
Carrier sales of phone-location data is illegal, FCC plans punishment - Stanleyc23
https://arstechnica.com/tech-policy/2020/01/ajit-pai-carrier-sales-of-phone-location-data-is-illegal-fcc-plans-punishment/
======
stock_toaster
Presumably this only happened because the :

> lawmakers in November accused[1] the FCC of failing to protect consumers’
> privacy, and said that major wireless carriers were disclosing real-time
> location to data compilers without consumers’ consent or knowledge. The
> information could be obtained by companies including bounty hunters, the
> lawmakers said in a letter.

> [1]:
> [https://energycommerce.house.gov/sites/democrats.energycomme...](https://energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/documents/FCC.2019.11.8.%20Letter%20re%20Location%20Privacy.CAT_.pdf)

> -- as reported by Bloomberg

> [https://www.bloomberg.com/news/articles/2020-01-31/wireless-...](https://www.bloomberg.com/news/articles/2020-01-31/wireless-carriers-violated-privacy-by-sharing-location-fcc-says)

The FCC really has become just a lobbying goat under Pai. Yikes.

~~~
taurath
> The FCC really has become just a lobbying goat under Pai. Yikes.

Who could’ve predicted that, given he was a lobbyist for Verizon.

~~~
borgel
Fair, though Tom Wheeler (previous chairman) was also a lobbyist and he turned
out really well.

~~~
JohnJamesRambo
What does a lobbyist even do? I can't even imagine the scene, they go in a
politician's office and just start with "ok hear me out" or am I being naive
and it just means finding ways to pay them money?

~~~
URSpider94
I always assumed there was a lot of talking. Most politicians are inclined to
want to help businesses anyway, as they provide jobs and generate tax revenue.
If the lobbyist can come in and say “here’s what the cell phone providers
nationwide need to stay in business and continue to generate good returns to
shareholders and low prices to customers,” then that’s a powerful message -
especially when the counter-argument is a pile of faxes and postcards from
constituents that don’t tell a coherent story.

The money certainly doesn’t hurt, though.

~~~
badrabbit
The argument to that is communism basically does this and capitalism lets
companies do whatever they want as long as they don't harm consumers and play
fair

------
adrr
Biggest industry affected is the banks. They’ll ping your phone location if
you make out of area purchases as a part of fraud detection. If your bank
doesn’t require travel notices, they are probably pulling mobile location.
Some don’t, I know Chase uses mobile app to determine location.

~~~
russdill
The saddest thing about this is that my bank no longer requires notification
for international travel, but still does for travel within the US. I've had my
card shut off for fraud a few times while traveling in the US. Once when I had
almost no gas and was outside of cell service, thanks for that.

This is presumably due to all transactions outside of the US requiring chip,
but those in the US only requiring swipe.

~~~
franga2000
Wait, the US is still on magstripe? Isn't that literally just a bar code? No
challenge-response, or encryption? Fraud detection seems like the wrong thing
to be focusing on if that's the case...

~~~
Teever
Yeah, it's even worse than that. I was recently in the Bay Area and I went to
pay for a burger with my Canadian chip&pin card and when I put the card in the
transaction was automatically approved with no need to enter the pin.

This was quite alarming.

~~~
hnuser123456
Yeah, we do chip, and maybe signature if we feel like it

~~~
cmbailey
"feel like it" is practically never. I haven't had anyone ask to see my
physical card to compare signatures in over five years.

~~~
ZeikJT
Isn't this really in service of the customer to not waste their time? The
store is the one shouldering the risk because if it turns out to be a thief
using the card the store loses money/goods. The more they try to verify you
are who you say you are the less risk they are incurring. That's a benefit of
credit, it's less risky for the consumer in the end.

~~~
cmbailey
Absolutely. Just providing information for posters like the one above who don't
live in the US and might be surprised that no authentication happens here.

------
johnrgrace
I note that only REAL TIME location data is illegal, if I want to do most
marketing things data from several days ago is perfectly usable.

------
charred_toast
Are there even laws anymore? It seems like the law only applies to non-
corporate entities and citizens. If you're in politics, law enforcement, or
the Fortune 500, expect zero consequences for breaking the law. Exceptions
exist but aren't the rule.

~~~
gonational
This, so much.

Bounce over to this comment on another front page post for another great
example:

[https://news.ycombinator.com/item?id=22208260](https://news.ycombinator.com/item?id=22208260)

------
anonymousiam
So it's okay for the carriers to provide the phone-location (and other
metadata) to government entities without a warrant, but it's not okay to sell
it commercially? I'd love to see a legal analysis of that argument.

~~~
0x5f3759df-i
The Supreme Court ruled in 2018 that obtaining phone location data requires a
warrant. [1] So no, neither one is okay.

[1]
[https://en.wikipedia.org/wiki/Carpenter_v._United_States](https://en.wikipedia.org/wiki/Carpenter_v._United_States)

~~~
anonymousiam
So this Supreme Court ruling has eliminated all use of Stingray-like equipment
by all law enforcement agencies unless they have a warrant? Wow! Looks like
Harris will be going out of business soon, and no more DRT boxes flying over
cities?

~~~
unapologetic
Why are you being downvoted for pointing out mass surveillance and extremely
targeted surveillance are both still legal and frequently used?

~~~
loeg
Because it's hyperbolic, sarcastic, and unhelpful. Your question rephrased as
a statement is completely fine: "Unfortunately, mass surveillance and
extremely targeted surveillance are both still legal and frequently used."

------
foota
I'm sure the same precedent will apply for telecoms injecting ads, right?

------
dv_dt
I bet someone bought location data for legislators and showed it to them.

------
admax88q
Why is it legal for them to collect that data in the first place? Can't sell,
abuse, or accidentally leak that which you don't have.

~~~
dredmorbius
AT&T maintain a comprehensive database of call level history dating to the
1980s.

Certainly to resolve customer billing disputes, I'm sure.

[https://www.eff.org/cases/hemisphere](https://www.eff.org/cases/hemisphere)

[https://en.wikipedia.org/wiki/Call_detail_record](https://en.wikipedia.org/wiki/Call_detail_record)

[http://epic.org/privacy/nsa/Section-215-Order-to-Verizon.pdf](http://epic.org/privacy/nsa/Section-215-Order-to-Verizon.pdf)

------
PrivateRepo
What firms were sourcing this information?

------
sneak
The problem is that many private companies now have the historic data. Even if
they don’t receive any more in the future, most people only ever go 3-5
places. Collect data for a few years and you have the majority of the
population’s locations predicted most of the time for a decade or two.

------
thedirt0115
Is anything going to happen to the companies who bought the data? Is that also
illegal?

------
PrivateRepo
What companies are immediately going to be affected by this?

~~~
redmattred
[https://www.skyhook.com/](https://www.skyhook.com/)

~~~
thedirt0115
Wow, I had never heard of them, and I did not like this quote from the landing
page (if they got their data from mobile carriers like this): "Gain deeper
insights from location data to answer questions like who visits certain
places, where else do they visit, where do they come from and much more." I
don't like the feeling of being spied on.

------
paulmd
"one or more"

hint: it's all of them

------
kumarski
Some of the companies on this list could be hurt by this:

Alternativedata.org

------
dvduval
Does this increase the value of this data for Google?

~~~
jjohansson
That would be a 3D chess move by Google.

------
nerpderp82
I think jailtime+fines should be the minimal remedy.

------
paulproteus
I've long believed that when companies do illegal things that would normally
be punished by prison, the company should go to prison.

The company office would have to operate according to the same rules as a
prison. Employees on arrival are security-checked the same way prisoners would
be when they arrive for the first time. Rules about talking between cells, and
device use, are the same as a prison. Once you get to your prison office, and
you have your prison clothes on, you can work on paper.

I think this should be an existing prison. If a company wants to instead hire
prison guards and do renovations to make their existing office work like a
prison, I could be flexible to that.

Presumably all the employees would rather quit than work in prison. Sounds
okay to me.

Presumably all investors would pressure the CEO to avoid getting the company
put in prison because it would be a real productivity problem. Sounds okay to
me.

------
choward
Imagine someone time traveled here from 30 years ago first learning what cell
phones are then seeing this headline. Why is this even debatable?

~~~
pinko
Boiling frog syndrome.

~~~
Nicksil
> The premise is that if a frog is put suddenly into boiling water, it will
> jump out, but if the frog is put in tepid water which is then brought to a
> boil slowly, it will not perceive the danger and will be cooked to death.

[https://en.wikipedia.org/wiki/Boiling_frog](https://en.wikipedia.org/wiki/Boiling_frog)

~~~
dehrmann
But if you watch the pot, the frog won't boil.

------
dd36
Toothless fines. Indict corporate officers or employees that did it... then
you’ll get change.

~~~
ska
Fines don't have to be toothless.

~~~
warent
It depends on the perspective. Imagine an FCC shopping page for businesses
that says something like: "Gain ability to sell customer location data for a
year: $10,000,000"

"Fine" is a euphemism for market price. If the profits outweigh the fines and
the poor PR can be controlled in a timely manner, then they'll do it every
time.

~~~
ska
Market prices work the other way too; if fines are at least perceived to be
more expensive than any benefit you'll see, they are a good disincentive.

------
droithomme
Thank goodness for sanity!

------
Analemma_
I'll celebrate when the money from the fines is actually sitting in the
Treasury account, and not a moment before. Pai is outrageously corrupt, is
best friends with telecom CEOs, and with near-certainty will cave to requests
to have these punishments reduced to next-to-nothing.

~~~
JohnFen
Yes. Particularly given that Pai's FCC has developed a bit of a habit of
levying fines and then not bothering to actually collect them.

~~~
lonelappde
More info about this?

~~~
thedirt0115
0.003% of robocall fines collected so far:
[https://gizmodo.com/fcc-reportedly-collected-only-0-003-of-r...](https://gizmodo.com/fcc-reportedly-collected-only-0-003-of-robocall-fines-1833649669)

------
parvenu74
But Facebook, Google, Microsoft, et al are still free to sell phone location
data acquired through apps (or Android itself in the case of Google), right? I
wonder if there is any hope of laws to limit the ability of companies to sell
this data...

~~~
deadmutex
IIRC, Google doesn't sell your personal location data:
[https://safety.google/privacy/ads-and-data/](https://safety.google/privacy/ads-and-data/)

Disclaimer: I work at Google.

~~~
dredmorbius
That may be true.

But Google created the entire damned infrastructure and environment which
makes precisely that effect possible, no matter how thinly you slice the hairs
on what it is you call the practice.

~~~
dodobirdlord
Sorta an odd take in a thread about telecom companies selling data gathered by
the telecom networks that they built.

~~~
dredmorbius
Do you remember when telephones didn't come with embedded GPS, browser
webbugs, G+ NSTIC profiles
([https://old.reddit.com/r/plexodus/comments/aa6pmi/a_manhatta...](https://old.reddit.com/r/plexodus/comments/aa6pmi/a_manhattan_project_for_online_identity_nstic/),
[https://www.searchenginejournal.com/google-plus-history-deat...](https://www.searchenginejournal.com/google-plus-history-death/283685/)), and OS-level UUIDs?

Pepperidge Farm remembers.

