Hacker News new | comments | ask | show | jobs | submit login
Mobile customer location data is ending up in the hands of bounty hunters (vice.com)
748 points by petethomas 14 days ago | hide | past | web | favorite | 238 comments

I think we need to reassess how we treat data generated by users via phones, devices and our digital activities. We had the concept of private and public property long before intellectual property became codified by law. I believe that we are entering a new phase which may require the development of a new type of jurisprudence around things like location data.

I'm definitely not a lawyer, but I'm starting to believe there is an argument that despite the fact that mobile phones and devices facilitate the generation of location data, that does not necessarily mean that the device manufacture 'owns' that data and can transact with it as they please.

This may all be moot because most of us agree to Privacy Policy contacts, but maybe a mind shift in treating data you generate as a type of property that is covered by property law is required to change behavior.

How about we start with not allowing people to legally kidnap individuals?

I never understood the whole concept of “bounty hunters” in the US it’s not the Wild West anymore.

The problem here is that “fugitive recovery” doesn’t need to meet any of the standards normal law enforcement does and unless they kill someone or injure bystanders there likely won’t be an investigation into their conduct and even if there is one the result is often that at worse that could happen is then loosing their license. Criminal investigations against fugitive recovery agents are pretty darn rare and there is no internal affairs or any body that really investigates their conduct on a regular basis.

I’m pretty sure that a large amount of these people violate much more than the privacy of their targets on a regular basis.

> it’s not the Wild West anymore

They didn't get that memo. The mentality and folklore is that it still is. Laws, politics, government, privacy, policing, social mores, business and especially foreign policy all seem to retain the idea they are a frontier society blessed with Manifest Destiny. Their way, however flawed, is the only way etc etc.

The person writing the article was able to obtain data despite not even being a "real bounty hunter" (whatever that is). And it seems entirely plausible for a stalker/abusive ex/etc) to obtain the same data. So I think the collection and resale of the data remains an issue regardless of the bail bond/bounty hunter aspect.

The US can still issue letters of marque and reprisal:


The Fugitive: Evidence on Public Versus Private Law Enforcement from Bail Jumping


Know what's even more effective and cheap than Private Law Enforcement? Torturing suspects until they confess and shooting them on the spot if they are guilty.

My point is, this is not about effectiveness, but about legality. A constitutional democracy needs to stay constitutional and legal in its ways of delivering justice, otherwise it's not a constitutional democracy anymore but an anarchy.

Giving private individuals the right to legally kidnap people, as well as massive privacy violations like stated in the OP's article — without any oversight — at least to me looks like a massive violation of the Fourth Amendment.

The vast majority of bounty hunting cases are going to the addict/drunk’s door and reminding him he’s got a hearing to be at. The kind of glorifications you see on the teevee are virtually nonexistent.

As for the privacy aspect, well online privacy is observably a fiction and it always has been. Only naifs and fools believe otherwise in the face of overwhelming evidence. Sure there ought to be privacy online in some idealistic sense, but there isn’t in reality so act accordingly.

>The vast majority of bounty hunting cases are going to the addict/drunk’s door and reminding him he’s got a hearing to be at. The kind of glorifications you see on the teevee are virtually nonexistent.

I somehow doubt that's what they make the money on because they make money on bail skippers usually a percentage of the set bail.

In any case if you need someone to appear in court there is something we call a police force which should be used.

You do realize the fugitives in question voluntarily entered into a contract with the bondsman right? Frankly, getting driven to the court appearance is a mild and totally appropriate response to the default. It’s way better for the fugitive than having the marshals called in.

As far as I am aware the marshals are called only in federal cases or cases where state lines are crossed, in all other cases it would be your local sherif department.

We have contract law for a reason any contract can be made illegal regardless if someone has went into it of their own volition or not.

By this definition we can also legalize slavery or indentured servitude, not to mention that I wouldn't call a situation were the choice is either debt or prison having freedom.

There are one or two bounty hunters live streaming their job at twitch. The vast majority of their job is sitting in a car, driving. But it usually doesn't seem to involve showing up at an "addict/drunk’s door"

I agree with you, but that seems to be a different issue. We'd have to think about data even if bounty hunters wouldn't exist.

> How about we start with not allowing people to legally kidnap individuals?

Then you'd have to give up being able to afford bail; without bounty hunters, bondsman would have no recourse when you didn't show up to court and thus not much incentive to loan you bail money. You're not being legally kidnapped, you agreed to those terms when you borrowed the bond money for bail.

The bail system itself is abhorrent if there isn’t a reason to lock you up until trial then you shouldn’t be locked up, if there is you shouldn’t be able to buy your way out.

Most other countries have figured out how to serve justice without a system that discriminates against the poor.

Too many people can’t afford the down payment or can offer a collateral to get a bail financed those who can end up being indebted to them you are advocating for the legalization of loan sharks.

Bail is a common mechanism outside of US too.

Depositing money as part of bail is only really a practice in the U.S. and Philippines.


> "Only Duterte’s Philippines and Trump’s United States of America have money bail."

It’s not about the amount of bail but rather the price of a bond.

If the bond costs 10% then you can’t pay bail if it’s set to 10 million or even a million or even lower for most people, if it’s capped at say $100 something that even some US states do then it’s not as much of a problem.

If you look at the US bondsman industry it’s focused on the states not with the highest average bail set but those with the highest prices on bail bonds.

Most other countries don't have our intractable political system; bondsman solve a problem, they let people get out of jail when the government is being absurd.

And do you think the bondsmen don’t have an incentive to keep the status quo?

It’s a multi billion dollar industry which effectively taxes the poor.

Make bounties illegal and it fill fall, once it falls the entire bail system in the US will have to be rethought as there isn’t a way to lock so many people up, more judges will release them until trial without setting a bail which they can already legally do and do so for minor offenses.

Bounty hunters are not universal. For example, here in Oregon they are illegal.

There is also no private bail in Oregon afaik, but I think only 5 states or so are like that.

Yep, we set a bond, and you can pay 10% to the court to bail yourself out. If you skip, the sheriff is the one who will come for you. Though in practice most people are released on their own recognizance, no bond is set except for serious cases.

Also, Oregon doesn't just outlaw bounty hunters as part of our own process, we outlaw them altogether. Bounty hunting is classified as kidnapping.

While there are many things Oregon could do better, there are a whole bunch of things, like this, which I think we are absolutely right on.

You're putting the cart before the horse; until you change the government and thus the bail system, we need bondsman. Making bounties illegal won't stop judges from setting bails people can't afford and is thus not a valid solution.

There are several states with no private bail including Oregon and Massachusetts somehow I doubt that offenders in those states are worse off.

In a country where judges are elected a multi billion dollar has a lot of power in determining how bail is set by the courts.

If you think that judges that get donations from bondsmen don’t take that into account when setting bail you are very naive.

This is the exact same problem as private prisons the justice system should not be monetized for profit.

You finally explained a mystery to me why growing up in Oregon, I've never seen a bailbond place with its flashy neon signs and general run-down areas outside of courthouses. Something I became fairly familiar with moving around California.

Very dumb argument. There is no cart and there is no horse. Eliminate the bail system and something has to fill the void.

I remember seeing one in LA. I thought it was fake! Like a tourist attraction.

I grew up in a town where the mayor was the bail bondsman. His son was the district prosecutor.

A perfect, no-frills example of the typical dynamic between bail bondsmen and government.

How strange that I received the maximum possible bail amount for a crime that I didn't even commit. Surely there couldn't have been an incentive for the son of the guy who makes the laws to illegally prosecute and fine a minor whose only way to finish graduating high school is to pay the damn fine, so that the guy who makes the laws could collect that fine... That would just be corrupt.

The bail money isn't an essential part of the system either. Most other countries have radically different systems; in the U.K. it's unconditional and free for minor offenses with escalating conditions (and violence may result in no bail at all).


It's essential in a system where changes to how government operates largely aren't possible due to partisan divides; bondsman are a free market solution to absurd government policies on bail. When you can't fix the government, you go around them.

btw, that wasn't me that down voted you.

The majority of bail isn’t prescribed at the federal level plenty of states can go way with it if they wanted too.

The whole concept of bail shouldn’t have a place in a modern society.

No one said anything about the federal government; state governments are just as absurd and just as divided.

The majority of states are completely controlled by one party (the majority of the legislature and the governor are belong to the same party), and only one state has a split legislature.

> Then you'd have to give up being able to afford bail

California did this last year. People still get released pending trial, they just aren't required to pay a private party for the privilege.

Perhaps other legal systems exist around the world which have been able to deal with this over the course of history?

How come this doesn't apply to any other sort of debt this is really bad logic.

making a citizens arrest is not the same as kidnapping... anyone can make a citizens arrest if a crime is being committed, this is perfectly legal. Kidnapping is when you detain someone who has not committed a crime.

No need to invent new jurisprudence - if the location data can be used to identify an individual, it is personal data under the GDPR and enjoys all the rights and protections enabled by the regulation.

In the US it is actually a big deal because data is not a "creative work" so it is not covered by copyright protection.

Because of this, black market re-sellers can operate with relative impunity. Most data brokers have a TOS that prohibits the re-selling of their data, but there isn't any copyright protection.

For example, if a company has location data, the only way for them to be held liable is for a particular company to prove they obtained that data directly from them. Once the data has reached a minimum of two parties, everyone now has plausible deniability. If this data was under copyright, the original copyright owner would always have a claim and it would be each parties responsibility to prove they had a right to hold and distribute it.

The lack of a copyright style concept of original owner allows data to flow freely even if that transfer is violating a specific TOS.

You're trying to use the wrong kind of law for the problem at hand.

>In the US it is actually a big deal because data is not a "creative work" so it is not covered by copyright protection.

It doesn't need (and shouldn't be) "copyrighted".

It's enough that the law classifies it as private info, and protects it from any third party without an immediate consent.

As someone who has worked with a couple data aggregation startups, I find it surprising I am unaware of the laws that classify it as private info(or even the legal definition of what "private info" is).

With that said, I am certainly not a lawyer and was never directly involved. Which particular laws are you referring to?

Edit: I should mention I am aware of laws preventing the collection of certain types of data. But unaware of laws about possession of that data.

>As someone who has worked with a couple data aggregation startups, I find it surprising I am unaware of the laws that classify it as private info(or even the legal definition of what "private info" is).

As a European, I wasn't saying that you have laws that classify it as "private info".

I'm saying that you _should_ have (or get) some such laws.

Including laws about the "possession of that data" -- GDPR for example covers both collection and possession, and which cases either brushes against the law.

Ah, my apologies. I misunderstood that and thank you for clarifying. I absolutely agree. I hope we, in the US, come to a point where we treat personal info in a similar way. Best regards from across the pond.

some of us are in the USA, (including article's author). The privacy realities we face are drastically different than in the EU.

That's fine for you Europeans under GDPR. (Sure, there's careouts for weird exceptions.)

That doesn't do diddly for us US citizens living in the US. Our data policy is "we will sell your data, too bad so sad".

It is kind of our own fault, though.

Judging by the sentiment on HN when GDPR was coming into effect, if something like it came up for a vote in the US, a lot of HN users and other tech people would vote against it.

There was no shortage of angry geeks posting articles about their service turning away EU users rather than complying with GDPR.

If you work in tech or marketing your salary comes from eroding privacy. There is a lot of money at stake here and people don't vote against their interests.

Europeans aren't inherently better: if Facebook and Google were companies founded in Germany or France who knows if GDPR would exist.

Europeans aren't inherently better: if Facebook and Google were companies founded in Germany or France who knows if GDPR would exist.

The Data Protection Directive, which the GDPR merely extends and updates, is older than Google and almost as old as the web itself, and was an attempt to unify even older national laws regarding personal data. It's not a reaction to having "lost" the privacy-eroding race.

European politicians don’t have to spend 70% of their time begging corporations for campaign donation. I believe this is much more of a determining factor.

I don't know if I'd say that. "Tech" is a really big field, and most areas don't have anything to do with eroding privacy.

Unfortunately, many areas that would have been "safe" years ago, like games and standalone applications, are moving in the direction of violating privacy by phoning home and sending "telemetry" data, but there's still a lot of areas that are good.

I'm a sysad for a small company. We have an on-prem solution and a social media app.

We don't sell our data. We don't trade it. And we adhere to a fedramp medium (in spirit), even though the social media site wasn't checked for that.

Users have control over their profile, and we admins cant even read it (unless we read raw DB, and we dont). And deletion requests entail in zeroing out all user's data. The next day, zeroed data is then purged completely.

Seriously, companies can do this right. And I work for one that absolutely does this right.

Europe has had data protection laws long before Facebook and Google we’re a thing. The concept of GDPR wasn’t invented because the EU were angry at American companies; it exists because there is a need for it. Just as previous incarnations of data protection laws existed in the EU before the web was a thing too.

Also I resent being told that anyone who works in tech gets their salary from eroding peoples privacy. I can guarantee you that hasn’t been the case for any of the jobs I’ve had in my career.

Hi I work for a printing company as a full-stack developer. My work involves things like writing API wrappers to ingest order flow so our customers can print brochures, or building web UI tools to create and order print resources. The last algorithm I wrote was to generate 5000 unique BINGO cards. Please explain to me how my salary comes from eroding privacy.

I think we can agree that what you do and what your salary "come from" can be distinct and can be influenced by other things. There are engineers at FB whose sole job is maintaining REACT.js but they are paid from the money made from selling data.

Further, and I want to make it clear that I don't mean this as a value statement, but is a printing company what most of us really think of a the "tech" industry? and by extension does that really make you the subject of what you are replying to?

There is a huge amount of tech in the print industry, believe it or not

The demand from these mega companies and their pay keeps your pay high.

No it doesn't. We don't sell to any tech companies. We do like, manuals for baby seats and stuff like that.

It does indirectly because their demand inflated demand for programmer talent.

The money they have to acquire companies raises the valuation of all startups.

I’m surprised most people don’t realize this.

>If you work in tech or marketing, your salary comes from eroding privacy.

Your own inherent weakness in morality doesn't implicitly infer that this is the inherent truth for everyone else in the tech or marketing industry. (Perhaps, moreso for tech than marketing but I digress.)

Not everyone in either industry is inherently on the "I'm just in it for the money" bandwagon.

I work in tech, but my and my companies work definitely doesn't involve eroding anyone's privacy.

People living in Germany and France think differently, if Facebook had been invented there, there is IMO a good possibility it would be less privacy-invading.

That plus there are good historical reasons for our strong privacy laws.

Not all tech comes from slinging ads.

I would hope that those people would at this point realize that the upset about the GDPR was completely overblown?

Were these people that actively work on projects that depend on this data for their business to remain viable?

This is a double edged sword...in the EU it doesn't matter because they didn't have a internet economy to begin with but here in the US a lot is at stake.

So if you want better privacy laws in the US then they have to be much more clever than GDPR to not destroy the economy and global competitiveness!

BTW: Personally I think it is possible to do better than GDPR here in the US.

As a percentage of GDP the so-called "digital economy" isn't much less in the EU than in the U.S. See, e.g., https://www.imf.org/~/media/Files/Publications/PP/2018/02281...

Excluding the U.K. and Ireland (tax haven) the difference between the EU and U.S. is greater, but (eyeballing) only on the order of 30-50%--e.g. ~4% vs ~6%.

What's more surprising is how small the share of GDP is the digital economy in the U.S.

That said, "digital economy" may be a poor proxy for understanding the impact of privacy regulations. It's a superset of tech industries, including much more than those parts which broker private information and to that extent would overestimate the impact. OTOH, I presume "digital economy" excludes large parts of non-tech industries (i.e. traditional sales and marketing companies, TV and newspaper ads, etc) and thus underestimates the potential impact.

I guess it depends on your definition of digital economy...I was referring to companies of the size and influence like Apple, Amazon, Google, Facebook, Microsoft, Oracle, Airbnb, Tesla, SpaceX, etc

The subject’s location is necessary for the performance of the bond. As long as it’s clearly disclosed, there should be no problem signing over those rights as part of the contract. If there is, the bondsman can just make you wear a tracking anklet.

relevant clip:


on a more serious note, even if such data is not resold commercially, and even if more detailled surveillance by a real human analyst only occurs when automated red flags are raised, and the system was designed to only allow the analyst access to the detailed data if enough or the right combination of red flags are raised there is a remaining problem: if your job consists of interpreting all day long the details surrounding red flags concerning an individual case by case, and an individual piques your interest (legitimately or not) and if your access to detailed surveillance on this individual expires when the red flags expire (in order to keep the analyst workforce focussed on their job, not their pet theories), then it becomes trivial for the analyst to "tag" an individuall of choice (out of curiousity, fascination) or a previous target (to prolong detailed surveillance): just arrange for an automated red flag concerning this individual to go off! you don't need to guess what types of automated red flags exist since you are constantly handling cases of individuals, and the red flags that were triggered!

(Oct 15) A few months back, my sister visited me in the city I live, and at one point she asked if I could use a prepaid sim card that was soon to get expired (16 days later or valid till including Oct 31), I said I don't really need it, but if she couldn't think of anyone else I would probably use it to call some of my more remote friends (I usually text). She remarked it was stupid that she had forgotten to bring the card. I remember asking why she bought it if she didn't use it?? But she said something along the lines of "I'm not really sure", I had the impression she didn't buy it, but in turn somebody had given her the card... I also said it's OK if she gave it to someone else. At that point I assumed that was what would happen, and simply forgot about her mentioning the SIM card.

Here in Belgium, the mail is delivered "D+1", so pretty quickly..

(Oct 24) Nine days after my sister visited me, I am staring out my living room out on the street, and I see the postman going through the street and crossing to enter the apartment building I am in. After a while I notice him at the end of the street, so he already passed.

I go down to check the mail, and there's a notification card, telling me about a letter with insufficient postage, that I wasn't home, and that I can go to the post office if I wish to pay and receive it nonetheless...

Here the weight for a single post stamp is 50 grams. So thats quite a letter. I had forgotten about the SIM card and started fantasizing about a (long) loveletter from N (a girl from the past).

Obviouly I go to the post office, I say I want to pay for the postage, and I ask who the letter was from. The employee looks at me as if I don't understand the postage system and says: "If it had a return adress, it would have gone straight back to the sender. So the envellope did not state a sender, in which case the recipient can elect to pay for sufficient postage." I suddenly had a flashback to elementary school, and these once-deeply-studied facts long ignored immediately sprang alive. "Of course!" I said...

I ask when I will receive it, and he says it depends if I want to go pick it up today at the main post depot, or if I wish to receive it by mail, and in that case in just a few days. I tell him they can send it by mail.

From then on, the first thing I do upon awaking, is run down to get "N's loveletter". However no letter marked with "insufficient postage" stamp arrives.

(Nov 1) The SIM card expires.

I distinctly remember one day noticing it had already been exactly 2 weeks and I still didn't get the letter. That same day (Nov 7) I read in the papers that the national postage system starts a strike, and mail already underway will be on tine, but new mail may get delayed.

The strike is still ongoing about 2 days later, when I finally receive the letter marked with the "insufficient postage" stamp. Immediate dissapointment: it's not from N but from my sister, and it's the SIM card.

Immediately more inconsistencies pop up: 1) my sister did of course as always state her name and return address on the letter 2) the whole envellope, greeting card, unopend prepaid SIM card weigh less than 20 grams, let alone 50 grams!

So I fire up my abductive reasoning skills.

Of the hundreds of letters I receive:

What is the probability or how often do I receive a letter that is insufficiently stamped? it was my very first such letter!

Moreover what is the probability that a letter is incorrectly marked with "insufficient postage"?

Moreover what is the probability that a letter with return address is sent on to the recipient if it has "insufficient postage" ?

Those co-incident probabilities are very low indeed. And it is also the first letter I receive that contains a prepaid SIM card. Bingo! obviously authorities do not want people mailing unused prepaid SIM cards! That may re-anonymize any over-the-counter de-anonymization, like paying with card!

Probably criminals (perhaps also investigative journalists) create demand for clean SIM cards, where the cleanliness to the buyer is illustrated by the prepaid SIM card package still being unopened...

So the motive to detect and intercept SIM cards in mail exists.

Now I obviously get curious, how did they detect this in the benign case of my sister sending me her almost expiring SIM card?

The actual SIM card is to be broken out of the larger card, which states the PIN and PUK code...

This larger card has the same dimensions as credit/smart cards...

They both contain a chip under the contacts...

Some credit cards contain RFID for contactless payments...

So I postulate abductively that the larger card with PIN and PUK code contains an RFID coil, and when breaking out the SIM card, it's connection to the coil is broken!

Are these RFID tags visible with off the shelf commercial RFID readers? or are their also "secret" tags that the readers refuse to identify by design? If so, and someone finds a way to detect this secret class of RFID tags, then we may find more of these in unexpected places/locations...

I will see my sister back in a few weeks, and she will obviously ask if I made use of the SIM card. Now I hate lying, and I also hate dissappointing people when something is not really my fault, since the unjustified inssuficient postage delay caused the card to expire. Then I will ask if she actually bought the card herself, was given the card, or if she somehow found the card, for example mysteriously in her mail box...

Everybody has their own SIM card, nobody really needs an extra one, and my sister is not very sociable, she wouldn't know who to give a surplus card about to expire.

So if an analyst wanted to tag me (or her), it is entirely predictable she would ask her younger brother if he perhaps could use it! And that she would send it by mail (since we live in different cities).

Any future analyst will come to believe this red flag in the record is genuine, and not a placed one! It is entirely conceivable that there are some very unlucky people with a boatload of flags on their record, which convince the new analyst that this individual needs more tracking even if the last flag expires... so they place a new flag! and after this analyst's second term of observing the individual, he gives up, ... until next time a new analyst observes the person's record, is amazed with the richly filled flags in the past, and perhaps does the same....

Now apart from being overzealous and having pet theories, what other motivation could the analyst have to bypass the agency focus mechanism by placing tags? What about pure boredom? The first time you investigate a bunch of neo-nazi scum you are all excited, and the first time you investigate some angry muslim lowlife, you are similarily excited... but after a few weeks/months/years you realize there is nothing exciting, just the endless stream of boring as hell hitler greetings, and the boring as hell angry muslim's communicating things like "the infidel whore!" etc... It's like working at the zoo, when you are small it seems awesome, and the public part of the zoo is nice, but when you actually work there, the non-public part of the zoo is just grim walls, and shovelling different kinds of excrement. Of course the analyst / zoo employee tries to make quick work of the shoveling part, so he can spend some time checking out the lizards or whatever kind of people really fascinate him in an entertaining way!!

This is:

a) the longest comment I’ve ever read all the way through on HN

b) an interesting anecdote

but c) most likely a coincidence.

I agree that the likelihood of such a thing happening is miniscule. However, I’ve had all sorts of strange postage-system-related issues in my time (granted, I’m in the US, which has likely a much worse system) and it doesn’t seem that far out to me that such a letter would have been mishandled by what is likely an automated system.

Maybe if you buy a SIM card and send it to someone else, you can get more conclusive evidence about whether prepaid SIMs are genuinely slowed in transit or if you were just very unlucky. One occurrence does not a trial make.

a) I didn't realize how long my post had gotten in the tiny entry box, until after I had posted it... but I will gladly accept the dubious Cup of "Longest readable HN comment in the Guinnes Book of Records"

b) Yes I also think it's very interesting. Initially before coming to these suspicions, I was pissed off about having to dissapoint my sister next time I see her, and the money that was lost buying the SIM card etc, ... but the longer I thought about it and noticed all the inconsistencies in what had happened, it's actually a nice puzzle/gift to receive! Turns out the journey really is the reward after all

c) I have also thought about possible mistakes, but really there is little that can go wrong with a strain gauge! And even if the strain gauge somehow broke, there would have been a long run of letters suddenly appearing for redirection, surely this would be noticed and the letters reweighted... And even if it is incorrectly marked with "insufficient postage" both the sorting which is supposed to redirect it to the return address, as the eventual post man who did not ring failed to see the return address! And with D+1, a delay of ~20 days is totally unheard of (counting up till Nov 7th when the strike was anounced)...

in my response to a sibling of your comment I describe we can simply dissolve a fresh prepaid SIM card to detect the presence of a possible RFID loop antenna

I have no idea what your story is trying to say.

I am saying I believe the creditcard-sized card that contains a fresh prepaid SIM card, probably contains an RFID loop antenna.

This is trivial to verify or falsify, just buy some acetone in the hardware store:


I already bought the acetone, but I did not yet dissolve the SIM card, I want to do this in front of my sister, so she understands why I attach importance to finding out the origin of the unused expired SIM card she sent.

The card is supposedly expired anyway (well to be honest the validity date is printed on a sticker on the outside of the plastic foil package, so in theory it may be a still valid card with a fake early expiration date to encourage my sister to hurry with giving it away...).

I did not yet dissolve the card, but I feel pretty certain there is an RFID coil inside, and that is how they detected and stalled the letter without opening it. Stalled to determine if it is OK or not to allow the card to be sent on or not. "insufficient postage" to increase the possibility of the recipient deciding not to want the letter.

If you can't wait a couple of weeks to hear back from me if there is an RFID tag inside, you can try buying a prepaid SIM card and dissolving in acetone yourself. If you or someone tries this before february, I would like to know the result.

The whole story got me thinking that the human analysts that process and interpret red flags can easily build a repertoire of tricks to arrange for a red flag concerning a person to go off.

If my sister provides me with a name (perhaps even an address) of whoever gave her the card, I could consider tagging the person back (by sending the SIM card to him).

However I think it is unwise:

1) the person who gave it to her would not necessarily be the analyst, it may be an informant (perhaps a criminal turned informant, in which case I am effectively tagging myself into association with a criminal!)

2) if the person who gave it to her was the analyst, and I addressed the letter to Mr [name] "The Tagging Spook" [surname], and possibly arrange for the letter to have insufficient postage, while hilarious that my case file would then contain a red flag associating me with the analyst called out as a spook, it's unclear how he would react. Any future analyst could notice the burnt name of a colleague. He might need to self-report his bypassing of the automated system raising supposedly spontaneous red flags... Also, I estimate it would not be wise of me to go and poke the hornets nest. So I think I will stay with just observing and learning...



Neat read, and Godspeed.

Not sure whether your theories on there actually being an infrastructure for doing these sorts of things is correct, but even a 5 minute google search seems to suggest it is well within technical capabilities to do so.

Might do some more searching for ISO's and other Engineering standards related to them. Telephony is highly dependent on uniform technical standard adherence, so it's out there somewhere. I doubt that the RFID is in the plastic containg the card, it's probably in the card itself.

The unusual coincidences should be pretty easy to replicate with a P.O. Box, and could be consistent with holding times for information propagation or authorization.

Definitely seems like something to mess with if you are bored!

You'll be amazed the things you can find out when you start to peel back the layers, but don't be disappointed if it's just a coincidence.

>Not sure whether your theories on there actually being an infrastructure for doing these sorts of things is correct, but even a 5 minute google search seems to suggest it is well within technical capabilities to do so.

The infrastructure would just be an (perhaps surveillance grade) RFID reader and a small office or locker where the suspect letters end up at each post sorting facility, so a security officer or perhaps just the branch manager can store these until the surveillance state replies what to do with the letter.

I also believe it is probable the standards are visible somewhere, just like I remember the bulk of the surveillance state in Europe was/is visible pre-snowden in very high detail through the ETSI (european technology and standards institute) standards.

> I doubt that the RFID is in the plastic containg the card, it's probably in the card itself.

I may have used the incorrect word with "contain", so first the SIM card and the PIN and PUK card are one and the same card, before breaking out the SIM card. I mereley suspect the larger PIN/PUK card to contain the RFID coil, because the perforated C-shape around the SIM has the open part of the C directed at the closest edge. Of course it is possible that the RFID coil is in the smaller piece of SIM card itself, but I don't think so because: the contact pads would provide shielding to the coil, and to have the same total area as a 4 turns in a Credit Card size, the coil would need many more loops. As a designer I would prefer putting the RFID loop in the larger card.

So I did not mean to say that the coil is in the plastic wrap or anything, in case that was how you understood me.

It may seem weird that (if I am right) the surveillance state designed the SIM cards so the connection with the RFID coil breaks, why not design it monolithically such that you can also track used SIM cards in the mail? I simply predict that there is demand for clean SIM cards on the market, and unopened prepaid packages are considered clean, but then the coil is not broken yet... so used SIM card's may turn out safer (if the previous usage was clean)...

I agree the holding times would be roughly reproducible, but I don't want to cram my file full of red flags...

Yeah, spying involves lots of deceit, and as everyone (hopefully) rememmbers from kindergarten, the web of lies only grows (and the observable inconsistencies grow with them)

If it hadn't been stalled, I would probably have ended up calling some friends from university time, probably only spent 2/3's of the call credit before it expires, then simply went on with my life. It's their reckless tradecraft that betrayed them. I have no problem talking openly about what I suspect, I am pretty sure plenty of actual criminals have noticed this before me, but they probably don't talk about it in public fora...

Oh,no worries. I just think that SIM and handset manufacturer's are going the route of integrating NFC into handsets to support SIM stored payment credentials. I know for a fact it's a hot item in the FinTech industry.

Odds are, you could get a generic reader to get a chirp out of an RFID even without the PIN/PUK card that wouldn't be present in any other package.

IF I were an evil surveillance state taking an interest in mail borne SIM cards in ANY state (I mean think about this, if you could automate it, figuring out the networks of people who often send SIM's to each other in and of itself is a useful data point) I'd exploit using a small machine that can be innocuously placed on the sorting line to get that chirp.

Biggest problem I imagine would be possible tipping off through damage caused to EMF/RF sensitive packages, but I've not really looked up the math or engineering involved enough to make an educated guess.

Like I said. Interesting problem, and I seriously hope you're not right. That's levels of cyberpunk dystopia that just shouldn't be possible in anything remotely resembling a healthy society.


I'm afraid you accidentally posted your canned response about the GDPR next to an article that directly refutes it.

The opening paragraph of the article:

> Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States.

Do you own a phone?

And? That doesn't refute anything I said. And no it wasn't a canned response.

> It's not your data, it's my data about you, I own it, it's in my databases

And there you have the main difference between European and US laws and mindset. Because it is my data, you are only allowed to store it in your database as long as I say you can, and you can only use it for what I have agree on. Since it is my data you cannot give or sell it to anyone else

No, it isn't; the product of my labor belongs to me. Whether it's photographs of public spaces or data logged in public spaces, the data I put in the labor to collect belongs to me. If I write a book about you, it belongs to me, it doesn't matter that it contains data about you: you don't own everything that happens to be about you.

I don't think it's enough or sufficient to make "bad" actions against the law. It's better and more comprehensive to make it difficult to take "bad" actions and "easy" to take good ones.

People break the law all the time, and if you're high enough up the food chain Eric Holder will leave you be.

> More specifically, the screenshot showed a location in a particular neighborhood—just a couple of blocks from where the target was.

What gets me is that the writing on wall appears to be that this data did not come from an app on the phone but from the phone company themselves, data collection that is required by the government.

"A couple of blocks from where the target was" implies to me that it was locating the nearest tower. Lat/Long coordinates of the phone within 300 meters is required by the FCC to be received by the telephone companies for Phase II of Enhanced 911. They might be snapping the lat/long to the tower, and then calling that de-identified enough to sell.

If a bounty hunter can get your snapped lat/long on demand because of E911 requirements, you better believe a TLA can as well--and probably unsnapped.

The government is supposed to need a warrant post-Carpenter:


Thanks for that. The point I'm trying to make is that they create the framework for this stuff in seemingly obvious and necessary laws and regulations. Then, when it's needed, "Well look-a here! Good thing we forced that other unrelated thing. That's a nice personal locator you've got there."

Meaning: Thanks to e911, a seemingly perfectly acceptable requirement, we now carry around devices that can be used to locate us. Warrant or not. Because "Let's require everyone to carry around a transponder" doesn't work whereas "We are just trying to protect you!" does.

Phone companies were able to triangulate phones before e911, right? e911 just makes it mandatory to have the triangulation hardware/software actually deployed and linked up with 911 call centers, but (GPS aside) I would have thought telcos could have done that on their own with or without e911.

So an offence against the espionage act then - it would probably be one under the official secrets act in the UK (unless your a tabloid journalist)

Maybe we should think about location data in a similar way to photographs. Both are generated by smartphone hardware and software, but the person who presses the shutter button legally owns the copyright to the photo, not the device manufacturer or carrier.

Why don't I own the copyrights to my location data, and why doesn't the carrier need to license it from me in order to sell on to these bounty hunters?

The data is created by the phone towers that you connect to. Its a similar situation to when you visit a website and the server logs your request.

Regarding the actual copyright question: copyright requires 'creativity'.

The creative act here is my movement. If I go to an open space and walked the outline of an airplane I have created something, even if it can only be viewed in the data that the phone has collected, the creative act was mine.

One cannot copyright facts else the first one to blurt out a truth would be the only one allowed to speak it. The fact that the truth contains facts about an artistic endeavor doesn't make the actual data about reality an artistic endeavor as the recording of those facts is in no way creative.

If you filmed yourself walking around like an airplane you would own the clip. Blog about it and you own the article. But the space you occupied at 10:35AM last Thursday is a singular indisputable fact with not an ounce of creativity. In fact more to the point even what they have is actually facts about their own equipment like which tower you were close to at that time which its hard to imagine you owning.

There are laws designed keep people from collecting and misusing your data in countries not run by morons. There is no reasonable way you are going to acquire this same privacy and protection by trying to misuse copyright creatively. I'm sure actual lawyers are likely to regard interesting legal theories the same way engineers regard interesting theories on how to make engines run forever for free via magnets.

Exactly. There are a lot of people out there doing Strava art, which to me is undoubtedly a creative work, and more creative than a typical selfie or vacation shot. I believe copyright covers all photographs, regardless of their artistic merit. Why not also location data?

For those unfamiliar with Strava art: https://www.cyclingweekly.com/news/latest-news/five-best-str...

I've been saying for a while (check my profile) that user data should be treated in much the same way as nuclear raw materials.

Meaning small amounts properly contained (i.e. in a smoke detector) is fine and if you need to collect and especially concentrate larger amounts you should need to go through a whole lot of useful hoops to weed away less serious companies.

Even if the subject had legal ownership and control over their cellular location data, they would certainly have to sign it over to the bondsman. Just like you sign over the right to hunt you down and physically capture you (which could otherwise be grounds for a lawsuit against the bounty hunter).

“We had the concept of private and public property”

maybe in the western world. in a lot of other places the whole “privacy” thing is fuzzy.

It should be illegal to sell people's data without a wet ink signature. That's really the end of the story.

Adding: You should still be able to use services, without consenting to them selling your data, like you can under the GDPR.

Would your tune change if by not agreeing to sell your own data, the service charges you money?

If we're talking about the GDPR, the service can ask you to sell your data, and it can charge you, but it can't force you to choose between the two. Data ain't currency.

And what is the answer if we're not talking about GDPR?

> the service charges you money

They (mobile carriers) already do charge me money... What's your point?

Exactly this. I’m already paying them. I’d be open to a “won’t sell your data” surcharge, but I doubt that would last long due to the political implications.

Absolutely. I do this every day to avoid ads. Happy youtube red (or whatever they call it) subscriber. I'd pay most services I value to opt out of data sharing.

I know many people don't get enough value out of services like Facebook, but I do. There is a price I'd pay to Facebook to use their services to not have my data sold.

Amazing chain of data transfer there. Likely with each one obeying their individual terms but the terms being lessened at each step of the line.

AT&T/Verizon/T-Mobile --> Zumigo --> Microbilt --> Bail bond company --> Bounty Hunter --> Motherboard

This is outrageous. In the last congress Republicans voted to strip what little privacy protections we had from network providers.

Are we gonna talk about the Silicon Valley VC's investing in these shady companies?

> Zumigo is a pioneer of mobile services providing _deeper insights_ into consumer behavior to help secure transactions, devices and identities.


> Intel Capital

> Aligned Partners

Investors are gonna invest, right? They're there to make money. Presumably they believe the company's operations are legal and likely to provide returns.

VCs have a choice in whether or not to invest in unethical things. If they pay money to an unethical cause, that's them supporting it.

Criminal investigations have to stand up to court scrutiny. Fugitive recoveries do not. I expect there’s a lot more misconduct where this came from.

The whole bounty hunter system sounds like something out of a bad movie..

I would be very surprised if it wasn't full of abuse stories.

Professional law enforcement agencies are a recent development historically, and for a long time were resisted as something out of an authoritarian dystopia. Policing was the job of amateurs and freelancers for much longer than it’s been a civil service bureaucracy. Even death investigation was, until recently, a side gig for the town doctor.

Yep, and there are good reasons that policing was put into the hands of professional agencies.

London's self-proclaimed "Thief-Taker General" is a good example. A gang leader who made money through both committing and "solving" crime.


How is this relevant?

Human rights is a recent development, that does make them a bad idea? Or justify violations :)

The concept of a professional trained police force is well proven by now, I see no reason to question it :)

Parent said bounty hunting something out of a bad movie. So did institutional policing, at the time.

Its almost like we outsourced our civic duties to hired guns

Considering they tend to have names like "Dog" and "Bossk" I would agree.

Yeah, sometimes the name just says thug :)

Obligatory Dale Gribble (from King of the Hill) Reference:


"You're telling me there's a poorly trained, quasi-legal police force that operates with few, if any government controls? ... It's about time."

I wonder if any of those companies had access to, and sold, roaming European users location data. The GDPR may possibly be weaponized if it was the case...

The GDPR doesn't apply to "roaming European users."

What's your reasoning for this assertion? If the user is a European citizen, I was under the impression that GDPR was applicable. The location at which the user is at does not matter one iota.

US companies need to understand this, or risk losing trading abilities with citizens and organisations in EU member states.

No, Youre wrong, citizenship doesn't matter, the application dependeds on physical location. If youre an American in Europe the GDPR applies to you, if youre a European in America the GDPR does not



> “The allegation here would violate our contract and Privacy Policy,” an AT&T spokesperson told Motherboard in an email.

That pretty much sums up how much carriers care about this. But it is nice to see Senator Ron Wyden is still doing good work, almost restores my faith in politics.

This is why utilities need to be heavily regulated.

Selling real time location data to wholesalers in the bail bonds industry? Who would think there would be abuse?

Only license actions and criminal penalties will stop this kind of abuse.

Do we think skipping out on a bond is OK?

If you are really wanting to do that, don't carry a phone around with you.

I think that’s a scummy business known for not following the letter of the law.

It's a scummy business but without it bail bonds wouldn't exist, or at least be as widely available as they are today. Maybe there are better systems for ensuring compliance with orders to appesr in court than that of Bail but as long as the concept of Bail exists, private Bail Bonds will have to be a necessary part of the system lest lower/no-income individuals find themselves with no recourse.

> It's a scummy business but without it bail bonds wouldn't exist, or at least be as widely available as they are today.

And...is that bad? The availability of bonds factors in to the level at which bail in a money bail system is set to give reasonable assurance of compliance, so the main effect of available bail bonds is to make purchasing a bond instead of paying cash necessary by driving up money bail prices.

> Maybe there are better systems for ensuring compliance with orders to appesr in court than that of Bail

Certainly there are better ideas than money bail structured to support a commercial bond industry.

> but as long as the concept of Bail exists, private Bail Bonds will have to be a necessary part of the system

No, because bail systems outside of the US and the Phillipines (as well as D.C. and California in the US) are not money bail systems.

I wasn't aware that California eliminated the cash bail shstem last year but my cursory review of its replacement leaves me thinking its lacking in its ability to both accurately identify those who pose a risk to society or a general flight risk. Replacing a system that allows anyone granted the right of bail to obtain it (via bail bonds) with enforcement carried out via the threat of physical apprehension with one that tries to predict the risk before release leaves enormous room for error/gaps/all-other-flaws.

It sounds good on paper but how does it account for a citizen of "good" character per the algorithm being charged with a major felony or violent crime? If they are innocent, there is a meaningful likelihood they are denied release, thus ruining their life. If they are guilty, there is a meaningful likelihood they aren't reputable enough to ignore the chance to cut off their ankle bracelet and go underground.

Are there any systems that allow for something akin to "bail" (as in a way to be releaswd from custody while awaiting trial while also holding the individual accountable to return) that rely on things asids from cash or trust in an "algorithm"? I'm currently doing some reading on the subject so don't jump down my throat, I'm just skeptical of any other system's ability to balance availability with accountability for those with few to no assets.

Innocent until proven guilty is still a thing. If the judge is inclined to permit bail then the accused is likely not a danger to society. Bail is nothing more than incentive for the state to prosecute people for money.

Excessive bail is why you have bail bonds.

There are myriad ways to ensure compliance, nearly all of which would be better than enabling a privatized, unaccountable para-police force.

Even as an independent that leans a bit right, I love Ron Wyden. I feel the US would be a much better country with a congress full of his type (even if not his ideas).

Telco companies will keep selling data as long as it's profitable. If the company continues to sell data to the offending clients despite knowingly violating its terms, then a case could be made for negligence against the telco. In my eyes this practice, like many shady data-dealings, lacks legal precedence and its profitability will change as litigation mounts against the telcos. Furthermore national laws need individual cases to gain traction. Bad practices are bound to change when a few high profile cases end up in the courts. Feels funny to say this, but it seems like the world needs more lawyers.

Perhaps this is a good reason to use Google Voice and not give anyone the underlying real phone number with cell service.

I’ve set up a DID that leads directly to a voicemail box that emails me the recording.

It’s worth the $1/month expense to have a number to hand out to people I don’t want to be available to.

And, in a way, it keeps me available when I’m overseas and don’t have my usual SIM card installed.

I use VoIP.ms

What gets me are all of the places (like Venmo, et al) who pitch a fit if a user dares give them a not-a-real-mobile-number. Even if the number is SMS-capable, they complain.

I wonder if the fact that services like this won't work on VoIP numbers is a reason why. Regardless of the motivation, it's annoying because I don't give out my real mobile number to hardly anyone for this--and spam call/text avoidance--reason.

Not-a-real-phone-number accounts have a much higher than average probability of being a bot or a scammer. (That's because scammers can automate signing up for voip numbers; getting a thousand real Verizon numbers is much harder.) And Venmo had a strong financial incentive to ban signups that look like bots and scammers.

If Venmo were a brick and mortar business, they could just ask you to come by a local office so they can verify your ID in person. But they don't have a local office; so the reasonable and profitable solution is to preemptively ban you.

I fear the reason is that the pools of VoIP numbers have already been exhausted as a resource for setting up’accounts.

Ie: some firm is renting VoIP numbers for a month for $1, creating accounts on 100 services and then moving to the next VoIP number.

Perhaps the VoIP firms support this whenever they get a block of « virgin » numbers before putting them in their regular pool of numbers for rent.

This just means that phone numbers make for terrible identifiers because there's a fixed number of them and they're transient.

The transience bit is going to become a huge problem over the next decade. I've personally had 3 phone numbers since college (an out-of-state # doesn't mesh well with my career and I've moved several times) and at least one of the individuals who picked up one of my old numbers is the kind of person who has potential for serious run-ins with the law. My mother called my old # once and I guess it was auctioned to company that has a big market in prepaid "burner" phones. In the era of "Big Data" I can't even begin to imagine the sort of hilarious comedy (sarcasm) that can result from the two of us being linked together by what has become a primary source of personal identification.

I use my Russian cell phone number when the Google Voice burner won’t work.

Can you discuss how you set this up? I looked at voip.ms and it looks like it supports Asterisk and other VOIP software, how did you configure yours?


I'm not the above poster, but I also use voip.ms. I don't think you'd need any software at all to set up a phone number with voicemail that mails the recordings. If you want to place calls from your provisioned phone number, you'd of course need either a VoIP phone, VoIP software on your computer or mobile, or rely on DISA (dialing in to voip.ms's system then entering a number to dial).

I use a SIP desk phone, have calls forwarded to my mobile, and also get voicemail recordings in mail.

(Going back to the original article -- I can't say if this actually protects you from such tracking. Maybe stalkers could find your actual mobile number by some other means, or for all I know customer-identifying parameters could be used without even knowing the phone number.)

They have a configurable out-of-the-box voicemail setup option.

No software or server running on my end. It’s all on theirs.

I originally set it up when my phone provider wanted to charge me several dollars per month for a less useful voicemail system, so I set up such a thing by telling my provider to forward unanswered calls to that other DID.

Yep, I've been doing this for years. Only my wife and a few trusted friends have the real cell phone. Everyone else and their mother gets the GVoice number. I also change the underlying number occasionally just to mix it up even more (although truth be told that's to get better wireless deals, but it has a nice bonus of added security).

How do you avoid giving your mobile number to service providers on sign up (banks, paypal, uber etc)?

Usually it just works. When it doesn't I call them and tell them my phone doesn't work and ask for another way to verify my identity.

Google voice works fine for that... I do the same. It's wonderful.

Google voice used to work fine, but I've found increasingly a number of the more "serious" institutions like banks have been rejecting VoIP numbers like Google Voice occasionally. If I can recall correctly I also believe that many of the chat applications reject numbers that are not tied directly to a SIM as well. I have used my GV since it was still invite only and have had to give out my real number increasingly often.

Noticed my GV number being rejected but the main number I have in GV works. That number was ported back when you could do that (maybe you still can?)

I wonder why that is. Maybe outdated databases?

Google Voice doesn't actually provide cell service, though. Whatever telco you use with Google Voice will still have realtime access to your location.

But if you ask a telco to give you data on a number that Google Voice administers, would the telco be able to fulfill that request? I mean, obviously they could with a little digging, but would their middlemen be able to?

e.g. if my "real" email account is through Yahoo, but I tell the public about my GMail address which autoforwards to Yahoo, it wouldn't be straightforward (though it would be obviously possible) for Yahoo to deal with a request stated as "Please give me info about the email account, danspublicemailaddress@gmail.com".

well, except for one of the largest advertising and data collecting companies on the planet, that really really wants to know where you are right now.

I started doing something like this (but with a different provider) and I noticed this is surprisingly difficult:

Especially messaging providers identify users based on phone numbers, but also a lot of websites started requiring a phone number verification. Those virtual phone numbers are often rejected. This can cause situations in which you have different phone numbers on 2 services.

Only service that rejected my gvoice number was Viber, I just said fuck Viber, WhatsApp is good enough

any reason to think google doesn't sell your data

They make much more money using it for their own products. Data is Google's core competitive advantage; you don't sell your core competitive advantage to competitors.

Googlers seem to have leaky lips, so I figure if they do something shady one of them is going to go to the press.

I think the logical outcome is rather than Google avoiding ethically dubious, but highly profitable behavior, they will simply run a tighter ship of classification, isolation, and control. Companies and governments have become pretty decent at fingering over-eager leakers. And that's before you even get into who we're talking about. Google may rival even the NSA at this point in terms of the reach and breadth of their digital surveillance and data collection/categorization capacities, at least in the Western world. They're going to learn from and work against their leaks, not give up their 'ambitions'.

Consider the NSA for an example of what's possible. They were doing what Snowden outed for years. And not a peep. Actually that's not true. There were plenty of 'peeps' but they were brutally silenced. See, for instance, Thomas Drake [1]. He tried to obey the law relying on whistleblower laws and an assumption of good will from other government organizations. He got destroyed and lost everything he had, and was unable to effectively get his message out on top of it all. That's another topic though...

[1] - https://en.wikipedia.org/wiki/Thomas_A._Drake

google monetizes your data (targeting), but doesn't sell it to others.

As we seen with the Google Plus bug that exposed user data even if Google would be a nice company even they can have a bug and expose your data, this makes me think that the best solution as a user is minimize the data that is collected about you and as a company to discard any data that you don't need and anonymize the data you have to keep and can be anonymized.

Maybe not intentionally but problem is that often such data can be partially or fully de-anonymized using various statistical analysis techniques.

#1 Reason: no one can monetize that data better than Google

#2 They'd be helping their rivals with such data

#3 Sharing might kill the golden goose (bad press etc)


Reason #1 sort of invalidates Reason #2. If Google is reasonably confident that they have an unmatchable (in the short term) advantage in interpreting and monetizing your data and can also generate additional revenue by selling it to firms that can't extract the same value from it, what incentive is stopping them? If competitors start to catch up in the areas jn which they have the clear advantage, they can simply shut off the faucet and the revenue generated by selling information jn the here and now helps fund initiatives to keep them ahead in the first place.

There’s a big difference in risk between Google selling your forwarding numbers and any random person finding a corrupt bail bondsman.

If it's just a voicemail box it doesn't have your location data to leak, although a DID onto a voicemail box (and maybe a SIP trunk if you really want it) is better.

No, not particularly.

Out of the frying pan and into the fire...

All you're doing is moving that from T-Mobile/AT&T/Verizon to Google, who will sell the information at the drop of a hat for the exact same reason. You're not guaranteeing anything at all. In fact you're probably making yourself less safe as Google is going to have less protections than a cell phone company.

This is completely incorrect. Google/Facebook/etc actually have far better data privacy than the telecoms. Google/Facebook/etc all sell access to target you using the data they know about you. Telecoms literally sell your data. There's a big difference.

Google I’ll buy, but Facebook does sell your data. NYT has been hitting that story pretty hard.

Facebook does not sell your data. Facebook licensed data for very specific use cases (e.g. allowing feature phone developers to create feature phone FB apps, allowing individual apps to access data with your permission) but in both of those cases (all the NYT cases about FB data privacy in-fact) they did not get paid.

LocationSmart advertised themselves to bounty hunters[1]. This kind of unethical/illegal location sharing from other location brokers like Zumigo is unsurprising.

1. https://twitter.com/sephr/status/1082711937257893888

They're the same folks who accidentally left an API public that let literally anyone do it:


It would appear that sometimes even paying for the service doesn’t mean you won’t end up as the product anyway.

How can one avoid this kind of aggregated location tracking?

As long as you want to receive calls, the cell service provider will know your approximate location. If you have wifi available, you can mitigate this by only using a voip/messaging service like jmp.chat. You'll still be unavailable while on the road, though.

If you have tons of money, satphone is always an option.

Satphones still get your location data, although by default not to quite as precise a location. Some of them do GPS on the handset to give location data separately, and all of them can be localized pretty precisely (either to a circle or a specific location) if the operator wants, although for some networks this isn't routine. The default is just footprint and then slant distance/timing, but most systems (iridium, etc.) are more complicated.

VoIP and then VPN/tunnel/whatever (or just opportunistic wifi use) to connect and pull down messages is the only reasonable way.

There's nothing wrong with a cell phone provider collecting aggregate information on where their subscribers are on their network. Its reasonable for them to do so, as it helps them analyze how to properly prioritize network upgrades (where to build towers, add capacity, etc.) It is not reasonable for them to sell individualized data to anyone and everyone who feels like tossing them a few hundred bucks.

Its reasonable that a hospital would know a good deal about me. They'll know current diagnoses, previous diagnoses, medications, probably some generalized family medical history, extensive identification numbers, etc. Its important for them to be able to have this data for them to do their job of healing me. However, its unreasonable for them to then just sell this data on the open market. That's why we passed HIPAA/HITECH.

> How can one avoid this kind of aggregated location tracking?

Write your representatives, explain the problem, and ask them to fix it.

Do not carry a phone.

When the overarching goal is to return as much money as possible to investors quarter after quarter, this is what you get. Anything and everything is fair game now.

You guys need (something like) GDPR in the US. I believe it's a necessity.

There are lots of things needed in the US.

Meaning, GDRP will be a result of other (political) changes? I'd concur.

Yes. Instead of focusing on corporate profits the US should focus on quality of service (in every aspect of life) for citizens.

Probably, though eliminating cash bail would address this particular problem and is a good idea anyway.

It seems to me that eliminating bondsmen is better. This should coincide with actual affordable cash bail.

Unless you meant eliminating all forms of bail involving money. I actually have no idea how that works here in the Netherlands.

No we don't, it's a terrible law that unnecessarily burdens business and just makes it even harder to run a business. We don't need any more legal hoops to jump through; it's not the users data, it's our data about the user. The notion that data about you belongs to you is frankly absurd, just because the EU hopped on the crazy train doesn't mean the rest of the planet should follow them.

> it's not the users data, it's our data about the user. The notion that data about you belongs to you is frankly absurd

Interestingly, I find your viewpoint to be just as absurd. Why shouldn't data about me belong to me? Why can't I tell people not to collect data about me when they are providing me with an unrelated service?

For the same reason a photo take of you in a public place isn't yours, it belongs to the photographer. The Internet is a public space; you don't own the public space and you don't have any right or authority to tell anyone collecting public data that you own it just because you're in it. It's not your data, it's my data, I collected it. You don't want it collected, don't go spewing it out in public spaces.

You have a point, but the problem is that there's no way to not spew data out in public spaces. I'd have to cut off all of the following:

  - my mobile phone
  - my landline phone
  - all credit cards and bank accounts
  - all hosted email solutions
  - all other hosted ways of communication (social media, messaging apps)
  - all ways of transport unless I own the devices (and even some cars you could own have telemetry these days...)
Basically only talk face to face, ride old cars and use cash or Monero. It's unrealistic.

Hey, that's the price of using all of those things, if you don't want to pay that price; don't. You don't own a photo I take of you nor do you own data I collect about you from the public sphere.

Why would you want to make it a price to pay? We choose what's legal and what's not, it's not given to us in some great revelation. Do you think people's lives would be better without privacy, or with privacy?

I see little benefit in developing an alternative system of payment to the dollar, some form of intellectual nudity, implications of which I don't fully understand. The dollar is fine, charge me and leave me alone.

The barrier to access for many people's location data is simply effort. If you want it you can probably find someplace to buy it. We need new ways to get control of our digital shadow.

>“The allegation here would violate our contract and Privacy Policy,” an AT&T spokesperson told Motherboard in an email.

Probably now AT&T execs are looking at increasing prices on such data. This is very valuable to be sold so cheap.

5G microcells will make this data much more accurate.

The network operator already has more detailed info, but the article says they are fuzzing it before selling it. Presumably this is to prevent pinpointing users too precisely. If radio cells are smaller, they get higher resolution in the source data, but we can't know what resolution data they would resell.

That is really not a good news for all of us. The big brands have to stop selling customers’ location data to anyone. There should be some law or act for this.

With this many companies of questionable security owning the data I think it's safe to say that this data is getting leaked.

Reporting on bad privacy practices while having an atrocious consent dialog...

That's why I will never own a phone.

Real question: How do you communicate when on the road etc.?

I don't. I don't want to be disturbed most of the time.

For EU folks: anyone tried a GDPR request to their phone provider to figure out what do they collect and what do they store? I'm thinking any of the following are within the realm of possibilities:

  - Call history, including metadata and potentially also contents;
  - Text messages, same as with calls: metadata and potentially the contents;
  - Location history;
  - Data connection activity, again: metadata and potentially the contents;
  - IMEIs of the devices I used.
Basically I want http://myactivity.google.com/, but for my mobile subscription.

I submitted a GDPR request to my GSM provider a few days ago, but I'm not fluent in legalese, so may not reach as far as someone fluent in it. Still awaiting initial response.

For a sneak peak of the kind of data you can expect take a look here [1] (German newspaper, but in English).

Background story: Malte Spitz, a Green Party member, sued to get all data collected and retained (according to a law which has been overturned since) by his carrier. Die ZEIT/OpenDataCity cross-referenced the data with publicly available information from his Twitter and party website and compiled it all into one visualization.

Unfortunately, they seem to have stopped paying for the Google Maps integration, but you should still be able to follow along just fine.

[1]: https://www.zeit.de/datenschutz/malte-spitz-data-retention

This is interesting, if that's indeed the case then I'll publish my findings and encourage people to 1) fill similar requests, 2) fill requests for data deletion and ceasing of further collection. Hopefully eventually we'll get an option to opt-out via the web, like on http://myactivity.google.com/

Also, EU readers: why not ask your own provider today?

Apart from location I'm still concerned about actual data transferred via those networks (calls, text and data).

> anyone tried a GDPR request to their phone provider to figure out what do they collect and what do they store?

Yes. The Netherlands, carrier is called Youfone.

They have very, very little data on me: they claim not to be able to see which cell tower I'm even connected to (which would be tracking info), which makes me wonder how they even provide their service. They say it's all outsourced to third parties, one of which is the network operator, KPN, and they cannot list those parties for commercial reasons. I doubt that's legal (I'd assume you can't just stuff everything into subsidiaries and go "sorry can't tell, business secrets": either you have to get it from the subsidiaries, or you tell me who they are and whom to talk to), but the Authoriteit Persoonsgegevens (local authority) seems to have their hands full, as do I, so I did not bother pursuing it.

The info I did get was: everything I provided (name, DOB, bank account), everything you would commonly expect (call logs (though that is not as common in Germany, it is everywhere else afaik), the invoices based on those call logs, data usage per month, etc.), and I think one or two uninteresting pieces of information (probably SIM card number and such). They also provided storage time limits for the data.

I feel like they did not have the process in place yet before my request, as a dude quite high up in the orga replied to my support ticket and they exceeded their response deadline. After two months they gave me a professional-looking PDF with the data, so I think they quickly set that up because GDPR was fairly new (few months after May 2018). They're also cheap, I'm sure the mails back and forth (not to mention the investment in that "data to pdf" system) cost them much more than my 8,50/month subscription would warrant. I kind of want to cut them some slack for working on it rather than bother those who try. Maybe I'll pursue it again later. Or maybe someone else can ask better questions based on my experience.

Thanks, I'll look out for that. @tapland and @jgibson also mention that mobile networks often outsource running the infra.

In any case - I agree with you that this seems like a shitty legal pseudo-loophole. At the very least the company you sign mobile contract with needs to share your phone number with those infra subsidies. But then according to GDPR: "15. 1. The data subject shall have the right to (...) access to the personal data and the following information: (...) (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed". Following this rule one should be able to reach the bottom of the data processing chain.

Yeah, I read the same clause. The crux is this:

> or categories of recipient to whom the personal data have been or will be disclosed

They provided that by saying it's for network operators.

Ugh. Thanks for pointing it out.

Possibly on the network facing side of the business in the form of logs that get purged when old, but I have yet to see any IMEIs, possibility to log texts, call histories etc, but if they are sent there will be a trail in the network.

Could probably send the GDPR-request to Huawei and Ericsson as well.

Just keeping track of phones permissions in the network 100 times/second is an insane amount of data, but there could be leaks/compromised systems somewhere in the User -> Apps -> Phone -> Network -> Provider chain.

I'm not familiar with how GSM networks operate. Why would I send a request to Huawei or Ericsson? Don't they just provide networking equipment? Or do they also provide services, part of which may be relevant for end user privacy?

My info may be a little dated, but yes, most of these companies (Huawei, Ericsson, Alcatel-Lucent, etc) also provide network services and ops to run the network.

Disclaimer: I work at Ericsson but am not directly involved in any network operations.

Ericsson provides operations service for a number of telecom operators. This means, the operators own the equipment and make the decisions, while Ericsson does the maintenance, supervision and troubleshooting of the network. This is usually done on contracts of three to ten years, after which time the operator may choose to renew or to contract with one of our competitors.

I could certainly be wrong, but my impression is that in this scenario Ericsson is not the data custodian according to the GDPR. It would be interesting to know what the outcome is, if anyone were to make a GDPR request to my employer.

Good to know, thank you! It should be enough to harass one's provider, but perhaps a more broad approach will work.

Great idea, not sure how they implement this though. They can just email it to you because GDPR does not specify the delivery means.

Just because the user is the one asking for the data doesn't mean the rest of the GDPR stops applying. They're still required to have appropriate safeguards, which means they certainly can't email it to you (at least not in plaintext).

Also, more specifically about the Right to Access, Recital 63 says: "Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data". (emphasis mine)

That's what I'd do if I were in their shoes.

I planned to document it and share with wider audience in case I find something out of the ordinary. For example, if they kept my location history for longer than is necessary to just route my data through their network, or if they had the contents of my texts, or DNS requests history.

Not sure how to pressure into the Google-style solution, but I think knowing would be a fist step.

Can you post your request and who is sent it to - with yours as a starting point I reckon a few of us can iterate to a good solution

Nothing fancy, and I sent it to the contact point they have in their privacy policy. You can find it on their websites (or at least I found it; in my case it was just an email but it will possibly escalate to snail mail). As far as contents goes - here it is, translated into English:

I am a/an [OPERATOR] subscriber, identification data: (...)

I would like to get a complete list of personal data that [OPERATOR] stores about me:

  - The history of telephone calls, metadata (when and where [to which number] I called or when and who [what number] called me) as well as the data itself (the content of the calls themselves);
  - The history of text messages, as in the case of calls - metadata and the data itself;
  - History of data transfer (Internet), as above - metadata and the data exchanged itself;
  - Connection history - when my phone was connected to the [OPERATOR]'s network, when in [OPERATOR'S COUNTRY] or when via roaming;
  - Location history - where my phone was located, e.g. which base stations it was connected to or from which country it was connecting or any other information allowing to determine my location more accurately than "Planet Earth";
  - History of used devices - IMEI numbers as well as other data collected about my device / devices;
  - Any additional information collected about me.
If any of the above mentioned types of data is not stored by [OPERATOR] please let me know.

I don't think it's your responsibility to play whack-a-mole and guess what types of data you think they might have. It's their responsibility to tell you.

The right to access your data is Article 15 of GDPR. Section 1 lays out what they have to provide you. Part (b) of that is "the categories of personal data concerned." I'm no lawyer, but I take that to mean that they have to provide you with the complete list of processing they do.

If I were making this request, I would scrap the entire bullet-point list you wrote and say that I'm invoking my Article 15 rights to be informed of the categories of personal data that [OPERATOR] processes about me.

Relevant law text: https://gdpr-info.eu/art-15-gdpr/

See, one of the reasons why I'd prefer someone who speaks legalese to do this :)

Thanks, makes sense. I wanted to make it clear I'm not happy with a response "Yeah sir, you live here and here, and your device model is X. That's your personal information.". But I'll keep pressing them, as I seriously do not entertain the idea that someone may store all the data that can be inferred from my activity in a mobile network.


Is this a computer generated sentence?

It's perfectly good sentence (or 3, rather) once you insert the missing punctuation; a full stop before each of the capitalized words (except the first.)

It’s true that they are correctly formed sentences. But they seem to lack context. What does it mean to pay an operator to auto-rotate my number, and what relevance does it have with the subject of the posted article? What’s “free real estate” refer to?

"It's free real estate" is a meme based on a parody of late-night infomercials touting quick and easy money but are actually bait-and-switch scams.


The other two bits are probably meaning that the phone company can make money selling your location and make money charging you to change phone numbers every so often to avoid tracking efforts by people who only have your old number.

Thanks for the helpful explanation (TIL a new meme :)). I guess it seems the problem is the commenter using inconsistent subjects, i.e. it would make sense (even without punctuation, or knowing the meme) had it been phrased as:

> Charge for your users' locations! Charge users to change/auto-rotate their numbers! It's free real estate!

Indeed this is what I meant. I pondered my informal phrasing afterwards.

Also I entered single carriage feeds between sentences, forgetting that they're going to get stripped on HN anyway.

Change title please and add "in the USA"

The title doesn’t assert that this necessarily exists worldwide.

edit: I mention this downstream, but it's worth correcting myself. The article prominently features a company named Zumigo, which provides mobile device location data in India as well as North America. So adding "in the U.S." to the (already altered) post title is not needed, especially since it could obfuscate the fact that these location companies do operate internationally.

[0] https://zumigo.com/zumigo-introduces-breakthrough-mobile-loc...

Yet mobile customers exist worldwide and I opened the article to see how they circumvent GDPR because I though it applies to Europeans too.

The article asserts that the authors have verified that this practice currently exists when tested in the U.S. They do not make claims whether or not the companies may be lying about whether this framework may exist in other countries. It's interesting enough that this framework exists at all in the U.S., and it's relevant worldwide because these mobile companies and their customers exist worldwide.

And not just the mobile companies, but the middlemen who provide this location data. Zumigo [0], one of the companies mentioned, has an office based in India and counts Indian banks among its clients for its "first-of-its-kind global location and identity platform".

[0] https://zumigo.com/zumigo-introduces-breakthrough-mobile-loc...

As a European, having "bounty hunters" in the title implied that already.

I was unaware of bounty hunters being aserious profession in any particular EU country. Then again, i don't know any EU country where an accused can bail themselves out of jail till the court case.

> Then again, i don't know any EU country where an accused can bail themselves out of jail till the court case.

Germany (1), UK (See Assange) I’d assume that most European Countries have a similar system. However, it’s comparatively rare that bail is set in Germany. If I follow the US bail reform debait correctly I get the impression that jail before trial (Untersuchungshaft) is comparatively rare in Germany and requires specific reasons (2) while it’s comparatively normal in the US.

Both might be contributing reasons why the bail system is not commercialized as in the US. Generally, the European Systems frown upon private law enforcement much more, that might be another reason for the nonexistence of bounty hunters.

(1) §116 StPO https://www.gesetze-im-internet.de/stpo/__116.html

(2) mostly Fluchtgefahr (Danger the accused may flee and leave the country, Verdunklungsgefahr (The accused might hide evidence, the danger of repeating the offense on violent offenses) §112 StPO https://www.gesetze-im-internet.de/stpo/__112.html

> Then again, i don't know any EU country where an accused can bail themselves out of jail till the court case.

While some other countries have cash deposits as part of bail, the US and the Phillipines appear to be the only countries with widespread commercial bail bonds system.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact