please stop posting unsubstantive comments to Hacker News? You've been doing it a lot, and we're trying for a bit better than that. We've already had to ask you once before.
The idea here is: if you have a substantive point to make, make it thoughtfully; if you don't, please don't comment until you do.
Transferring data between departments costs approximately $0.
Do they refuse warrantless requests?
Telcos are regulated carriers, facegoog are not. Maybe one day they will be.
Their actions can be regulated.
They don't exist in international waters.
These companies don't sell your data and it's not in their interest to do so.
Data is the cash cow that lets them sell ads. Why would they give away the cash cow and cut themselves, the middlemen, out of the picture?