
Despite promises, cell carriers are still selling your real-time location data - jbegley
https://techcrunch.com/2019/01/09/us-cell-carriers-still-selling-your-location-data/
======
driverdan
This is blogspam that adds nothing new to Vice's original journalism:
[https://motherboard.vice.com/en_us/article/nepxbz/i-gave-
a-b...](https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-
hunter-300-dollars-located-phone-microbilt-zumigo-tmobile)

HN discussion here (still on the front page as of my reply):
[https://news.ycombinator.com/item?id=18857220](https://news.ycombinator.com/item?id=18857220)

It's frustrating that TechCrunch seems to get a pass on their worthless
blogspam when other blogspam posts are removed.

~~~
floatingatoll
You could email the mods at the footer Contact link and ask them to change the
link and explain why. They might say yes!

------
danso
FWIW this post is a summary of an investigation posted and discussed
yesterday:
[https://news.ycombinator.com/item?id=18857220](https://news.ycombinator.com/item?id=18857220)

(The TC summary is lengthy enough that it’s not necessarily blogspam)

------
TACIXAT
This stuff makes me so mad. It's to the point I don't want to carry a phone
anymore. Why is it that people aren't allowed to record my conversations but
they can record my real time location?

It's a problem at every level of the stack. I have a phone device that I have
very little control over (thanks Apple and Google!) that talks to service
providers who know who I am. Those service providers are shady and sell my
real time location and I have literally no choices for a cell provider who
doesn't do this. Then there is obviously a huge market for buying this
collected data.

Where in the stack do we fix this? Do we need a data custody law first so I
can track who the problem players are? Do we need devices that we have some
control over so we can manage when they beacon out? Can we simply say that we
(US citizens) have some right to privacy over our electronic data?

Seriously, these practices are abhorrent.

~~~
burtonator
I've been really getting into growth and marketing lately as I want my ideas
to take off. If I'm building a new company I want to be able to get users
quickly.

This stuff is REALLY screwing us over.

Users are insanely skeptical now. This data is insanely valuable for growth
but if the industry creates an entire generation of people who REFUSE to be
monitored we're going to be in a horrible situation.

If someone is legitimately just interested in the cities you're visiting I
don't think this is much of a problem.

For example, say their product is only available in San Francisco. It doesn't
make sense to try to recruit users in New York.

This makes it much easier so get initial users as you can just buy ads for
users in San Francisco, potentially saving a massive amount of money on your
ad campaign.

With Polar ([https://getpolarized.io/](https://getpolarized.io/)) I need to
have analytics about what users do in the editor. What they click on, etc.

Polar is a research tool for reading and annotating PDFs and caching web
content for later reading.

I get regular complains from users to disable all analytics.

I might ship it as an advanced feature for users to opt-out but I don't have
any nefarious use case here. My only goal is ti figure out if you're using
feature X or not.

~~~
elliekelly
I think there's a distinction to be made with respect to "needing" a user's
data in order to be able to provide service at all (for example, a user's age
as you cannot permit them to use your application if they're under 13) vs.
user data that makes it _easier_ to provide the service, or in your example,
advertise your service, to users. If your users are telling you they don't
want to give you that data perhaps you should consider listening to them.

------
LinuxBender
When I was in the wireless industry, we did many shady things and had all the
lawyers and lobbyists to back us up. We could change any laws that got in our
way. My employer was never remotely interested in ethical issues. They were
only interested in paying subscribers. I could go on all day with examples if
HN were interested.

As a funny side note, we would joke that our best customers were drug dealers.
They always paid on time and always in cash. They could not afford to miss any
calls.

~~~
wallace_f
Why does our society tolerate so much evil?

Most days I learn something new about how people somewhere are being evil.

~~~
toomuchtodo
Doing the right thing takes work, effort, time, and money.

------
whitepoplar
If Apple really wanted to put its cash to use, it could build its own cellular
network. Privacy focused, no surprise fees, integrated billing for
desktop/laptop/iOS/watch devices.

There's enough bad will against the existing ISPs/mobile carriers that Apple
could swoop in and gain a lot of market share very quickly. And customers
could save money by combining their home internet with their mobile plans. The
future is a singular wireless data subscription without any routers or modems.

~~~
localhost
Really love this idea. $237BB in their piggy bank according to their most
recent 10K. Since the era of carrier subsidies is more or less over in North
America, this might accelerate their transition into services company in a
major way.

~~~
whitepoplar
A buildout of a nationwide cellular network is almost tailor-made for the
amount of cash they have in the bank, and almost the entirety of their would-
be competition is universally hated. Seems like a no-brainer to me, and unlike
other things they could spend their money on, a cellular network could always
be sold off if needed. Not true for investment in A.I./self-driving
cars/marketing/failed products/etc.

------
adrr
I thought carriers required user consent to get the E911 location data? It
does have some legitimate uses. This location data is used by financial
companies and one of the reasons you don't need to do travel notices at some
of the major banks. They'll actually ping the E911 location when they see a
credit card auth in new geographic location. Check your TOS at your bank,
there's probably something buried in it about consenting to pulling mobile
phone location to prevent fraud.

~~~
guelo
That's not a legitimate use. 911 is for emergencies. Emergency, security,
terrorism are always the excuse used to strip us of our rights and our
privacy.

~~~
adrr
E911 is the data set. It's just the triangulation data from the cell towers.
There's also GPS data which is more accurate but the carrier doesn't get that
data but apps can get it.

------
mschuster91
This is why "promises" and "industry self regulation" are meaningless. People
need government to protect them from companies' greed, which here means:
regulatory agencies with teeth.

"Self regulation" only works when there is a monetary incentive for companies
to keep their word, for example in ecological agriculture.

As for mitigation, does anyone know if MVNO users are also subjected to their
data being sold?

~~~
ravenstine
Are today's government officials more starstruck with or paid off by big
corporations than they were back in the Microsoft antitrust era? Big business
gets away with so much bad behavior today but, in the US at least, it seems
like years go by and nobody cares enough to pass regulation to preserve the
basic right to privacy.

~~~
torpfactory
With notable exceptions, today's political campaigns are often financed by
wealthy individuals and companies. The type of politicians which receive
contributions are, unsurprisingly, the type whose views best align with those
individuals and companies. This funding is instrumental in lifting many of
these politicians into office. When a question of political control or
regulation of companies arises, it is also unsurprising that these politicians
often see things from a certain perspective.

~~~
rayiner
Corporations aren’t allowed to “finance” “political campaigns.” When
OpenSecrets says stuff like “Google” contributed $X million to Democrats, it’s
lying. What really happens is Google _employees_ contributed that money.

~~~
torpfactory
While on paper there is are still limits on direct contributions to campaign
organizations, the Citizen's United decision (combined with SpeechNOW vs. FEC)
enables companies to instead donate to SuperPACs which are in theory
independently controlled. I personally believe the distinction is for all
intents and purposes meaningless. Doubly so when considering how little
enforcement of the separation has actually been pursued.

So, yes, I do believe companies finance political campaigns. Whether the money
flows through campaign organizations is not an important distinction to me.

~~~
rayiner
It’s not a matter of what you “believe.” In election law, the “campaign” is a
specific thing and financing it is something with specific meaning. Having an
independent entity run ads because it happens to support that candidate is not
“financing the campaign.”

Leaving that aside, SuperPACs account for just 15% of election spending in
2016. It’s inaccurate to even suggest that corporate money and money from
wealthy donors is the dominant factor in campaigns.

------
m-p-3
The frustrating part is that you cannot protect yourself from that outside of
turning your cellphone off or putting it in airplane mode.

~~~
general8bitso
Airplane mode does not disable GPS.

It could be queuing positional and temporal data, and awaiting a connection to
later send.

~~~
lawnchair_larry
That isn’t how this data is obtained though. It’s all known on the carrier
side. It does not rely on your phone submitting it.

------
luckydata
It's pointless to think the industry will regulate itself, they can't help it.
If there's a shred of profit to be made in anything give it time and it will
be done as long as it's not illegal and often even if it is.

------
kakarot
> ...given that two-thirds of the U.S. population aren’t going to switch to a
> carrier that doesn’t sell your location data.

To be fair, what are our options, exactly? If we want anything near acceptable
coverage and price, that is.

~~~
x2f10
>To be fair, what are our options, exactly?

This is key. This is how citizens will lose their expectation to privacy. I
fear that in the near future there will be no 'safe' option and you will be
forced to forfeit your privacy rights to participate in the digital world.

~~~
kakarot
Mobile will become as essential as internet in general has become to
participate in larger society.

I see it starting at the bottom. Tired of being tracked and trapped inside
class barriers, the homeless and destitute will be the first to adopt extreme
privacy-oriented protocols such as regularly cycling burner phones, using
mobile VPNs, stripped-out GPS modules, and anonymous software such as Signal
but which don't rely on phone numbers as identifiers. The poor will stop using
phone numbers altogether. Perhaps charity services will exist which help aid
this transition.

It will also start from the top, as we already see high-level CEOs using
encrypted messaging and privacy-oriented protocols. They will see the obvious
need for such services.

The overwhelming majority, the middle class, will be the last to adopt such
practices and take back control of their privacy.

------
CarriersSuck
Of course they are. They have to show growth quarter after quarter. Until
investors stop punishing companies for not increasing growth every quarter,
this will continue. Everything is money driven. There's no thought to the
consumer any more. There doesn't have to be as there isn't any accountability
to the consumer; they have nowhere else to go.

------
kekebo
Are there any known ways to obfuscate cell location data? There are sim addons
that can change IMSI to circumvent carrier lock[0], would IMSI obfuscation be
a viable option to defend against cell tracking? [0]
[https://en.m.wikipedia.org/wiki/Turbo_SIM](https://en.m.wikipedia.org/wiki/Turbo_SIM)

~~~
roywiggins
The carrier needs to know which cell you're talking to do route calls to your
phone, and after that it's just a matter of triangulation to narrow it down.
But even without triangulation the company knows what neighborhood you're in,
by design.

------
wpdev_63
.

------
h0mEDw
US needs (something like) GDPR. 2% to 4% of revenue is a good starting point
for a penalty. In the absence of a penalty why would anyone running a Telco
company not take the extra cash from selling data.

