[–] jandrewrogers link

I can confirm this is happening, I designed some of the analysis systems used. Contrary to what many people assume, this is not just a US thing. It is done throughout the industrialized world to varying degrees, including countries where most people believe privacy protections disallow such activity. Governments tacitly support it because they've found these capabilities immensely useful for their own purposes.

reply

[–] stef25 link

> for their own purposes

Such as?

If this also happens in the EU and is as blatant as you say it is and with GDPR and all, surely this is just waiting to blow up?

reply

[–] noir_lord link

Parralel construction.

You pull the phone location records of everyone near a protest without a warrant (and no intention of using the location data in court) then you dig into them to find something unrelated to the protest you can nail them on.

That way you take out key players without it looking like a political crackdown.

reply

[–] twostoned link

Based on the discussion in this thread doing such a thing seems relatively easy.

Obligatory Orwell:

“The most gifted of [the Proletariate], who might possibly become a nuclei of discontent, are simply marked down by the Thought Police and eliminated.”

reply

[–] noir_lord link

Yep, that's on the simpler end of the spectrum, they can/could be far more insidious and subtle.

It's horrible but beyond supporting ORG, EFF and writing to my MP (I'm in the UK) not sure what else I can do, even if I protect myself from it my family and friends are still potentially fucked.

reply

[–] Jill_the_Pill link

Advise everyone you know to keep their phones in foil potato chip bags?

https://www.thedailymeal.com/australian-man-fired-potato-chi...

reply

[–] Lionsion link

> ORG

What's ORG?

reply

[–] cryoshon link

show up to a protest. bring your family and friends.

encourage everyone to boycott american companies.

reply

[–] ende link

It’s not just American companies.

reply

[–] Yhippa link

That's absolutely a chilling effect. Just thinking about this I'm thinking back on events I've been to what what the government can infer from that. And they can probably nail us for anything now whenever they want to and it will be hard to trace it back to this kind of monitoring and analysis. The only way to avoid that would be to leave your phone at home and hope nobody records you or takes photos.

reply

[–] tgsovlerkhgsel link

That assumes use by a malicious government, but what was described above was illegal use by private entities.

I'm pretty sure that in Germany, some of the described activities could be punished with prison time (and they certainly should).

reply

[–] stef25 link

So this is just a way to bulk identify people in a certain location at a certain time. Fairly efficient I guess but could bring up a lot of false positives, like passers by, journalists etc

reply

[–] coldacid link

I would think that the people who would want to bulk identify people at certain events wouldn't consider tracked journalists to be false positives.

reply

[–] losteric link

Yes, these applications are blatantly violating the GDPR: https://www.gdpreu.org/the-regulation/key-concepts/personal-...

reply

[–] OldSchoolJohnny link

Then it's going to get very costly for them when the EU goes after some more of that sweet sweet penalty money.

reply

[–] sfrancisbjr link

I am a journalist and want to know more about how hedge funds use/abuse this. Please get in touch if you have first-hand knowledge: fbajak@ap.org.

reply

[–] pcarolan link

You and op work for companies you seem to fundamentally disagree with. Can you say why you don’t leave? Asking not out of judgment but to understand.

reply

[–] mywittyname link

Because they will just hire someone else.

reply

[–] throwawaymsft link

But where does that line of reasoning end? If asked to join a gang, do you agree because they'll simply find someone else?

reply

[–] noodels link

I think if you work in tech and you're not super made then you've just got to choose a few things you absolutely wont do and compromise on the rest. I don't even think this is the most sinister of stuff out there so personally I'd probably take the job in this case.

reply

[–] sfrancisbjr link

I am a journalist and would like to know more. Reach me at sfrancisbjr@gmail.com if you can help.

reply

[–] Mononokay link

Do you feel guilt over creating them?

reply

[–] 394852034 link

I know TV and movies have imparted upon people that there is some kind of feeling of immense guilt, or maybe you are just dishing the ubiquitous passive aggressive shaming as a weak attempt at social control, but fact of the matter is that today's devs (yes, many if not all of us here) have exponentially less qualms about what we do and support and develop (let alone even fully understand the ramifications, as has become apparent to me) on a day to day basis, than any of the soldiers or henchmen or perpetrators of the favorite historical villains we are trained to hate from early on. Reality is that to the vast majority of people that are swept up in the cult mania and are essentially blindly and instinctually following their most basic herding impulses, the actions they are taking and the things they are doing are just fine as they say "it doesn't look like anything to me".

We have thoroughly entered a pathway with an ever more narrow set of possible outcomes, none of which are good, but just as all the other past events that all the "smartest" people were warned about well in advance and who self-magnanimously proclaim how the inevitable outcomes "could not have been predicted" in to protect, at all and any cost necessary, the most important thing there is ... something so important and sacrosanct that reality and fact and intellect and rationality will be suffocated and smothered and exterminated and sacrificed the very microsecond it potentially could even maybe rear its head .... their ego and incomprehensible notion of having to admit fault or infallibility.

It is utter hubris that will be bringing about the inevitable next calamity that will, due to the ever growing and expanding size of the house of cards, collapse under it's own self-deluding weight.

Remember kids, tech fraud valuations were based on sound business and house prices could only go up; and those were just the early tremors of what is to come ... unfortunately. All manias invariable are followed by crashes, regardless of how they manifest themselves. What goes up must come down and down, farther and harder, it will come crashing the higher it climbed into the sun. Lest us forget Icarus

Icarus (IK-uh-rus) Son of Daedalus who dared to fly too near the sun on wings of feathers and wax. Daedalus had been imprisoned by King Minos of Crete within the walls of his own invention, the Labyrinth. But the great craftsman's genius would not suffer captivity. He made two pairs of wings by adhering feathers to a wooden frame with wax. Giving one pair to his son, he cautioned him that flying too near the sun would cause the wax to melt. But Icarus became ecstatic with the ability to fly and forgot his father's warning. The feathers came loose and Icarus plunged to his death in the sea.

The folly of Daedalus to not be mindful of the foolish youth of Icarus. But, do tell us of how the young of today will not cause the calamities of past generations of young who thought the too were infallible from their unearned privilege, pampered, and hedonic existence.

reply

[–] fixermark link

Should they? The vast quantity of users find it incredibly useful and have no reason to be concerned about governments or third parties being able to determine their geographic location, because governments or third parties don't generally care.

reply

[–] hanbura link

>have no reason to be concerned about governments ...

Many aren't, but everyone has reason to.

Governments change. Telling your government your religion in 1920s Germany was harmless, in 1940 many would have preferred if the government didn't have their religion on file.

Circumstances change to. In 1920 being a Japanese in the US wasn't special. After Perl Harbor came the internment camps.

And then there's the mundane stuff. You protest a government policy, someone in the government takes issue and tries to put some of these annoying people in jail.

Given that you don't know when you might become an enemy of the state it's always a good idea to keep the power of the state over its citizens in check.

reply

[–] undefined link
[deleted]

reply

[–] gordyf link

You can be upset about an aspect of a product, and seek to change that aspect, without abandoning use of the product. For example, 1.3 million people are killed by cars every year, and while we recognize the risk, we also constantly improve them through safety regulations, training and improved technology. Just because people use cell phones and apps today doesn't mean we're okay with the downsides and should stop trying to improving them.

reply

[–] fixermark link

It's an interesting example you've chosen, since one of the dimensions along which car safety improvement is being researched is ubiquitous GPS signalling to share data about road and traffic conditions (and since every self-driving car is basically a panopticon and recording device rolled into one).

reply

[–] OrganicMSG link

Mass surveillance is not really for investigating individuals.

The game being played is not '1984', it is 'Foundation'.

It is for steering entire societies, and this works far better on the boring people who think they have nothing to hide as they are the easiest to model

reply

[–] AlexCoventry link

I agree the greater emphasis is Foundation-style analysis, but really, it's for both.

reply

[–] OrganicMSG link

I've been working a theory that what we are seeing in the last 10 years or so is the escape of these techniques from government into private industry.

With a single powerful player, you get a consistent, but slightly false narrative. If you have lots of players though, you get multiple competing narratives and the news stops making sense.

Is partly why I still think Gibson is one of the people who got it closest to the mark.

reply

[–] undefined link
[deleted]

reply

[–] 908087 link

If they "don't generally care", they wouldn't be collecting that data to begin with.

reply

[–] wilsonnb link

It's possible that they care about the aggregated data and not about the individual data.

reply

[–] fixermark link

They collect the data because they can find themselves needing to care in the future, at which point nobody wants to be kicking themselves for failing to collect the data.

reply

[–] ionised link

So they do care.

reply

[–] trendia link

Cambridge Analytica did far more with far less.

reply

[–] hanspeter link

Did they? They're sales pitch claimed they could but what we've heard of actual methods and impact didn't appear more effective than regular FB ads.

reply

[–] CamperBob2 link

It's not about being able to track everybody. You're right, nobody cares about that.

It's about being able to track anybody.

reply

[–] jadedhacker link

1) Users get no benefit from information resale. 2) COINTELPRO

reply

[–] fixermark link

Keep in mind: most users are not part of a domestic political organization targeted by the FBI, so again, when the rubber hits the road, they'd rather not be inconvenienced for a risk that applies to other people. They don't care about COINTELPRO (disregarding, of course, the percentage of the population that actually thinks the FBI digging into "subversive" groups is part of its job).

Users get no benefit from the information resale directly, but they also aren't generally harmed by it. And the benefit they get from having a ubiquitously-connected device in their pocket outweighs the (apparently calculated to be low) per-person cost to their information being resold. The fact that you or I may do the calculus differently for ourselves (because we have different risk sensitivity) doesn't impact those who don't reach the same conclusions.

reply

[–] jadedhacker link

What I'd say is that until somewhat recently, I was interested in politics but not engaged. I took your position during that part of my life. Now that I'm actually engaging in political activities, COINTELPRO and its current incarnations scare the bejesus out of me, and I'm not doing anything that radical, just left of the Democratic Party. YMMV.

There may come a time in your life when you wish to have a say in the political system or are wronged by a powerful corporation. You'd care in that case. When your political rights disappear, they aren't easy to get back.

reply

[–] fixermark link

I agree that one in that context cares, but I think you can agree that most people are not in that context. So on the whole, they receive benefits from deep data integration and no immediate downsides.

Which circles back to the original question: should a person feel guilt over creating tools that help the average user and harm the political dissident? Seems an open question. Perhaps one heavily dependent upon whether the actor agrees with the political dissident's position.

reply

[–] rosser link

A potential victim's ignorance of their risk doesn't mean they aren't at risk.

Because I'm not specifically aware there's a cross-town bus with my name on it, I'm somehow not about to get pancaked?

reply

[–] drb91 link

Any source for this claim?

reply

[–] fixermark link

The general public and repeatedly-reported-upon understanding of how data collection can be leveraged to find unexpected insights not obvious from the data, coupled with the Snowden leaks, coupled with the ever-increasing user count for cellphones, Facebook, Twitter, and the Internet in general.

If people were deeply individually concerned about the risks vs. rewards of these technologies, they'd stop using them. That's the rubber-meets-the-road calculus I see.

reply

[–] losteric link

Do you trust the public is informed about these technologies? I think you might be overestimating individuals... most folks still don't know about Cambridge Analytica.

reply

[–] undefined link
[deleted]

reply

[–] OrganicMSG link

> "If people were deeply individually concerned about the risks vs. rewards of these technologies, they'd stop using them."

Why do you think that? It clearly doesn't apply to stuff like oil, for instance.

I could give up my phone, but I would be in deep shit if I did it tomorrow. It would take a lot of arrangement to do so and it would piss off my family and lose me work.

reply

[–] fixermark link

Actually, I'd argue that it does apply to stuff like oil.

People say they're concerned. But the actual number of people attempting to zero the amount of oil they use? Much lower than claimed concern.

Words are easy. Actions have costs that people would prefer not to take on.

reply

[–] OrganicMSG link

>the actual number of people attempting to zero the amount of oil they use? Much lower than claimed concern.

How do you know how many there are? Anyone doing that couldn't travel except by foot, buy any commercial products or use any available communication services.

edit - alternatively, there are loads of people attempting to zero the amount of oil they use. They are just using oil to get there.

reply

[–] rosser link

Tu quoque.

See also: "Ayn Rand collected Social Security benefits." (And I abhor her oeuvre and "movement".)

reply

[–] fixermark link

Tu quoque requires someone to have made a claim in the first place.

I'm saying people make the claim on the average person's behalf that they want privacy and information such as their location (as triangulated by cellphone towers) kept generally secret from governments and corporations who can offer them benefits, and that claim is not actually supported by much evidence. I think the digital intelligentsia cares deeply; the average cell user, not so much.

reply

[–] rosser link

And I'm saying that lack of care is a product of ignorance — ignorance in no small way imposed upon them by the shady behavior of the people who are doing this. As such, it can't be reason to blame them for that "choice". It's a passive choice. It's opt-out, without being told there's a option. And there isn't actually an option.

That is, if Verizon was unambiguous with Joe Customer, "We may sell your real-time location information to companies known to re-sell that kind of information to the government, and you can't do anything about it" how many of them would be pissed? Isn't the state being restrained from un-warranted — literally — snooping into people's lives a core American value?

Your position is that most people would "meh". I think you're wrong. You're probably right that there's scant evidence either way, though.

reply

[–] Floegipoky link

Kind of like how automobiles are a luxury, and if people cared about the 4th Amendment they just wouldn't drive anywhere. Nevermind that our way of life is literally not possible without the technologies in question.

Every single one of the revelations you've mentioned was met with public backlash, followed by either a misinformation campaign or intense dog-wagging. This is called manufactured consent. For example, let's look at Cambridge Analytica. When it was revealed that a military contractor was hired to subvert the 2016 Presidential election, the dominant story in the alphabet-soup media was a twitter tantrum from Trump. As it became clear over the next few days that the story wasn't going to be buried easily, the narrative was quickly shifted away from the subversion of democracy to blaming Facebook for leaking user data, culminating in parading The Zuck before Congress. He played his part perfectly: no bread, but enough circus to keep the masses from thinking too hard about what it means for an election to be free.

reply

[–] fixermark link

You'll have to unbox how driving is related to the 4th Amendment; I would have assumed you were going to observe people continue to drive even though 40,000 people a year die in car accidents.

People do the calculus to decide if risk is greater than reward all the time. It appears ubiquitous connectivity, for most people, is far more rewarding than risky.

reply

[–] gowld link

In short, doing anything that requires a Driver's License severely restricts your freedom from search and seizure while traveling on public highways. To gain those rights back, you have to (de facto) forfeit your Driver's License and stop driving on public highways.

reply

[–] haZard_OS link

>People do the calculus to decide if risk is greater than reward all the time.

Technically you're right but what you seem to be missing is that people (in general) suck at risk assessment. Although they are doing "the calculus", most of their calculations are based on heuristics that just don't reflect a rational analysis.

That is why so many people fear plane travel more than car travel, immigrants more than cigarettes, and pharmaceuticals more than "raw water".

reply

[–] TechieKid link

Several recent HN stories have had this kind of comment (first noticed with the Securus submission) that's a weird mix of "You have nothing to fear if you have nothing to hide" and "They will never come for you, you're too unimportant." Is this a sustained campaign or just a way for folks who have contributed to these issues to feel good about themselves?

reply

[–] dang link

> Is this a sustained campaign

This breaks the site guidelines. Could you please read and follow them when commenting here? https://news.ycombinator.com/newsguidelines.html

Insinuations of astroturfing or shilling without evidence (an opposing view does not count as evidence) are an internet toxin that turns out to be worse than the things it insinuates, because it's so widespread. I've written a ton about why we don't allow that here, if anyone wants to read more: https://hn.algolia.com/?query=by:dang%20astroturfing&sort=by...

reply

[–] TechieKid link

Welp, sorry.

reply

[–] wilsonnb link

It's just how a lot of people feel about the issue.

I'm not sure why you would jump to concluding that it's a sustained campaign or some kind of reaction to guilt.

reply

[–] pubutil link

Wilsonnb hit the nail on the head, it’s just how some people feel. Though I don’t doubt that some people involved in the creation of this phenomenon use the argument to justify their work.

I had a hard time understanding why people wouldn’t be more conscientious of their privacy, until I had discussions about the issue with people close to me.

My folks had a very similar sentiment to the typical “if you have nothing to hide, then why do you worry about it”. My girlfriend had the same thought, but took it a step further and asked why I cared so much about people uninvolved in my life knowing personal details about it, then said I was “the most paranoid person [she’d] ever met”

Once the Cambridge Analytica scandal broke, they all understood my point. I think the majority of people who don’t work in tech don’t understand the massive implications that our lack of privacy has. They don’t know how cookies or backends or tracking pixels work, and may not even know they exist. They imagine an NSA agent sitting in a room looking for keywords, not companies that they entrust their digital lives to selling off every little piece of info about them. It’s so much more than your Facebook or Twitter posts being public, it’s data that we might not even know about ourselves being kept in the hands of unknown entities.

To sum up this rant, some people have to see it to believe it because this is outside their scope of knowledge

reply

[–] gleenn link

I'm surprised you've had conversations with tech laymen that understand what Cambridge Analytica is guilty of. Everyone I talk to, even reasonably tech-literate people, still don't understand the repercussions. I even point out the possibility of throwing a presidential election, and my mother said, "so what, isn't that just people pushing for the guy they want?"

reply

[–] 8bitsrule link

It would be better if they did, yes.

reply

[–] tzahola link

Thank you for your contributions in making the world a little more shitty! /s

reply

[–] dang link

This breaks the HN guidelines. Please read and follow them when commenting here.

https://news.ycombinator.com/newsguidelines.html

Edit: you've repeatedly posted unsubstantive comments and we've asked you to stop before. We ban accounts that do this, so would you please not do it anymore?

reply

[–] heurist link

I'm in the space as well. I've tried telling my congressmen but they ignore me. I'm waiting for the backlash, especially will all the recent privacy issues. It hasn't happened yet and the problem is so large that I honestly doubt whether the public will ever truly grasp what the scope.

The advice I always give when this topic comes up us to be very careful with what you install on your phone. The least expensive mobile location data tends to come from random apps collecting the data to sell it, and ad networks. Permission to use your GPS is permission to track you until you uninstall the app.

reply

[–] ethbro link

If you're willing to have your name attached to this, if / when it does finally blow up, please make an effort to talk to news organizations about who and when you initially reached out to congress people.

If you're not comfortable with your name being publicly attached, at least give news orgs the information and request confidentiality.

Part of the reason congress people can punt is that the cost of inaction < cost of action before it penetrates media.

A big part of shifting that equation is starting to publicize "You had all the information available now on X date and did nothing" as loudly as possible. Naming and shaming has been healthy for vulnerability disclosure.

reply

[–] 88e282102ae2e5b link

Are you able to send them a copy of their individual location data, or the location data of their staffers/friends/family? That might make for a potent wake up call. Though, you'd want to run that by an attorney first.

reply

[–] lallysingh link

Screw that. Put together a consumer stalking website, sell the data directly. Advertise, make tons of money, and let the outrage from that bring light to the entire industry.

reply

[–] ZainRiz link

And then be the only one sent to jail as the scapegoat for the rest

reply

[–] i_cant_speel link

It's not illegal.

reply

[–] api link

Do it on the dark web.

reply

[–] code_duck link

Move to Myanmar first?

reply

[–] mygo link

To get initial traction, you can even call it “where’s waldo” to get the publicity of a trademark suit. go for broke — you’d be going to jail anyway once any meaningful legislation is put into place

reply

[–] lallysingh link

The point is to encourage legislation. So happily shut down on a pile of money.

reply

[–] michaelt link

  I'm in the space as well. I've tried telling my
  congressmen but they ignore me.
If you have hard evidence, forward it to the journalist or newspaper that broke a similar recent story, or whose reporting of that story you respected.

Maybe you can find a journalist you respect for their reporting on Cambridge Analytica, the Paradise Papers, Edward Snowden and so on?

reply

[–] mickael-kerjean link

It's not that easy when you're not in their network. I've tried to contact a few journalists recently as I discovered twitter knows everything about youporn's user which considering their track record in term of security and the amount of politician in there could have some pretty bad effects.

It goes like this: https://pbs.twimg.com/media/DczGQICUQAA9ljF.jpg

The domain "syndication.twitter.com" tracks everyone but the page says: "Sorry, that page doesn’t exist!". The point is I haven't been able to run the story so far

reply

[–] sfrancisbjr link

Seasoned cybersecurity journalists use Securedrop, Signal, Jabber and the U.S. mail to protect sources, among other tools.

reply

[–] gcb0 link

that's only the low end. app gps usage shows up on the UI.

the article discusses when the ISP/telco sells the data that you have zero visibility on. there's no way to get around this.

btw, apple and google ad spyware process (google play service) will collect gps and wifi data without any user visible UI, not to mention download ads in the background.

reply

[–] willstrafach link

> btw, apple and google ad spyware process (google play service) will collect gps and wifi data without any user visible UI, not to mention download ads in the background.

Would be nice to see actual proof of this. I am very familiar with all network traffic an iOS device may emit and do not know what you are referring to here.

reply

[–] sizzle link

Thanks for the tip. I've made a habit of turning off location services on Android once I'm done using navigation (Waze), do you know if this sufficiently blocks all background tracking for apps I've consented to allow GPS location tracking? Thanks.

reply

[–] spacemanmatt link

Carrying a cell transmitter allows them to triangulate your position. It's not as awesome as GPS but it still meets a lot of needs.

reply

[–] Frondo link

What about a state senator or representative? Could your state start enacting a privacy framework, that would apply to businesses that wanted to do business in your state? Sort of like California emissions for cars.

reply

[–] undefined link
[deleted]

reply

[–] hunter23 link

Can you name and shame the congressmen that ignore you?

Or can you make a tip to one of the newspapers? Given the facebook privacy news saga this might get picked up.

reply

[–] criddell link

I don't think naming and shaming will do anything, but maybe when somebody's location data embarrasses them, they will do something about it. I think a good analogy is the Video Privacy Protection Act.

reply

[–] heurist link

I'm a liberal in Texas so being ignored by politicians is nothing new to me.

reply

[–] undefined link
[deleted]

reply

[–] apozem link

Talk to a congressperson who knows about cyber like Ron Wyden.

reply

[–] ethbro link

FFS. "Cyber" is an adjective. Not a noun.

Just because the less-technically adept parts of the infosec community & even more hapless government workers wanted to sound cool doesn't suddenly make it right.

reply

[–] King-Aaron link

That's how colloquial language develops, however.

reply

[–] ethbro link

This is true. But it doesn't make every new development an intelligent or useful one.

But then I also just enjoy responding with "Cyber what?" whenever someone uses it as a noun. The correlation between people who are asked and can then provide a relevant noun has not been high.

reply

[–] d0lph link

Seems kinda useful, to group knowledge regarding computers & the internet, and how they impact other industries.

reply

[–] Intermernet link

Language just got cybered.

reply

[–] gruez link

>It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.

so what's the flow here? is it something like this?: phone gps -> manufacturer installed crapware app -> crapware server -> (various third parties)

wouldn't this be mitigated if you use a custom ROM like lineageos?

reply

[–] dude123456 link

some of crapware can be avoided by using custom ROMs, but not all of it. For example: Qualcomm IZat location services and other location-based trustzone applets remain running even on custom ROMs.

reply

[–] userbinator link

You seem to be quite familiar with Qualcomm, but do you know if there's anything similar in Mediatek SoCs? They do have assisted GPS ("A-GPS"/"EPO") but from the info I can find (including leaked very thorough datasheets and programming manuals), it does nothing more than downloading already-public ephemeris data from an FTP server periodically. I've also inspected the firmware, and there doesn't appear to be any traces of the TrustZone/Trustonic stuff that you mention is present for Qualcomm; AFAICS the only thing running on the main CPU cores is Android itself, the modem runs its own baseband firmware, and the GPS/WiFi/BT/FM combo chip (which is a physically separate part, accessed over a serial interface with no direct DMA capabilities) runs a third firmware. Any "secure boot" features in MTK SoCs are (fortunately?) not very secure, so it's all quite easy to inspect.

There's some bits of interesting info here:

https://github.com/cyrozap/mediatek-lte-baseband-re

https://postmarketos.org/blog/2018/04/14/lowlevel/

reply

[–] Illniyar link

How is it sending the data though? if it's using mobile plans, wouldn't it be noticeable on the data usage plan? (or is it that manufacturers have agreements with carriers to not charge for it?)

reply

[–] striking link

> IZat location technologies use a network of cloud-based assistance servers that provide industry-leading location performance for any mobile device, on any network, in any environment.

https://www.qualcomm.com/products/izat

reply

[–] gowld link

Location data is what, maybe 1kB per sample, including lots of overhead? 100 samples/day is 3MB/month. It's not going to affect your mobile data budget.

reply

[–] pbasista link

Some people do not have a mobile data plan. Using mobile data in such case would typically be rather expensive. Unexplained mobile data charges, however small, would raise questions.

reply

[–] yyx link

Can confirm. Chinaphone used mobile internet every day sending bytes. Tried using firewall, then butchered settings altogether.

reply

[–] mehrdadn link

This is my question too... nobody has explained this part.

reply

[–] gruez link

>Qualcomm IZat location services

did a quick check, it's not on my phone (SD 820 SoC).

>other location-based trustzone applets remain running even on custom ROMs.

I have no doubt some proprietary blobs still remain on custom ROMs, but do those actually send back location data to the OEM?

reply

[–] dude123456 link

You have a Qualcomm Snapdragon 820? Oh yes, IZat is definitively there, along with other interesting trustzone applets :)

It is running under QSEE (Qualcomm) and/or MobiCore (Trustonic) OS, which is separate from your Android OS. It is left untouched by custom ROMs.

reply

[–] Someone1234 link

While most of the terms there aren't Google-able (QSEE, MobiCore, trustzone applets, etc) the IZat page seems to almost boast about the core argument:

https://www.qualcomm.com/products/izat

Scroll down to "Cloud-Based Assistance" and "Built Right In."

reply

[–] pbasista link

I do not understand.

Even if there was a separate OS running in parallel with Android, how could it access the wireless-networks-based and satellite-based location data? I thought that access to these things is controlled by Android.

In other words, when I turn off e.g. satellite location data in Android, can IZat (which, according to your post, runs outside of Android) or other similar spyware keep secretly using it anyway? That would be quite worrying.

I suppose that the location data can be collected by sniffing the low-level communication between the radio device and Android kernel, provided that it has been enabled in Android first. But even then, how could this location data be transferred out of the device? Are these "parallel-running" OSs also able to somehow "tap into" Android's network layer and send the collected data out?

reply

[–] rsync link

Oh, sweet summer child ...

"Even if there was a separate OS running in parallel with Android, how could it access the wireless-networks-based and satellite-based location data? I thought that access to these things is controlled by Android."

There is a separate OS running in parallel with Android and it is running on the very hardware that makes the network connections to the cellular network that you are speaking of.

In fact there are two - the OS and software stack that run on the baseband processor and the OS and software (java apps) that run on your SIM card, which is a full blown computer with its own memory and processor, etc. In fact, your carrier can upload new java programs to your SIM card without your knowledge at any time.

Your final question is a good one - many (most ?) implementations give the baseband processor DMA to the main, application processor. So you are hopelessly owned. Deeply, profoundly, hopelessly owned.

reply

[–] dude123456 link

True++ there are at least 4-5 OSes on Qualcomm with direct access to the Internet:

1. Linux Kernel / Android OS, running on main ARM CPU in "normal mode"

2. QSEE or Trustonic OS, running on main ARM CPU in "trusted execution environment" mode, in parallel with "normal mode"

3. OKL4 / REX Kernel + AMSS OS, running on the baseband CPU (modem)

4. SIM card processor, although it is very limited (typically 32k RAM) and acts only as a MITM for SMS's, not cellular data

5. The OS running on the Wi-Fi card

reply

[–] jcfrei link

Do you happen to know if Apple phones are any better with regards to privacy?

reply

[–] com2kid link

Remember back when people got upset over Intel CPUs having a unique ID in them? Remember when people got upset over tracking pixels?

Since then, things went really bad, really fast, just no one noticed.

reply

[–] Intermernet link

We noticed, but wailing and gnashing teeth doesn't achieve much. Unfortunately, without widespread education and outrage, nothing achieves much.

That's why I don't mind being "that guy" in social situations when these issues are brought up.

reply

[–] pests link

You seem flabbergasted so I wanted to directly answer your questions.

> how could it access the wireless-networks-based and satellite-based location data?

The OS is either running on the same hardware as Android or has the same direct hardware connections.

> I thought that access to these things is controlled by Android.

Only for things executing within Android. This is just a fancy UI - Android doesn't actually control the hardware.

> In other words, when I turn off e.g. satellite location data in Android, can IZat (which, according to your post, runs outside of Android) or other similar spyware keep secretly using it anyway?

Yes.

> I suppose that the location data can be collected by sniffing the low-level communication between the radio device and Android kernel, provided that it has been enabled in Android first.

You shouldn't think of it as between the radio device and Android but rather between the radio device and the CPU. A CPU that another OS can and is running on. Android is not special here.

> But even then, how could this location data be transferred out of the device?

The same way Android sends data out of the device. The OS asks the CPU asks the radio to transmit some data. Bog standard.

> Are these "parallel-running" OSs also able to somehow "tap into" Android's network layer and send the collected data out?

Yeah but like I said its not Android's network layer. Android is a guest on top of the system just like any other OS running.

reply

[–] cptskippy link

Most cellular devices have a Baseband processor with RTOS or run a hypervisor that runs a RTOS and your phone's operating system.

These OS images are untouched by your custom ROM because they're black box.

https://en.wikipedia.org/wiki/Baseband_processor

reply

[–] paulmd link

The SIM card is a separate OS that gets underneath the SOC's OS. It can run its own applets without the knowledge or permission of the SOC OS.

https://www.youtube.com/watch?v=31D94QOo2gY

The baseband is a completely different RTOS as well. And then there's also TrustZone running in the SOC as well.

reply

[–] gruez link

Are you sure? According to https://forum.xda-developers.com/android/software-hacking/ar..., they have corresponding apps running in the main OS as well.

reply

[–] SSLy link

what about exynos chips?

reply

[–] everdrive link

It uses these domains:

http://xtrapath1.izatcloud.net

http://xtrapath2.izatcloud.net

http://xtrapath3.izatcloud.net

I'm not sure what part of the OS is sending it, but it's definitely happening (and is block-able!)

reply

[–] tgb link

> did a quick check

How? Thanks.

reply

[–] gruez link

searched up the package name, and according to https://forum.xda-developers.com/android/software-hacking/ar..., it's installed at /system/priv-app/xtra_t_app, which was not on my phone.

Also noticed that most posts had mentions of IZat in their location settings, which my phone did not have (in lineageos or stock)

reply

[–] dude123456 link

You're looking in the wrong place.

TrustZone OS is started during SBL2 (secureboot level 2), running in hypervisor mode, while you're looking at the Android OS started during SBL3 (secureboot level 3). You cannot see hypervisor processes & apps from your vantage point (the android kernel).

The trustzone OS is usually located in TZ partition, and it uses some additional partitions for custom TZ apps and data persistence.

The hypervisor has independent access to the internet, the wifi card (for indoor location), and more.

Qualcom boot process, showing SBL1, SBL2 and SBL3 stages:

https://forum.xda-developers.com/showthread.php?t=1769411&pa...

It goes without saying that without TrustZone OS, the phone won't boot to Android OS (won't proceed to SBL3).

reply

[–] newnewpdro link

You don't seem to appreciate the fact that the OS you interact with on a modern smartphone is essentially a guest.

There's a world of proprietary complexity you have zero visibility into, and much of it is running with direct access to hardware the application OS you interact with can only partially make use of.

reply

[–] random6547545 link

Hopefully this shows people how deep it is.

reply

[–] mickael-kerjean link

If all that is claim in here isn't conspiracy, how can it stay a secret? Isn't it the reason wikileaks was created in the first place?

reply

[–] com2kid link

It isn't a conspiracy, it is just unnoticed, I'd argue due to news fatigue.

Heck, it has a hompage. https://www.trustonic.com/solutions/trustonic-secured-platfo...

reply

[–] Filligree link

How is it a secret? We're talking about it right now.

reply

[–] godelski link

I think the issue is that most people end up just thinking "so what? What can they do with it?" and only think "I'm not doing anything wrong" (hate that phrase and origin). The consequences of this type of thing may be apparent to tech people, but not most of the public.

reply

[–] wpietri link

For those who want to try out LocationSmart, you can use it here: https://www.locationsmart.com/try/

They were about two blocks off, and located me by cell tower. Apparently they don't have (or at least don't admit to having) A-GPS level data for me.

reply

[–] ballenf link

Tested and same result.

I have a strong suspicion that it intentionally places you some distance from where it knows you actually are. Unless there is some underlying reason why it would never be 100% accurate -- I've seen dozens of people post their results and every time it's 1-300 meters off.

And it's not just "no one tests while under the cell tower" because the location it gave me was 150 meters in the opposite direction of the cell tower that I can see out my window. And the location it gave was smack in the middle of a neighborhood I know well and know to be free of cell towers. Or I'm just paranoid.

reply

[–] mastofaces link

I just used the internet site it said up to 14 miles off in accuracy on the results page. It was actually 4 miles off with my wifi off and GPS off and ZLAT off. I'm also pretty sure the location it picked is very close to an existing cell tower.

reply

[–] forapurpose link

What is ZLAT?

reply

[–] SahAssar link

I'm guessing s/he meant IZat: https://www.qualcomm.com/products/izat

reply

[–] Distribution link

Did you have WiFi on? Several companies have basically mapped (wardriving) nearly every wifi spot in the US and have correlated that with GPS. The vast majority of these wifi spots never, or rarely, move. By using several known wifi locations and their given latency, you can accurately predict location without cellular or GPS, like, down to the tens of meters.

reply

[–] dmichulke link

I'm somewhat weary. This might be the final missing piece to connect your mobile phone number to your mobile browser user agent, or even worse, your desktop browser agent.

reply

[–] lotsofpulp link

If the mobile carriers are selling your real time location data, I don't think there is much stopping them from also selling your browser user agents.

reply

[–] tome link

I believe that dmichulke means that when the phone number is linked to the user agent it's much more dangerous than when they are sold without that connection being known.

reply

[–] tome link

*wary

reply

[–] RobotCaleb link

Or leery

reply

[–] tome link

Interesting. I wonder if the mistaken use of "weary" comes from a combination of "wary" and "leery"! I always assumed it was because "wear" is pronounced the same as the first syllable of "wary". Unfortunately "weary" is already a word and "I'm wary of X" has a different meaning from "I'm weary of X", but similar enough that a lot of confusion could result.

reply

[–] sjs7007 link

Just tried it and was pretty accurate for me as well. How is it even legal for our cell phone providers to sell this data...?

reply

[–] kalleboo link

You agreed to it when you signed the terms of service

reply

[–] PeterisP link

Laws can and should override terms of service. The question of why it's legal isn't about contracts, but about basic privacy rights enforced (or not) by the legal system.

reply

[–] kevcampb link

Can you post the SMS opt-in message you received? Curious as to whether this is exploitable as well

reply

[–] johnpowell link

LocationSmart: Reply YES or YES LS to confirm consent for cloud location & messaging demo. Reply HELP for help, Reply STOP to cancel. Msg&Data Rates may apply.

That is what I was sent.

reply

[–] kevcampb link

I'm betting the opt-in is something along these lines

"FirstName LastName wants to obtain your location..."

Also betting that you can put 160 characters into those fields, so effectively a blank SMS is received

Betting further still that you can just spoof the SMS reply

reply

[–] bgw link

mine was 4.5 miles off

reply

[–] satariano link

I'm a journalist interested in learning more. Please reach out. Will keep confidential. adam.satariano@nytimes.com

reply

[–] robk link

^^^ this is what to do if you've got info relevant

reply

[–] raesene9 link

if you want to get it to blow up then (based on past experience of what seems to catch regulator/legislator interest) I'd say that someone tracking the locations of a load of politicians for a while, finding things of interest about places they've visited and then publishing on a news outlet would do the job.

reply

[–] tzs link

Your approach starts off by making the very politicians that you want to help you extremely pissed off at you.

More effective would be to track a few key politicians, such as those on the committees that would deal with regulating these things, and also a few reporters who have agreed beforehand to participate.

Then the tracking on the politicians is turned over to the politicians, but NOT made public. The reporters write stories about this, illustrating the tracking detail by publishing what it showed about them.

This approach gets the news out to the public, personally shows the key politicians the scope of the issue (and that they are vulnerable too), and lets the public know that the politicians have seen proof of how serious the issue is so that the politicians know that they need to get to work on this because their opponents come the next election will certainly be gearing up to use it as an issue if they do not.

reply

[–] raesene9 link

Expose's by investigative Journalists have often made politicians angry, but they have also effected change.

My idea is based on the fact that in my experience people rarely really care about privacy until it personally affects them.

reply

[–] zhengyi13 link

Note for example Feinstein's reactions to domestic spying generally, and then spying on her specifically.

reply

[–] erw1 link

Will it blow up, even if the public is aware?

When Snowden revealed the extent of NSA activities, it caused a momentary uproar but the people moved on pretty quickly after that. As far as I know (and let me know if I am wrong!!), there was no fallout for the government, and business continues as before.

So I am not sure if people will care this time either.

reply

[–] raesene9 link

Snowdens' revelations had a massive effect on the tech. sector.

It provided security people with ammunition to push things like encryption of data over "private" network connections, which prevented their misuse by governments (or at least made it harder)

It also pushed tech. companies to publicly take positions on government spying, in general by insisting they wouldn't co-operate.

reply

[–] Intermernet link

Cynically, it moved the goalposts, but didn't solve the problem. This is still a positive outcome in the big picture.

reply

[–] forapurpose link

Snowden's revelations arguably were a significant factor in EU privacy law, including GDPR. In the U.S., government has been unable to regulate big business for awhile, about privacy or anything else.

reply

[–] dredmorbius link

We, and the media mainstream, are still discussing Snowden, five years on.

reply

[–] ajb link

Malta Spitz (German politician) did this to himself in 2010: http://www.dw.com/en/german-politician-reveals-six-months-of...

reply

[–] fhood link

Good way to loose your job very quickly. I don't think we should have to rely on somebody sacrificing themselves to make a difference.

reply

[–] raesene9 link

Not sure anyone would lose their jobs.

1) Be an investigative Journalist

2) Purchase access to these location vendors data

3) Correlate data with known mobile numbers of politicians

4) Find things in data that might be of interest to readers (e.g. "politician x was noted to be in the same place as Lobbyist y on 5 different occasions")

5) Publish Story :)

reply

[–] georgek link

The more titillating version would be to crawl Backpage or similar successor service for phone numbers of escorts and correlate that with known phone numbers of public figures such as politicians to determine when both were in the same place at the same time. Then publish client lists, with links back to original escort ads for extra sensarionalism.

reply

[–] cryoshon link

pay me the cost of a data set plus 6k for a month's labor and i'll do it.

still need an outlet for the story though

reply

[–] dserodio link

The Intercept would probably be interested in publishing something like this

reply

[–] cryoshon link

yeah, but we'd need to make it first. like i said, i'd do it myself if i didn't have to maintain my moneymaking elsewhere.

reply

[–] undefined link
[deleted]

reply

[–] throwaway413 link

Why not? How do you think change comes about, by complaining about it on a tech forum?

reply

[–] fhood link

I you are willing to be blacklisted than more power to you. I wouldn't want to force that on someone.

reply

[–] throwaway413 link

I agree, wouldn't want to force that on someone either. However I am sure there are plenty of people willing to sacrifice for the "greater good" (such as myself - I have quit a job before citing ethical reasons). People have different risk tolerances, and also current life situations - understandable. Just don't think the expectation should be set that change will come around from anything less than drastic action.

reply

[–] mLuby link

Not if precautions are taken, and even if someone did, such a patriotic disclosure (if done responsibly a la Snowden) would put that person is very esteemed company.

reply

[–] Alupis link

Yes, but Snowden is currently living in exile, and there's no end to that in sight.

Few have the stomach for that sort of thing...

reply

[–] godelski link

That's more because he released government secrets, not corporate. If the gov wasn't after him I'm pretty sure quite a few big companies would try to hire him.

reply

[–] sydd link

And how can I buy this realtime data? Also

> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.

Any articles/webpages about this one? Or a company name who is doing it?

reply

[–] throwawaymath link

Pinsight is a big one.

But there are too many to name. In 2018, you should assume that any free service (Unroll.me), web/mobile SDK (Slice), email client (Airmail), personal finance tracker (Mint), integration API (Plaid), geolocator (Foursquare), etc is monetized by selling your data en masse for market research.

It's not just location data. Dig into the TOS of free services you use. It's your receipts, your transactions, your subscriptions...all are "anonymized" to varying degrees of success. Even Meraki, the network router/switch company, sells location data.[1]

____________________________________________

1. https://meraki.cisco.com/technologies/location-analytics

reply

[–] chatmasta link

Link to pinsight: https://pinsightmedia.com

> Ever wonder what your consumer thinks minute-by-minute? Pinsight’s ID Suite gets behind the lock screen to understand the mindset of your best customer. Leveraging 24/7 insights from the mobile device, we uncover new audiences and discover new market opportunities so you can engage with consumers in ways that matter.

“Gets behind the lock screen”

Jeez that is some brazen marketing.

reply

[–] r00fus link

I hear "groping inside the knickers".

It's blatant and normalized.

reply

[–] krrrh link

Assuming you’re talking about Airmail, the iOS and Mac mail client[1] (which is not a free app), do you have any reference to back up this claim? Their privacy statement states:

> Airmail does not share your information with any third parties. We are not in the business of selling your data. However, we may disclose information if we determine that such disclosure is reasonably necessary to comply with the law.

They also state that they do not send information to their servers unless you enable push notifications, store data only for this purpose, and delete the data when you disable this setting.

[1] http://airmailapp.com

reply

[–] throwawaymath link

Yes I think you're right, sorry. I'm thinking more of the email clients like Edison [1] and Astro[2]. It gets hard to keep all of these apps straight :)

_____

1. https://trends.edison.tech and https://mail.edison.tech

2. https://www.helloastro.com/privacy/

reply

[–] adamson link

Hasn't Foursquare been doing this and nothing but this for ten years now?

reply

[–] heurist link

Foursquare is selling business services based on the data they collect, not the data itself (as far as I know).

reply

[–] throwawaymath link

They sell direct location analytics: https://www.entrepreneur.com/article/290543

This is mostly a distinction without a difference, because for firms that do this, one of those "business services" is providing a thin layer of analysis over the underlying data.

reply

[–] heurist link

What I'm saying is they don't sell the raw location data they've collected. There is a huge difference between derived analytics and the raw point-by-point device-linked location data. It's a reduction of multiple terabytes of data down to a few kilobytes of identity-obfuscating information. I am not affiliated with Foursquare but I appreciate the direction of their pivot.

Honestly, since my line of work is similar (tangential) to what they do, my opinions are probably quite different from the moral majority who might read about this kind of issue without understanding the range of applications. I'm not sure what the solution is but I think there is a regulatory solution that preserves both consumer privacy and the extraction of economy-benefiting value. And I do think something needs to be done to protect privacy, even if it means negative impacts to the commercial space I am in.

reply

[–] dude123456 link

Any company that sells you access to ad real-time bidding. You connect to a event fire-hose that gives you a nice standardized json for each ad target, with plenty of data about the user (including geolocation), and you choose whether to bid or not on each ad, in realtime.

It is an open standard:

https://www.iab.com/guidelines/real-time-bidding-rtb-project...

reply

[–] chatmasta link

Do you get that data before you place the bid? Can you can just bid the minimum amount so you never actually buy an ad, but get the tracking data anyway?

reply

[–] dude123456 link

You get all the data (geo, user's year-of-birth, user interests, device type, etc) before you place the bid. All the json data fields are defined in the standard. I can see iOS and Windows-phone in the feed, it's not limited to Android phones.

https://www.iab.com/wp-content/uploads/2015/05/OpenRTB_API_S...

You don't actually have to bid.

(HN is rate-limiting me) edit: Data is pushed to you as fast as you can process it. It's a firehose.

reply

[–] geostack link

To get a seat on the exchange, you need to bid, and exchanges also don't allow you to store data of bid requests that you don't win for purposes other than bid algorithm optimization in their terms and conditions, since that's stealing data. If they find out you're freeloading, they'll cut you out.

Also, most of the data on it is pretty shitty with lots of fraud since the publishers want to get more money. The geo data is often fraudulent (https://en.wikipedia.org/wiki/Geographic_center_of_the_conti...), and that's why companies that bid hire data scientists to sift through the fraud.

There's also rarely, in my experience, year-of-birth or any personally identifiable data.

reply

[–] dude123456 link

In a typical bid entry there are between 500 and 5000 bits of information relating to an individual, per the definition of GDPR. And that's not including the dreaded "IFA", which uniquely identifies the individual.

I don't agree with your claim that "the geodata is often fraudulent".

Anyone can read the linked pdf specification (above), download sample data from the exchanges, and judge for themselves.

reply

[–] chatmasta link

Is it pushed to you or do you pull it? Is there no rate limiting?

That’s really creative honestly.

reply

[–] meritt link

Advan, Reveal Mobile, QuestMobile, Pinsight, Streetlight Data, RootMetrics, OpenSignal, SafeGraph are a few of the companies selling various forms of mobile user location data.

reply

[–] pteredactyl link

Most funds actively try to stay out of the media. For some it's a core strategy.

( "Out of sight, out of mind" )

reply

[–] r00fus link

Crawling under the rock safe from the light of day.

reply

[–] pteredactyl link

On some level I don't blame them as our national media discourse is at a 5th grade level.

reply

[–] Lionsion link

>> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.

> Any articles/webpages about this one? Or a company name who is doing it?

Foursquare does it, there were some articles last year about how they pivoted to providing that data. They were able to accurately predict Chipotle customer declines after their food contamination scandals.

I'm not sure if they use this carrier location data, or just the data from the people who are still using their app.

Edit: here's one: https://www.washingtonpost.com/news/innovations/wp/2016/04/2...

reply

[–] rinze link

> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

I initially thought this was too far fetched but then I started duckduckgoing* and found this: https://www.fnlondon.com/articles/regulators-campaigners-sou...

* If 'googling' is a verb, why not this.

reply

[–] hbosch link

I read just recently that one of Foursquares biggest revenue slices is selling their users check in data to hedge funds. On a previous HN post, one commenter claimed the app Robinhood sells their order flow through clearing houses, which the net result is hedge funds and other such firms trade off of — under the assumption that Robinhood investors are emotional rather than educated.

Hedge funds in general seem like a major consumer of retail data, which makes sense. Home Depot just announced earnings: imagine if you knew exactly how many people went into Home Depot, walked out empty handed, and then went to Lowe’s... how you could profit off that data in the market.

reply

[–] sfrancisbjr link

I am a journalist and want to know more about how hedge funds use/abuse this. Please get in touch if you have first-hand knowledge: fbajak@ap.org.

reply

[–] tekstar link

Is this happening with iPhone as well, or primarily android due to the third party nature of the hardware?

reply

[–] matwood link

The problem is once it's at the cell carrier level it doesn't even matter if you use a dumb phone. They know roughly where you are based on tower triangulation.

reply

[–] stef25 link

That's always been common knowledge, the shocker is that it's being transmitted to "everyone and their dog" or even being sold. Afaik that was never the case with dumb phones.

reply

[–] fixermark link

A dumb phone can be localized by cell triangulation. The US military disclosed that it was using such a technique in Afghanistan to locate Al-Qaeda targets (they disclosed this because Al-Qaeda had gotten so paranoid about he accuracy of US military operations that they had assumed they had human spies on the ground feeding the US information and began killing civilians on suspicion of spying).

reply

[–] forapurpose link

> A dumb phone can be localized by cell triangulation. The US military disclosed ...

In the U.S., aren't dumb phones (or 'feature phones') locatable for E911 service?

reply

[–] joe5150 link

if it doesn't have GPS, it doesn't have GPS

reply

[–] PeterisP link

Using your phone's GPS requires cooperation from your phone, however, triangulation by timing is not only possible, but even required by the GSM standard, the signal continuously measures and encodes your "latency" to the tower needed so that you'll start transmitting your block slightly earlier if you're farther away so as not to overlap with the time slot possibly allocated for some other device.

It's not as accurate as GPS, but it gives a solid estimate of your location that neither you nor your phone can prevent unless you totally disconnect.

reply

[–] CamperBob2 link

There are several ways to implement E911-like service, and at least one of them doesn't require GPS. Your phone can usually be seen by multiple cell sites, so it's just a matter of accurate timing.

reply

[–] stef25 link

What I meant was that selling location data obtained by triangulation wasn't / isn't done and would require different methods anyway.

reply

[–] BurningFrog link

...or maybe they had a lot of human spies to protect by telling tech stories.

reply

[–] nyolfen link

> A dumb phone can be localized by cell triangulation. The US military disclosed that it was using such a technique in Afghanistan to locate Al-Qaeda targets (they disclosed this because Al-Qaeda had gotten so paranoid about he accuracy of US military operations that they had assumed they had human spies on the ground feeding the US information and began killing civilians on suspicion of spying).

they absolutely had spies on the ground who were likely civilians, eg the doctor who got bin laden's family's dna under the cover of a vaccine program. the narrative that they were only using cell tower triangulation may have a seed of truth but it sounds a lot like counterintel meant to throw off the trail to me.

reply

[–] fixermark link

To my understanding, the reveal of the use of cell triangulation was specifically to minimize civilian casualties, not to throw Al-Qaeda off the trail of spies.

I'm sure they also had spies on the ground, but I believe the explanation that innocent bystanders being killed was something they'd prefer to avoid.

reply

[–] e_proxus link

Not my area of knowledge at all, so perhaps someone who knows radio better could chime in: Would it be possible to fool the triangulation from the device, by arbitrary (or intelligently) delaying the mobile radio signals? Or are they too dependent on timings and such to work?

reply

[–] sangnoir link

> Would it be possible to fool the triangulation from the device, by arbitrary (or intelligently) delaying the mobile radio signals?

Not without messing up your ability to make and receive calls. Cell towers use precise timing and power-level measurements in order to do things like decide which cell-site is best, and to hand-over your call from one tower to the next without breaking your call or glitching.

Edit: Even if you were to play around with timing of responses of the radio signal, you have no control over how it radiates in free space. The time-delta between reception of the same signal by 3 towers at known locations is enough to triangulate your position. Maybe a unidirectional antenna pointing to just one tower might work, if there are no other towers within the beam behind it and no sideway leakages.

reply

[–] jusssi link

With highly directional antenna and carefully selecting your position, you could try to have your signal only to be heard by a single cell tower at the time. The network would get your distance from the tower, but with direction info from just one tower would be less accurate.

Expanding this, you could have N directional antennas pointed to N cell towers, and some individual delays on each of those antennas, it might be possible to fool the network triangulation. Such a setup would look highly suspicious if you were carrying it around, and it definitely wouldn't fit in your pocket.

reply

[–] superkuh link

There are no available cellphone radio baseband computers/transceivers that allow you do do things with that. You would literally have to implement the entire cell baseband from scratch with a software defined radio. It would be a very non-trivial project.

And it'd be useless unless you had many of these custom transmitters faking your signal spread out over large physical distances.

reply

[–] namibj link

OsmocomBB and LimeSDR would like a word with you. Yes, the former is limited to GSM, the latter doesn't come with a TX amp and you'll need to supply suitable mid-power RF (no cooling for passives, carefull cooling of actives) antenna circulator/filter/switch, if you want to use your new amp. The hardware should be under 2k$ manufacturing in single-unit quantities, but it is HF design, including some distributed-element filters and power-handling at low GHz frequencies. Nothing particularly trivial to design, though the requirements in precision are not too stringent, so you won't need someone who can demand >100$/h while working outside of a major metropolitan area.

TLDR: GSM+LTE open-source SDR/hacked dumbphone baseband exists, suitable hardware is COTS for sub $2k.

reply

[–] crankylinuxuser link

As an amateur radio operator, I would expect nothing less for carrying a highly networked radio transceiver with loads of sensors including geopositioning.

Simply put: don't want to be tracked? Put your phone in a lead sealed box or leave it at home. Tracking only tracks the phone , not your person.

reply

[–] sp332 link

Yeah they know where you are at any given moment, but they don't have to record it. And they especially don't have to sell it to third parties. That's what we mean by "tracking".

reply

[–] codedokode link

So basically either give up your right for privacy or don't use any new technology? That doesn't look practical. A better idea would be to ban cell carriers (and anyone else) from using location data for anything except explicitly permitted by law, like help in emergencies or conducting investigations.

reply

[–] mdhardeman link

What would be most effective would be a pair of rules in tandem:

1. Allow the location data to be utilized by the cellular carrier only for legitimate engineering purposes relevant to the delivery of the cellular services. (The network needs to know your location in real time in order to route calls to you.) Also, allow the use of real time location data for emergency services in response to an emergency call. Potentially also allow the use of emergency services initiated real time locations, with a non-suppressible UI required to be presented to the user if this is performed.

2. Require that the cellular service providers purge / NOT retain this location data for any longer than is literally required to provide proper service.

The data retention policy #2 item here is essential in preventing temptation to come up with end-runs for the first rule. It's important that historic data that has no legitimate use under rule #1 not be preserved so that there isn't a mound of accumulating data of theoretically increasing value if only we could change / get rid of rule #1. That sort of thing will create ever mounting incentive to repeal / replace rule #1.

reply

[–] apk17 link

> The network needs to know your location in real time in order to route calls to you.

At least for GSM, that isn't as true as you say it. It only needs to know in wich group of cells you are, as as re-registering with each cell change was deemed too heavy on the battery, and they rather page for your phone in the entire location area.

Likewise, triangulation requires the phone to send something, which means that you can notice that, and also that continuous triangulation will drain your battery.

(Which brings up the question of how often and how smartly google sends updates for the traffic density map.)

reply

[–] fixermark link

For communications technology: yes, that seems to be the norm.

Don't like the rules of the road, don't drive.

Don't like that your data goes over a third-party's network to get to its destination, don't put your data on a third-party's network.

Bans "by law" only work until the people making the law become people interested in your location and they change the law.

reply

[–] codedokode link

Doctors for example are not allowed to tell everyone about your health problems. I don't see why the same rules cannot work for telecoms.

reply

[–] AndrewKemendo link

So basically either give up your right for privacy or don't use any new technology?

I think this is probably correct.

The problem with the ban you suggest is that it will degrade service in many instances. Some level of location tracking is necessary for all cellular phones to make a smooth handoff between towers or for example to load balance connectivity between different towers.

In the end the more personalized the service you want to have, the more "invasive." Opt in is probably the best total solution, however it quickly becomes an education game if you want it to be effective, and most people don't have the time or technical understanding to put up with a dozen different opt ins.

reply

[–] wcarron link

Uh, not really. They can still utilize location data to make smooth handoffs and the other services you mention without bending us over and fucking us with a rusty chainsaw.

They do not need to sell location data to other parties in any way, shape, or form.

reply

[–] mindcrime link

A better idea would be to ban cell carriers (and anyone else) from using location data for anything except explicitly permitted by law, like help in emergencies or conducting investigations.

That doesn't do anything to protect your data from being accessed by the State, which is actually the bigger problem.

reply

[–] rectang link

If it does great harm for the state to have this data, and also great harm for the cell carriers to have this data...

Why thwart one great harm yet happily tolerate the other?

reply

[–] mindcrime link

Does it cause "great harm" for private businesses to have access to this? I'm not sure sure. After all, there is a qualitative difference between the State, which employs men with guns and arrogates to itself the right to use force to impose its will on people, the right to jail people, etc.

If Starbucks knows my location, they can send me a coupon if I enter a Dunkin' Donuts store. If the State knows my location they can falsely accuse me of a murder that I just happened to be near the location of and - if I'm unlucky or have a bad lawyer - execute me for it.

That's not, of course, to say that there aren't some cases where a private business having access to my location could have a deleterious effect. But here's the rub: if you rely on regulation to prevent those cases, you're right back to needing to trust the State, which is - IMO - a foolish proposition.

reply

[–] newnewpdro link

It doesn't really matter, if a business has the data and the state wants it, the state gets access to the data via the business.

The division is so trivially violated it's pretty much irrelevant.

reply

[–] newnewpdro link

Securus is in the news today [1], an excellent example of how irrelevant it is that the private sector vs. the government is performing the surveillance. It's just information, information knows no boundaries.

But those largely cosmetic boundaries certainly play a large role in public perception and acceptance of living in a surveillance state.

[1] https://motherboard.vice.com/en_us/article/gykgv9/securus-ph...

reply

[–] rectang link

> Does it cause "great harm" for private businesses to have access to this?

Wide availability of tracking data facilitates domestic violence and stalking, for starters.

Say that someone gets killed by their ex who found them through tracking data leaked by some irresponsible and/or profiteering company. How do we hold that company accountable? How can we prove that it was them who leaked the data, when it's everywhere?

We can't hold the credit authorities like Equifax accountable today for the identity theft they facilitate. This is the same problem. The aggregation of our individual data by companies causes massive negative externalities, borne by individuals.

reply

[–] rectang link

Another example: widespread availability of tracking data lets burglars know when they should break in and rob you.

Again, this cost is not borne by the data aggregator -- it's a negative externality borne by individual citizens. Good luck suing them.

reply

[–] pacala link

Whataboutism. Yes, there is a bigger problem. No, that should not prevent us from solving the smaller problem first. With regard to the bigger problem, we build checks and balances in the legal system.

reply

[–] ad-hominem link

That doesn't mean banning corporations from exploiting your location is a bad idea, even if it's not the optimal privacy-enabling solution.

reply

[–] mindcrime link

I don't think we want an outright ban. I certainly have the right to allow a corporation to access my location if I choose to. There may be cases where an individual would judge it in their interest to allow a corporation to have such access.

The problem with the current setup is that we don't know who's gaining access, when they're gaining it, what they're doing with it, etc. Once the cell carriers have it, there's no easy way of knowing who they are selling the data to, and who that entity sells it to in turn, and so on.

Sadly, I don't see a good way to resolve this at the moment. If you use a cell-phone the carrier can always get your (at last approximate) location through triangulation. And regulation only makes sense if you trust the State, and I would like to think we've all learned better than to do that by now. So what do we do?

reply

[–] crankylinuxuser link

Define me the following then about the metadata:

Who does your cell phone's location belong to?

Who does the tower's connection data belong to?

Who does the multitude of tower signal strengths belong to?

Who does the user's cell phone data belong to if allowing multiple apps to use it?

Answer: User's location data belongs: to the user, 3rd party apps they have allowed, and terrestrial cell companies that run towers with the appropriate frequencies for your phone.

The technology isn't the right area to change it. In the end, you're doing stupid stuff with encryption and still emitting point-source radiation that can and will be triangulated.

reply

[–] wilsonnb link

The best option would be to require the data be properly anonymized before being stored, used, or sold. That way the companies can still sell it for profit, the buyers can still gain useful insights from the data, and the users location is not available to anyone with enough money.

I'm not sure how possible it is to anonymize that kind of data in a way that prevents it from being deanonymized, or how useful the anonymized data would be to the buyers, but this seems like a better solution than a blanket ban to me.

reply

[–] aquadrop link

There's no need for lead sealed box, Faraday cage will do. :) I think they even sell phone casing Faraday cage nowadays.

reply

[–] ballenf link
[–] gebeeson link

Even simpler: don't want to be tracked? Don't have a mobile phone.

reply

[–] jstarfish link

It doesn't help.

Your next car will support telemetrics. Your insurer will know how fast and how often you drive. Your wife will know where you've been going after work. The cloud will gather and retain everything else of non-obvious value, up to the point where it all magically disappears when your self-piloting car drives itself through a schoolyard at recess and the company claims they don't have enough data to determine their responsibility, and insinuates that perhaps it was your fault.

All your future appliances will be factory-bugged so Amazon can listen to you arguing with your wife and sell you marital counseling books. Or they sell you imported counterfeit electronic shit, leaving bored interns with unchecked privilege (or strangers poking around on SHODAN) to activate those products' extraneous cameras to spy on your daughter undressing.

The ubiquity of cellphones in the hands of the masses mindlessly recording every droll moment of their lives in public for a chance at YouTube fame, combined with better and better facial|licenseplate|whatever-recognition algorithms means you're always on a camera somewhere, your movements being tracked and your identity easily annotated. Your wife's divorce lawyer will have a field day with this.

Don't want to be tracked? Hoard cash and modify the serial numbers. Throw away everything with a network interface or bidirectional antennas of any kind. Don't leave the house. Slap tinfoil on your windows. Make yourself a nifty pirate hat with the remainder. Your friends and neighbors will think it's endearing for a while, then they'll stop coming around for some reason.

Just don't take a selfie of yourself in your fortress of solitude without scrubbing the geolocation data from the EXIF tags!

reply

[–] bscphil link

Parts of your analysis are hyperbole, clearly, and I think that undercuts what are several very important points.

There are still areas in which you can make choices. You can still buy appliances with no internet connections at all, or buy open hardware and run open source software. This is what I currently do.

Surely inexpensive and/or used cars will dispense with GPS and other high tech features; in addition, I wouldn't be surprised if (should this become a regular problem) a modding community develops around car ownership (ownership in the sense of right-to-modify).

This doesn't change the fact that it is incredibly concerning that always on tracking run for-profit is becoming the default, but I think it's too early to say we can't opt out. That's why I think cell phones are qualitatively more worrying. They're quickly becoming necessary devices for anyone in a salaried job, and they represent an always-on tracking device that's effectively glued to my hip. It is absolutely crucial that something be done abut these privacy violations, if not through legal means, then through hacking. If that turns out to be impossible I'm going to have to find a way to stop carrying a phone.

It would be nice to see Purism respond to this report given their work on the librem 5.

reply

[–] pixl97 link

>You can still buy appliances with no internet connections at all, or buy open hardware and run open source software

For a little bit. As you say, bad money pushes out good money. Most people will buy devices with tracking. Since more of them will be made, their prices will be lower than devices without tracking. Especially since the tracking will be profitable for the companies making the devices. Eventually you'll find all devices have tracking hardware and on some it will just be disabled. Either unplugged physically, or turned off via software.

reply

[–] api link

What's hyperbole? I heard all this predicted when smart phones came out, and people said it was paranoid hyperbole then. It wasn't.

If anything the parent's predictions are probably conservative.

reply

[–] jstarfish link

The thing is, we've already been there and done that. You think you have choices, but you won't for long. We're all boiling one degree at a time.

> You can still buy appliances with no internet connections at all, or buy open hardware and run open source software.

Maybe, if you know what to look for. Most consumers don't. They'll buy a Dell and not realize Computrace exists. I work in the field and I don't even know a fraction of what I don't know. I'm just one asshole defending against legions of better-paid actors with an infinite capacity for insidiousness.

Just wait until some well-meaning, progressive state like California decides to legislate that all houses must be smart-conforming. All aspects of your house will have a network interface whether you like it or not. How many homeowners are capable of setting up VLANs for their lightbulbs? How many homeowners are going to deconstruct every (networked by default!) smart-item they purchase and check for motion sensors, cameras and microphones? The NSA backdoored smart TVs already. Huawei backdoored routers, and Blu sends god-knows-what to China in the background. It's happening.

In this day and age, you may as well assume every product that comes out of Silicon Valley is a glorified exfiltration agent. If you give anything a network interface, by god it's going to use it to report something, and you don't know that it's happening or what's being communicated. You-have-no-control.

Given the recent interest in mesh networking I expect that to become a new vector-- install enough Huawei appliances in an area (give them away for free, or undercut competing vendors), each serving as a wireless mesh node, and you only need one internet-facing node (like a Huawei cellphone or router) in that mesh to be able to command and control any of the devices or peripherals around it. If anybody questions why a digital pictureframe is emitting wireless signals, it's for the discovery service, of course. It has to get updated weather information from somewhere, right? Consumers will accept that. And thus you invite a decentralized botnet into your home.

> Surely inexpensive and/or used cars will dispense with GPS and other high tech features; in addition, I wouldn't be surprised if (should this become a regular problem) a modding community develops around car ownership (ownership in the sense of right-to-modify).

Used cars will, until that pool dries up, yes. How many cars can you find that still use carburetors in favor of ECU-controlled fuel injectors?

We lost the right-to-modify battle the day ECUs became standard in all cars, inexpensive or not. Without proprietary knowledge, you can dink around with the oil and tires, but you can't fundamentally change how the car works. You can't even change the brake fluid on some cars without a proprietary command telling the pump to expel it. The war for right-to-modify will be lost when we're all driving Teslas (or John Deeres).

You can hack it, sure, about as competently as you can hack a PS4 or iPhone. The day will inevitably come where you want to use a particular app or service you paid a premium for (like warranty repairs, autopilot, PS Online or iTunes) and they'll tell you to pound sand unless you install their factory-certified firmware that opts-in to tracking. Or new games/features will simply refuse to work on your hacked firmware. You will be left in the dust.

That also assumes your insurer doesn't find out you tampered with an otherwise autonomous car, potentially impacting its safety features by refusing OTA updates and putting you in a higher risk pool. They may decline to insure you altogether.

There are consequences for not complying with progress; you yourself mention one of them. I'm disappointed you think it's hyperbole-- this attitude is why things have degraded to the current state of affairs.

reply

[–] jdhn link

>You can't even change the brake fluid on some cars without a proprietary command telling the pump to expel it.

What car brand does this? The only thing that came up on a Google search was a comment on Quora that said that mechanics can command the ABS to go into a self bleed cycle to purge air (no brand was mentioned). Is this what you're referencing?

reply

[–] Jill_the_Pill link

Unless your car has similar technology.

reply

[–] random6547545 link

It's android for the hardware manufacturers and OS crapware getting location data.

For iOS, assume every app using your location is selling the data. That means every app using a map or location smoothing SDK (GPS jumps around, there are services to smooth it out), since the map SDK providers (and there's not many) are selling your data even if the app itself isn't.

Google, Apple, Microsoft etc are pretty careful for good reason. Anyone below that is probably selling it.

reply

[–] chatmasta link

Every app that has access to nearby WiFi SSIDs (or even just the one you’re connected to) can also turn this data into location data.

In fact I don’t think that is even a gated permission on iOS.

reply

[–] gergles link

This isn't a user-gated permission but an Apple-gated one. Apps can't retrieve the nearby SSID list unless they have the "Hotspot Helper" entitlement from Apple. https://developer.apple.com/documentation/networkextension/n...

reply

[–] chatmasta link

Good to know, but that’s only marginally better, as a malicious app developer only needs to come up with a legitimate reason for the entitlement.

reply

[–] 205guy link

The original article seems to be saying that the carriers track and sell phone location by cell triangulation ("less accurate than using GPS, but cell tower data won't drain a phone battery"). This is less accurate, as seen by the example of "within a city block."

The parent comment seems to be saying that the OS and apps use the internal GPS data to get a much more accurate location, which is then freely transmitted somehow and shared and sold. My question is to clarify that this more accurate data, needed to enable the "walk into specific store" scenario, can only be obtained via data (eg 3G, LTE, or wifi)?

Therefore not buying a data plan or turning off cellular data manually should prevent the GPS-accuracy tracking, but the only way to prevent the less accurate cell-tower tracking is to use a faraday cage.

reply

[–] mr_toad link

Or just turn off location services when you’re not using them.

Turning off Google Now & location services will radically improve battery life on standby.

reply

[–] tomaskafka link

No. Search this thread for Qualcomm, QSEE or IZat.

reply

[–] bgw link

That has no affect on this tracking.

reply

[–] thsowers link

The tracking seems to be happening below that level. I had all location services turned off, it dropped a pin on the very room of the house I was in

reply

[–] stef25 link

Allow me to ask some questions :)

> It's not just your cell carrier

No reason to think this is only US right?

> cell phone chip manufacturer, GPS chip manufacturer

How & when is this transmitted and what other data apart from lat & long?

> pretty much anyone on the installed OS [...] is getting a copy of your location data

You mean the devs of whatever app is installed on the phone? The outgoing data should be visible in things like Charles proxy, right?

Is this analogous to FB data being available to any dev that gets permission to access your profile?

> It's normal to track hundreds of millions of people a day and trade stocks based on where they go

Whaaa ... ? Do explain, fascinating.

Can this all be mitigated by those smartphones-hardened-for-criminals type devices?

reply

[–] com2kid link

> Whaaa ... ? Do explain, fascinating.

The stock trading I've heard of, and even seen news articles about before.

Location tracking lets stock traders know how well a store is doing well before public results are announced. If foot traffic is down at a store, time to sell off (or short) the stock before it becomes publicly known.

reply

[–] Darthy link

This is a problem with the GSM/UMTS standards themselves. Carriers always know where you are, but one could create a standard where they wouldn't have to know unless you make a call. With enough encryption and effort, I'm pretty sure one could even create a standard where carriers would never know where you are, even while you are using services.

reply

[–] codedokode link

Would not it be easier to ban anyone from using this location data for anything except explicitly permitted by law? The problem is not with standards, the problem is with people.

reply

[–] Daycrawler link

Banning things works relatively well for people because they fear having trouble with law and justice. Doesn't work that well for corporations whose law department is just like any other department. In this case you must assume that if it's technically possible then it's done.

reply

[–] codedokode link

This argument can be used against any law, like antitrust law. Having a law department doesn't give you a free pass to break laws.

reply

[–] brewdad link

Unless we start throwing the legal department and higher ups into prison then it basically becomes a free pass to break laws. Currently, we assess fines to corporations that violate these laws.

It then becomes a cost/benefit analysis weighing the likelihood of getting caught * cost of potential fine vs business value of ignoring the law. Ignoring the law is frequently the correct decision.

reply

[–] pteredactyl link

Agreed. There needs to be criminal liability for folks like Stumpf and other big bankers/corporate overlords.

But do you think our government will ever stand up? Doubtful

reply

[–] monetus link

Maybe not, but when the cost of breaking the law is less than the gain, it seems logical. A law department is probably better equipped to make that calculation.

edit: Reading into the context of 'too big to fail' and 'collateral consequences' reveals exactly that kind of behavior.

reply

[–] gm-conspiracy link

No, but when there are only civil penalties at risk, it becomes a business decision, not a moral one.

reply

[–] pteredactyl link

Exactly. I assume that's part of the point.

But having a law doesn't mean people or corporations won't break it out of the 'kindness of their heart'. Or because they're 'good people'.

For example, look at 'No gun zones'. You think a criminal is not going rob a bank at gun point because the bank is a no gun zone? If anything it incentivizes them because they know they'll have a monopoly of force upon entering ( if they have a gun, and can fairly assume no one else will because of 'no gun zone' policy )

reply

[–] api link

They will just move it all offshore.

reply

[–] droopybuns link

How does one determine which tower to route an incoming call through, in your model? How could roaming work?

Spoiler: I don’t think doing what you are describing is feasible.

reply

[–] voodootrucker link

I can't find a link, but this problem was foreseen and solved by Robert Morris Jr. He wrote a paper on how users could register their location with a 3rd party using a hash of their IP address. When someone wanted to call them, they would contact that 3rd party for the location then route to the cell. The cell knew someone was there, it just didn't know who. And each 3rd party only had info on a few users, and no choice over which ones it had, if I recall correctly.

Looks like there is info here:

https://en.wikipedia.org/wiki/Robert_Tappan_Morris#Later_lif...

This is the way we should have designed these networks from the beginning. It was inevitable that the stuff in TFA would happen, given the interests of the companies involved and no regulation to prevent it. Same with FaceBook and Cambridge Analytica.

reply

[–] striking link

Couldn't you build a lookup table that reverses hashes back into their IP addresses? It might not be worth it for IPv6, but it would probably work for IPv4.

reply

[–] awelkie link

Calls could be done over IP, and as long as you could anonymously authenticate to the tower then you could be granted a new IP address at each tower via something like DHCP. I imagine roaming and handovers would have to be done on the end-device though; the end-device would need to proactively associate to new towers and both ends of the voice call would need to agree to switch to the new IP address.

But if the tower operators collude then they can still track you across towers by localizing the physical source of the end-device's signal.

reply

[–] ethbro link

If you really wanted to do this, a more secure approach is onion routing. It's essentially the same problem -- attempting to preserve anonymity in the face of adversarial network hardware, while being limited by a requirement to enter / exit through certain nodes.

So you'd want a mesh network, formed adhoc out of currently in range cellular device neighbors, with packets re-encapsulated and encrypted at each hop, eventually hitting the tower from a random device.

Authorization would be impossible (the intent of the scheme) without a side channel (as you can't simultaneously have individual authorization and individual anonymization). Which makes it a non-starter for commercial use.

reply

[–] awelkie link

Oh yeah, that's an interesting solution.

I'm not sure simultaneous authorization and anonymization is impossible. Couldn't you use something like Chaum's e-cash to obtain tokens that guarantee the holder the right to use the network for some amount of data, but these tokens are tradeable and therefore the spender doesn't have to be the same as the buyer. Then you could spend this token in the network to get access and the network could authenticate the token without identifying the spender. I'm guessing something like zcash could be used as well...

reply

[–] ethbro link

That's what I meant by side channel. So yes, you can split authorization responsibilities into a different entity, but then that entity is going to be able to deanonymize you.

And it wouldn't play well with billing accounts being deactivated / reactivated.

And... now that I think about it, given the tower:location mapping, you'd also have to include bouncing traffic back out to a non-tower-sharing peer and then back into their tower w/ randomized timing, else outer layers of encapsulation would still identify tower association.

Which means latency would be utter crap.

reply

[–] Natanael_L link

Anonymous attestation protocols is a thing

reply

[–] ethbro link

"without a side channel"

Do you have any links where this is done without a third party?

reply

[–] namibj link

Blockchain? No, seriously, just a block-oriented write-ahead-log replicated to the towers, allowing them to cheaply-ish verify a proof-of-traffic quota.

reply

[–] namibj link

Proving to the tower that you are a paying user should be easy, but routing the data securely will not be as easy. You'd probably need some kind of onion routing or similar on the back haul, unless you want to forego incoming calls. I would not like to have to forego those. Also, why even bother with DHCP, just say that the tower assigns you an IP, without knowing your MAC, right after you were able to prove that you are a paying customer. Handling data quota is going to be non-trivial there, as you'd either need to route everything to the provider anyway, or have a DoS-proof way of decreasing your remaining quota, e.g. by signing a new value with some key of yours, ensuring that the tower can't use that as your ID (maybe don't tell him or so), and then have to prove to the tower that your quota really got diminished, preferably without revealing how much is remaining, and just telling the tower that you still got something to spare. The main issue seems to be that you'd have to hold a session with each tower where you got quote allocated, as you can't re-run that quote proof for each packet. The finest granularity that seems remotely reasonable would be like 16kiB of traffic, which you would deduct form your account, let it get claimed by the tower, and then be required to repeat for each successive block (obviously you could assign larger blocks, but a block, once assigned, can't be put back without serious unnecessary cryptographic hurdles.

I am not well-versed enough in these cryptographic details to tell you how one could do this exactly, but I doubt it's impossible/infeasible to create a cellular protocol technically as powerful as LTE, but without tracking ability by the tower or the provider (byzantine fault tolerance, stochastic).

reply

[–] Darthy link

Off the top of my head, you could have this system: you use a new id that authenticates you with the carrier every n packets, and you do the routing from the source to your id on a server that you control yourself.

reply

[–] pacala link

Spoiler. The utility of the live call is overstated. Most of the people I interact via a phone vastly prefer async SMS over sync voice calls. We can do SMS via polling, the network doesn't need to push anything to us.

reply

[–] lotsofpulp link

People text so much because there is an expectation the other person is going to respond pretty quickly. There is definitely value derived from having people accessible all the time, and I doubt a service would sell if people weren't.

reply

[–] pacala link

Poll every X seconds if the last message was is no older than Y minutes. Poll every Z minutes otherwise.

reply

[–] Gaelan link

> where they wouldn't have to know unless you make a call

Presumably this is actually "unless you make a call or use data"?

reply

[–] sp332 link

They have to know your location if you want to receive a call.

reply

[–] jakeogh link

With the current setup, sure, but that's by design. The cellular modem could stay off until you decided to take the call if there was a nationwide page circuit listening, the user would get the ring, see the number the page sent, and if desired, answer, which powers on the modem, hits a tower and connects to a backend system that sent the page which took the incoming call.

Page messages are in-the clear, but that's fixable by (gasp) OTP.

reply

[–] sp332 link

You want every single cell phone call in the world to send out a signal over every single cell tower?

reply

[–] mdhardeman link

No. But at a certain point, with the high speed modulations we have today, it is totally feasible to broadcast these passively to a multi-state region encompassing a radius of hundreds of miles.

There's not a legitimate engineering reason that the network needs to maintain constant fine-grained location data for each registered device at this point. The scope of the registration can be far more widely cast.

This would even have upsides for the devices and users. As check-ins to the network in which the device must transmit to the network would be far reduced, battery life improvements can be had.

Yes, this increases the amount of "broadcast" traffic, but honestly, even for some of the busiest telco switches in New York or LA, those data streams don't even approach the throughput requirements of a single HD Youtube stream...

reply

[–] jakeogh link

/napkin overestimate using US 6B/calls/day with a nationwide 256B packet each, that's roughly a 100Mbps broadcast channel, which is ~5 digital TV channels, or one geostationary satellite's half-duplex bandwidth if it could see the entire US. As mdhardeman points out, it's easier than that, and there is plenty of room for re-transmission.

What is the passive bitrate of a tower->cell connection? LTE/GSM whatever.

reply

[–] sp332 link

With everyone's phones receiving and parsing that, batteries would die very quickly.

reply

[–] jakeogh link

Pagers parse every single page. They only alert you when it's to your address. /napkin is just that, if you designed the protocol this would be very doable. The receiver can passively listen quite cheaply energy wise. This is nothing like decoding a video stream.

reply

[–] facetube link

And ethernet and 802.11 receive every frame, whether it's addressed to the equipment or not.

reply

[–] avoutthere link

How can one prevent this and still carry a cell phone? Would keeping one's phone in a faraday bag defeat this constant tracking?

reply

[–] awelkie link

I don't think it's possible through technological means to avoid being tracked and still use a wireless network. Even if you could anonymously authenticate to the network, if the base stations have a large number of antennas then they can locate the physical origin of your signal and track you that way.

It may be possible of course through other means, like government regulation or only using carriers that have some guarantee of privacy.

reply

[–] vertexFarm link

I mean unless you've got a ham license and bounce your signal through your own network of relays using a different band than the final signal to the cell tower. But I don't think that's going to work as a popular solution. Would be a really fun experiment to build though.

I wonder if you could still use latency timing to get a rough fix on location through a secondary network like that. Not that anyone would be trying to.

reply

[–] ttsda link

I'm pretty sure in most countries you can't carry encrypted traffic through ham packet radio.

reply

[–] mr_overalls link

A good start would be using a prepaid mobile phone (paid with cash, via an intermediary to avoid appearing on store CCTV), plus using phone apps that are not tied to your real identity. A Faraday bag for the phone when it's not in use.

Honestly, it just depends on how paranoid you want to get, and who your adversary is.

reply

[–] bschwindHN link

> using a prepaid mobile phone (paid with cash, via an intermediary to avoid appearing on store CCTV)

Nathan Fielder provides a good demonstration on how to properly do this:

https://youtu.be/N9gbdv5cXKg?t=51s

reply

[–] ramphastidae link

If your goal is to simply avoid your location being sold by your carrier for marketing purposes, an intermediary seems a little excessive, no? Unless you have reason to believe that your local pharmacy or cell shop is selling facial recognition data as well ...

reply

[–] pacala link

Selling facial recognition data is the next big revenue stream. There is a reason the Googles of the world are gushing over installing internet connected surveillance cameras on every block [0].

[0] https://nest.com/cameras/

reply

[–] metalliqaz link

Last I heard, buying a "burner" phone in this way has been outlawed in many states.

reply

[–] Theodores link

I have been 'caught' buying a burner phone - many years ago - and since then I have thought about why it is that anyone can buy a burner phone without having to produce their mother's birth certificate and many years of bank statements. You would think 'terrorists' and drug dealers should be banned from such purchases.

However, if you have a burner phone for whatever reason, you are tracked and it is a relatively simple task for a three letter agency to see when that burner phone swaps cell towers and what other phones swap cell towers at the same time.

Consequently, for tracking purposes, letting anyone have a phone is what they want.

Even with the best efforts at 'operational security' a mere mortal is going to end up getting tracked.

Think of it a bit like 'shadow Facebook profiles'.

For instance, in the drug dealer scenario, the guy has one phone to speak to his mum and girlfriend and another set of interchangeable burner phones for his customers. It is all too easy. I am sure that the agencies can turn on the cameras too, fortunately the police still run Windows XP and have too much paperwork to fill in for this type of stuff.

After reading this article I am not so sure this will be the case for long.

Regarding the 'nothing to hide' rationale, if anyone has had a sick, crazy psychopath stalker pursue them for YEARS then being on the electoral roll or being on Facebook can be as good as fatal. There are good reasons to not want to be tracked, even if you have one stupid person focused 24/7 on stalking you rather than an agency/police force doing it.

reply

[–] facetube link

I buy burner phones and SIMs all day every day as test equipment because I develop for mobile equipment. Sue me, assholes.

reply

[–] checkyoursudo link

Yes, electrostatic shielding will stop the signal, which will also prevent incoming calls/msgs/etc.

reply

[–] beamatronic link

Taking the battery out?

reply

[–] codedokode link

Switch to flight mode.

reply

[–] ThrustVectoring link

Removing the battery is a better choice.

reply

[–] gm-conspiracy link

I have an iPhone, you insensitive clod!

reply

[–] random6547545 link

Yes. But switching off location will probably do it too.

reply

[–] SketchySeaBeast link

Carriers will still be able to track you via the cell towers you're connected to. I'm sure they can triangulate based upon signal strength, and that's strictly using your cellphone as a dumb phone.

reply

[–] xtrapolate link

> "But switching off location will probably do it too."

Wrong. Phones can be triangulated by the carriers regardless.

reply

[–] sevensor link

Can we trust the GPS receiver to be powered down when we the OS tells us it's powered down? I know Android keeps listening for WiFi stations even if you tell it to turn off the antenna. Might it do the same thing with GPS?

reply

[–] chinathrow link

No switching off location would not do it - why would it? Cell tower data is sold at the carrier as per the article.

reply

[–] random6547545 link

I'm focused on GPS data which is a free for all. Sure, cell towers have location too just not quite as accurate.

reply

[–] mszkoda link

It may help in regards to your exact location via GPS, but cell companies can still triangulate your location based off how strong your signal is to certain towers in the area and which towers you have connected to recently.

reply

[–] cryoshon link

okay, so, to cut to the chase here: how do we disrupt or destroy the companies doing this?

it isn't acceptable that they are taking advantage of us in this way.

we can't expect any political solution to the problem, which leaves us to pursue other means if we want to protect ourselves.

is there a way to introduce fake data or noise? what about opting out?

is there a law being broken here that we can make into a lawsuit? i wonder if there is a precedent regarding restraining orders or unwanted surveillance by private entities...

reply

[–] joshdance link

I agree some of this is happening but some things don't add up.

Is there a huge delay in this data? Because why don't law agencies use it to find criminals? Like I have 2 crimes at these two locations. Who was around these 2 locations at these times etc.

But if hedge funds are trading on it, they need very low latencies?

reply

[–] reverend_gonzo link

> But if hedge funds are trading on it, they need very low latencies?

Not quite. Hedge funds aren't trading real time on this data. They use this data to essentially figure out how a business is doing before they announce that information. Essentially, if x% of our data went to Chipotle in 2016 and y% went in 2017, and y >> x, then we expect Chipotle's earnings to be higher.

reply

[–] Jill_the_Pill link

Law agencies are using it, with some controversy:

https://www.wral.com/Raleigh-police-search-google-location-h...

reply

[–] nlowell link

You might be confusing hedge funds in general with the strategy of high frequency trading. Not all funds trade at high frequency.

reply

[–] polishflash link

I am a journalist for a major news organization and would like to know specifics about hedge funds and the like and how they use this data. Reach me at sfrancisbjr@gmail.com

reply

[–] vertexFarm link

Making a cell phone out of a pi with a sim card and gps daughter board is sounding less and less crazy each day. Really looking forward to when the librem phone starts shipping. I wonder if they've really been thorough enough vetting hardware for those bare-metal security issues.

This is at once staggering and completely unsurprising that companies would violate user trust in such a way and sell data without proper vetting that exploits people and could potentially put them in danger. Yet another episode in the misadventures of techno-illiterate regulation and totally unread TOS agreements.

reply

[–] xyzzy_plugh link

Even a RPI won't help you unless you can build all of the software for the microprocessors which drive the wireless stack. Even then, vendors (e.g. Qualcomm) will already have their software on the chip when you get it.

A completely open spec, open source set of components is what the community has desired for a long time. As standards get more complex and evolve faster, 4G and beyond, it becomes less possible to keep up in the open.

reply

[–] vertexFarm link

True, but at least you'd have somewhat more granular control and be able to do things like put a hardware switch on the transceiver. Crude, but it would at least work for when you're not actively using it.

I guess that's no different than a faraday pouch though.

reply

[–] trophycase link

And the complicit employees letting them get away with it.

reply

[–] nerdponx link

> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

Honestly, this is the least bothersome part of the whole thing. The only problem is that there's no way I trust anyone involved to properly anonymize and secure the data in question.

reply

[–] sfrancisbjr link

I am a journalist and would like to know more. Reach me at sfrancisbjr@gmail.com if you can help.

reply

[–] yawz link

Isn't this covered under CPNI [1]? Something that consumers can opt out?

[1] https://www.wikiwand.com/en/Customer_proprietary_network_inf...

reply

[–] L_Rahman link

How much of this data is archived and searchable?

Most of the descriptions of the service so far indicate a real time or near real time feed. I'm curious if it's possible to go take a phone number and ask "give me location data for this person around xx:xx at yyyy-mm-dd."

reply

[–] baxtr link

Wow, thanks sharing. Does it make a difference if I use an Android phone vs the iPhone?

reply

[–] JTbane link

These days it seems like you need to remove all the batteries from your phone/smartwatch/assorted botnet devices to get any sort of privacy.

And then you'd still have a half dozen CCTV cameras on you.

reply

[–] totalrobe link

>Almost every web/smartphone mapping company is doing it

Are you aware of any device vendors and/or providers that aren't doing this?

reply

[–] jakubp link

What specific data about the person is traded alongside their location history in the... schemes that you describe? (name? Some govt ID number? Phone number? Address? ....)

reply

[–] ddtaylor link

Likewise ISPs are selling sensitive DNS data like crazy and most users probably think the green lock keeps them safe from that.

reply

[–] Ntrails link

> That's why Apple is trying hard to restrict it without scaring off consumers.

Do you have any details on this?

reply

[–] willstrafach link

No, that is an entirely different matter regarding far more precise location information.

reply

[–] foobaw link

Ah yes I've personally seen this while working at an OEM. There are a lot of other insane things happening on a phone like CIQ. FYI, listening to users via microphone is one thing that actually does not happen.

reply

[–] justaguyhere link

Is it this bad in other countries too? Or just U.S?

reply

[–] dcreemer link

The article mentions Canadian carriers too.

reply

[–] jiveturkey link

i’m not quite following. are you saying that individual,identifiable location data is being collected and sold?

reply

[–] throw000013 link

Defense contractors have been using this capability for competitive intelligence for the last few years. Namely performing surveillance of contractors both internal and external to their company. Private investigators are using the same capability for similar purposes, especially for litigation support. “How” is never required to be revealed in court because the primary purpose is to find information that will “encourage” the other party to not go to court. If there was a way to audit queries/lookups performed against specific telephone numbers I think a lot of people would be shocked.

reply

[–] random6547545 link

Throwaway account.

I work in location / mapping / geo. Some of us have been waiting for this to blow (which it hasn't yet). The public has zero idea how much personal location data is available.

It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.

This is then usually (but not always) "anonymized" by cutting it in to ~5 second chunks. It's easy to put it back together again. We can figure out everything about your day from when you wake up to where you go to when you sleep.

This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

Almost every web/smartphone mapping company is doing it, so is almost everyone that tracks you for some service - "turn the lights on when I get home". The web mapping companies and those that provide SDKs for "free". It's a monetization model for apps which don't need location. That's why Apple is trying hard to restrict it without scaring off consumers.

reply

[–] limsup link

Wow. The fact that they can just get this with "oral approval" (relayed by them to your carrier) is shocking to me. This is ridiculous.

reply

[–] mdhardeman link

The other respondents to this message more or less have it right.

The way this stuff works is that when GEICO signed the deal to get access to this, they pinky-swore in a contract to only use the data certain ways.

Often, the representatives on both sides of such transactions even have a wink-wink nod-nod deal going which is different from what the contract materially represents.

Importantly, these contracts virtually always avoid talking about mechanisms for tracking such usage, auditing such usage, and even any remedies for violations (beyond discontinuing the service access - and then only if it's egregious).

You'd be amazed how much in the telecom world is handshake and contractual with no technological enforcement and often neither side of these agreements are incentivized to enforce the terms laid out.

The parts of these agreements that are solid is how transactions, events, etc are measured and what these cost and who pays and how. Shocking, that.

reply

[–] forapurpose link

> when GEICO signed the deal to get access to this, they pinky-swore in a contract to only use the data certain ways.

Like Cambridge Analytica's deal with Facebook.

reply

[–] facetube link

Exactly. Telcos recover damages, the products (read: users) who were damaged get nothing.

reply

[–] jellicle link

They don't need oral approval or any approval. GEICO is only asking so that their customers won't freak out when GEICO magically knows where they are. The customer service rep probably had the data up on their screen already when they asked.

reply

[–] trendia link

I wonder if they use this data to price insurance -- they would easily know when their drivers are going over the speed limit (or, if such data is not so precise, if their average speed over 10 minutes exceeded the speed limit).

reply

[–] ThrustVectoring link

More likely is approximating number of miles driven and price discriminating based off that. More miles driven = more risk of an auto accident. Basically pay-per-mile car insurance, but hidden.

reply

[–] pathseeker link

How do they know you are driving? Seems too error-prone to be useful.

reply

[–] ThrustVectoring link

They don't need to know you are driving to do price discrimination. They could just as well take the zip codes where you live and work and assume you're driving, and make a profit giving discounts to folks with a shorter commute regardless of whether or not they actually drive it.

reply

[–] lutorm link

They might know how fast you're traveling, but they don't know who's driving.

reply

[–] jstanley link

Just because it's not 100% accurate doesn't mean it's 0% accurate.

There's still value in a noisy signal.

reply

[–] addflip link

That was my concern.

reply

[–] adrr link

You need approval from the customer if you're using a data provider that is pinging E911 location of the phone. Carriers require it. E911 location isn't that precise, its not like GPS and can be a mile or so off. It's good for detecting travel(banks) and roadside service.

reply

[–] addflip link

It's funny that this is coming up now. The other day I was on the phone with Geico's roadside assistance and they wanted to know my location. I told them I didn't have their app downloaded, they said it wasn't a problem and they could get it without it. Sure enough they could. I checked their disclaimers [1] and they purchase the data from my cell carrier. They didn't even have to know which one.

[1] https://www.geico.com/web-and-mobile/mobile-apps/roadside-as... (see disclaimers at the bottom)

reply

[–] aarongray link

I think the ACLU did a report a while back and Cricket Wireless was the best largeish cell phone provider.

Provider comparison: https://privacysos.org/blog/how-long-does-my-phone-company-s...

Study details: https://privacysos.org/blog/att-stores-either-five-or-twenty...

reply

[–] 8_hours_ago link

Cricket's Privacy Policy looks much better than T-Mobile's or Google Fi's:

"We will not sell your personal information to anyone, for any purpose. Period." https://www.cricketwireless.com/privacy

But they also say that they may share personal information (which may include location??) to 3rd parties with user "consent":

"Do you share my Personal Information with other companies for them to market to me?

We may share your Personal Information with AT&T and other AT&T affiliates for a variety of purpose, including so that they can market products and services to you. Except for AT&T and other AT&T affiliates, we will not share your Personal Information with other companies for them to use for the marketing of their own products and services without your consent."

Can someone with Cricket Wireless see if LocationSmart has access to their location https://www.locationsmart.com/try/ ?

reply

[–] moduspol link

I'm on Cricket Wireless and I tried at your link, but I'm not getting the SMS message.

reply

[–] 8_hours_ago link

That either means LocationSmart doesn’t have access to location data from Cricket, or it’s not working for some other reason.

LocationSmart’s website says they can get location of 95% of cell phones in the US. I’m tempted to try and call their sales department and see if they would tell me which carriers they don’t support...

reply

[–] bootlooped link

I think a big question is since Cricket is an MVNO that runs on AT&T's network, is AT&T able to sell a Cricket customer's location data?

reply

[–] 8_hours_ago link

Looks like Cricket will give personal information to AT&T:

"Cricket is an AT&T company and we share your Personal Information with AT&T and other companies in the AT&T family, commonly referred to as affiliates, for a variety of purposes, including the marketing of products and services to you." https://www.cricketwireless.com/privacy

The "variety of purposes" is what concerns me, and is why I have learned to hate trying to understand Privacy Policies. There are too many potential loopholes. Of course, I am not a lawyer, so my interpretation may be incorrect.

reply

[–] 13of40 link

Did T-Mobile have a breach recently? I got malware on one of my machines a year or so back and had to change my passwords everywhere, and T-Mobile was one of the two sites that was so assed-up I couldn't actually change it. I clicked your privacy link earlier and had to go through two separate SMS verifications and change my password because they said it was "old".

reply

[–] mohaine link

Well, the locationsmart fails completely on my Google fi phone.

reply

[–] 8_hours_ago link

Switching from T-Mobile to Google Fi might be jumping out of the frying pan and into the fire ;)

The Google Fi Terms of Service says they are collecting location data:

"When your device is turned on or when you use the Services, we may collect and process information about your actual location. This may include information about your current activity (e.g., driving, running, walking, etc.), which lets us know when you may be moving between different mobile and Wi-Fi networks." https://fi.google.com/about/tos/#project-fi-privacy-notice

I'm okay with Google collecting location information, insofar as they only use it to provide cell service, and not for advertising and don't provide it to 3rd parties. Unfortunately, their Privacy Policy states that they can use it for advertising:

"We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads ." https://policies.google.com/privacy?hl=en&gl=us#infouse

And they can provide it to 3rd parties. Note that they require "consent", just like T-Mobile's privacy policy:

"We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so." https://policies.google.com/privacy?hl=en&gl=us#nosharing

So even if they are not currently providing information to LocationSmart, according to my understanding of their privacy policy, they are able to.

reply

[–] dylz link

Are you using your Google Voice number? Fi numbers are GV and in cloud.

Somewhere in your sim/about under settings you can find your underlying phone numbers for Sprint/TMO that you can look up.

reply

[–] 8_hours_ago link

I would be interested to know about that... I don't see anything mentioned in the Project Fi Terms of Service (https://fi.google.com/about/tos/) about Sprint, T-Mobile, or US Cellular. I assume that by signing up with Fi you are also subject to each of their privacy policies, but I'd be happy to be corrected!

reply

[–] dylz link

My fi number has always been blocked from everything (banking, paypal, whatsapp, etc) for being VOIP. Doing some xda-dev stuff, I see two separate underlying numbers for the two profiles. I can't receive texts on either of them.

reply

[–] e40 link

I'm on Project Fi and it worked for my phone.

reply

[–] thsowers link

Same here

reply

[–] mohaine link

Well, now it works on my phone as well. I wonder if it is only when on/near my work campus. I was outside but they do have some repeaters for some carriers. (I often get a message saying my carrier has "disabled voice services" when on campus)

reply

[–] drbawb link

... well now I'm wondering if I should have stuck w/ my Pixel + Fi instead of the S9 + T-Mobile plan I signed up for today. Whoops.

reply

[–] tomaskafka link

You are chosing between spyphone on spynet and spyphone on spynet.

reply

[–] byproxy link

I imagine Google wants sole access to your location.

reply

[–] 8_hours_ago link

I believe the relevant T-Mobile privacy policy (that I definitely read before signing up...) is:

"With your consent. We may provide location-based services or provide third parties with access to your approximate location to provide services to you." https://www.t-mobile.com/company/website/privacypolicy.aspx

That is why a text message confirmation is required to get a cell phone's location from https://www.locationsmart.com/try/

For those on T-Mobile, there are privacy settings that can be adjusted here: https://my.t-mobile.com/profile/privacy_notifications/advert... I already had all of them disabled, and I was still able to get the location of my cell phone from LocationSmart.

I chatted with T-Mobile support yesterday to see if I could opt-out of them sharing my data. Not surprisingly, the support agent was less than helpful. "Don't worry, your data is secured"

Are there any US carriers that respect privacy and do not share private information with 3rd parties? Or is that a pipe dream?

reply

[–] dwighttk link

I'd rather them try to do end-runs around the law than run it up the gut... (If I had to choose)

reply

[–] risotto_groupon link

Just think of how amazing the museum will be for your great grandkids when we completely dismantle them when, inevitably, their stated mission goals supersede common sense and a responsible relationship to the American public.

reply

[–] nojvek link

I doubt any of the privacy invasions are going anytime soon.

The big tech cos pull in ~100B in revenue precisely because they can capitalize on the data.

As long as there is crazy amount of money to be made, it will keep on getting worse. Having hope on the US govt to do anytime is wishful thinking. Govt and corporations are hell bent on knowing everything about you. It gives them the power.

reply

[–] wmeredith link

False dichotomy. There are a million choices.

reply

[–] emodendroket link

What if they were simply held to a higher standard and not allowed to operate with practical impunity?

reply

[–] emodendroket link

> Kevin Bankston, director of New America's Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government.

It seems like intelligence services spend a lot of their time dreaming up ways to do an end-run around the law. This is the same reason US intelligence does partnerships with foreign intelligence services.

reply

[–] kevcampb link

I just discovered this treasure trove from the UK house of commons in 2006

https://publications.parliament.uk/pa/cm200506/cmhansrd/vo06...

"To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person's mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies' current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker's website has recently published information telling how to spoof consent without even having to have temporary possession of the target's phone; all that is needed is the number. If someone has a person's number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers."

reply

[–] fixermark link

Is it even considered an exploit?

It's a cell carrier providing data about the radio communications between hardware they own and someone else. At a moral level, seems somewhat equivalent to a web server providing data about clients that access the server.

To opt out, stop using some third-party corporation's owned hardware to route your communications near lightspeed around the world. Hey, the Amish communities may have something in their overall philosophy of "Don't be beholden to strangers who aren't part of your community."

reply

[–] kevcampb link

I'm not clear if you missed the point here? This isn't aggregate data, it's obtaining the location of a specific individual just by knowing their phone number. It can be done without their knowledge or consent.

By your webserver analogy, the equivalent would be more akin to google publishing the contact details and search queries of anyone using the service.

reply

[–] kevcampb link

Carriers have been providing these services to 3rd party providers since at least 2006

https://www.theguardian.com/technology/2006/feb/01/news.g2

A few points to note:

* Obtaining consent is entirely left to the provider to implement. It does not appear to have any auditing. A provider can query any number they like.

* The opt-in process used by many providers is easy to exploit, by spoofing SMS replies or abusing the SMS template so that the surveillance target does not get notified

* The providers have are well aware of the potential to exploit this and have been for some time. It has never been resolved in over 10 years.

reply

[–] trystero link

Terms of Service; Didn't Read (https://tosdr.org)

TOSBack, the gitified version (https://tosback.org)

A new version of ToS;DR is also in development: https://github.com/tosdr/phoenix

reply

[–] Sharlin link

One of the things that GDPR requires is real informed consent, small print hidden inside a thirty-page EULA is not acceptable.

reply

[–] mtgx link

And unlike some of the recent proposals in the U.S., it's generalized to all industries.

reply

[–] xexers link

You would need 76 work days per year to keep up with reading all of your TOS

http://techland.time.com/2012/03/06/youd-need-76-work-days-t...

reply

[–] reustle link

And that was 6 years ago. I'd imagine it's quite a bit worse now.

reply

[–] emodendroket link

Is that possible? Yes, but it's not in their interest to do.

reply

[–] itchyjunk link

Maybe by some 3rd party then? Maybe an application of all the fancy natural language processing or some other ML. I visit the site, paste the TOS or maybe there is a list of TOS that has been translated and i get a nice gist.

reply

[–] emodendroket link

I think a more realistic option is Congress imposing a requirement on them, the way the terms of a loan have to be presented in a standard form.

reply

[–] itchyjunk link

I am starting to wonder what all have I consented to? Every week I learn I have consented to this and that because of a news article as I never read those contracts or TOS. I wonder if there will be a way to phrase long contracts into bullet list of ideas for someone simple minded like me in the near future.

reply

[–] code4tee link

I was aware the cell phone companies were selling anonymized data for some time (not revealing the numbers and adding some jitter to the location data to avoid identifying users).

This is the first I’m hearing that they’re releasing detailed personal tracking by phone number. When I sat in on a recent presentation with Verizon execs they flat out said they were not doing this. Oops.

reply

[–] rinze link

A while ago I thought of a very neat 'future job': you walk around town with somebody else's phone. So if you 'need to be' somewhere, you just hire this service, deliver your phone, which will be returned to you, and there goes your track record.

reply

[–] eximius link

That's fairly easily detectable through analysis, though.

reply

[–] gm-conspiracy link

Not if you use a clowder of feral cats.

reply

[–] pavel_lishin link

It would probably be more detectable, since a cat's movement pattern would likely be very different from you or a stranger you hired.

reply

[–] metalliqaz link

yeah but... then the customer doesn't have their phone

I need my phone, especially when I'm out

reply

[–] cpeterso link

Use a drone to fly your primary phone to the location and relay the call to your secondary phone on your person.

reply

[–] stamps link

I'm hoping the Librem 5 succeeds. I think disabling the baseband would be a solve and at least slightly more trustworthy than airplane mode.

Right now I think you're right, there's no defending against it without turning off devices.

reply

[–] Skunkleton link

> more trustworthy than airplane mode

All airplane mode does is turn of transmitters. There is no reason that the firmware should stop caching GPS data for later transmission

reply

[–] yborg link

That probably won't do much for you in many urban areas in many countries. Municipalities are routinely maintaining data captured from license-plate scanners and some cities now have CCTV networks with facial recognition software. So unless you don't drive and walk around with a new rubber mask on every day you are still subject to the panopticon.

Most businesses these days have some kind of camera system for security, it won't be too long now before someone starts buying these video feeds from say Starbucks, etc. running recognition AI on them, tagging individuals, and selling this aggregated location data, maybe even realtime. At the moment, I don't think this would even violate any privacy laws.

reply

[–] ClassyJacket link

>So unless you don't drive and walk around with a new rubber mask on every day you are still subject to the panopticon.

Gotta invent that Scramble Suit!

reply

[–] erikpukinskis link

What about a decentralized networks over 802.11?

It wouldn’t be a total solution, because access points get hacked, etc. but it would make the data a lot fuzzier.

reply

[–] superkuh link

The reason that cell phone networks actually work (they're effectively decentralized networks) is that they pay the big bucks to rent space on high towers, building roofs, etc.

The only thing that matters for radio communications is line of sight. The only thing that gives you line of sight is relative height. The only thing that gives you consistent height is money.

reply

[–] erikpukinskis link

Voice over WiFi definintely works. I don’t think “works” is the word you are looking for. “Won’t have great coverage” is maybe what you were going for.

A WiFi-based network with stronger privacy characteristics would be valuable to the small part of the market who cares more about privacy than coverage. Those people exist, ya?

reply

[–] superkuh link

By works I mean, doesn't cut out permanently and from then on at every small hill or rise in the ground. I've done a lot of real implemention of 900 MHz and 2.4 GHz mesh wireless networks.

I currently operate a 5 MHz channel at 910 MHz using broadband hamnet firmware on ubiquiti transceivers. This is for between home (custom antenna up on a tall 10m pole on my apartment) and my car (custom antenna popping up through the sunroof). By work, I mean, work at all for more than the first slight change in elevation. I've even tried using custom FPV narrowband solutions (56k SLIP) at 433 and 900 MHz and those do not better. The first slight rise in the ground kills you after a block or two. And I'm not in a super-hilly region.

I have no confidence than any ad-hoc deployed mesh network of 2.4 GHz is going to be good for anything but within a single home or building.

reply

[–] komali2 link

>The only thing that gives you consistent height is money.

Or long rope, a balloon, and a heat source ;)

reply

[–] Lionsion link

> Or long rope, a balloon, and a heat source ;)

Good luck if a storm hits.

reply

[–] komali2 link

Fishing reel.

reply

[–] adventured link

Until/unless they modify the law - turning off your phone thwarts it. While your phone is powered off, it has no ability to track & record your location movements. Obviously your active location will then be picked back up after you power it on, it won't have a record of anything inbetween.

A simple example of limiting the invasiveness using this approach, would be to have your phone on only at work & home, or similar. In absence of phone snooping, someone can already easily locate you at those two standard destinations, and can easily discover when you'd typically be at those places (ie you're not giving them much by using your phone there under normal circumstances).

reply

[–] gm-conspiracy link

So, use Google voice or setup your own w/ Twilio (try all numbers), and have a work cellphone and a home cellphone, a one-way pager (for when you are traveling), and another travel phone without a battery that you would use if necessary, based on the pager message?

reply

[–] jstanley link

Does turning the phone off actually turn the baseband off though?

How could we possibly tell?

reply

[–] undefined link
[deleted]

reply

[–] xfitm3 link

While unreliable it wouldn't be unrealistic to use wifi in densely populated areas. It looks like the pager industry is still alive, too.

reply

[–] delecti link

Most wifi hotspots have location information anyway, so your phone will know where it is, and then one of the many apps on your phone can report back with that information.

And isn't a pager just a really simple cell phone? I'm not sure how that's a solution if cell towers can triangulate your position.

reply

[–] xfitm3 link

I should have been clearer: One way pagers seem to still exist. They do not transmit.

reply

[–] ghostly_s link

Isn't this just a billing distinction though? A 'receive only' pager still needs to announce itself to the cell tower to have messages routed...pretty sure they're not just multicast across the entire global cell network?

reply

[–] pdkl95 link

> cell network

Pagers do not use the cellular network. (some cellular networks do provide paging-style services, but that is a later development that is unrelated to traditional pagers)

> A 'receive only' pager still needs to announce itself

A traditional pager doesn't have a radio transmitter.

> they're not just multicast

The message is broadcast region-wide using very low-bandwidth protocols[1]. A pager will generally only work inside the region it is registered with. To compensate for the lack of ACKs, the message is usually repeated several times; it will missed if the pager is off for all of the transmissions.

[1] https://en.wikipedia.org/wiki/FLEX_%28protocol%29

reply

[–] pdkl95 link

Dan Geer (CISO at In-Q-Tel, has been warning about the dangers of surveillance for years) has spoken about how he uses a pager instead of a cell phone.

https://www.washingtonpost.com/news/the-switch/wp/2014/08/11...

reply

[–] toufka link

I wonder if even an old iPod Touch withought a cellular chip would actually be a useful decice for this kind of wi-fi-only connectivity.

reply

[–] jakobdabo link

You still can't be sure. Your car may contain a SIM card nowadays, always connected, for your protection, sure thing.

reply

[–] Qwertie link

The worst part is there isn't any possible way I know of to defend yourself against this other than not having a phone.

reply

[–] entrypoint0 link

Two related stories:

I went to a recruiting event in 2013, or 14 perhaps, for a major telecom network in Canada. They were proudly showcasing their ability and interest to analyze people's data. I was shocked, so I spoke to the hiring manager:

"You should be concerned about google and Microsoft, they have much more data" he said. They do, but much less sensitive data. And I am paying you! And google gives me free excellent services. You are an expensive oligopoly with not the best customer protection track record.

2. I had a free modem from a major network that came with the internet. I used the modem at another location while I was away. I got charged for my usage! The modem was not just a modem, it was sensing more information to their system. That is how they tracked my usage, if that is the only thing they tracked. Their technical customer service avoided any form of discussion. Cancelled my internet line with them, and using VPN for trackable stuff ever since.

I am seriously considering cancelling my cell phone until their practices changes.

reply

[–] pdkl95 link

The most obvious use is insurance companies looking for excuses to deny claims.

reply

[–] chillingeffect link

Or maybe parallel construction used to deny/approve loans. E.g. I can't weight the loan approval negatively specifically bc the person is black, but the GPS information suggests they frequent black areas.

But really every use of this information is highly assymetrical. If they're using it to trade stocks, while regular people are using traditional means, it's an advantage we don't have access to. This is basically the virtual castle walls keeping us peasants out in the fields. Modern feudalism.

reply

[–] dspillett link

As blocking fraudulent claims could remove a reason for my premiums to he higher, I can't say I'm against that.

With the caveat, for course, that people are not always where their phone is so this taken on its own would be circumstantial evidence: one would hope decisions are not made directly based on this information.

reply

[–] nojvek link

It’s not in the interest of insurance companies to lower premiums. They only do it if competition is eating them alive. Geico has been raising their margins ever so slightly. I bet they are also the purchasers of ungodly amounts of data for targeting marketing.

Insurance companies #1 goal is to make maximum profits for their shareholders without getting caught with their pants down.

reply

[–] vuln link

GEICO is a private company. There are no shareholders. GEICO is owned by Birkshire Hathaway which is owned by Warren Buffett.

I am sure your point is still valid with publicly traded insurance companies.

http://investsnips.com/complete-list-of-insurance-companies-...

reply

[–] jogjayr link

> GEICO is owned by Birkshire Hathaway which is owned by Warren Buffett.

Berkshire Hathaway is publicly traded. Warren Buffet owns 36.8% of it.[1]

1. https://en.wikipedia.org/wiki/Berkshire_Hathaway

reply

[–] mostlyskeptical link

Mine go down fairly regularly. I have even been cut a check for adding cars to my insurance.

reply

[–] brewdad link

Are you changing insurance companies regularly? Why would an insurance company have any reason to reduce your rates unless legally required to? Even if they've been overcharging you for years compared to competitors, if you aren't calling them up and threatening to change insurers, why would they ever give you money back?

reply

[–] frockington link

Probably the same reason airplanes have frequent flyer miles. If a customer has proven to be low hassle you don't want to lose them

reply

[–] extr link

Yes, if it gets to the point where they've already shopped around you're going to be paying a much higher price to retain that customer, than if you simply gave them a reasonably competitive premium or deserved discount. Insurance companies are not like cable, customers are free to switch to one of many options at any time. Acquisition and churn costs are huge problems.

reply

[–] whatshisface link

Does it bother you that you're being tracked?

reply

[–] assblaster link

Yes, I am greatly bothered by it, especially because I am not aware of the extent that my information is being distributed.

On the one hand, I opt-in to location tracking for apps and services such as Google services, because I genuinely believe that I benefit greatly from location-targeted information. On the other hand, I would opt out of any other location tracking of my cellphone to companies that I do not see the benefit of having. I want fraud-protection and no liability when it comes to fraudulent purchases (opt-in for credit card companies and banks), but I don't want the government/Facebook/retailers/insurers to have this access without permission.

reply

[–] wilsonnb link

I'm not the person you're asking this question to, but I thought I'd reply anyways.

No, it doesn't really bother me. Why would anyone care that I get up around 7AM on weekdays, drive to work around 9, stay there until 5, and then drive home?

On weekends they will see me going to Target and the grocery store. Sometimes another store. Sometimes I go to visit my family in another city.

I really don't care if people have that information. Many people (not me) post that information freely on Facebook, Instagram, or Twitter.

There are some future situations in which I might care that I am being tracked. If that were the case, it's highly unlikely I would bring a phone with me.

Would I prefer not to be tracked? Probably. Does it bother me that I am being tracked? Nope.

I suspect these views line up with the majority of people in the US.

reply

[–] King-Aaron link

I wonder how many of the 16-million East Germans had this same utopian outlook on it..

Edit: While things are "good", I'm sure you and a lot of others don't see an issue. But you're giving yourself a lot of rope to be hung on if ever things become hard.

reply

[–] wilsonnb link

I guess my view of the situation is that the massive collection of data only becomes a problem in situations where we can absolutely not trust our government, and if things get that bad then we have much bigger problems than the government having a lot of data about us. At that point they don't need evidence of wrongdoing to drag people into the street and shoot them, so it doesn't matter to me if they have it.

reply

[–] krageon link

The trouble is that they might target a group that you are logged to be a part of. For a concrete example, the reason the Nazis were so successful in finding Jews in the Netherlands is because the government there kept (and keeps, if I'm not mistaken) a list of people and which faith they belong to. That list was then handed over to the invaders, who made really good use of it in the time after.

Nobody before that point really stopped to consider whether or not it was a good idea this data existed in the hands of the people that had it. If they did, they probably thought there was nothing to hide (or even that it was a good idea, perhaps). At this point, we should know better. For the ones targeted, there were no bigger problems than the fact that someone had this data about them.

reply

[–] staplers link

  Why would anyone care that I get up around 7AM on weekdays
No one does. But let's assume you suddenly won the lottery. Now a lot of people care, and they're able to perfectly plan when exactly to rob your house as you are gone.

Just because you have no self-esteem doesn't mean other important people shouldn't have rights.

reply

[–] alphydan link

Sorry. In your years of volunteering with the homeless you rubbed shoulders with the wrong people. Our data says you are Islamofilic. Please present yourself at the interrogation booth March 1st 2025. That's why.

reply

[–] wilsonnb link

At that point, what's to stop them from forcing me to present myself at the interrogation booth anyways? Does it matter if they have data "proving" that I've done something wrong, or if they just make it up?

reply

[–] whatshisface link

The "evil government" can't actually gain anything by targeting people completely at random. They'll have some class of political enemies and be very happy if they have a way to identify them.

The problem is that, today, you can't predict what will get you in trouble tomorrow. So even if you intend to live your entire life in complete compliance with whatever the current government wants, you won't be able to live in compliance with what the next set wants in the future. You can't simulate liberty by keeping your head down - eventually you will disagree with the government.

To a lot of people, "disagreeing with the government" means convincing a population that is largely happy with the way things are that something unjust or wrong is happening. That's the pattern of civil rights, environmentalism, and other activist movements that we have had in the West. This is not the whole story: in countries and times with poorer situations, disagreeing with the government can mean a conflict with your own practical (economic) well-being, as a member of no particular minority. In fact it is all of this bean counting about rights an liberty that keeps us away from "disagreeing with the government" in ways that are easier to convince people about the significance of.

reply

[–] ihsw2 link

How do you expect this data to be used in your favor? If there is a technical glitch/human error and your data is intermingled with someone else's, it will be used against you silently and you will have no recourse.

reply

[–] jobigoud link

Do baks sell customers location data?

reply

[–] assblaster link

The most obvious use of the data appears to be by credit card companies to detect fraudulent use of a card and decline those transactions. This is something I'm relatively comfortable with, though it's plainly in the interests of the bank and I only indirectly benefit from the tracking.

reply

[–] lolc link

The way I understood it is that the requester of the location is trusted to have gotten consent from the subject of the query. The providers will answer any queries.

So Securus works on the "we're sure our customers are getting consent for their inquiries" presumption. What are the consequences if a company is found to not have gotten consent? Business sense dictates there to be no consequence at all if Securus can avoid it.

The way this should work is that the carriers can get permission to share location data with third-parties. They should not do it without having gotten permission from their customer. But then they probably get that when you sign the contract. Or do they just not mention it?

reply

[–] bscphil link

>Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).

That's terrifying. Do you have a source I can look at for this? It might be time to always-on VPN my phone.

reply

[–] cascom link

This is even more disconcerting - just out of curiousirty what does this cost?

reply

[–] knodi link

9c on the high end, under a 1c on the low end (with volume/long term commitment)

reply

[–] knodi link

Carriers are also selling your billing records. They offer a service to return the carrier billing address/name based on the mobile number.

Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).

reply

[–] rando444 link

If you take that cell phone home with you regularly and don't live in a multi-unit building, it would be relatively trivial to figure out your identity using this data.

reply

[–] braunshedd link

Undoubtably. Not a strong protection against doxxing, but might offer some semblance of protection from 'drive-by-lookups'. With a modern smartphone and location services, there's only so much you can do.

reply

[–] fapjacks link

Just a heads up: Twilio now offers a metric fuckton of services geared towards SIM-enabled IoT. You can order SIM cards by the pile and then bind them to a Twilio number by activating it in the UI (or via API). So now instead of (or in addition to) simply forwarding traffic from garbage numbers to your real number, you can get Twilio numbers that are registered on T-Mobile's network via an actual SIM card, making it much easier to send from your Twilio number than it used to be without it bound to a SIM card. Fairly good price, too. Unfortunately, I'm not sure what happened to Twilio's API as it's now as opaque and awkward as any AWS API (almost as though someone on Twilio's engineering team made the decision to model their API after the way AWS builds their APIs), but the services they offer are as compelling as they always were. I'd give Twilio a solid D for what the API has turned into, but A+ for service innovation.

reply

[–] reustle link

Last time I checked the data price for twilio sim was not good for daily use. Far cheaper to use something like Google Fi and a data only sim.

reply

[–] fapjacks link

Yes, but the whole reason for using Twilio is so you can hack your telephony just the way you like it. Google Fi does not also have a ton of cool services you can take advantage of. You get a phone number and that's that, you're subject to the same old POTS-like restrictions. I don't suggest people use their Twilio SIM card for data like you would on your regular phone, even though when you look at IoT data services offered by companies that aren't also enormous wireless providers, Twilio's prices are relatively pretty good. And also calling and texting is dirt cheap but again, not like with your regular phone. I have a phone with two SIM card slots, and so I've got my regular stupid phone provider's SIM card in one slot and the Twilio SIM in the other. New versions of Android give you tremendous granularity of control with multiple SIM cards, so I can be hyper-specific about which activities should be using which SIM cards. And this granularity is very well-designed from a UX perspective, making it almost effortless to override my preferences e.g. for making a single phone call or using one specific app for a short time.

reply

[–] discussedbefore link

Service Meant to Monitor Inmates’ Calls Could Track You, Too https://news.ycombinator.com/item?id=17046632

reply

[–] braunshedd link

Previously discussed yesterday, and again two days before that: https://news.ycombinator.com/item?id=17069459

This is one of the reasons I use a public-facing Twilio number, which forwards to a private number which I never hand out.

This isn't something that people should have to do to opt-out of tracking like this, but it doesn't seem like there are many other reliable options.

reply

[–] chillingeffect link

Through FISA, all foreigners are legal monitorable, no matter what.

This is part of how US mass surveillance works. We record everything and if it turns out to be a citizen, we're supposed to throw it out. Of course in reality, it goes to the Parallel Construction Department who uses the information to build a case against someone through other means, knowing the answer in advance.

reply

[–] willstrafach link

> Of course in reality, it goes to the Parallel Construction Department

Not the case. US Person Information cannot be queried. You are referring to a practice used against foreign targets to obfuscate methods of surveillance (Reasonable folks can object to this as well of course - my only point is that your portrayal is not accurate).

reply

[–] a_imho link

Why do you assume European carriers do not do the same?

reply

[–] einfach link

Maybe [1]. I wouldn't count on being protected while outside the EU.

Art. 3 GDPR Territorial scope

Article 3(1) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

Article 3(2)(a) - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or Article 3(2)(b) - the monitoring of their behaviour as far as their behaviour takes place within the Union.

Article 3(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

[1] https://gdpr-info.eu/art-3-gdpr/

reply

[–] John_KZ link

Practically you're just going to get extra tracked because you're a foreigner. Also if the articles about TSA borrowing your phone to clone it real quick or forcing you to log into facebook are true, I wouldn't expect them to abide to GDPR.

reply

[–] tome link

Does GDPR even protect against this inside the EU?

reply

[–] emodendroket link

I doubt you get extraterritorial protection.

reply

[–] baxtr link

What if I as an European visit the states? Am I protected by through some agreements with my local provider or even GDPR?

reply

[–] TangoTrotFox link

Another 'fun' implication of this are the increasingly large number of sites that try to obtain your phone number either through SMS messages during account setup, two factor authentication, or any other number of ways. The accounts you have on those sites link directly to your physical presence. Taking it one small step further, any accounts on other sites you have linked to those accounts are similarly effected. Taking it one step even your dynamic IP address at any given moment can end up working as a physical identifier.

The amount of information the NSA has on people is going to be phenomenal. It'd be interesting to be able to glimpse the data just to see how much we all give away. Here's to hoping we never once ever end up putting a 'bad' person in high office because the amount of targeted damage somebody could do with this information is just staggering to even consider.

reply

[–] wpietri link

A friend of mine just got back from NYC and then received a fake call from an NYC area code. I get several every day from random area codes, and we had to wonder whether it was coincidence or not.

reply

[–] kurthr link

I wondered how the spam callers knew what area code I was in while traveling out of state.

I would assume that through clustering analysis (eg coworkers/friends travel together) even fairly coarse position data can allow you to construct relationships. Then they can spam/fish both you end your coworkers with the same fake number. That makes it seem more important to answer and more organic.

reply

[–] facetube link

Hope you like short battery life and warm pockets.

reply

[–] undefined link
[deleted]

reply

[–] rojobuffalo link
[–] dhimes link

Would airplane mode work?

reply

[–] JetSpiegel link

It is implemented below the kernel, nothing you can do in the OS can touch it.

reply

[–] metalliqaz link

Airplane mode would work, yes. But it only works against the cell provider. The on-phone GPS can still work and sync the data later.

reply

[–] hanspeter link

I would imagine the airplane mode deactivates GPS signal recipience?

reply

[–] ThinkingGuy link

I can confirm that it doesn't, at least on the iPhone 7. I recently took one on an overseas trip and left it in airplane mode the whole time. The photos I took during the trip were all properly geotagged.

reply

[–] undefined link
[deleted]

reply

[–] paulmd link

GPS is passive, so there's no need to disable it in airplane mode.

reply

[–] gm-conspiracy link

Why?

Would it only prevent transmission of radio signals, not reception of them.

Just the TX, not the RX.

reply

[–] 8bitsrule link

Inside of a faraday cage, there is no GPS reception.

reply

[–] luxpir link

The off button/battery out is a simpler solution. You won't be receiving calls anyway.

reply

[–] undefined link
[deleted]

reply

[–] undefined link
[deleted]

reply

[–] howard941 link

Way to disrupt the market for RFID-blocking wallets

reply

[–] jobigoud link

Problem is now you can't receive calls.

reply

[–] GFischer link

Many would see that as another plus :) . (I've just received a call from "Scam Likely")

reply

[–] throwaway413 link

I’d buy a pair.

reply

[–] wmeredith link

Anyone have a link to jeans with faraday pockets?

reply

[–] erikpukinskis link

Send a letter to their legal department requesting the information.

reply

[–] cyanbane link

Does anyone know of a way you can request consent status from your service provider?

reply

[–] RubenSandwich link

Part of the American mythology is that government involvement is always bad. It's hard for me to know if this developed because of the myths of the America Revolution, that a small colony won it alone and not because of external factors, and how much is due to people preaching small government politics. Regardless a distrust of the government seems to be ingrained in the American psyche IMO.

reply

[–] brightball link

Small government just means localized government.

At a more local level, people have much more influence and ability to change problems that they see. At a more federal level, policy is imposed without localities having much/any influence.

That centralization and imposition of policy that half the country opposes is the reason for the political divide that we see today. If the same policies that we argue about so much were implemented at a state level, people would have the ability vote with their feet.

That doesn’t mean some legislation shouldn’t be federal, but there is a reason that the intention was for federal policy to be overwhelmingly agreed upon rather than forced in along party lines.

reply

[–] Clubber link

This is a good summary. The US was designed similar to the EU; each "state" is autonomous, but some things are shared, like currency, etc. Allowing frictionless movement between states is also paramount (and explicitly defined).

The logic being, if a state starts to get out of control, you can just move to another state. This allows states to experiment with various laws specific to the population.

Most of this was undone with the Civil War. As abhorrent as it was, the federal government had no legal power to ban slavery outside a constitutional amendment. The 13th-15th amendments actually banned slavery after the war, not the Emancipation Proclamation. Today, the federal government bans whatever it pleases and uses the commerce clause to skirt the constitution.

Take the drug war for example. Because a group of drugs was federally banned, states were powerless to do anything about it. I think most people would agree that federally banning all drugs ended up being a terrible idea and ruined many lives and families over the course of it's execution. It continues to do so today. If the constitution was actually followed, each state can determine which drugs it would allow. As far as I know, Colorado hasn't devolved into a cesspool of depravity since it legalized pot. Imagine all the hell that could have been avoided if states were allowed to decide which drugs to ban rather than the federal government.

Of course a strong federal government has some plusses as well. It was hotly debated during the country's inception, but the ultimate compromise all the states agreed to is what we got.

reply

[–] stevehawk link

Ahaha what? There's no myth that we won it alone. Elementary school texts on the subject lay it out fairly clearly that we did it with the French.

reply

[–] RubenSandwich link

They may talk slightly about the French help but none talk about The Spanish[1] also England was having trouble recruiting for the unpopular war so much so that about ~1/3 of the British fighting forces were mercenaries[2]. The Revolutionary war was won basically because the British Empire was starting to show it's cracks and other countries jumped at the chance to speed up it's demise.

[1] https://en.wikipedia.org/wiki/Spain_and_the_American_Revolut... [2] https://en.wikipedia.org/wiki/American_Revolutionary_War#Rec...

reply

[–] specialp link

There's no doubt that those were factors that aided. As always nothing in world history happened due to a singular factor or cause. But it is not mythology that a lot of brave and enlightened people fought an empire and have become a very successful country. What next? Are we to discount the Allies win over the Axis because well the Third Reich was worn down due to fighting in Russia? I am a US born citizen and criticize our country quite a bit, but it is insulting to say that the uprising here wasn't the main factor in us achieving our independence.

reply

[–] emodendroket link

Until the levee en masse in France pretty much all European armies consisted of mercenaries, criminals, and various other people considered the dregs of society, rather than patriotic citizens devoted to the cause.

Also the British Empire lasted significantly longer and a big factor in pulling out was protecting the Caribbean possessions from the French.

reply

[–] lostcolony link

There are a worrying number of people in the US who believe in American exceptionalism. When the French are brought up by them, it's generally in the context of "We saved their asses in WWII", not "They were vital in our war of independence".

reply

[–] adventured link

Trump just spent his formal state visit with Macron repeatedly extolling the role the French played in American independence. Trump addresses almost everything he does to the same audience that elected him (the same people that your premise would imply don't understand how vital France was to US independence). It's blatantly clear that average Americans for two centuries have understood the very important role France played. It is taught in all schools in the US.

Just about all nations believe in their own exceptionalism. Ask a person from Scandinavia what the best nations on earth are sometime. You really don't need to ask, they'll start all of their replies with: in Sweden we are bestest. Ask a French person how glorious their culture is. Ask a person from China how extraordinary their nation is and about how it's going to dominate the world in the future. Ask a German who makes the best cars on earth (they'll volunteer that, you know, Americans should make better cars if they want to fix the trade deficit, snark snark, chortle). Ask a Canadian if their country provides for a superior way of life vs the US - they won't hesitate for a second to proclaim that as a matter of fact their way of doing things is superior. Ask a Japanese person, off the record, if they're superior to the Chinese.

America's exceptionalism, is that it's the only nation aggressively called out for believing it's exceptional.

reply

[–] lostcolony link

'Generally'.

Also, a severe lack of commentary on those who live in other countries believing in their own exceptionalism. So not sure what you're responding to.

reply

[–] emodendroket link

Probably a bigger myth is that farmers hid out in trees and picked off stuffy Englishmen foolishly clinging to warfare in lines (so why was von Steuben important, then?), which only comes close to describing reality in places like Kentucky where a bunch of partisans were participating in what we might today call guerilla warfare. But even in that case it was less picking off soldiers and more killing your loyalist or patriot neighbors. Warfare in lines was completely logical given the weapons available at the time.

reply

[–] dragonwriter link

> There's no myth that we won it alone.

Yes, there is.

> Elementary school texts on the subject lay it out fairly clearly that we did it with the French.

Textbooks are a mixed bag, but most I've seen at K-12 levels do mention that the French eventually were involved in some way, but very few give a real idea of the nature, extent (material or temporal), and criticality of French aid. E.g., approximately zero note that France started covertly arming and funding independence-minded Americans before the Declaration of Independence.

But even if the textbooks told the whole story, that wouldn't disprove the existence of a popular myth, it would just make it's persistence more remarkable.

reply

[–] delecti link

Even if it were factually accurate that we won it alone, the story of the revolutionary war has still taken on mythic status in our society. The revolutionary war is just as much a mythic story as many religious stories.

reply

[–] prklmn link

Another part of the American mystique is that every politician is for sale via legal bribery where companies donate to their campaigns and get them to do mostly whatever the company wants, totally contrary to the interests of the public.

reply

[–] SketchySeaBeast link

And somehow people trust those bribing companies more than the politicians?

reply

[–] erikpukinskis link

They do, some folks.

The idea is companies, caring only about their own revenue, are purer of heart than politicians who are interested primarily in their own social status.

... that a kind of bulk morality emerges from many individuals all working to maximize a single product’s sales.

reply

[–] SketchySeaBeast link

Some say "bulk morality", I say "immoral, unrelenting, greed". Not exactly a benevolent goal.

reply

[–] undefined link
[deleted]

reply

[–] rectang link

It's reasonable and wise to distrust government. What is unreasonable is American blind faith in private industry.

This tracking is a great example of the threat posed by industry to individual citizens.

reply

[–] dredmorbius link

The term "big business" preceded "big government", and has been far more prevalent.

Big government arose as a response to and check on big business.

https://books.google.com/ngrams/graph?content=big+business%2...

reply

[–] malvosenior link

You leave out another option: Americans distrust government because we see it fail us every day. Corruption, police brutality, inefficiency, politician sleaze baggery...

In general corporations provide a much higher quality service than the government in the US.

reply

[–] SlowRobotAhead link

It always boggles my mind how 1/2 the people that realize and complain about those things go on to recommend more government and that only they should have effective guns.

reply

[–] erikpukinskis link

It’s not half, it’s a tiny percent who recommend those things.

Saying half the country wants those things because they vote D is the same as saying half the country wants to ban Muslims because they vote R.

You can’t treat populations as individuals. You can’t take the many desires of a group of people and expect them to make sense as if they were one mind.

This mindset is the reason political discussion has broken down in this country. Rather than treat each other as individuals with diverse opinions, we treat each other as mini clones of the nonsensical amalgam of the worst aspects of half the country.

reply

[–] chillingeffect link

You make a good point about the government, but I don't agree it extends to corporations. Corporations do much of the dirty work of the government.

Defense contractors and mining concerns operate hand-in-hand with the government, training police, researching weapons, running prisons, crunching data. Look at the story of this article: it's corporations doing the dirty work the government isn't technically allowed to do.

Furthermore corporations only submit to greatly reduced requirements for attending to those with special needs, like in wheelchairs, deaf, etc. There are some valuable services provided to them, like closed captioning, but only under passioned support from idealists and with profit incentive.

If we left it all to corporations, only the most able-bodied and well-off people would run the country for the most able-bodied and well-off, forming tight-knit circles to maintain their power and never perceiving the world as a place for living, only protecting power.

reply

[–] aerotwelve link

> ...There are some valuable services provided to them, like closed captioning, but only under passioned support from idealists and with profit incentive.

It's worth noting that video closed captioning had to be mandated by law (Telecommunications Act of 1996) before it became universal[1]. Some broadcasters were ahead of the curve & implemented it prior to the legislation, but it was rarely comprehensive.

Of course, this just underscores your point that disabled consumers were not a large enough group to have their needs met by market forces alone.

[1] https://www.fcc.gov/general/telecommunications-act-1996-and-...

reply

[–] tinus_hn link

The clever part is that the government in turn is allowed to purchase data from the other companies.

reply

[–] codedokode link

Also, if a government employee does a lookup in their spare time as a private person out of curiosity, it is ok? Or if they ask their friend to do the lookup?

reply

[–] stevehawk link

Why? Releasing the data to the government creates Big Brother. I thought we were all against that?

reply

[–] izacus link

Now you've created a corporate Big Brother, who is hell bent on pure profits and doesn't even have to answer to you in the elections. Is that better?

reply

[–] stevehawk link

Yes? Government Big Brother can put me in jail just because a cell phone record said I was near a crime while being committed. Corporate Big Brother can only make money from me.

reply

[–] distances link

Here the difference shows pretty clearly, as I would trust the government more than any company. Government serves the people, while companies mostly care just about profit. Any of companies' privacy concerns are related to legal and PR risks.

Being from Northern Europe, I do feel I have a good reason to trust the government. It's a machine that is working for my benefit, with my tax money, and is held accountable via my votes.

reply

[–] gowld link

If your local government is full of such good people, why aren't your corporations?

reply

[–] SlowRobotAhead link

“Here the difference shows pretty clearly, as I would trust the government more than any company.”

What the?

”Government serves the people”

Wait seriously?

”Being from Northern Europe,”

OH. Yea, I’m pretty sure there is a cultural difference we just aren’t going to agree on. I don’t know what country you are from but I’m going to guess it’s population is pretty small and what you effectively have is small government anyway.

reply

[–] Smoofer link

Whether or not they live up to that purpose is another discussion, but at a base level the government exists to serve the people while (for-profit) corporations exist to make money. Regardless of cultural differences.

reply

[–] gowld link

Government doesn't exist to serve all the people, it exists to serve the continuity of the government.

reply

[–] facetube link

Corporate big brother will actually help them put you in jail if it's profitable.

reply

[–] willstrafach link

> Corporate Big Brother can only make money from me. reply

Equifax is a private corporation yet can do more harm than just making money, with little accountability.

reply

[–] codedokode link

What stops Corporate Brother from voluntarily sharing/selling/giving data to the government out of patriotism? Or for some help in exchange. Especially if done unofficially.

reply

[–] josefresco link

Two big brothers: Government and Corporate - lately, in some cases, these brothers have merged.

reply

[–] undefined link
[deleted]

reply

[–] ahartmetz link

There is this old theory about that: https://en.m.wikipedia.org/wiki/State_monopoly_capitalism The Marxist as well as the libertarian theories about it probably contain a few valuable insights and a few terrible ideas for fixing the situation, as usual for radical political theories.

reply

[–] eeZah7Ux link

Contrasted to Palantir, Facebook, cambridge analytica and private firms working for NSA?

Ironically, governments are somewhat still under democratic control... somewhat.

Corporations are completely authoritarian, and by design.

reply

[–] gpvos link

Well, such a release should of course be limited, regulated and with oversight. But I'd argue that at least police should have some possibility to get at customer data, even without opt-in.

Release of privacy-sensitive data to other companies should strictly be by clear customer opt-in, with clear limits on its use. And even some of that should be forbidden for semi-monopolies such as telecom providers.

reply

[–] drderidder link

Releasing the data to corporations creates a different Big Brother.

reply

[–] kevin_b_er link

To corporations, you have no inalienable rights. They're just more things to be bought and sold.

reply

[–] dredmorbius link

Actually, not true by the defnition of inalienable right: something of which you may be deprived, but no other person may gain.

It is possible to take from you real or chattel property, funds, papers, etc., and give them to another. Your life (though no longer your organs and tissues), your liberty, your happiness, not so.

Those are inalienable in that they cannot exist seperate frome you.

reply

[–] dredmorbius link

Definition of inalienable:

That cannot be transferred to another or others: inalienable rights.

https://www.thefreedictionary.com/inalienable

Not subject to sale or transfer; inseparable.

That which is inalienable cannot be bought, sold, or transferred from one individual to another. The personal rights to life and liberty guaranteed by the Constitution of the United States are inalienable. Similarly, various types of property are inalienable, such as rivers, streams, and highways.

https://legal-dictionary.thefreedictionary.com/Inalienable+r...

reply

[–] random_moonwalk link

What would stop the government from just getting this stuff from a third-party who has purchased it?

reply

[–] move-on-by link

Nothing, that's one reason why these companies exist. Its corporate surveillance

reply

[–] tome link

Probably the same above-named act.

reply

[–] itchyjunk link

But that act says it's telecoms that can't sell it to the government. Doesn't the government purchase data from other 3rd party entities anyways?

reply

[–] tome link

I've never read the act but such a hole would be so gaping that it would even embarrass congress and telecoms lobbyists. I can't possibly imagine that they didn't close it.

EDIT: Maybe I was too optimistic: https://news.ycombinator.com/item?id=17082213

reply

[–] dwighttk link

I'd say only half the wrong way.

reply

[–] gpvos link

> the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies

Clearly the US has their priorities completely the wrong way.

reply

[–] Horatio9000 link

There was mild discontent when the Data Retention laws [1] were being rolled out across the EU in the early 2010s. This was a legal harmonization of existing collection practices for law enforcement purposes. It did receive a lot of press coverage and some small protests (even though in reality the collection was already widespread).

In 2009, Malte Spitz (German Green Party politician) sued his telecom provider for all the information they had stored on him in the last 6 moths. He and others made a good (and spooky) visualization showing how it tracked his entire life [2]. He did a TED talk about it [3], which received a spirited applause and unfortunately minor press coverage.

I think many naively bought the idea that all this detailed data was only for LE (maybe a side effect of all the reporting on the Data Retention Laws?), despite constantly seeing clauses in their EULA's saying their data will be shared with third parties.

----

People only care about these issues once they become evident and widespread, and they personally are affected. I remember the shock my friends had when Google Maps released the location history feature. Up until then, its just a theoretical concern.

Good demonstrations, hard hitting expositions and good press coverage are essential.

----

[1] - https://en.m.wikipedia.org/wiki/Data_retention

[2] - https://www.zeit.de/digital/datenschutz/2011-03/data-protect...

[3] - https://youtu.be/Gv7Y0W0xmYQ

reply

[–] noobermin link

Turns out that Stallman was right.

reply

[–] mancerayder link

The individual rights under the Constitution have been deemed, in the U.S., to only apply to government and government institutions.

The private companies are exercising their free market rights, unfettered by inconveniences like privacy rights, and thus can (as per the article and the random65... whistleblower user at the top of this thread at the time of this writing) track behavior and sell the data.

Therefore, does it follow that government canNOT be the buyer of such data? That police departments or the FBI or others cannot access this data?

Is there a Chinese Wall in place to prevent such things from happening. Or...?

reply

[–] jiveturkey link

> one of the biggest gaps in US privacy law.

Gaps? How about lack of?

https://content.next.westlaw.com/6-502-0467?transitionType=D...

General Laws: Not Applicable.

Sectoral Laws: There is no national law.

----

How outrageous and disgusting that congress can make a big show of questioning facebook over privacy, when they don't have the courage to pass even moderate data privacy laws. How much do you want to bet this location data will be ignored by congress?

reply

[–] turdnagel link

I met a high-level executive at Ericsson who told me that he had met with Tim Armstrong (CEO of AOL) could make $5 billion more a year if he had access to location data with <50m accuracy.

reply

[–] undefined link
[deleted]

reply

[–] fixermark link

So as a private citizen, I can pool some money and get the same level of tracking that American intellignece services have of individual cell hardware?

Sounds like a win for the citizens.

reply

[–] Steeeve link

It's funny to me that this is news to anyone. This has been going on for quite some time - at least the length of my career. For the longest time it was wide open for anyone to access who had an inkling of knowledge about how mobile devices worked.

Did this _never_ come up at defcon or in an issue of 2600? Are people really _that_ focused on web security?

reply

[–] jhowell link

> Cook: What would he do if he were Facebook CEO Mark Zuckerberg? His answer: “I wouldn’t be in this situation.”

Sounds like one of those situations to me...

reply

[–] yawz link

Isn't this covered under CPNI [1]? Something that consumers can opt out?

[1] https://www.wikiwand.com/en/Customer_proprietary_network_inf...

reply

[–] BigBalli link

After reading this post a couple hours ago, I was able to play around with LocationSmart's API. Indeed seems quite powerful/comprenhensive. As of an hour or so, they took down their try/demo webpage and related open API.

reply

[–] _o_ link

I think that Snowden comment fits here:

"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say,"

reply

[–] trystero link

Have you heard of our lord and saviour, GDPR?

reply

[–] wpdev_63 link

This article is about the US telecoms

reply

[–] wpdev_63 link

When are we going to wake up and reform privacy laws?! This cannot be the new norm.

Something about this has to be illegal.

reply

[–] willstrafach link

You are referring to the command used to request where to route an SMS message, I assume? If so, carriers can (and have been albeit very slowly) restrict this activity so it is less of a free-for-all.

That said, it seems they are intentionally selling this data as well, which is a whole new issue.

reply

[–] undefined link
[deleted]

reply

[–] Rjevski link

This exploits a vulnerability in the SS7/MAP protocols that power mobile networks worldwide; the cooperation of the carrier isn't even required (even if carriers were against this; bad actors can and will get this data anyway).

reply

[–] kylehotchkiss link

Don't banks use this data when you create an account nowadays too? I just created a capital one account and they were actually pretty transparent that they'd be checking the location of my phone via carrier.

reply

[–] g8oz link

I assume this is how we get real-time road traffic information, is it not?

reply

[–] mastofaces link

I tried location smart website said location accuracy was up to 14 miles off. They were really 4 miles off. So not that accurate. If it was 2 blocks like other poster I'd be worried.

reply

[–] dredmorbius link

How much do you typically move in 30 minutes?

reply

[–] JudasGoat link

It is very tempting to go full "tin foil hat" at this point. I am seriously considering removing my cell battery and powering it up semi hourly to check for messages.

reply

[–] thsowers link

No, I tried with my number, all location data off. GPS landed right on my house, very room phone was in.

reply

[–] AlexCoventry link

Does disabling the location data via the settings make any difference, and is there an app which will turn off location data after a set period?

reply

[–] jobigoud link

The article mentions banks tracking your credit card usage to detect fraud. Are there known instances of banks reselling this location data?

reply

[–] mLuby link

I see a lot of suggestions about reducing or shutting off your signals, but what about boosting them in certain directions? As far as I understand cell tower triangulation, having a stronger signal in one direction might offset your calculated position in that direction. I wouldn't expect that to decrease connectivity, just require special equipment and more battery life.

reply

[–] yosito link

Interesting concept, although I don't even want my general vicinity to be tracked or shared without my consent.

reply

[–] John_KZ link

There's no way to do this without using your own antenna network. Even then, you need encryption just to anonymize your calls, but if you end up talking to people subscribed to the same carriers you're trying to avoid, you can trivially be de-anonymized by timing attacks. So there's no good solution, unless you're willing to turn your calls to voice mail.

More practical solutions would include:

-(physically) Powered off radio unless you want to make a call. A clear drawback is that you can't receive calls.

-Satphones. I'm pretty sure satellite phone providers aren't in this yet. They could be, but my guess is that they wouldn't want to waste bandwidth triangulating their users. Also satellite-based triangulation would be much harder and less accurate, and if you use your own directional antenna and sat-tracking mount, you can avoid this altogether. Until they start installing phased array antennas or something.

-Finding a provider that doesn't sell your data to third parties. Probably the hardest of all, and you have to rely on their word.

reply

[–] yosito link

It used to be possible to buy prepaid SIM cards with cash and not have to provide any identification. AFAIK, this isn't possible anymore. Does anyone know for sure?

reply

[–] John_KZ link

The providers in our country require ID. I think there was an EU directive in 2006 that gradually forced all providers to require identification. Of course this doesn't stop criminals in the slightest, they just get second hand SIMs registered by homeless or just SIMs from outside the EU, so it was a pointless law with regards to reducing crime, but if the goal was more surveillance they did ok.

reply

[–] netsharc link

Laws are everywhere to prevent this, because without ID, a terrorist can buy a SIM card and put it in his GSM-controlled IED. Not sure how strong it is being enforced though, the terrorist can just give a homeless guy a few bucks to buy a SIM card for him. IIRC when I bought a SIM card in an Asian country I went to visit, the seller just entered her ID number into the system.

reply

[–] freeflight link

The real question being: How hard is it to bypass/cheat the identification requirement? Especially considering the US doesn't even have something like an official ID card.

They also changed this in Germany. Now you have to fill out a form to activate your SIM, but afaik nobody ever checks if the information in the form is actually yours.

reply

[–] wmeredith link

If it's happening at the carrier level (triangulation via towers) there's zero you can do at the client (your phone) besides stop transmission by turning it off or placing it in a faraday cage.

reply

[–] whatshisface link

It sounds like GPS units are also involved: tower triangulation is inaccurate so by carrying a phone that has no GPS you would be able to claw back a few meters.

reply

[–] codedokode link

Change the law (don't know if it is practical though).

reply

[–] bradlys link

Out of all the solutions suggested - this is the most practical. This would actually fix the problem at hand. Make it illegal for them to either obtain and/or sell this data.

reply

[–] emodendroket link

Don't use a cell phone, I guess.

reply

[–] upofadown link

There is a reason that pagers are popular with drug dealers...

Assuming that you can actually get pager service where you are... Then you only get tracked when your phone goes hot and you access the network to return a call.

reply

[–] bckygldstn link

Use a service like Twilio or Google Voice.

reply

[–] yosito link

This occurred to me. It solves part of the problem, in that your phone number isn't tied to a physical location anymore. But it creates a new problem in that you don't actually have a cellular connection.

reply

[–] Skunkleton link

And also your phone is still collecting GPS and Wifi information, which is better than tower information anyway.

reply

[–] 8bitsrule link

Unless those have been disabled.

reply

[–] yosito link

Has anyone suggested a practical way that people can avoid being tracked? (Aside from Airplane Mode or keeping your phone in a Faraday Cage)

reply

[–] undefined link
[deleted]

reply

[–] 8bitsrule link

Once the books are all burned, there will be no more book-burnings.

reply

[–] Someone1234 link

Carrier IQ was far more invasive than just location. Their "Experience Manager" was supposedly tracking every app launch, time spent in that app, metrics on key & button presses within that app, and other misc interactions.

They got accused of being a "keylogger" which they rightly said they weren't, but that ignores how invasive and creepy Experience Manager was (is?). Their whole argument was that carriers can use this app data to see what apps are draining battery, which is kind of bs since carriers are in no position to resolve battery issues or advise customers.

The reality is that carriers wanted more information on how customers were using their devices, Carrier IQ provided that raw data, and both got rich. They survived the scandal because the critics focused on keylogging, instead of the highly invasive usage analytics which it really was.

reply

[–] m3kw9 link

Isn’t carrier IQ been always doing that?

reply

[–] goda90 link

You don't have to use a Google powered phone. But the modern economy almost demands you have a cell phone.

reply

[–] 0xb8000 link

We don’t have a problem when google does it ?

reply

[–] noetic_techy link

RMS = Richard Stallman?

reply

[–] reustle link

Correct

reply

[–] wilsonnb link

Stallman is not a prophet and there are many valid arguments against his views.

reply

[–] pathseeker link

Not really "valid arguments" but differing opinions. If you are fine with closed systems and surveillance states then everything RMS says against these systems will sound wrong to you.

reply

[–] OldSchoolJohnny link

Yeah him and every tin foil hat guy have been ranting about this for years. Doesn't make it not true, but RMS? Really? That guys is a certifiable nut job and we would all do well to let him lapse into the dust of history.

reply

[–] arca_vorago link

One of these days, most of you will finally understand just how right RMS was and is...

It's just a shame so many can't see it, and worse, give those of us who do shit.

reply

[–] rectang link

This tracking abomination is an emergent phenomenon of the merger of private industry and government in the US. See for example both legalized bribery (a.k.a. unlimited campaign contributions by corporations thanks to Citizens United) and outright bribery (Cohen) by telecoms like AT&T, ensuring that they will have the flexibility to perpetrate such garbage as this tracking data sale.

Why not distrust both government and industry? The rule "power corrupts" holds in either case.

reply

[–] 18pfsmt link

Are you saying AT&T bribed Cohen in order to have the Justice Dept. sue AT&T over its acquisition with Time Warner?

reply

[–] rectang link

I'm saying AT&T bribed Cohen, which is what we have evidence for so far. Perhaps there will be additional communiques exposed later which reveal specific requests.

They did not get the outcome they wanted with the acquisition, but there was also the matter of the administration wanting to punish CNN. Maybe AT&T should have paid more.

But AT&T has still done remarkably well vis a vis the FCC's selective deregulation of net neutrality, which makes it much easier for existing ISPs to leverage their quasi-monopolies and compete unfairly within other verticals.

The American system of legalized bribery needn't produce a bill of sale for regulatory capture.

reply

[–] emodendroket link

Alright, but distrusting all parties doesn't suggest a way forward.

reply

[–] rectang link

Why not? Both government and private industry bring innumerable benefits to humanity. But we can and should view them both with constant skepticism and exercise vigilance. Why should holding one accountable mean that we can't hold the other accountable?

If you're looking for someone to root for, I'd suggest the individual citizen.

reply

[–] emodendroket link

The individual citizen has practically no power against large institutional actors.

reply

[–] rectang link

That's like saying voting is pointless because individual votes don't matter.

https://en.wikipedia.org/wiki/Paradox_of_voting

reply

[–] emodendroket link

All voting can do is steer the course of the government, which you've just cast as nothing more than a villain.

reply

[–] rectang link

Since I said that government brings "innumerable benefits to humanity", and you've characterized that as "nothing more than a villain", I think we're done with this thread.

reply

[–] emodendroket link

Why wouldn't you have expected that?

reply

[–] wpietri link

I think it depends a lot on the kind of capitalism you have. There's what I think of as small-business capitalism, where business owners in a community naturally take the community's interest into account because that's where they live.

I think that's distinct from American MBA capitalism, which is the increase-shareholder-value, up-and-to-the-right, maximize-short-term-cash-gains kind.

The former is positive-sum, the latter can easily be negative sum. And I think the latter, because it doesn't include any humanity in its calculus, is perfectly capable of profitable tyrrany.

reply

[–] dredmorbius link

Go read some history. Power is Power, and will wear any damned guise it wants.

Corporations, criminals, monarchies, democracies, Fascists, Communists, Catholics, Protestants, Jews, Muslims, Hindus, Confucists, Goths, Huns, Romams, Macedonians, Persians, Greeks, Trojans, Hittites, Israelites, etc., etc., etc., have slaughtered, sacked, enslaved, oppressed, or dehumanised others, all in the name of temporary gain.

The British East India company had armies. Wyoming cattlemen funded a mercenary army in the Johnson Count War. Coal wars in Apallachia and Colorado. U.S. Steel, Standard Oil, the Pullman Company, the L.A. Times, Union Carbide in Bhopal, oil companies throughout the US, Middle-east, Indonesia, and Africa. Fruit companies in Latin America. Sugar, tobacco, and cotton plantations. Coal mines in Wales. The Kochs today.

reply

[–] fixermark link

> Hopefully there will be a way to opt out

Don't use a cellphone.

See also: the FBI can't wiretap your phone lines if you never use a telephone.

reply

[–] emodendroket link

Live in a cabin in the woods and never have contact with anyone. Now your surveillance worries are solved.

reply

[–] brewdad link

We have satellites to monitor those people.

reply

[–] ataturk link

It's so strange--I never would have expected the boot of tyranny to come from private corporations, but here we are. And what all this proves is that technology is value-neutral and can wipe us all out, or just make us incredibly miserable, if we let it.

Hopefully there will be a way to opt out. Otherwise, I should start selling faraday bags for devices. Probably should anyways.

reply

[–] 5064364100 link

Very much a tangent, but this song is the perfect soundtrack for privacy / tracking articles like these: https://www.youtube.com/watch?v=8ttTf8N7Bwg

"The Hymn Of Acxiom"

Somebody hears you. you know that. you know that. Somebody hears you. you know that inside. Someone is learning the colors of all your moods, to (say just the right thing and) show that you’re understood. Here you’re known.

Leave your life open. you don’t have. you don’t have. Leave your life open. you don’t have to hide. Someone is gathering every crumb you drop, these (mindless decisions and) moments you long forgot. Keep them all.

Let our formulas find your soul. We’ll divine your artesian source (in your mind), Marshal feed and force (our machines will) To design you a perfect love— Or (better still) a perfect lust. O how glorious, glorious: a brand new need is born.

Now we possess you. you’ll own that. you’ll own that. Now we possess you. you’ll own that in time. Now we will build you an endlessly upward world, (reach in your pocket) embrace you for all you’re worth.

Is that wrong? Isn’t this what you want? Amen.

reply

[–] undefined link
[deleted]

reply

[–] OnlyRepliesToBS link

Class Action Status: One dollar for every minute per person per conversation captured.

reply

[–] draw_down link

Other companies are selling access to this and other info too. Check out Urban Airship’s Connect product.

reply

[–] swerveonem link

How do I get into this business? PM me if you want to collaborate.

reply

[–] thr0waway999 link

Isn't this how teralytics.net gets the data it sells?

reply

[–] forgottenpass link

We don't _all_ work in adtech, you know?

reply

[–] trophycase link

And thank god for that...

reply

[–] Spooky23 link

I’m shocked that anyone is shocked about this! Transportation departments have been buying this data since the late 90s.

More creepy are the planning solutions for commercial development. You can buy datasets that will tell you the average income of drivers on larger highways in hourly buckets.

reply

[–] goda90 link

Unless I misunderstood, this has nothing to do with what apps you use to communicate. It has to do with connecting to the cellular network at all. I think the only way around this would be to run airplane mode with wifi only, and then taking lots of steps to keep your wifi use private too.

reply

[–] faitswulff link

While it is true that Signal's call quality is great, this doesn't seem relevant to the fact that cell providers can track you regardless of what apps you use.

reply

[–] privong link

> Signal calls are encrypted, so you effectively give nothing to the cell carrier when you make a call through it (except that you used some data).

Maybe not to your carrier, but presumably Google could capture some form of metadata.

reply

[–] Negative1 link

I've just started using Signal and was surprised by how good the call quality is. For those that aren't aware, Signal calls are encrypted, so you effectively give nothing to the cell carrier when you make a call through it (except that you used some data).

reply