Everyone Knows Where You Are
It seems like just another data breach story of corporate carelessness and individual incompetence until you read what kind of data was leaked. Then comes the surprise, followed by shock and outrage: Anyone on the Internet could track the location of any phone. Read on...
There Oughta Be a Law...
Security guru Brian Krebs reported that LocationSmart, a U.S. firm, was caught by leaking the real-time locations of nearly every cellphone user in the world. Anyone on the Internet could track any phone served by AT&T, Verizon, T-mobile, or Sprint, pinpointing the target’s physical location and movements to within a few hundred feet.
The leak was in a page of LocationSmart’s Web site that gave prospective buyers or this data access to it for demonstration purposes. The demo page did not require a password or any other authentication process to ensure that “only” authorized sales prospects could access a phone's location, and only temporarily. If you knew the URL, you could get access. All a visitor had to do was enter a phone number and the location of that phone popped right up.
Krebs charitably described LocationSmart’s foulup as a “buggy component of its Web site,” But I can imagine the following conversation during the creation of that page. Programmer 1: “Shouldn’t we put some kind of password protection on that?” Programmer 2: “Why? It only reveals the location of one phone at a time. It’s not like someone could rip off our whole database.”
Someone totally missed the point. If you know my current location, you can do me physical harm. If you know my kids’ phone numbers, you can kidnap them. If you know anyone’s location history, there’s a good chance you can blackmail them, or build a criminal case, force a divorce settlement favorable to your client, or just send them a message that scares the bejeezus out of them. That’s what is worth the two minutes it would take a programmer to “put some kind of password protection on that thing.”
LocationSmart took that “buggy component” offline after Krebs contacted them, then promptly clammed up. Of the Big Four carriers, only T-mobile would admit to Krebs that it sells customers’ real-time location data to LocationSmart. But they all do it. Doing so is perfectly legal; you gave permission when you accepted your carrier’s terms of service. It’s right there on page 197, paragraph 16, subheading T.
Hold onto your indignation; it gets worse.
The phone companies provide this information under the rationale that it will be used by law enforcement to determine the whereabouts of a suspected criminal. But Krebs found that some of LocationSmart’s customers have been reselling the location data they buy to firms that resell it again. This is just like the identity theft business in which “used” data is sold for less than it costs, and gets cheaper each time it’s resold again. Actually, LocationSmart’s business is like ID theft in more ways than this. Nobody consciously gave consent to be tracked, let alone to have their location data sold or resold to a limitless number of entities. But it’s all perfectly legal.
But we're safe now, since LocationSmart has disabled that "buggy component" of their site, right? That's unlikely, because we don't know how many other companies besides LocationSmart are receiving real-time location data from the phone companies. We don't know how those companies protect that information, or with whom they may share it. Krebs says that to be certain that you are not being constantly tracked "the only thing you can do is remove the SIM card from your mobile device."
It gets even worse.
Predictably, at least one of LocationSmart’s customers put several databases of location histories on cloud storage servers without any password protection. For a while, anyone could download the location histories of 38,000 police officers; you can imagine what organized crime would pay and do with that sort of thing.
The Fourth Amendment to the U.S. Constitution states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Police forces nationwide are tapping into commercial location history services in efforts to get around that pesky 4th Amendment warrant requirement. An outfit called Securus is selling to police the ability to look up the location history of any mobile device served by one of the four largest carriers. Of course, no police officer ever abused such privileges.
Only stern laws with heavy penalties can put an end to this invasion of our most important privacy right: the right to be secure in our persons, to be left alone physically. Without that right, all of the others are pointless.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 23 May 2018
|For Fun: Buy Bob a Snickers.|
Are Premium Malware Suites Worth Their Price?
The Top Twenty
Ready for a Digital Driver's License?
There's more reader feedback... See all 24 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Everyone Knows Where You Are (Posted: 23 May 2018)
Copyright © 2005 - Bob Rankin - All Rights Reserved