Hacker News new | comments | show | ask | jobs | submit login
US telcos appear to be selling non-anonymized access to consumer telephone data (medium.com)
1273 points by benaadams 9 months ago | hide | past | web | favorite | 301 comments



EFF and other privacy groups fought against this for a long time, and eventually succeeded in having the FCC intervene to stop these practices: https://www.eff.org/deeplinks/2016/03/victory-verizon-will-s...

Then one of the first things Trump and the Republicans in Congress did after the election was repeal the FCC's privacy rules :( https://www.eff.org/deeplinks/2017/03/five-ways-cybersecurit...


On their website it shows that fiserv is a customer of theirs. Fiserv provides core banking services for almost every major bank in the US which means they know your money situation and your browser habits. Pair the two together and they basically know everything about you, lets see if they sell it to advertisers too? Or have been hacked? Or rouge sys admins? Or ...


fiserbe sells food dude


Strange that fiserv.com is all about banking IT then...


knowing what i know about fiserv your thesis is either laughable or horrifying, the truth likely lying somewhere in between as it does


That's because privacy is not a right in GOP land. It is a product. And therefore you should have to pay to get it.


I agree 100%. Privacy is sacred and a human right.

Zero Democrats voted for the PATRIOT Act and continue to support dragnet surveillance and serve on their committees, and Edward Snowden wasn't a felon under the Obama Administration.

http://educate-yourself.org/cn/patriotact20012006senatevote....

https://www.opensecrets.org/orgs/recips.php?id=D000000461&ch...

...

Oh, shit. It's almost like both parties are bought and paid for... which is why even when a Democrat is the President, Wall Street never actually goes to jail for destroying the economy, unprecedented tracking and harassment of journalists, and gleefully continues (and increases!) smuggling guns into Mexican drug cartel hands which were used for an incalculable amount of murders (including one confirmed US border patrol agent). All we need to end all these evil acts... is more Democrats. Then everything will be fine.

Except it wasn't. They told us things would change, smiled, and then kept on with business as usual and corporations getting even more power. He said he'd close Guantanamo, but didn't even to bother telling us there was one (we didn't even know about yet) in Chicago. ("Chicago black site.") He decried the Iraq war, and then started a few of his own. He ran on a platform of government transparency and then oversaw the largest expansion of classified documents in the history of the USA. (Google it.)

So forgive me, as someone who watches the news, that I'm not getting my hopes up that simply electing another Democrat (instead of enacting broad, sweeping a changes to the foundations of the system) will somehow save us and undo all the bad aspects of our country.

Jimmy Carter was right when he said "The USA is now an oligarchy with unlimited political bribery power."

https://www.ecowatch.com/jimmy-carter-the-u-s-is-an-oligarch...

But you can be forgiven for not knowing about this story, because a simple Google will review that NONE of the MSM outlets actually covered it. You know, because what's "news" about an ex-president saying "the entire system is corrupt." Surely, Pokemon and thigh-gaps are more important to the political discussion.


Which country are you from where privacy is a right?


California Constitution. Article 1, Section 1: "All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." https://leginfo.legislature.ca.gov/faces/codes_displaySectio...

(not a country of course, but somewhere privacy is a constitutional right. question then is how a state can protect this right)


To be fair, the "pursuit" of those things are considered natural rights. Not the things themselves.

Not saying that a right to privacy doesn't exist. I think it exists because a combination of other rights DO exist. But rights can't obligate others, and if your information ends up in the public sphere, I don't believe you have a natural right to have it taken down.

If you contracted with a third party, and as part of that exchange, your info was supposed to be secured, you have a right to secure damages within the scope of that contract.


"...pursuing and obtaining..."


Yep, that's what the legal language says.

It's obviously not workable, though; you can see that the goal listed before "privacy" which all Californians have the legal right to obtain is "happiness". This would appear to imply that you have the same legal rights against someone who violates your privacy as against someone who makes you unhappy.

http://www.theonion.com/article/proposed-bill-would-bring-40...

> The bill, H.R. 702, stipulates that immediately upon its passage into law, the 4,000 brave soldiers who have lost their lives in Iraq come marching triumphantly over the horizon, directly into the arms of their loved ones, looking the same as they did on the day they left home.


So if you pursue but don't obtain happiness, due you get to sue the State of California for infringing on your inalienable and guaranteed state rights?


Does this mean Telcos/payfone can be sued in CA for being in violation of the constitution?


No. Federal preemption.


That does not preclude anyone from filing regarding violations of the state constitution. There's that whole right to address ones grievances that gets in the way.


Unfortunately, it does.[1] See the Supreme Court decision in Cellco Partnership d/b/a Verizon Wireless v. Hatch. [2] FCC-regulated entities are not subject to state consumer protection laws.

[1] https://www.wileyrein.com/practices-federal-preemption.html [2] http://sblog.s3.amazonaws.com/wp-content/uploads/2012/12/11-...


I didn't say anything about consumer protection laws - I explicitly stated violations of the state constitution.


California isn't a country, no matter how much their government wishes they were.


Privacy is a fundamental right of EU residents (it’s in the fundamental charter)


It's Article 8 of the European Convention on Human Rights (ECHR)[0]

[0] https://en.wikipedia.org/wiki/Article_8_of_the_European_Conv...


Yep, my operator isn't allowed to give out any information without my written consent. And you actually have to OPT IN for the phonebook service. Most people don't.

And the sky hasn't fallen, my service is quite good and the telcos are still making profits.

Thing is,the US Constitution as brilliant as it is was written a long time ago and nobody wants to update it. And Capitol Hill seems preoccupied.


Don't want to remind the states that they have the option, they might vote in term limits or remove money from politics.


Which is why every European country except Germany has dozens of cameras on every corner?


But (at least in most countries) these records are only available to police and with written request, one by one basis.


or to anyone connected to the internet


You can't leave unprotected access by law, because you, as a camera owner, are responsible for personal information stored as a record. If you talking about hacking, I wouldn't worry too much -- anything can be hacked and there are much more cost effective ways to obtain personal information in millions than hacking cameras one-by-one.


You can't leave unprotected access by law

Yeah, nice theory :)

---

I wouldn't worry/care about individual hackers, but even if you have complete trust in everyone who has or will have legal access there are a lot of organizations for which hacking cameras one-by-one (even if hacking is actually needed) is well worth the effort.


This is simply false


Do you have any substantiation of "except Germany"?


Those corners would be public spaces, right?


You have a messed-up idea of privacy, there can be various degrees of it and having a few people see you in a certain place at a certain time has a slightly different impact than having someone (potentially) analyze what you do in a large amount of your life, even if that happens in "public spaces".

I know your idea is the same as that of the USA law, but that really doesn't make it right


Not OP, but in the United States, Americans' right to privacy is protected by the Fourth Amendment to the U.S. Constitution.


Unfortunately, the relevance of the Fourth Amendment to informational privacy within cyberspace has been significantly diminished due to piecemeal legislation that has not been internally consistent and a fundamental misinterpreting of what constitutes private information. As it stands, informational privacy in the U.S. is severely lacking in constitutional protections. States do attempt to fill these holes with statutes but even then their conceptual frameworks are based on an understanding of privacy that isn't directly applicable to the digital world.


From the government. It’s a small, but important distinction.


I'd say that in Germany if it's not a de jure right it's very much a de facto one.


With the NetzDG things have pretty much changed IMO. Your privacy can be invaded without any "proven" reason.


Does a right need to be written down to be a right? Perhaps some human rights transcend the legal system of any specific country.


They went ahead and wrote it down.

Universal Declaration of Human Rights, Article 12

> No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

http://www.un.org/en/universal-declaration-human-rights/


Without a way to enforce a right, it's worthless. Is the UN going to come to my rescue over this?


The US Constitution says no. That’s basically what the 9th and 10th amendments mean. The framers knew they couldn’t explicitly list every conceivable right, so they just said , ‘and, etc.’


All of the ECHR countries?

cmurf 9 months ago [flagged]

Roe v Wade, law of the land. One of the reasons why GOP hate it is it makes privacy a right rather than a product.

The "correct" way is, if a black man knocks up a guy's white daugher, he puts her on a plane to a state where abortion is legal. But in his own state, he fights for it to be illegal, so all the poor people have to have babies, and stay poor. Because classism is good. It makes sure some products can only be afforded by some people. Better people. And better people have more money, and buy more and better things.

Free market means being free to pay as little as absolutely possible for labor. And for that you need a lot of poor people. Everyone becoming wealthy is bad for better people. What's the point of being better if you can't be wealthier than most other people?

And if you think a white wealthy GOP dad won't overnight their daughter to a state to get an abortion, especially when it's from a brown dad, then you're ignorant to the point of cultural blindness.


Could you please refrain from posting inflammatory partisan comments, like we've asked before? You have to do a better job of maintaining an insight/provocation ratio that can sustain a civil conversation.

https://news.ycombinator.com/newsguidelines.html


I just emailed this company at general@danalinc.com (which is the address stated in their privacy policy [1]) to remove all of my information from all databases/backups and to never collect it again. Came back undelivered with a 550 error (Recipient address rejected: Access denied).

[1] https://danalinc.com/privacy-policy/ - "Danal is committed to ensuring that the information we obtain and use about you is accurate for its intended purpose. You can contact us at general@danalinc.com at any time to review, update, delete or correct (for future use) your personally identifiable information maintained by Danal. We will reply to your request within thirty (30) days of submission. You can help us maintain accurate records by informing us of changes or modifications to your personal information."

Edit: For payfone: https://www.payfone.com/company/privacy-policy/ - info@payfone.com


Received an almost immediate message back from payfone:

"Hi [my name],

While we should explain more clearly that these services are used to protect consumers from fraud, with one's consent, you can set up what you are asking about with your phone company. We can send you the procedures to do that. I'd like to go a step further and see if we can just opt you out entirely across the board. I should also note that we do note store any current or historical personally identifiable data. Hold on for more info."

As an aside, I didn't provide [my name] with my request - of course they looked it up based on the phone number provided.


>"While we should explain more clearly that these services are used to protect consumers from fraud."

So if my someone's phone is lost or stolen they won't be able to use their credit card or debit card? Wow that sounds like quite a service - losing access to your phone now means losing access to your money? So your card is blocked because of a fraud alert and you have no ability to call your bank or credit card company. You better hope you are not by yourself when this happens.

I would close or cancel any account or card if they ever put me in such an imposition as a result of using this service.


Roger responded a week later after I sent him a reminder note:

> ...thank you for checking in. We have notified your phone company based on the phone number provided, to opt you out. We do not store any of your data. So we have done what you have asked. Thank you.

And my mistake: although he may have, he likely didn't need to look up my name as I just realized the email account I sent it from included it.


CEO of payfone is attempting damage control on twitter @twtt


The email I received was directly from him: https://twitter.com/twtt


I mean, honestly, I don't blame these companies. I blame the carriers.


They are willing accomplices and deserve all the blame.


Blame them both.


"It's 4 security."


In addition to both sites correctly showing my full name, phone number, mailing address, and e-mail address, (and the Danal site showing my T-mobile phone plan info) the Payfone site shows this ominous description:

https://i.imgur.com/WkPj5Gb.png

I've had someone tell me they visited a shopping site once and without giving the company any information, they got an e-mail from that company a day later. I told them it wasn't really possible (from just the browser's perspective) and that they must have been tracked through some 3rd party cookies.

Apparently that was false and it's totally possible for a site to use one of these APIs and instantly get your full name, phone number, e-mail address, and physical address just by looking up your IP, and then track you across "switching carriers, changing phone numbers, upgrading devices, and replacing lost devices". Scary shit.


MEO does that in Portugal. With your phone you visit (probably) an ad on a website and you're automatically subscribed to some 3rd party service that charges 3€ a week from your mobile operator credit.

Then you call MEO to cancel the service and then you learn they're not refunding your money and that instead of this 1€ call you could have disabled the 3rd party services through their web login.

It's incredibly hostile, and there are more dirty tricks they use.


Yikes, a chargeback would have to hit your phone carrier directly.

Did you try calling your phone carrier? No way this is legal.


MEO is the phone carrier. They're the largest one in Portugal, previously called TMN. They're the ones I called.

I can't edit to make my post clearer. I'm also not their customer anymore.


Do you have any source for this that I could look at?


I've found some reddit threads (in Portuguese):

https://www.reddit.com/r/portugal/comments/4hj1l7/servico_de...

https://www.reddit.com/r/portugal/comments/4nchbc/subscrição...

This is not new. TMN/MEO subscription shit has been going on for more than 10 years, but before widespread mobile internet it looked more like a SMS fishing attempt to get you subscribed.


MEO is now a subsidiary of Altice, a French company.


I believe Altice bought Optimum/Cablevision earlier this year.


> I've had someone tell me they visited a shopping site once and without giving the company any information, they got an e-mail from that company a day later.

I had this once from a Cisco reseller in Glasgow. It looked like they done a reverse DNS lookup on our office IP, then a Whois on the domain and just spammed the crap out of me. They started calling a day or two later. When I told them how creepy and inappropriate it was, they actually seemed proud of the lead gen system they subscribed to.

They emailed the admin contact of the domain, which is what tipped me off.


Clearbit sells a basic IP lookup system like this


I really hope that the EU slashes these companies once its 2018.


Shit like that is blatantly illegal under current EU laws already


AT&T’s privacy policy states:

“We will not sell your personal information to anyone, for any purpose. Period.”

How is this not contrary to that?

Additionally, they define personal information as:

"Personal Information: Information that directly identifies or reasonably can be used to figure out the identity of a customer or user, such as your name, address, phone number and e-mail address. Personal Information does not include published listing information."

http://about.att.com/sites/privacy_policy


Looking into the full policy, they seem to punch some pretty big loopholes in it

> Here are just some of the ways we use it. To: > Deliver Relevant Advertising; > Create External Marketing & Analytics Reports;

http://about.att.com/sites/privacy_policy/full_privacy_polic...


You can opt out of the advertising collection here:

https://cprodmasx.att.com/commonLogin/igate_wam/cmpmobile.do


What about for Verizon?


thank you sir


It won't matter, since the data will have already been sold. And 'services' will fallback to a different provider.

American databrokering is a really mature industry after all.


As a data collector, they can rent access to the data via their ad inventory and technically not be "selling your personal information."


Probably by legalese.

"We're not selling it, we license it."


Or its given away for free as part of a "data sharing" agreement. Or really any number of ways your data isn't directly being paid for.


Maybe these are considered "business partners" and not "anyone"? :P


Holy cow. This is scary.

With T-Mobile USA, the 2nd link correctly identified my phone number.

In the 2nd link though: name, current address, email address, phone number, how long I've had the account, when it renews, who my previous carrier was, my phone hardware details and my current latitude/longitude!

This is scary that anyone can access this with just a site visit.


I have T-Mobile prepaid and they have all my info except my first/last name. They must have collected this info when I used my credit card for refilling.


Even in the US, I always thought it was illegal to use payment information for anything other than payment processing. Evidently that is not the case.


What is considered cardholder data may surprise you. I’ve implemented many integrations. It’s very specific and requires the primary account number. For example if the PAN is stored separate the name and/or expiration data isn’t considered cardholder data.

For the record storing this information would be folly - can’t lose what you don’t have. Let the payment processor assume the responsibility by storing and handling that if needed.


(PAN = credit card number, for those outside the industry)


I have T-mobile prepaid and my caller ID info pops up as someone else's name. I've called to complain but they claim it's not possible to fix this for prepaid plans. I'm sure it's a massive E911 violation but, you know, computers are hard.


Is it possible that you gave them your info to disable the web content filter, which is forced on unless you give them a bunch of PII?


No, I don't know anything about such a filter, and did not give them any PII.


> This is scary that anyone can access this just a site visit.

Well, anyone using your phone on LTE.


Any script running on your phone with LTE.


Well, any website that you connect to while on LTE should have access to this data, no?


Yep. Or any app that runs on your phone that makes even 1 outgoing API request can get all of this info.


So literally - and I use the word literally correctly - any of the thousands of shady, useless, scammy apps can get my name and current coordinates?

The ONLY thing this advertising-surveillance industrial complex is missing is a sample of my DNA!


23andme got you covered


Ajit Pai is stoked about this.

If you work for AT&T, Verizon, etc you have a responsibility to stop this even by sabotage.


So are the 45% or so of voters who picked Trump knowing he opposed internet privacy.


Having moved to the south, and in an area where the percentage of Trump voters (and current supporters) are the VAST majority, they don't know about this stuff. And if you try to explain what data can be gathered they don't really believe you. Let alone saying what can be done, or the damages of that data being hacked. Though this Equifax thing has been helping me convey the importance to them.

tldr: They aren't aware. They aren't techies.

P.S. We're in a two party system. Just because you agree with some policies doesn't mean you agree with all policies.


I think a large part of your problem is your voting system. Representative democracy with proportional representation and no gerrymandering is what is needed, imho.


Most of those voters probably have a very poor or non-existent understanding of internet privacy and an even poorer understanding of government's impact on internet privacy.


I think some gross generalization. Reddit's Trump community were pretty strongly supportive of privacy and net neutrality but just decided Trump was ok anyway.


Reddit's Trump community? So basically, you're talking about the top 0.001% of Trump voters in tech savviness, just by virtue of them being on reddit.


My theory is that right wing voters do not really care about policy. They seem to respond more the displays of strength.


That's a bingo. Exhibit A is Trump giving the keynote at the Values Voters Summit.


Or they do not care about privacy, they only care about their taxes being lowered while believing that voting GOP will get them lowered taxes.


Yep. Software engineer at Google in Mountain View here. I voted for Trump.

I literally do not give a damn about anything else other than lowering my taxes. I don't care about climate change (it is being accelerated by humans, I agree) and I literally don't care about BART or SF public transit or homelessness. Just give me my clean air vehicle tag so I can drive in the carpool lane as a single driver in my Model S.

Yes, there are tens of thousands of people like me in the bay area.


You are quite right to point this out so explicitly. It is something we all have to deal with -- the way that wealth and power and privilege insulate people from having to care about anything other than their own excess and immunize people against normal human emotions like empathy, kindness, the ability to recognize and appreciate your own luck and consider the misfortune of others, etc.

STEM folks are the most susceptible to this, I think -- working in a technical field tends to isolate you from other people. Being wealthy and working in a technical field is horribly alienating. You literally, over time, lose the capacity to understand others or consider them as people.


Double for working in the valley which is like a giant tech worker gated community.


Out of curiosity, do you not care about breathing unhealthy air? Are you aware we just had 5 or so days of unhealthy air (worse than Beijing air quality) because of the wildfires to our north, which are being worsened and increased by climate change? -- https://www.theatlantic.com/science/archive/2017/09/why-is-2...


Trump's base is white people, not (necessarily) dumb people.


That's facile and incredibly trite. His base is voters, regardless of creed, race, colour or intelligence.

I'm not a Trump fan (nor even American) but I think your analysis of skin colour based demographics is probably flawed in some way.


People aren't dumb for having a poor grasp on internet privacy.


True! I should have been more specific about the form of ignorance.


A large portion of those voters are paranoid about the government taking their stuff and keeping lists.

Yet if it's privatized it's ok.


Oh, as opposed to all the internet privacy the last administration(s) gave us?


Setting the whataboutism aside, you're also wrong.

I think it's fair to say that the (potential for) harm wasn't sufficiently strong in the public psyche to justify White House-level attention prior to (and probably including) W Bush. Also, the distinction between ISP and Telco was still sufficiently weak that existing Telco regulations designed to protect consumer privacy still had teeth when applied to ISPs. It wasn't until the Obama admin that ISPs starting suing to disentangle themselves from Telco regulations.

As for Obama, well... if you haven't heard net neutrality described as "obamacare for the internet", then you're not paying attention. But there's only so much anyone can do with out controlling the Legislative branch.


This is about privacy, not net neutrality. I wouldn't conflate the two.


Again, you're just wrong. Selling/sharing consumer browsing activity were both components of the FCC net neutrality rules.


Did you actually read the article, or are you just really stretching to be able to say 'wrong'...


> Did you actually read the article, or are you just really stretching to be able to say 'wrong'...

No, really, your assertion that Obama-era Net Neutrality rules and privacy rules are disconnected is simply wrong! See "What does that have to do with privacy? " on https://www.epic.org/privacy/netneutrality/

When people talk about rolling back FCC rules on net neutrality, they are -- by definition! -- talking about rolling back these privacy protections. There's no debate to be had here.

More generally, you may be confused by timelines. Hopefully this will help:

pre-2014: Phone companies and ISPs begin tracking customers.

2014 - 2016: FCC begins process of cracking down on this sort of behavior (e.g., see top comment on this story).

2017: FCC reverses course on that crackdown.

Perhaps you are claiming that there wasn't a substantive change in valence on the issue of consumer privacy within the FCC and other regulatory agencies over the past six months. And perhaps "net neutrality" means something very specific do you. But that doesn't mean that late Obama-era net neutrality rules weren't aimed and strengthening privacy protections. They were.


> Ajit Pai is stoked about this.

This seems like an unfair claim. Since you didn't provide a citation, I looked for one. I found plenty of articles insisting that Ajit Pai and through association that Trump are both out to harm privacy online, but this is typically an inference based on the fact that Ajit is blocking more regulations placed on ISPs. His reasoning has consistently been anything that makes it harder to compete (the context is in small-medium businesses, think tiny companies trying to upset Comcast or AT&T) is bad, and specifically in this case that extra regulations on ISPs that businesses (read: the entities that actually have virtually all of your data) are not required to follow is unnecessarily limiting to competition. That's really not the same as "Ajit Pai is stoked about this." I will thus consider this bullshit until someone actually asks him what he thinks about this and whether he supports it. I doubt he does, because I doubt anyone does, and because it appears it may already be illegal.

The DNS entry for this site is already gone, though I can't tell if it was an action by GoDaddy or if it was explicitly removed to hide the page. In either case, that kind of response indicates guilt to me, and unless the ISPs are explicitly informing people that this is happening, it may already be illegal. I'd expect a class action lawsuit to determine that, and legislation to make it illegal for ANY ENTITY, be it a business operating on the internet or an ISP, to do this without consent from the user, which is what we really need.

I've been very annoyed at businesses like Spokeo that operate entirely in the realm of selling information about people, and they're fueled by shit that Facebook, Google, and friends freely offer about people, and now worse what about cross-referencing what they already have (everything in this case plus things like residential history, criminal history, etc) with your entire credit history and SSN and more thanks to Equifax and even hashed passwords due to the dozens of leaks we get every year.

I don't think this belongs in the FCC's wheelhouse, this belongs in Congress, because this kind of shit is getting out of hand, and it's not just ISPs.


Last year he voted against regulations that made this illegal: http://www.npr.org/sections/thetwo-way/2017/03/23/521253258/...

Voting against the regulations means he did not want them to pass, but they did. They were repealed this year, which logically he must have been happy about. Unless he publicly states otherwise, it is fair to conclude that he is happy with the most direct obvious consequences of the repeal.

In theory it's possible that Pai supports the goals of the regulations but disagrees with the means, but has stayed completely silent about his support and made no effort to accomplish the goals through more appropriate means. There is no meaningful difference between that and simply opposing the regulation because he doesn't like its goals.



[flagged]


It's different being the top-management vs working there. You can't generalize all of them as not having soul or is evil. Seriously. Unless you have been in their situation, you cant judge. Not everyone would get the freedom to work at their dream role/job/company.


Within the last year, I took a 20% pay cut to move to a company I felt more ethically comfortable with, and I still feel good about the decision.

It's not about one's dream role/job/company. It's about whether one is willing to tolerate something that makes one ethically uncomfortable for a number on a check... or not.

And although everyone's circumstances are different, I know far more people who work for shady companies and live in McMansions than ones who do it to support their family.

Judgy? Absolutely. But there are a lot of jobs out there: if you work at Comcast / US NSA / Chinese Bureau of Public Information and Network Security Supervision then it's because you don't have a problem with how they conduct business.


I don’t agree, it’s still worth reaching out to these people.


Granted as possible, I'd just offer the following points.

(1) These companies (as far as I know) tend to be technically and creatively conservative (in the sense that they don't like new ideas). (2) They have a captive market and effective monopolies. (3) The type of engineer likely to work at such a company values stability over risk. (4) There is C-level and down support for policies / products like the original article that generate profit. (5) It's a small enough industry (in terms of number of companies) that getting blackballed is feasible.

In that context, I don't foresee a logical person making an ethical decision (for leaking or sabotage) when it goes against his or her employer's wishes.


Should google employees? Facebook? Twitter? Chrome devs?


Realistically, why would the answer be no? We've not established thoroughly that programmers have a duty to refuse to commit crimes or at least carry out morally bankrupt plans, but I don't think that people will or should be less critical when the hammer comes down. Just look toward the VW case. Is it worth risking your job to do the right thing?

In my opinion, the answer is never no. I speak as someone who has actually refused to implement functionality on the basis of ethics before.


People have as much morality as they can afford.


I think that, as a coworker of mine has suggested, the situation will improve as programming matures as a field of work. Something like a professional's association could work wonders if well executed. I'm not looking forward to all of the associated crap, but you win some, you lose some.


There is too much growth and change in the industry at the moment. One might argue that growth and change are inherent to ICT, but maybe that's just us hyping our own field.

In any case, the market is moving way to fast for professional licensing. Both when it comes to total demand of coders, and when it comes to the churn in required knowledge. A licensed coder that thinks jQuery is the best way to write a web-app is not going to be hired over an unlicensed coder with experience in angular/react.


Great way of putting it.


Yes, all devs should stand up to their moral beliefs. Web analytics isn't necessarily evil, but something like this article is pointing is definitely coming pretty close.


Coming pretty close? They have definitely crossed a lot of lines at that point. They give your personal information, your name, email and even phone number, just because you have visited some site? I don’t have a problem if a websites checks how many times I log in, and do stuff. That is reasonable to accept. Tracking me across multiple different sites is morally questionable but giving you my freaking private information to anyone who asks and pays even though I have never agreed to that is just morally wrong. And that comes from my carrier whom I expect to take care of my personal information, because they have complete control over my internet and can even see what I’m doing on the internet (yes even encrypted traffic can tell you a lot about someone). It’s not like I really have a choice which Carrier to use because there are so few out there and each one of them is a different kind of shady.


Evil is a pretty strong word. I just wasn't sure if this is evil or just dishonest and super super shitty.


What the telcos are doing here is crossing the line by a mile. A case can be made for anonymized bulk analytics. Stalking individual users like this is totally unacceptable. The executives who came up with this and the engineers who implemented this are absolutely in the wrong, and should be held responsible.


Evil is a pretty strong word. I just wasn't sure if this is evil or just dishonest and super super shitty. They've definitely crossed the acceptability line.


After saying it once in the thread, it is not useful to repeat a comment one minute later in a new post. I see that you added a sentence, but this does not suddenly make the previous word-for-word reiteration a new idea.


I agree that it clutters the thread, but the flip side is that many people don't come back to the full thread and only view replies.


Yes.


Anyone with a sabot to throw, and a brain at this point.


What’s a sabot?


https://en.wikipedia.org/wiki/Sabot_(shoe)

It's where the word sabotage comes from.


An adaptor fitting, intended for kinetic energy penetrators which occupy a smaller diameter caliber than the barrel of the ballistic weapon they are being fired from.


Used in modern anti-tank rounds.

The DSAT in the name of these rounds stands for

Discarding

Sabot

Anti

Tank


A French wooden shoe.


So now I need a VPN for my cellular data connection. What happened to privacy laws? You could quickly grab highly personal identifying information by setting up an encrypted wifi network at a business with plenty of foot traffic and no open wifi networks. Then you could have a sign or placard directing passerbys to visit a URL of your choosing to get the wireless password. Then you'd implement this API on your website.

Now you've got their personal info. Scary..


No, this doesn’t work on Wifi.

The claim is you need to be on the carrier’s mobile data network, the carrier gives you an IP address, then a website owner asks the carrier who is at that ip address and then the carrier gives the website owner the data that it has on you (your real name, the address where they send the bills, the phone number they assigned to you, etc)


Just a word of warning, long term this may not always be a safe assumption.

For supporting technologies like wifi offload, VoLTE, etc the phone can be told to tunnel traffic back to the carrier network, even when using wifi. This is to support features like using wifi to complete voice call's, but could be used for IP mobility as well (keeping you're IP address as you switch access networks).

I'm a bit rusty as I've been out of the industry for a year now and didn't work on this directly, so I forget how the phone get's this configuration. I think it might be an APN setting to connect back to the ePDG when on other access networks, but I could easily be mistaken.


You misunderstood: the commenter said they'd provide a passworded wifi network and a sign somewhere saying "visit this URL to get the password for the wifi!"

People would visit that URL using mobile internet...


This is exactly what I was describing. You'd visit the site while on cellular data to get the password.


Yeah, that's what GP is describing, I think - people would visit the evil URL while on a cellular connection in order to, ostensibly, get the password for the secured WiFi connection.


This happens in several parts of Europe as well. It's part of the telcos' billing infrastructures, and many operators for example have middleboxes which allow TCP streams to be looked up against the billing system.

I believe the original idea was to allow companies selling ring tones to able to bill customers who downloaded their ring tones directly on the customers' telco bill.

From a privacy standpoint it's been a catastrophe. There are countless of operators who have been caught decorating customers' outgoing HTTP traffic with their mobile number or personal details. It's just a few years since one operator was caught doing this in Denmark [1].

Again, just a few years ago, in Sweden, a company setup porn sites and pretty much blackmailed their mobile visitors into paying $$$ for porn they supposedly had agreed to download. This company was using operators' billing APIs to lookup subscriber details from the IP:port numbers of connections to their porn sites [2].

In Norway, a company called MobileTech, use the same APIs to improve unreliable web tracking using cookies. By using these billing APIs they can assign a unique identifier to a particular subscriber regardless if this subscriber clears their cookies or share the connection across multiple devices. Their tracking script (b.mobiletech.no iirc) is embedded on many popular nordic sites. Their improved visitor tracking and demographic data is also sold to third party marketing companies such as Research International.

[1] https://www.version2.dk/artikel/mobilsurf-danske-teleselskab...

[2] https://www.svt.se/nyheter/lokalt/skane/fangelse-for-skaning...


So what happens now? They shut down the scary demo site, keep selling the information, and the new administration's FCC won't do a thing about it.


Best case scenario - the story picked up by the media. If somehow this is not covered by the TOS, an entrepreneurial lawyer will file a class action lawsuit. And we will get $10 credit for our service after the settlement. And then this 'service' will become a part of the telcos TOS.


What's the worst case scenario Mr. Cynic?

This is not Equifax-big so apart from the outrage by all the nerds nothing will happen and we will all be here next year outraged at some new privacy-raping revelation.


I have Verizon Wireless and have opted out of all of the options on their account privacy page a long time ago (at least a year), but I still show up in these tests.

What recourse do I have?


A VPN. ISPs and Telcos have made it abundantly clear that without significant legal and financial pressure, they will never respect the slightest modicum of consumer privacy.


And how do I know the VPN is trustworthy?


One option would be paying for a VPS on AWS or Linode or DigitalOcean or Vultr or any number of similar providers - pick the lowest spec machine, raw network throughput is not very hardware dependent - and set the VPN up yourself.

Streisand is pretty useful for this purpose.

https://github.com/StreisandEffect/streisand


If you go that route, please set up hosts-based adblocking as a FU to the advertising industry.


Why is a random VPS provider's ISP more trustworthy than your own?


Not intrinsically, but the VPS providers ISP has less knowledge about me than my home ISP. And I have a lot more choice between VPS providers than home ISPs.


You could run your own off of a cheap VPS (e.g. DO, Linode, Vultr, etc.), or your home router if it has that ability (e.g. openWRT). This is getting to be ridiculous.


I have long felt that opt outs are not respected.


This is a race to the bottom. This industry is neck deep in perpetuating a culture of surveillance that most here benefit from, and see no problem in stalking people around. So much for techies improving the world.

That's why moral and ethical posturing must be met with ridicule and skepticism. When it comes to actual action most people are much more narrowly focused with a unique ability to live in dissonance and hand wave and brush away nearly anything.

Only regulation with laws and consequences works.


So how do we get this voted for by the people of the US? This whole hackernews thread is full of nerds confirming if the lookup worked for their account. But what do we do?


Tell your Representatives and Senators you want a data-protection law.


Shamelessly plugging the Librem 5 [1] here, as this article demonstrates precisely why we need a privacy-focused, FOSS phone. While the carriers having access to some of this information would not be prevented on a carrier-based data plan (and I personally am not yet ready to switch to WiFi-only), using a non-proprietary Linux distro means much simpler VPN support (one year of free VPN is also one of the stretch goals!). It might also be possible to compartmentalize PII availability by using WiFi only with an external data hotspot (e.g. the ones sold by FreedomPop), perhaps in conjunction with a VPN.

[1] https://puri.sm/shop/librem-5/


You can already vpn pretty easily on an Android phone. The bigger issue is how do we know that the VPN is trustworthy?


One fairly trustworthy solution is to just set up a DigitalOcean droplet ($5/month) (or any other cloud provider, I just prefer DO), and host your own VPN. DO provides a guide at https://www.digitalocean.com/community/tutorials/how-to-set-...

With regards to setting it up on Android, that does alleviate this specific privacy concern, however it is still entrusting your OS to Google and our carrier, neither of which have the best track records in consumer information privacy. Android also has limited app access controls and frequently comes with carrier-required bloat/spyware.


FWIW, DO can still see who is connecting to your droplet and what your droplet is connecting to. That's probably fine for staying out of sight from your mobile carrier. But many of the top VPN hosts now explicitly offer "no logging" as part of their services, like Private Internet Access.

Don't forget that Android is open-source, open-source, non-backdoored versions of Android exist.


I used to set up my own VPN server. As I don't trust the firmware (that was trying to send the data to the manufacturer) I have implemented a whitelist-based proxy that would allow connecting only to approved sites. Pretty inconvenient to be honest because sites often pull content from many domains including numerous CDNs with long meaningless host names. A web version of Skype uses some 20 domains if I remember correctly.


I wonder if this is behind so many of the stories about seemingly impossible de-anonymization by Facebook.


Probably more to do with horrible opsec and machine vision than anything. Even pornhub can process their content to identify actors. FB buys a ton of data and accumulates from public sources. Other advertising companies do similar things by partnering with creditors. A use for this is matching sales with lead origination. Grocery stores do this with coupons.


Well, Google Fi does not seem to be selling my information . . . Externally


Same here, I'm on Google Fi and none of my information comes up. Only a "Joe Consumer". Ironic?


The second link worked for me. However, I only switched my number from Virgin Mobile to Google Fi about 6 months ago, so I guess the data might be old data from Virgin Mobile. I'm really disappointed in whichever of those two companies is doing it.


My Google Fi number brings up my name and location as a T-Mobile account.


Same here. On Fi and don't see any personal information there.


Or those site builders didn't care enough to make the API calls?


BTW, it doesn't make much sense for Google to sell this information anyway. They build vertical products on top of this information. If a third party wants identity verification, they can use Google account. If they want to sell ads, they can use Google ads. By providing information directly, they will be undercutting themselves. It doesn't make sense.


How is Google Fi? Is it a full replacement for Verizon and others?


Yes. It's basically an MVNO that resells on Sprint, TMO, and US Cellular, while trying hard to keep calls and data going over WiFi. As a consequence of that, it only works on newer phones that can do fast handoff between WiFi and cell. I use it. It works pretty well. My wife is still on Cricket and she got better coverage in the mountains of Colorado this summer, but I've been happy everywhere else.

The pricing is very as-you-use it, which works well for some people and not as well for others (it's great for people who use very little data but want flexibility; the international data roaming is amazing; it's more expensive than other plans for multiple-GB/month users). I put together a spreadsheet (copyable, google sheets) for comparing price vs GB/data used when I was trying to figure which carrier to use. If it's useful - https://da-data.blogspot.com/2015/10/comparing-prepaid-cell-... (Updated: I just updated the pricing, since it was getting a little stale.)

(Ob disclaimer: I'm part time at Google, but have no beans in the cellular stuff.)


Absolutely. It uses T-Mobile's network most of the time and T-Mobile has improved a lot in the past few years. Sprint and US Cellular are good fallbacks for rural areas.

Another perk is unlimited international data roaming at the same price as regular data, and at decent speeds too.

Billing is simple, support is great. The one downside is data is a bit on the expensive side. But since you actually pay per GB, the GBs are yours. There are no arbitrary limits or throttling that I'm aware of, tethering is allowed, etc. Also you don't have to predict your usage ahead of time to choose a plan. You only pay for what you use no matter how much or how little.

Disclaimer: I work for Google (but not on Fi)


> Another perk is unlimited international data roaming at the same price as regular data, and at decent speeds too.

IMO this is the killer feature rather than merely a perk. Otherwise, in most of the country, you're basically just paying quite a bit more for a slightly better payment experience and equivalent actual service.

(I'm a Fi user).


Also, you can order up to 9 other data sims which share the same plan at no extra cost. This allows you to utilize a cellular iPad or other devices with worldwide LTE data.


Under the hood it uses Sprint and T-Mobile's cell networks, so you're not completely free of them. But otherwise, yes it's a great replacement and the billing/plan is much better than the regular carriers.


After reading every comment here, I decided to read the actual post and found the links were obfuscated by bitly links. Since I think that is BS:

http://democf.danalinc.com/sphere/

https://dev.payfone.com/test/mobileauthentication/


> obfuscated

I was reading the article on my laptop and had to type the URLs into my phone, so I appreciated the bit.ly links.

Besides, "obfuscated" is a bit strong -- as evidenced by your post, no information is hidden.


Even if you provide a shortened link, nothing would stop one from adding the longer link, too.

> as evidenced by your post, no information is hidden

"not made obvious is a bit of a strong word, as your comment indicates, it does actually exist"

It kind of helps when you don't move goal posts mid sentence.


I think the purpose of these "obfuscated" links were to make them easier to type into you phone, if you happened to visit on your desktop.


Yeah, so like, we passed this bill this year:

https://www.usatoday.com/story/tech/news/2017/04/04/isps-can...

And Trump signed it:

https://www.nbcnews.com/news/us-news/trump-signs-measure-let...

Hey Republicans in the audience, can you at least acknowledge that on this issue, the GOP may have gotten things wrong?


Any way to opt-out of this?

I tried both demos mentioned in the article. The first loaded some generic looking data. The second pulled my phone number, name and address correctly.


There's a response at the bottom of the article (click "Show all responses") which indicates there's an opt-out mechanism.


Only for AT&T, and there's a response to that response that suggests that the opt-out is ineffective.

I noticed some weasel words in a bank's ToS back in January that should have been a harbinger of this kind of 'service'. I wrote to my carrier's privacy team, and of course, heard complete radio silence in return. Here's what I sent them:

> Hello,

> I recently opened an account at MEGABANK, and read through the opening documents. Towards the end of the documents is this paragraph:

> You authorize your wireless operator (AT&T, Sprint, T-Mobile, US Cellular, Verizon, or any other branded wireless operator) to use your mobile number, name, address, email, network status, customer type, customer role, billing type, mobile device identifiers (IMSI and IMEI) and other subscriber status details, if available, solely to allow verification of your identity and to compare information you have provided to MEGABANK with your wireless operator account profile information for the duration of the business relationship.

> You may opt out of this information sharing by contacting your wireless operator directly.

> Googling phrases in this paragraph shows many banks and other companies that have identical or very similar language in their terms of service or privacy policies.

> I tried to contact customer service to opt out of this sharing (I absolutely do not want to share this with anybody,) but they were unable to help me. Can you please let me know how to opt out of this information sharing on all lines on my account and to provide me with any other details you have available on it?

This has been a thing for at least this entire year, and the "opt-out" mechanism appears to be completely ineffective.


You left the name of MEGABANK in your second paragraph


Now we know where he banks. Neat.


At one of the five MEGABANKS or their subsidiaries?


Well this is scary. We should see more concentration on privacy/security at the mediocre tech companies (because engineer pay is a decent indicator of privacy standards and security strength), ISPs, health care companies and financial companies. They have very personal data and many of them actually sell the data (and apparently even unanonymized data).

I feel that all the talk of privacy at the big tech companies like Google, FB, etc. is unwarranted compared to the threat. They have solid security and don't actually sell data. Letting advertisers target viewers based on demographic data is different from providing anonymized data to people and they have policies that make sure that advertisers can't get too narrow with their targeting.


The dev link appears to be down. I guess someone shut the door or the API crashed.


Not Ting! I tried the first one expecting a spook, but Ting fed it bogus data:

https://i.imgur.com/woOZumM.jpg

ETA: The second one choked up a Wordpress error. So, not sure what to make of that.


I'm on Ting (GSM). The second link had my number, name, and address.


I'm on Ting, CDMA (Sprint) and neither link worked. Not found errors.


Well crud.


FWIW, both sites showed my real information initially, and now one of them shows that bogus info. I think they're just showing that default data due to load problems.


Values with a * are simulated values it seems, which means those values are unavailable, as per the footnote in there. Not bogus data from your ISP atleast.


Ting is so awesome

-a happy customer


try the second link :)


What does this mean for an average person like me? Based on the comments, I can opt out from those specific site but not from the phone company making data available to who ever purchases it? Am I better off going back to no SIM and only Google voice number pointed to a phone? (I did this for some time and recently put a SIM card back in.)


Wasn't it difficult living without data or a mobile phone connection?


The future is in empowering local communities and decentralizing power, via:

solar power generation

mesh networking

local social networks

identity that you control on your own phone

hopefully the phone hardware and security will be commoditized and auditable.

Here is what I'm talking about https://www.youtube.com/watch?v=WzMm7-j7yIY

Edit: why the downvotes? I am genuinely curious. Can people who feel this way explain?


I think you are being downvoted because you aren't actually answering the parent's question but instead are using the opportunity to sell some vision of the future that might be overly optimistic and in fact might present the parent's concerns as less critical than they should be.


But it does answer the root of the question!

"Based on the comments, I can opt out from those specific site but not from the phone company making data available to who ever purchases it?"

Well you can opt out of the phone company once people decentralize the stuff I mentioned. And then I said the same can be done for power generation companies and so on.

But anyway, even though I disagree with it, at least that is a possible reason I was downvoted.


Impressive; it managed to pull my phone number, my current address, my previous address, all without any info at all (I didn’t provide any info in the first link, just in case that was somehow priming the second one).


And scary.

Any code running on your phone has access to all this information, with just a few HTTP calls, when your phone is on cellular data.


I know a person in a telecom company in Analytics (Digital and CVM). They have the ability to see the phone number (only encrypted) browsing their current website. This information is part of clickstream but it is not shared with any third party because it's a confidential information that if shared without customer consent will bring loads of issues to company. The recent GDPR is one thing that keeps companies on their toes.


They’ve been doing this for years. You can also license real-time GPS and WiFi location. Perfect for geotargeted ad campaigns.


Can a telco access those things? My understanding was that this would need to come from the phone’s OS (or an app with appropriate access).


If you’re connected to the cellular network, they know where you are.


They aren't not talking about cell towers like the article mentions. They said GPS.


Many telcos have their own "customized" version of the OS.


How about iOS, can a telco access GPS location if there’s no telco app installed?


At the very least, they can use Cell-ID


Is anyone else getting NXDOMAIN for democf.danalinc.com?

Is that perhaps an "Oh, shit. They found us!" move?


Yes. But I think it's more likely they got contacted by some legal department.


Also getting an NXDOMAIN.


Insane to think an app on your phone can request the demo page to see the details.

I assume they have CORS setup properly to not allow any old JS to scrape it, they would have to explicitly allow origins access for that.


I believe a native mobile app would be able to make the request and scrap the data, regardless of CORS. Because basically no suspicious information is transmitted, it'd be pretty easy to squeeze past an app store review.

Of course, you could buy one of these services and have access, too.


CORS is strictly browser-side enforced, so yes - any app can make this query and scrape the response.


It looks like both demo services have been taken down.


Is this service available to personal developers? Do they prevent perverts/psychopath/criminals from using the service?

If a malicious stranger on a dating site sends you some link where he gets your IP addres. Using that service, he may be able to collect your phone, full name... and billing address so he can eventually knock at your door a few minutes/hours after your visited the link... How scary...


This is everywhere. Here in Eastern Europe they go as far as giving away your mobile phone number when you browse (or at least encoded token for spamming you via operator). I was able to opt out though.


What? Where exactly in Eastern Europe? I'm deeply concerned by this.


In Germany, this would be illegal without a very explicit opt-in. While the German data protection laws are stricter than the EU ones, this still surprises me to hear.


What are the chances that you accidentally "consented" in one of the myriad cookie popups clicked away each day?


None that would be lawfully binding. For stuff like this content must not be "surprising" or its void and courts interpret this very strictly.


Do you have any source for this that I could look at?


How does it work? I mean, most carrier here in Wurope don't give you an ip, your phone has an internal (10.xxx most of the time but also IPv6 only) ip and you are behind a NAT, which means hundred (up to PAT scalability) of devices may share a common IP. Those API would need the source port number in addition to the IP, is it the case?


One way, although I suspect it's dieing, is some of the network equipment supports header injection. So what will happen, if you go to an approved URL, the network will inject headers into the HTTP request that contain you're 10.xx IP address, IMSI, etc, which can allow it to survive a NAT.

This tends to get used mostly for internal traffic and partners where an agreement exists, although I think I read once that a US carrier messed up their configuration once and the header injection was happening on every site.

For encrypted traffic, I'm not sure what's happening these day's.


Caller ID is available via Twilio here:

https://www.twilio.com/lookup

Unlisted users might be able to present any data they please here:

https://www.listyourself.net/ListYourself/listing.jsp


What the hell can we do?

Cancel phone contracts and just rely on WiFi?

Other options?


VPN, with a local server for speedy access.


Local, meaning like in my car?


Local like in "your city", to reduce latency.


VZW (in .us):

First link: Didn't work, kept saying my billing zip code was incorrect.

Second link: "We used our mobile authentication to instantly discover your mobile phone number from the phone network." but it didn't show any information.


Verizon here and everything worked, all info. US


Verizon on the first link worked just fine here, but they made up porting dates and a few other things.


So when their service gets hacked two weeks from now, we can see the locations of VIPs? Celebrities? Rich people? When they hear about this (after their locations are leaked...) they’ll make telcos fix it, right?


AFAIK the carriers require a double opt-in for this.

The first opt-in, which the Medium article describes, can be online with boilerplate language. But then you have to opt-in a second time by replying to an SMS sent directly to the device by the provider with language pre-determined by the carrier. The user has to reply YES to the text message, and you have to keep auditable records of these things.

If these 2 providers aren't requiring the second opt-in step, I expect they'll be kicked off the platform pretty quickly.


I just visited both sites and both showed my full name, e-mail address, physical address, and T-Mobile billing plan information. I never opted into anything on T-mobile's site (and I can't find any opt-outs that I don't already have), I never opted into a text message, and only one of the sites required any other info (my zipcode).


I'd assume that's because the site in the article is a demo; the requesting and user IPs are the same. If they're different, then verification comes in.


If these 2 sites aren't following the carriers' policies, others aren't either. If these two sites exist, it doesn't look like the carriers are actively auditing for policy violations.

If true, it appears that any applicable carrier policies are not being effectively enforced. This is dangerous as it leaves the door open for selective enforcement of such policies by the carriers.


If that's the case, why don't the carriers do the second step themselves?

That's the very least they could do to protect their customer's privacy.


They're not trying to protect your privacy, they're trying to leave no money on the table. Selling your data is obvious, it's all they have above the commodity of a properly working dumb pipe.


Why do they care? They are selling access to your information.

More

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: