
Your mobile data sold, without your knowledge - gorm
https://translate.googleusercontent.com/translate_c?depth=1&nv=1&pto=aue&rurl=translate.google.com&sl=auto&sp=nmt4&tl=en&u=https://www.nrk.no/norge/xl/avslort-av-mobilen-1.14911685&usg=ALkJrhg2E3Kd2UU0k_J_BzxLhiHxavYOcA
======
surround
The article assumes that the location data must have been collected because he
gave an app permission to access his location. I bet they couldn’t figure out
which app it was because it wasn’t an app.

Cell service providers _can_ and _do_ track your cellphone location. All they
have to do is measure the signal strength of your cellphone at different
towers, and they can triangulate its position.

[https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-
hu...](https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-
hunter-300-dollars-located-phone-microbilt-zumigo-tmobile)

I’m not familiar with other locations, but in the US, you only have the choice
between three cell service providers. _All_ of them admit to selling their own
customer’s location data to third parties in their Privacy Policies.

AT&T
[https://about.att.com/csr/home/privacy/full_privacy_policy.h...](https://about.att.com/csr/home/privacy/full_privacy_policy.html)

Verizon [https://www.verizon.com/about/privacy/full-privacy-
policy](https://www.verizon.com/about/privacy/full-privacy-policy)

T-Mobile/Sprint [https://www.t-mobile.com/privacy-center/our-
practices/privac...](https://www.t-mobile.com/privacy-center/our-
practices/privacy-policy)

Remember, you’re _paying_ for these services. But they still sell you out.

I seriously recommend you read the privacy policy for your provider. It seems
they collect as much data as possible (not just location, also browsing
history and a whole host of other metrics) and share it with as many different
parties as possible.

If you are using a cellphone, your location is being tracked. Period. You
can’t avoid it. Even TOR isn’t gonna help you.

~~~
henriklied
> The article assumes that the location data must have been collected because
> he gave an app permission to access his location. I bet they couldn’t figure
> out which app it was because it wasn’t an app.

I worked on this story (and the others, we're still publishing [1] [2]).

The dataset we bought from Tamoco didn't contain an app name for most of the
data. So instead of guessing, we're open about the fact that we don't quite
know. Which is sort of the issue here – there's not a lot of transparency
around what is collected and by whom.

The Norwegian Data Protection Agency (DPA) has opened an investigation into
Tamoco [2] after our first story, and they want to cooperate with the UK DPA.

[1]
[https://translate.googleusercontent.com/translate_c?depth=1&...](https://translate.googleusercontent.com/translate_c?depth=1&pto=aue&rurl=translate.google.com&sl=no&sp=nmt4&tl=en&u=https://www.nrk.no/norge/mobilsporing_-8300-mobiler-
sporet-pa-sykehus-og-krisesentre-1.15008085&usg=ALkJrhgZ2TqtPraYad9xfMdQ-
upJtC-Vng)

[2]
[https://translate.googleusercontent.com/translate_c?depth=1&...](https://translate.googleusercontent.com/translate_c?depth=1&pto=aue&rurl=translate.google.com&sl=no&sp=nmt4&tl=en&u=https://www.nrk.no/norge/datatilsynet-
opnar-gransking-etter-nrk-
avsloring-1.15011535&usg=ALkJrhiYQX4OK8aXpnIVQQKJtYK4LNLffQ)

~~~
tixocloud
It could be an app - we've had startups approach us to sell location data
collected from apps so I wouldn't rule anything out at this point.

~~~
henriklied
Feel free to contact me if this is something you want to talk about!

------
indymike
Many of the apps that sell your location use location as a critical component
of the experience. Apple and Google added a permission last year - only allow
access to location when app is running (in the foreground). That change has
made a dramatic reduction in the amount of location data available.

Ultimately, free is the culprit. People like to navigate, buy stuff online,
see things on a map, get local weather, and so on - especially if it is free.
The old adage about if it is free, you are the product probably applies.

~~~
cocoa19
"Ultimately, free is the culprit. "

False... Plenty of companies take your money and still sell your data.

~~~
surround
...such as cell service providers. All of them (in the US, at least) sell your
location and browsing data to advertisers.

I would happily pay for a provider that doesn’t triangulate my location 24/7,
but none exist.

~~~
chris_va
(not defending their practices at all...)

They are required to for 911 support.

Obviously they are not required to keep the data, and especially not sell it.

(Minus maybe a sealed NSA directive, though that is pure speculation on my
part)

~~~
eru
In the EU they are required to keep some data by law. No clue about the
location data, though.

------
saagarjha
This is one of the reasons why I'm generally not OK with "anonymized" data
collection without an explanation of how it's being anonymized. It's almost
always easy, often trivially easy, to correlate the data together and
basically get a perfect recreation of whatever the original data was back.

~~~
meritt
Anonymization in the data reselling industry is often some form of
md5(lower($email)). It's a joke. They even do that for extremely small search
spaces like phone numbers. It's still provided at the individual user-level
and even if the anonymization is done in a way that's irreversible, you only
need to know a single event for a given person and you now have their entire
history.

For example, there's a popular email client that scrapes people's inboxes and
sells their purchase history to anyone willing to pay. That purchase history
is provided on an individual email level and is "anonymized". But if you know
your target has this email client installed and you know a single purchase
(e.g. a coworker saying "Oh, I bought this awesome coffee maker on Amazon last
night!") you can now access their entire individual purchase history backward
and forward.

~~~
rmrfstar
> coworker saying "Oh, I bought this awesome coffee maker on Amazon last
> night!"

This x1000.

I have seen people invite others to eat lunch at restaurants that only
accepted credit cards in order to elicit such a data sample.

~~~
panpanna
Wait, what? Please tell us more

------
chipperyman573
Wow, this article is really interesting, but one thing I noticed is that the
translation is generated and perfect! In fact if the header weren't there I'd
have thought it was written by a native english speaker.

~~~
partingshots
It’s secretly an ad for Google Translate.

~~~
jalk
That is actually a pretty good translation with few mistakes

------
cornishpixels
In Soviet Russia, your cell provider sells this data.

Wait, no, that's America. I was thinking of America.

~~~
jalk
Gramma nazi on: you mean Russia or the Russian federation if you want to be
precise. The Soviet Union collapsed almost 30 years ago.

~~~
clort
"in Soviet Russia" is a meme format

[https://en.wikipedia.org/wiki/Russian_reversal](https://en.wikipedia.org/wiki/Russian_reversal)

------
aritmo
Most likely the users installed one of those free apps that ask for location
access. Those apps collected the location, even when not ruining and uploaded
for sale.

It is a pity they did not do better forensics on the installed apps. One or
more were revealing the location.

~~~
KMnO4
It would be really interesting if each app was fed a slightly modified
location as steganography. Then the sold data could be cross-referenced to
determine which companies are selling the data.

~~~
VRay
Sounds like a waste of time to me. If you feed 5 different location streams,
you'll just find those same 5 streams for sale.. What a f---ing nightmare
we're living in

------
mirimir
This isn't likely news, for most here.

But it can't be reported enough, for the general public.

~~~
carapace
Yeah, I think this is one of those things where, when the normals catch on,
there's gonna be pitchforks and torches.

~~~
mirimir
Indeed, but what would it take?

I gather that NRK is the BBC equivalent for Norway, so it's not surprising
that Tamoco sold so much data to it. But I wonder how selective Tamoco and its
competitors are.

In particular, I can imagine that there's a substantial market for data that
facilitates tracking people. Bounty hunters. Repo agents. Private
investigators.

But also people who want to stalk others for whatever reasons. If someone
could document _that_ application, perhaps there'd be "pitchforks and
torches".

~~~
carapace
I don't know what it would take, if anything. I was talking to some twenty-
something folks in Berkeley about a decade ago and asked them what they
thought of Snowden. They didn't know who he was. When I explained, they
dismissed the whole thing. It turned out that they assumed the government was
spying on everybody anyway. I don't know what to make of that, I'm just
passing along the anecdote.

Anyway, from what I've heard these marketing companies are not very selective
at all. More precisely, they _are_ selective but don't dig too deeply. But
this is just my impression, not fact.

~~~
mirimir
> It turned out that they assumed the government was spying on everybody
> anyway.

I've assumed that since the 60s :)

Anyone remember "The President's Analyst"?

------
milankragujevic
The NY Times had a similar article recently:
[https://www.nytimes.com/interactive/2019/12/19/opinion/locat...](https://www.nytimes.com/interactive/2019/12/19/opinion/location-
tracking-cell-phone.html)

------
Cactus2018
Previous short discussion about a "foot traffic" vendor
[https://news.ycombinator.com/item?id=22704138](https://news.ycombinator.com/item?id=22704138)

------
rrix2
A vast unaccountable ecosystem of data brokers simply cannot be the way
society is forced to feed app developers.

------
ggggtez
Despite the title, it was mostly an article about location data being (no
surprise) identifying information.

------
pravda
A question for the Android experts: is it possible to block or spoof location
data, through a custom build?

Could I have an Android phone running a program that spoofs a long steady
drive from Tampa to Butte?

~~~
rmrfstar
Yes, but that does not stop the cell providers from selling your location [1].

You could also run an Android VM in the cloud and RDP to it when you want to
use sketchy (edit: free) apps. This approach could have saved Bezos some
trouble [2].

[1] [https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-
hu...](https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-
hunter-300-dollars-located-phone-microbilt-zumigo-tmobile)

[2] [https://www.nytimes.com/2020/01/22/technology/jeff-bezos-
hac...](https://www.nytimes.com/2020/01/22/technology/jeff-bezos-hack-
iphone.html)

~~~
oarsinsync
> You could also run an Android VM in the cloud and RDP to it when you want to
> use sketchy (edit: free) apps. This approach could have saved Bezos some
> trouble

The article also points to WhatsApp as the infection vector.

I agree that anything Facebook produces is fair game as far as being sketchy
goes, but it’s not the only messaging platform to have been exploited.

Do we run all messaging services in independent sandboxes in VMs?

------
fendmark
When I saw Foursquare transition from a B2C to a B2B focused company that is
when I finally deleted the Swarm and Fourquare Apps. I still don't fully
understand their decision to split Foursquare into 2 apps, but what I did/do
understand is that there is alot of money to be made in location data. You
just hope that the people in these businesses are ethical people.

------
soared
Isn’t data this granular illegal, at least in the US? Obviously trying to make
the data anonymous does nothing if you can still see the same user over time -
I’ve only ever seen this data with users put into groups, and data points
fuzzed.

~~~
ggggtez
>is granular location data illegal

Generally speaking, there are no laws against merely possessing data, unless
the data itself was the result of a crime.

Maybe you mean selling the data? That's nuanced. It seems to be illegal for
phone-companies to sell your real-time cellphone location... but historical
data? App developers instead of phone companies? The devil is probably in the
details in terms of what constitutes a crime and what is just shady business.
See [1] where AT&T sells your location data but insists it's not technically
illegal (but claims they stopped selling it anyway).

Many companies try to anonymise this data anyway because it's good business to
not piss off your customers.

[1] [https://www.theverge.com/2019/5/17/18629553/att-t-mobile-
spr...](https://www.theverge.com/2019/5/17/18629553/att-t-mobile-sprint-
verizon-selling-user-location-data-illegal-fcc-letters-public)

~~~
PeterisP
The article is about Norway, and there are laws against merely possessing
data, namely the GDPR. To be specific, "merely possessing" private data (the
granular movement data would qualify) by companies for business purposes is
illegal by default - there are many options that give a legal basis for
processing, and many of them do not require the user's consent, but it's upon
the company to demonstrate what gives them the permission to do that, and
having no justification (if the company "just has it") means that the
processing is illegal. And even if the company has a legitimate reason for
processing as such, doing so "without your knowledge" is generally illegal, as
even where consent is not required, they are required to _inform_ the data
subject about the purposes of processing their private data.

It's not about selling data - purchasing the data or having it or using it
also are covered.

~~~
ggggtez
The above poster's question was specifically about the US.

GDPR does not cover the US. Europe has more privacy laws than the US does.

------
vaylian
Link in the original language: [https://www.nrk.no/norge/xl/avslort-av-
mobilen-1.14911685](https://www.nrk.no/norge/xl/avslort-av-mobilen-1.14911685)

------
cosmojg
Can I legally purchase the anonymized location data of a few thousand
Americans, run that through a script which associates coordinates with
addresses, and publish the deanonymized results as an art piece like this?

If so, this could be a lot of fun. It would be interesting to see the
political backlash, especially if the published dataset includes politicians.
Perhaps, in the name of ethics, it should include _only_ politicians, and only
those who have voted against privacy legislation. Maybe we'd finally end up
with something like the GDPR here in the States.

~~~
Nextgrid
You'd presumably get in trouble because _legality_ is only part of the
equation, the other part is how big/powerful you are and whether you have
connections in the right places.

Big companies can get away with crimes while the same thing would result in
successful prosecution if a little guy does it, so you might very well get in
trouble even though you're doing exactly the same thing as an existing company
that manages to stay out of trouble.

I however support your idea regardless of its legality (and especially if the
data happens to contain details on politicians, the majority of which are
responsible for the situation being as-is) and suggest you publish it
anonymously (through Tor).

------
rb808
The real question is if you gave people a choice of paying an extra $100 a
year or having apps send tracking data, most people would pay the latter.

------
sanchay
Looks like we're moving to a Watch Dogs 2 era faster each day

------
afpx
At this point, most people seem to know that their mobile data is being used.
And, interestingly enough, they don’t seem to care.

~~~
harwoodleon
A broad statement. I’d like to see the evidence that they don’t care,
especially when faced with the level of detail collected.

I’d say they don’t care to know, not that they don’t care. Ignorance is not a
defence, even if it is temporarily a business case.

~~~
kovac
Almost everyone, I've spoken to about these (including software engineers),
know they are being tracked and they don't care. Actually, you know what, not
almost everyone, everyone I've spoken to about this.

I've got the reply "if you don't like it, stay off the internet". Well.

~~~
Jon_Lowtek
I do care. More must be done to protect consumers. I have spoken.

~~~
kovac
I agree. I find it utterly disrespectful for all the engineers who are working
their asses off to save the free internet when someone tells me to stay off
the internet if I don't want to use a Google service. It's that bad.

------
jcchapm02
Does anyone know what web framework they’re using to get the scrolling
storytelling effect? Is this just parallax scrolling?

~~~
sabujp
real questions here: [https://stackoverflow.com/questions/24239897/change-
image-on...](https://stackoverflow.com/questions/24239897/change-image-on-
scroll-position) ,
[https://www.w3schools.com/howto/howto_css_bg_change_scroll.a...](https://www.w3schools.com/howto/howto_css_bg_change_scroll.asp)
, [https://www.geeksforgeeks.org/how-to-change-image-
dynamicall...](https://www.geeksforgeeks.org/how-to-change-image-dynamically-
when-user-scrolls-using-javascript/) ,
[https://codepen.io/fabuchao/pen/xwbRaa](https://codepen.io/fabuchao/pen/xwbRaa)

------
erikbye
You have to be a special case of naive for the collection and sale of data to
be a surprise. Talk about living under a rock. As for mobile apps,
specifically, you think these shitty apps make money off ads? No, the business
model is data. GPS data alone is a multi-billion dollar industry that is
growing very fast.

------
mlthoughts2018
What I don’t get about this kind of thing is that it’s not just shady data
resellers you’ve never heard of. It’s also overt, high profile, branded tech
companies like Foursquare and Yelp, with huge amassed data sets of foot
traffic, wifi scans, battery status, often paired with demographic info or
data that can be joined by ad IDs or commercial device graphs.

If these companies are able to keep on truckin’ with massive user bases who
don’t seem to care that the entire business model rests on flagrant violation
of data privacy and data reselling, why would you ever expect anyone to care
about the long tail of scammy lesser known data resellers?

Companies like Yelp or Foursquare are essentially as scammy as it can possibly
be, with the scamminess shoved right in users’ faces, with lots of middle
fingers and half-hearted sound bytes about respecting data privacy. If users
don’t react in horror and delete accounts / stop contributing en masse in
response to that, why would you ever think an expose about something a further
ten degrees removed from the user’s immediate experiences is going to cause
any reaction?

People just don’t care.

~~~
jeffbee
The fact that Apple Maps integrates Yelp is a big red flag for me, and I think
a big hole in their privacy story. It's why I am more comfortable using Google
Maps than Apple Maps.

~~~
martimarkov
The data doesn't come directly from Yelp AFAIK. It goes throught Apple's
servers. Yelp isn't queried directly.

Again this is from my memory of MITM proxying iOS.

~~~
Nextgrid
They are still promoting that garbage company though (for a lot of other
reasons besides privacy).

