
US telcos appear to be selling non-anonymized access to consumer telephone data - benaadams
https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024
======
pde3
EFF and other privacy groups fought against this for a long time, and
eventually succeeded in having the FCC intervene to stop these practices:
[https://www.eff.org/deeplinks/2016/03/victory-verizon-will-stop-tagging-customers-tracking-without-consent](https://www.eff.org/deeplinks/2016/03/victory-verizon-will-stop-tagging-customers-tracking-without-consent)

Then one of the first things Trump and the Republicans in Congress did after
the election was repeal the FCC's privacy rules :(
[https://www.eff.org/deeplinks/2017/03/five-ways-cybersecurity-will-suffer-if-congress-repeals-fcc-privacy-rules](https://www.eff.org/deeplinks/2017/03/five-ways-cybersecurity-will-suffer-if-congress-repeals-fcc-privacy-rules)

~~~
ewams
On their website it shows that fiserv is a customer of theirs. Fiserv provides
core banking services for almost every major bank in the US which means they
know your money situation and your browser habits. Pair the two together and
they basically know everything about you. Let's see if they sell it to
advertisers too? Or have been hacked? Or rogue sysadmins? Or ...

~~~
lunarjones
fiserbe sells food dude

~~~
esrauch
Strange that fiserv.com is all about banking IT then...

------
c_prompt
I just emailed this company at general@danalinc.com (which is the address
stated in their privacy policy [1]) to remove all of my information from all
databases/backups and to never collect it again. Came back undelivered with a
550 error (Recipient address rejected: Access denied).

[1] [https://danalinc.com/privacy-policy/](https://danalinc.com/privacy-policy/) - "Danal is committed to ensuring that the information we obtain and
use about you is accurate for its intended purpose. You can contact us at
general@danalinc.com at any time to review, update, delete or correct (for
future use) your personally identifiable information maintained by Danal. We
will reply to your request within thirty (30) days of submission. You can help
us maintain accurate records by informing us of changes or modifications to
your personal information."

Edit: For payfone: [https://www.payfone.com/company/privacy-policy/](https://www.payfone.com/company/privacy-policy/) - info@payfone.com

~~~
c_prompt
Received an almost immediate message back from payfone:

"Hi [my name],

While we should explain more clearly that these services are used to protect
consumers from fraud, with one's consent, you can set up what you are asking
about with your phone company. We can send you the procedures to do that. I'd
like to go a step further and see if we can just opt you out entirely across
the board. I should also note that we do not store any current or historical
personally identifiable data. Hold on for more info."

As an aside, I didn't provide [my name] with my request - of course they
looked it up based on the phone number provided.

~~~
bogomipz
>"While we should explain more clearly that these services are used to protect
consumers from fraud."

So if someone's phone is lost or stolen they won't be able to use their
credit card or debit card? Wow, that sounds like quite a service - losing
access to your phone now means losing access to your money? So your card is
blocked because of a fraud alert and you have no ability to call your bank or
credit card company. You better hope you are not by yourself when this
happens.

I would close or cancel any account or card if they ever put me in such an
imposition as a result of using this service.

------
foodstances
In addition to both sites correctly showing my full name, phone number,
mailing address, and e-mail address, (and the Danal site showing my T-mobile
phone plan info) the Payfone site shows this ominous description:

[https://i.imgur.com/WkPj5Gb.png](https://i.imgur.com/WkPj5Gb.png)

I've had someone tell me they visited a shopping site once and without giving
the company any information, they got an e-mail from that company a day later.
I told them it wasn't really possible (from just the browser's perspective)
and that they must have been tracked through some 3rd party cookies.

Apparently that was false and it's totally possible for a site to use one of
these APIs and instantly get your full name, phone number, e-mail address, and
physical address just by looking up your IP, and then track you across
"switching carriers, changing phone numbers, upgrading devices, and replacing
lost devices". Scary shit.

~~~
ino
MEO does that in Portugal. With your phone you visit (probably) an ad on a
website and you're automatically subscribed to some 3rd party service that
charges 3€ a week from your mobile operator credit.

Then you call MEO to cancel the service and then you learn they're not
refunding your money and that instead of this 1€ call you could have disabled
the 3rd party services through their web login.

It's incredibly hostile, and there are more dirty tricks they use.

~~~
whataretensors
Yikes, a chargeback would have to hit your phone carrier directly.

Did you try calling your phone carrier? No way this is legal.

~~~
ino
MEO is the phone carrier. They're the largest one in Portugal, previously
called TMN. They're the ones I called.

I can't edit to make my post clearer. I'm also not their customer anymore.

------
randomfool
AT&T’s privacy policy states:

“We will not sell your personal information to anyone, for any purpose.
Period.”

How is this not contrary to that?

Additionally, they define personal information as:

"Personal Information: Information that directly identifies or reasonably can
be used to figure out the identity of a customer or user, such as your name,
address, phone number and e-mail address. Personal Information does not
include published listing information."

[http://about.att.com/sites/privacy_policy](http://about.att.com/sites/privacy_policy)

~~~
droopybuns
You can opt out of the advertising collection here:

[https://cprodmasx.att.com/commonLogin/igate_wam/cmpmobile.do](https://cprodmasx.att.com/commonLogin/igate_wam/cmpmobile.do)

~~~
ClayM
thank you sir

~~~
lithos
It won't matter, since the data will have already been sold. And 'services'
will fallback to a different provider.

American databrokering is a really mature industry after all.

------
nacs
Holy cow. This is scary.

With T-Mobile USA, the 2nd link correctly identified my phone number.

In the 2nd link though: name, current address, email address, phone number,
how long I've had the account, when it renews, who my previous carrier was, my
phone hardware details and my current latitude/longitude!

This is scary that anyone can access this with just a site visit.

~~~
petilon
I have T-Mobile prepaid and they have all my info except my first/last name.
They must have collected this info when I used my credit card for refilling.

~~~
nerdponx
Even in the US, I always thought it was illegal to use payment information for
anything other than payment processing. Evidently that is not the case.

~~~
artificial
What is considered cardholder data may surprise you. I’ve implemented many
integrations. It’s very specific and requires the primary account number. For
example, if the PAN is stored separately, the name and/or expiration date isn’t
considered cardholder data.

For the record storing this information would be folly - can’t lose what you
don’t have. Let the payment processor assume the responsibility by storing and
handling that if needed.

~~~
fragmede
(PAN = credit card number, for those outside the industry)

------
tehwebguy
Ajit Pai is stoked about this.

If you work for AT&T, Verizon, etc you have a responsibility to stop this even
by sabotage.

~~~
tootie
So are the 45% or so of voters who picked Trump knowing he opposed internet
privacy.

~~~
Bud
Most of those voters probably have a very poor or non-existent understanding
of internet privacy and an even poorer understanding of government's impact on
internet privacy.

~~~
tootie
I think some gross generalization. Reddit's Trump community were pretty
strongly supportive of privacy and net neutrality but just decided Trump was
ok anyway.

~~~
sixothree
My theory is that right-wing voters do not really care about policy. They seem
to respond more to displays of strength.

~~~
tootie
That's a bingo. Exhibit A is Trump giving the keynote at the Values Voters
Summit.

------
CommentCard
So now I need a VPN for my cellular data connection. What happened to privacy
laws? You could quickly grab highly personal identifying information by
setting up an encrypted wifi network at a business with plenty of foot traffic
and no open wifi networks. Then you could have a sign or placard directing
passersby to visit a URL of your choosing to get the wireless password. Then
you'd implement this API on your website.

Now you've got their personal info. Scary..

~~~
jpeg_hero
No, this doesn’t work on Wifi.

The claim is you need to be on the carrier’s mobile data network, the carrier
gives you an IP address, then a website owner asks the carrier who is at that
ip address and then the carrier gives the website owner the data that it has
on you (your real name, the address where they send the bills, the phone
number they assigned to you, etc)

~~~
slipstream-
You misunderstood: the commenter said they'd provide a passworded wifi network
and a sign somewhere saying "visit this URL to get the password for the wifi!"

People would visit that URL using mobile internet...

~~~
CommentCard
This is exactly what I was describing. You'd visit the site while on cellular
data to get the password.

------
sslalready
This happens in several parts of Europe as well. It's part of the telcos'
billing infrastructures, and many operators for example have middleboxes which
allow TCP streams to be looked up against the billing system.

I believe the original idea was to allow companies selling ring tones to able
to bill customers who downloaded their ring tones directly on the customers'
telco bill.

From a privacy standpoint it's been a catastrophe. There are countless
operators who have been caught decorating customers' outgoing HTTP traffic
with their mobile number or personal details. It's just a few years since one
operator was caught doing this in Denmark [1].

Again, just a few years ago, in Sweden, a company set up porn sites and pretty
much blackmailed their mobile visitors into paying $$$ for porn they
supposedly had agreed to download. This company was using operators' billing
APIs to lookup subscriber details from the IP:port numbers of connections to
their porn sites [2].

In Norway, a company called MobileTech uses the same APIs to improve
unreliable cookie-based web tracking. By using these billing APIs they can
assign a unique identifier to a particular subscriber regardless of whether
this subscriber clears their cookies or shares the connection across multiple
devices. Their tracking script (b.mobiletech.no iirc) is embedded on many
popular nordic sites. Their improved visitor tracking and demographic data is
also sold to third party marketing companies such as Research International.

[1] [https://www.version2.dk/artikel/mobilsurf-danske-teleselskaber-sender-dit-telefonnummer-til-hjemmesider-70145](https://www.version2.dk/artikel/mobilsurf-danske-teleselskaber-sender-dit-telefonnummer-til-hjemmesider-70145)

[2] [https://www.svt.se/nyheter/lokalt/skane/fangelse-for-skaning-som-skickade-porrfakturor](https://www.svt.se/nyheter/lokalt/skane/fangelse-for-skaning-som-skickade-porrfakturor)

------
QUFB
So what happens now? They shut down the scary demo site, keep selling the
information, and the new administration's FCC won't do a thing about it.

~~~
woobar
Best case scenario - the story picked up by the media. If somehow this is not
covered by the TOS, an entrepreneurial lawyer will file a class action
lawsuit. And we will get $10 credit for our service after the settlement. And
then this 'service' will become a part of the telcos TOS.

~~~
nasredin
What's the worst case scenario Mr. Cynic?

This is not Equifax-big so apart from the outrage by all the nerds nothing
will happen and we will all be here next year outraged at some new privacy-
raping revelation.

------
jimktrains2
I have Verizon Wireless and have opted out of all of the options on their
account privacy page a long time ago (at least a year), but I still show up in
these tests.

What recourse do I have?

~~~
larkeith
A VPN. ISPs and Telcos have made it abundantly clear that without significant
legal and financial pressure, they will never respect the slightest modicum of
consumer privacy.

~~~
jimktrains2
And how do I know the VPN is trustworthy?

~~~
Whitestrake
One option would be paying for a VPS on AWS or Linode or DigitalOcean or Vultr
or any number of similar providers - pick the lowest spec machine, raw network
throughput is not very hardware dependent - and set the VPN up yourself.

Streisand is pretty useful for this purpose.

[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

~~~
closeparen
Why is a random VPS provider's ISP more trustworthy than your own?

~~~
detaro
Not intrinsically, but the VPS providers ISP has less knowledge about me than
my home ISP. And I have a lot more choice between VPS providers than home
ISPs.

------
throw2016
This is a race to the bottom. This industry is neck deep in perpetuating a
culture of surveillance that most here benefit from, and see no problem in
stalking people around. So much for techies improving the world.

That's why moral and ethical posturing must be met with ridicule and
skepticism. When it comes to actual action most people are much more narrowly
focused with a unique ability to live in dissonance and hand wave and brush
away nearly anything.

Only regulation with laws and consequences works.

~~~
tomger
So how do we get this voted for by the people of the US? This whole hackernews
thread is full of nerds confirming if the lookup worked for their account. But
what do we do?

~~~
rhizome
Tell your Representatives and Senators you want a data-protection law.

------
larkeith
Shamelessly plugging the Librem 5 [1] here, as this article demonstrates
precisely why we need a privacy-focused, FOSS phone. While the carriers having
access to some of this information would not be prevented on a carrier-based
data plan (and I personally am not yet ready to switch to WiFi-only), using a
non-proprietary Linux distro means much simpler VPN support (one year of free
VPN is also one of the stretch goals!). It might also be possible to
compartmentalize PII availability by using WiFi only with an external data
hotspot (e.g. the ones sold by FreedomPop), perhaps in conjunction with a VPN.

[1] [https://puri.sm/shop/librem-5/](https://puri.sm/shop/librem-5/)

~~~
jimktrains2
You can already vpn pretty easily on an Android phone. The bigger issue is how
do we know that the VPN is trustworthy?

~~~
larkeith
One fairly trustworthy solution is to just set up a DigitalOcean droplet
($5/month) (or any other cloud provider, I just prefer DO), and host your own
VPN. DO provides a guide at
[https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04)

With regards to setting it up on Android, that does alleviate this specific
privacy concern, however it is still entrusting your OS to Google and our
carrier, neither of which have the best track records in consumer information
privacy. Android also has limited app access controls and frequently comes
with carrier-required bloat/spyware.

~~~
nerdponx
FWIW, DO can still see who is connecting to your droplet and what your droplet
is connecting to. That's probably fine for staying out of sight from your
mobile carrier. But many of the top VPN hosts now explicitly offer "no
logging" as part of their services, like Private Internet Access.

Don't forget that Android is open-source; open-source, non-backdoored versions
of Android exist.

------
confounded
I wonder if this is behind so many of the stories about seemingly impossible
de-anonymization by Facebook.

~~~
artificial
Probably more to do with horrible opsec and machine vision than anything. Even
pornhub can process their content to identify actors. FB buys a ton of data
and accumulates from public sources. Other advertising companies do similar
things by partnering with creditors. A use for this is matching sales with
lead origination. Grocery stores do this with coupons.

------
philip1209
Well, Google Fi does not seem to be selling my information . . . Externally

~~~
minton
How is Google Fi? Is it a full replacement for Verizon and others?

~~~
modeless
Absolutely. It uses T-Mobile's network most of the time and T-Mobile has
improved a lot in the past few years. Sprint and US Cellular are good
fallbacks for rural areas.

Another perk is unlimited international data roaming at the same price as
regular data, and at decent speeds too.

Billing is simple, support is great. The one downside is data is a bit on the
expensive side. But since you actually pay per GB, the GBs are yours. There
are no arbitrary limits or throttling that I'm aware of, tethering is allowed,
etc. Also you don't have to predict your usage ahead of time to choose a plan.
You only pay for what you use no matter how much or how little.

Disclaimer: I work for Google (but not on Fi)

~~~
throwawayjava
_> Another perk is unlimited international data roaming at the same price as
regular data, and at decent speeds too._

IMO this is the killer feature rather than merely a perk. Otherwise, in most
of the country, you're basically just paying quite a bit more for a slightly
better payment experience and equivalent actual service.

(I'm a Fi user).

~~~
radicaldreamer
Also, you can order up to 9 other data sims which share the same plan at no
extra cost. This allows you to utilize a cellular iPad or other devices with
worldwide LTE data.

------
libertyEQ
After reading every comment here, I decided to read the actual post and found
the links were obfuscated by bitly links. Since I think that is BS:

[http://democf.danalinc.com/sphere/](http://democf.danalinc.com/sphere/)

[https://dev.payfone.com/test/mobileauthentication/](https://dev.payfone.com/test/mobileauthentication/)

~~~
throwawayjava
_> obfuscated_

I was reading the article on my laptop and had to type the URLs into my phone,
so I appreciated the bit.ly links.

Besides, "obfuscated" is a bit strong -- as evidenced by your post, no
information is hidden.

~~~
musage
Even if you provide a shortened link, nothing would stop one from adding the
longer link, too.

> as evidenced by your post, no information is hidden

"not made obvious is a bit of a strong word, as your comment indicates, it
does actually exist"

It kind of helps when you don't move goal posts mid sentence.

------
EGreg
Yeah, so like, we passed this bill this year:

[https://www.usatoday.com/story/tech/news/2017/04/04/isps-can-now-collect-and-sell-your-data-what-know-internet-privacy/100015356/](https://www.usatoday.com/story/tech/news/2017/04/04/isps-can-now-collect-and-sell-your-data-what-know-internet-privacy/100015356/)

And Trump signed it:

[https://www.nbcnews.com/news/us-news/trump-signs-measure-let-isps-sell-your-data-without-consent-n742316](https://www.nbcnews.com/news/us-news/trump-signs-measure-let-isps-sell-your-data-without-consent-n742316)

Hey Republicans in the audience, can you at least acknowledge that on this
issue, the GOP may have gotten things wrong?

------
pxeboot
Any way to opt-out of this?

I tried both demos mentioned in the article. The first loaded some generic
looking data. The second pulled my phone number, name and address correctly.

~~~
jfk13
There's a response at the bottom of the article (click "Show all responses")
which indicates there's an opt-out mechanism.

~~~
gergles
Only for AT&T, and there's a response to that response that suggests that the
opt-out is ineffective.

I noticed some weasel words in a bank's ToS back in January that should have
been a harbinger of this kind of 'service'. I wrote to my carrier's privacy
team, and of course, heard complete radio silence in return. Here's what I
sent them:

> Hello,

> I recently opened an account at MEGABANK, and read through the opening
> documents. Towards the end of the documents is this paragraph:

> You authorize your wireless operator (AT&T, Sprint, T-Mobile, US Cellular,
> Verizon, or any other branded wireless operator) to use your mobile number,
> name, address, email, network status, customer type, customer role, billing
> type, mobile device identifiers (IMSI and IMEI) and other subscriber status
> details, if available, solely to allow verification of your identity and to
> compare information you have provided to MEGABANK with your wireless
> operator account profile information for the duration of the business
> relationship.

> You may opt out of this information sharing by contacting your wireless
> operator directly.

> Googling phrases in this paragraph shows many banks and other companies that
> have identical or very similar language in their terms of service or privacy
> policies.

> I tried to contact customer service to opt out of this sharing (I absolutely
> do not want to share this with anybody,) but they were unable to help me.
> Can you please let me know how to opt out of this information sharing on all
> lines on my account and to provide me with any other details you have
> available on it?

This has been a thing for at least this entire year, and the "opt-out"
mechanism appears to be completely ineffective.

~~~
cbhl
You left the name of MEGABANK in your second paragraph

~~~
mrhappyunhappy
Now we know where he banks. Neat.

~~~
nasredin
At one of the five MEGABANKS or their subsidiaries?

------
home_boi
Well this is scary. We should see more concentration on privacy/security at
the mediocre tech companies (because engineer pay is a decent indicator of
privacy standards and security strength), ISPs, health care companies and
financial companies. They have very personal data and many of them actually
sell the data (and apparently even unanonymized data).

I feel that all the talk of privacy at the big tech companies like Google, FB,
etc. is unwarranted compared to the threat. They have solid security and don't
actually sell data. Letting advertisers target viewers based on demographic
data is different from providing anonymized data to people and they have
policies that make sure that advertisers can't get too narrow with their
targeting.

------
yardie
The dev link appears to be down. I guess someone shut the door or the API
crashed.

------
throwanem
Not Ting! I tried the first one expecting a spook, but Ting fed it bogus data:

[https://i.imgur.com/woOZumM.jpg](https://i.imgur.com/woOZumM.jpg)

ETA: The second one choked up a Wordpress error. So, not sure what to make of
that.

~~~
misframer
I'm on Ting (GSM). The second link had my number, name, and address.

~~~
edwhitesell
I'm on Ting, CDMA (Sprint) and neither link worked. Not found errors.

------
itchyjunk
What does this mean for an average person like me? Based on the comments, I
can opt out from those specific sites but not from the phone company making
data available to whoever purchases it? Am I better off going back to no SIM
and only a Google Voice number pointed to a phone? (I did this for some time and
recently put a SIM card back in.)

~~~
EGreg
The future is in empowering local communities and decentralizing power, via:

solar power generation

mesh networking

local social networks

identity that you control on your own phone

hopefully the phone hardware and security will be commoditized and auditable.

Here is what I'm talking about
[https://www.youtube.com/watch?v=WzMm7-j7yIY](https://www.youtube.com/watch?v=WzMm7-j7yIY)

Edit: why the downvotes? I am genuinely curious. Can people who feel this way
explain?

~~~
ajmurmann
I think you are being downvoted because you aren't actually answering the
parent's question but instead are using the opportunity to sell some vision of
the future that might be overly optimistic and in fact might present the
parent's concerns as less critical than they should be.

~~~
EGreg
But it does answer the root of the question!

_"Based on the comments, I can opt out from those specific sites but not from
the phone company making data available to whoever purchases it?"_

Well you can opt out of the phone company once people decentralize the stuff I
mentioned. And then I said the same can be done for power generation companies
and so on.

But anyway, even though I disagree with it, at least that is a possible reason
I was downvoted.

------
matheweis
Impressive; it managed to pull my phone number, my current address, my
previous address, all without any info at all (I didn’t provide any info in
the first link, just in case that was somehow priming the second one).

~~~
pritambaral
And _scary_.

Any code running on your phone has access to all this information, with just a
few HTTP calls, when your phone is on cellular data.

------
amrrs
I know a person in a telecom company in Analytics (Digital and CVM). They have
the ability to see the phone number (only encrypted) browsing their current
website. This information is part of clickstream but it is not shared with any
third party because it's a confidential information that if shared without
customer consent will bring loads of issues to company. The recent GDPR is one
thing that keeps companies on their toes.

------
austenallred
They’ve been doing this for years. You can also license real-time GPS and WiFi
location. Perfect for geotargeted ad campaigns.

~~~
confounded
Can a telco access those things? My understanding was that this would need to
come from the phone’s OS (or an app with appropriate access).

~~~
SamReidHughes
If you’re connected to the cellular network, they know where you are.

~~~
derimagia
They aren't talking about cell towers like the article mentions. They said
GPS.

------
rosser
Is anyone else getting NXDOMAIN for democf.danalinc.com?

Is that perhaps an "Oh, shit. They found us!" move?

~~~
alecco
Yes. But I think it's more likely they got contacted by some legal department.

------
thisacctforreal
Insane to think an app on your phone can request the demo page to see the
details.

I assume they have CORS setup properly to not allow any old JS to scrape it,
they would have to explicitly allow origins access for that.

~~~
philipn
I believe a native mobile app would be able to make the request and scrape the
data, regardless of CORS. Because basically no suspicious information is
transmitted, it'd be pretty easy to squeeze past an app store review.

Of course, you could buy one of these services and have access, too.

~~~
Groxx
CORS is strictly browser-side enforced, so yes - any app can make this query
and scrape the response.

------
nerdponx
It looks like both demo services have been taken down.

------
jknz
Is this service available to personal developers? Do they prevent
perverts/psychopath/criminals from using the service?

If a malicious stranger on a dating site sends you some link where he gets
your IP address. Using that service, he may be able to collect your phone, full
name... and billing address so he can eventually knock at your door a few
minutes/hours after your visited the link... How scary...

------
juskrey
This is everywhere. Here in Eastern Europe they go as far as giving away your
mobile phone number when you browse (or at least encoded token for spamming
you via operator). I was able to opt out though.

~~~
cromulen
What? Where exactly in Eastern Europe? I'm deeply concerned by this.

~~~
lima
In Germany, this would be illegal without a very explicit opt-in. While the
German data protection laws are stricter than the EU ones, this still
surprises me to hear.

~~~
usrusr
What are the chances that you accidentally "consented" in one of the myriad
cookie popups clicked away each day?

~~~
Grollicus
None that would be lawfully binding. For stuff like this content must not be
"surprising" or its void and courts interpret this very strictly.

------
kuon
How does it work? I mean, most carriers here in Europe don't give you an IP;
your phone has an internal (10.xxx most of the time, but also IPv6-only) IP and
you are behind a NAT, which means hundreds (up to PAT scalability) of devices
may share a common IP. Those APIs would need the source port number in addition
to the IP. Is that the case?

~~~
kevin_nisbet
One way, although I suspect it's dying, is some of the network equipment
supports header injection. So what will happen, if you go to an approved URL,
the network will inject headers into the HTTP request that contain your
10.xx IP address, IMSI, etc., which can allow it to survive a NAT.

This tends to get used mostly for internal traffic and partners where an
agreement exists, although I think I read once that a US carrier messed up
their configuration once and the header injection was happening on every site.

For encrypted traffic, I'm not sure what's happening these days.

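As an added example (constructed; not carrier code and not from either of the two comments above), the two mechanisms those comments describe: a CGNAT translation log, where a lookup by public IP alone is ambiguous and only the triple (public IP, public source port, time) names one subscriber, and a middlebox that injects subscriber identifiers into a plaintext HTTP request, paired with the server-side check that would spot them. The log entries, subscriber ids, MSISDN and IMSI values, and the header-name watch list are all constructed; the header names are ones that have appeared in public write-ups of this behaviour, not an official or complete list.

```python
from datetime import datetime, timezone

# --- 1. CGNAT: why the lookup needs port and time, not just the IP ----------
# Constructed translation log. Many subscribers sit behind one public address,
# and a public port is handed to a different subscriber once a session ends.
# Fields: (start, end, public_ip, public_port, private_ip, subscriber_id)
NAT_LOG = [
    ("2017-10-13T12:00:00Z", "2017-10-13T12:05:00Z", "203.0.113.7", 40001, "10.20.0.5", "SUB-1111"),
    ("2017-10-13T12:02:00Z", "2017-10-13T12:04:00Z", "203.0.113.7", 40002, "10.20.0.9", "SUB-2222"),
    ("2017-10-13T12:06:00Z", "2017-10-13T12:09:00Z", "203.0.113.7", 40001, "10.20.0.9", "SUB-2222"),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subscribers_behind(public_ip: str, at: str) -> list:
    """Everyone with a live session on this public IP at `at`: an IP-only lookup."""
    when = _ts(at)
    return sorted({sub for s, e, ip, _, _, sub in NAT_LOG
                   if ip == public_ip and _ts(s) <= when <= _ts(e)})


def resolve_connection(public_ip: str, public_port: int, at: str):
    """The carrier-side lookup the thread asks about: (public IP, source port,
    time) -> subscriber id, or None if nothing (or more than one thing) matches."""
    when = _ts(at)
    hits = [sub for s, e, ip, port, _, sub in NAT_LOG
            if ip == public_ip and port == public_port and _ts(s) <= when <= _ts(e)]
    return hits[0] if len(hits) == 1 else None


# --- 2. Header injection: the identifier travels inside the request ---------
# Header names reported in public write-ups of carrier middleboxes; a watch
# list for detection, assumed here rather than taken from any carrier spec.
INJECTED_HEADER_NAMES = {"x-msisdn", "x-up-calling-line-id", "x-imsi", "x-uidh", "x-up-subno"}


def carrier_inject(raw_request: bytes, msisdn: str, imsi: str) -> bytes:
    """What a middlebox does on an 'approved' URL: append subscriber headers to a
    plaintext HTTP request. Because this happens inside the carrier network, the
    identifiers arrive at the site regardless of NAT on the way out."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    extra = f"X-MSISDN: {msisdn}\r\nX-IMSI: {imsi}".encode()
    return head + b"\r\n" + extra + sep + body


def find_injected_identifiers(raw_request: bytes) -> dict:
    """Server-side check a site operator can run: which subscriber identifiers
    came in on the request headers (lower-cased name -> value)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    found = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in INJECTED_HEADER_NAMES:
            found[name.strip().lower()] = value.strip()
    return found
```

Two things the NAT half makes concrete: an IP-only query returns a set, not a person, and the same public port names a different subscriber a minute later, so the lookup is only as good as the timestamp on both sides. The injection half only works on plaintext HTTP; a middlebox cannot add headers to a TLS stream it does not terminate, which is why the source-address lookups the article describes are the variant that survives HTTPS.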
------
rrggrr
Caller ID is available via Twilio here:

[https://www.twilio.com/lookup](https://www.twilio.com/lookup)

Unlisted users _might_ be able to present any data they please here:

[https://www.listyourself.net/ListYourself/listing.jsp](https://www.listyourself.net/ListYourself/listing.jsp)

------
vermontdevil
What the hell can we do?

Cancel phone contracts and just rely on WiFi?

Other options?

~~~
DenisM
VPN, with a local server for speedy access.

~~~
rhizome
Local, meaning like in my car?

~~~
DenisM
Local like in "your city", to reduce latency.

------
jlgaddis
VZW (in .us):

First link: Didn't work, kept saying my billing zip code was incorrect.

Second link: "We used our mobile authentication to instantly discover your
mobile phone number from the phone network." but it didn't show any
information.

~~~
sbr464
Verizon here and everything worked, all info. US

------
kylehotchkiss
So when their service gets hacked two weeks from now, we can see the locations
of VIPs? Celebrities? Rich people? When they hear about this (after their
locations are leaked...) they’ll make telcos fix it, right?

------
throwaway2955
AFAIK the carriers require a double opt-in for this.

The first opt-in, which the Medium article describes, can be online with
boilerplate language. But then you have to opt-in a second time by replying to
an SMS sent directly to the device by the provider with language pre-
determined by the carrier. The user has to reply YES to the text message, and
you have to keep auditable records of these things.

If these 2 providers aren't requiring the second opt-in step, I expect they'll
be kicked off the platform pretty quickly.
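An added example, not carrier code and not from the comment above, of the double opt-in that comment describes, written as a gate in front of the lookup: web-side consent alone never releases data, the carrier's own fixed-text SMS challenge has to be answered YES from the handset, and both steps leave an audit record. Merchant names, the challenge text, the record layout and the YES matching rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Consent:
    """Per (subscriber, merchant) consent record; every transition is appended to `audit`."""
    msisdn: str
    merchant: str
    web_optin_at: Optional[str] = None   # step 1: boilerplate accepted on the merchant's site
    sms_sent_at: Optional[str] = None    # carrier sends its own fixed-text challenge
    sms_reply_at: Optional[str] = None   # step 2: handset replied YES
    audit: list = field(default_factory=list)


class DoubleOptInGate:
    # Assumed carrier-controlled wording; the merchant cannot change it.
    CHALLENGE = "Reply YES to let {merchant} verify your identity using your account details."

    def __init__(self):
        self._consents = {}
        self.outbox = []  # (msisdn, text) the carrier would send over SMS

    def record_web_optin(self, msisdn: str, merchant: str, at: str) -> Consent:
        """Step 1. Records the web consent and immediately issues the SMS challenge."""
        c = self._consents.setdefault((msisdn, merchant), Consent(msisdn, merchant))
        c.web_optin_at = at
        c.audit.append(("web_optin", at))
        c.sms_sent_at = at
        c.audit.append(("sms_challenge_sent", at))
        self.outbox.append((msisdn, self.CHALLENGE.format(merchant=merchant)))
        return c

    def record_sms_reply(self, msisdn: str, merchant: str, body: str, at: str) -> bool:
        """Step 2. Only a YES reply to a pending challenge confirms; anything else is
        logged and ignored. A reply with no pending challenge is ignored too."""
        c = self._consents.get((msisdn, merchant))
        if c is None or c.sms_sent_at is None:
            return False
        if body.strip().upper() != "YES":
            c.audit.append(("sms_reply_rejected", at, body))
            return False
        c.sms_reply_at = at
        c.audit.append(("sms_reply_yes", at))
        return True

    def may_release(self, msisdn: str, merchant: str) -> bool:
        c = self._consents.get((msisdn, merchant))
        return bool(c and c.web_optin_at and c.sms_reply_at)

    def lookup(self, msisdn: str, merchant: str, subscriber_record: dict):
        """The only path that hands out subscriber attributes; refuses without both steps."""
        if not self.may_release(msisdn, merchant):
            return None
        return subscriber_record

    def audit_trail(self, msisdn: str, merchant: str) -> list:
        c = self._consents.get((msisdn, merchant))
        return list(c.audit) if c else []
```

The failure mode the thread is arguing about is the one `lookup` refuses: a record with `web_optin_at` set and `sms_reply_at` empty. If a provider can pull data in that state, the second step is not being enforced at the point where it matters.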

~~~
lima
If that's the case, why don't the carriers do the second step themselves?

That's the very least they could do to protect their customer's privacy.

~~~
a3n
They're not trying to protect your privacy, they're trying to leave no money
on the table. Selling your data is obvious, it's all they have above the
commodity of a properly working dumb pipe.

------
subway
Is T-Mobile now blocking this? I get their DNS failure page (I'd have sworn I
opted out of that too)

~~~
dawnerd
Getting that too AND I'm using my own dns, so wonder if they just hijacked it.

------
zanedb
Well, the first demo is now returning a NXDOMAIN error.. they likely just
changed their DNS after this blew up. The second domain just returns a
WordPress error.

So, I never got to experience the data myself but I'm sure it's there.

Does anyone have a new working demo URL for either service?

------
DenisM
I got “Joe Consumer” on TMobile.

~~~
wlesieutre
Try the second demo? First one told me my zip code was wrong, second had my
phone number, email address, and physical address. Also on T-Mobile.

~~~
confounded
Second got my number, but that’s it.

~~~
lima
Bad enough.

~~~
confounded
Indeed. And of course, T-Mobile do have the rest of my details to sell, and
I’ve no idea what’s available.

------
Moto7451
Neither link was able to dig up any info on me. My current plan came from a
prepaid carrier TMobile purchased so I’m guessing I’m not properly opted in or
the TOS that I agreed to that TMobile inherited does not allow it.

~~~
morganvachon
Neither link worked for me either, but it may be because we're all hammering
the servers. Still, FWIW I'm on Xfinity Mobile for my phone (which rides on
top of Verizon's service) and Ting on my iPad (on Sprint's network). I'll try
again later today.

------
kumarski
airsage.com

Safegraph.com

Been going on for a long time. I think safegraph does it with SDK data output
or something.

------
drumttocs8
We all have a lot of outrage over this. What are we going to do about it? What
tool can we build to fix it, either on a technical level or at a social level?

------
chiefalchemist
Does anyone know how to prevent or mitigate this? For example, will my VPN
provider's app help? Or is that a false sense of security?

------
dmitrygr
Straight Talk (att mvno)

Demo doesn't work:

    
    
      You have a privacy setting on at
      Your mobile operator.
      Try this demo on another phone.

------
bogomipz
I am curious are your phone's IMSI and IPv6 address static enough on most US
carriers that this service would be reliable?

------
benbristow
Both the demos have been hugged to death

~~~
dawnerd
It worked a second ago now the first link instantly fails with a dns error.

------
knowaveragejoe
Haven't been able to use either site. Anyone know why these are down now?

------
SolaceQuantum
Neither link works for me: WiFi disabled on T-Mobile iPhone 7.

~~~
matwood
Same. I think the companies shut down the APIs for damage control.

------
codedokode
Well this is how free market works, isn't it?

------
maxpert
Didn’t work for me

~~~
davidmurdoch
Same here. First link returned "Joe Consumer" for me, second link errored out.

~~~
tyingq
You do have to turn off WiFi, in case you missed that.

------
ericlamb89
looks like both links have been taken down

------
Trav5
sarcasm: It's a good thing https is becoming so prevalent to prevent man in
the middle privacy concerns.

~~~
pritambaral
Well, the classical MitM attacker is someone trying to gain/manipulate
information. In this case, the "Man" in the middle is simply giving out
information it already has.

------
SomeStupidPoint
I propose we use this technology for a lead-gen platform for a campaign about
privacy rights.

I'm sure collectively HN could sneak this technology onto enough web platforms
to reach a sizable portion of the US. So let's do it.

Let's just call everyone we can possibly get the number of and tell them
exactly how we got it -- their phone company sold it to us when they loaded a
bit of code while visiting innocuous websites.

------
OnePostWonder
Silicon Valley will have their Snowden moment.

[http://www.cultstate.com/2017/10/13/The-Butterfly-War/](http://www.cultstate.com/2017/10/13/The-Butterfly-War/)

------
arcaster
Brb, shredding my iPhone and purchasing a DumbPhone TM.

~~~
tskaiser
Won't help. It gets the information from the telco provider, and does not
require GPS or any other fancy hardware.

~~~
chrisfosterelli
It helps in the sense that it's difficult/impossible to browse the web on
dumbphones, so they won't get your IP in the first place.

~~~
tqkxzugoaupvwqr
Might as well keep the iPhone and turn off mobile data and wifi.

------
olegkikin
That's why Ghostery is important, at least it can help with the cookie part.

~~~
dawnerd
No, it’s why a vpn is important. Ghostery does absolutely nothing to prevent
your subscriber details from being released.

~~~
olegkikin
VPN will not stop them from tracking you with cookies. So both are important.

