Hacker News new | past | comments | ask | show | jobs | submit login
[dupe] Despite promises, cell carriers are still selling your real-time location data (techcrunch.com)
225 points by jbegley 3 months ago | hide | past | web | favorite | 94 comments

This is blogspam that adds nothing new to Vice's original journalism: https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-b...

HN discussion here (still on the front page as of my reply): https://news.ycombinator.com/item?id=18857220

It's frustrating that TechCrunch seems to get a pass on their worthless blogspam when other blogspam posts are removed.

You could email the mods at the footer Contact link and ask them to change the link and explain why. They might say yes!

It was posted an hour ago. Things take time!

FWIW this post is a summary of an investigation posted and discussed yesterday: https://news.ycombinator.com/item?id=18857220

(The TC summary is lengthy enough that it’s not necessarily blogspam)

This stuff makes me so mad. It's to the point I don't want to carry a phone anymore. Why is it that people aren't allowed to record my conversations but they can record my real time location?

It's a problem at every level of the stack. I have a phone device that I have very little control over (thanks Apple and Google!) that talks to service providers who know who I am. Those service providers are shady and sell my real time location and I have literally no choices for a cell provider who doesn't do this. Then there is obviously a huge market for buying this collected data.

Where in the stack do we fix this? Do we need a data custody law first so I can track who the problem players are? Do we need devices that we have some control over so we can manage when they beacon out? Can we simply say that we (US citizens) have some right to privacy over our electronic data?

Seriously, these practices are abhorrent.

The US has no general privacy law, but there's a clue in one of its hilariously specific privacy laws: https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act

The way to get a cellphone privacy law is to get the locations of congresspeople (especially Republicans), and use this against them.

The current situation in Germany is actually like this. Some kid doxxed a lot of politicians, musicians and jounalists and they found him within a week and now we suddenly have a discussion about data theft. It's insane.

edit: eg see here - https://www.bbc.co.uk/news/world-europe-46793116 The kid was annoyed by some politician's statements. I had hoped he was aiming for this effect, but maybe not.

Do you have a link to the story?

I added a link above just after posting. There was a HN discussion too, from before they found the kid:


If you google 'germany data leak' or similar you will easily find more.

Likely buried now but sorry I meant about the kid and the discussion you mentioned.

The U.S. has some privacy laws, but at the same time, the U.S. (along with Canada) also obligates carriers to gather and store location data. A law saying they can not sell that is not a major step, it just takes an act of congress, and if the whiners and complainers would get off their ass and actually select their congresspeople based on policy, they might get things like this. For the time being a couple percent of the electorate selects your house member because almost nobody else even knows that a race is under way.

Hyperbole "The U.S. has no...", and tribal bashing "especially Republicans", is probably part of why the handful of people who have even heard their chosen congressperson speak, still choose based on tribe.

Fair point, but where are you getting your statement "For the time being a couple percent of the electorate selects your house member"? As far as I know, voter turnout is at least a magnitude higher.

It's important to realize that what seems like the obvious way an ideal democracy should function is not what we have in the US. We have a partial democracy where all decisions are heavily lobbied by massive corporations to a degree that can't even be compared to most nations. If the 'free market' didn't surround these lobbyists, it would be called racketeering the government.

> Fair point, but where are you getting your statement "For the time being a couple percent of the electorate selects your house member"? As far as I know, voter turnout is at least a magnitude higher.

I'm talking about some uncompetitive districts where only one party is ever considered in the general, and only a teeny tiny fraction of the electorate bother with the primary.

Added: For example, in New York's 14th congressional district, Alexandria Ocasio-Cortez won in the general election because, barring a monumental scandal, the democrat will inevitably win there; and in the primary, she won by an okay margin, but her total number of votes in the primary was just ~17k. As far as I can tell, this means that about 17k people selected the house member for that district of ~690k people (of which 141k voted in the general election).

I think I was being imprecise when I said "a couple percent of the electorate", it's really a couple percent of the overall population in this case, but the point largely stands.

There is more to the local election. Much less do anything to help select which person their party actually runs. Even of those that do, who is a great speaker or looks the best is often a more important consideration than what policy they support/oppose.

There's no general constitutional level right to privacy comparable to that in ECHR. So there's a constant risk that privacy laws get overridden by First Amendment considerations.

The specific example of VRRP came about because of a Republican - Bork, who had his privacy invaded.

> There's no general constitutional level right to privacy comparable to that in ECHR.

I suspect that, in part, they are capable of this due to the lack of a vagueness doctrine. A law that broad would likely be unconstitutionally vague and difficult to square with the first amendment in the U.S., but is perfectly acceptable over there because vagueness is not a defense, and there is no equivalent protection of freedom of expression.

> The specific example of VRRP came about because of a Republican - Bork, who had his privacy invaded.

One example does not justify an eternity of digs that let everyone know who exactly how intolerant people can be here.

Added: as a matter of opinion, I value the broad protection of freedom of expression enjoyed in the U.S. far above any additional protection of privacy which could be provided.

I've been really getting into growth and marketing lately as I want my ideas to take off. If I'm building a new company I want to be able to get users quickly.

This stuff is REALLY screwing us over.

Users are insanely skeptical now. This data is insanely valuable for growth but if the industry creates an entire generation of people who REFUSE to be monitored we're going to be in a horrible situation.

If someone is legitimately just interested in the cities you're visiting I don't think this is much of a problem.

For example, say their product is only available in San Francisco. It doesn't make sense to try to recruit users in New York.

This makes it much easier so get initial users as you can just buy ads for users in San Francisco, potentially saving a massive amount of money on your ad campaign.

With Polar (https://getpolarized.io/) I need to have analytics about what users do in the editor. What they click on, etc.

Polar is a research tool for reading and annotating PDFs and caching web content for later reading.

I get regular complains from users to disable all analytics.

I might ship it as an advanced feature for users to opt-out but I don't have any nefarious use case here. My only goal is ti figure out if you're using feature X or not.

I think there's a distinction to be made with respect to "needing" a user's data in order to be able to provide service at all (for example, a user's age as you cannot permit them to use your application if they're under 13) vs. user data that makes it easier to provide the service, or in your example, advertise your service, to users. If your users are telling you they don't want to give you that data perhaps you should consider listening to them.


One thought for you, do you actually plainly spell that out anywhere? I just visited the page and I could not find anything about a privacy policy.

One privacy policy I stumbled upon recently was this one: https://www.roguefitness.com/privacy-policy

They plainly spelled out what data they use, how they gather it, plainly said they do not sell the data and a very easy way to opt-out. That made me feel much better about doing business with them and creating an account with them versus a very legalize and obscure way of spelling it out.

I have a feeling you get people who complain is because the assumption is that the software tracks everything and it gets sold to anyone.

The acceptance of monitoring has always been a tacit choice made from ignorance, resulting from deliberate misdirection and subterfuge on the part of marketing organizations.

Your notion that the rejection of monitoring is a conditioned generational characteristic is delusional. In fact, anything less is completely anomalous within the context of all human history.

Good products will find a way to succeed regardless.

I actually don't carry a phone with me. My wife has a flip phone that she uses to contact our kids' schools, and that's it. We also don't have home internet anymore. And when I do use the internet, I make sure to use Safari or Firefox with strict privacy settings enabled. Living without home internet in 2019[1] isn't that hard, it's actually easier and more rewarding and enjoyable than having home internet.

[1]: https://sephware.com/blog/2019-01-04-being-a-software-develo...

It might sound silly, but there is a delicious warm feeling that comes with waking up and having no internet available. The day feels less harried, more focused, and just calmer. The boon of increased productivity in every direction also feels incredible.

The easiest method is fixing the phone OS. There is no need to depend on Google or Apple services for anything. A decent Debian-like free software project could be organized to build a solid phone OS distribution; they could start with the Android OS as a base. There have been a few half hearted attempts at this but none have really taken root. This should definitely be a major goal for anyone interested in recovering our economic, social and political autonomy.

With sufficient energy other portions of the stack could be attacked - we don't need Google or Apple to provide us with map solutions, or email, or whatever.

Solving the problem of cell providers just selling your location just seems impossible, on the other hand.

> The easiest method is fixing the phone OS. There is no need to depend on Google or Apple services for anything.

Location tracking happens at the baseband level, sometimes even without cooperation from your phone. Whatever you have running in the application processor, your carrier is legally obligated to at least try to ascertain your location.

Can't the carrier still reveal what cell tower you're nearest? It seems that no solution for this problem is possible without federal regulation followed by BIG fines for violations.

Maybe a few dozen kids need to be abducted before anyone will care. But frankly, after ignoring Sandy Hook, I no longer see Washington as a force for good of any kind.

When I was in the wireless industry, we did many shady things and had all the lawyers and lobbyists to back us up. We could change any laws that got in our way. My employer was never remotely interested in ethical issues. They were only interested in paying subscribers. I could go on all day with examples if HN were interested.

As a funny side note, we would joke that our best customers were drug dealers. They always paid on time and always in cash. They could not afford to miss any calls.

Go on, go on. What are some examples of laws you had changed and what was the result?

One example was hands free laws. That was supposed to happen in 96/97. Our lobbyists kicked that can down the road quite a long ways. I had a major project queued up in PoC phase with an AI that listened in the background to everything you said. You could tell her to conference in someone, call someone, hang up the call, etc.. This was before "smart" phones. It was the same software used by the gov. to monitor calls for key phrases. No training required, she could understand any language, accent and context. Really cool software actually.

Another incident was around someone that broke the GSM encryption algorithms and was going to go public. My boss and a federal official met with them and explained what prison they would disappear into and for how long. Such things were postponed until long after the internet had grown and disclosures became more common. Nowadays people know that the GSM algo's have been broken for some time.

Another one was a spammer that managed to get his own SS7 signaling link and was spamming phones with text messages. I suggested dropping his link and I was told to let it go, since he was paying for the link... There are no laws against spamming mobile devices because they are not landlines. The laws around unsolicited advertisements only applies to landlines and fax machines. As I am sure you all know, having your own SS7 link means you can spoof the caller ID, do caller-id blocking override, drop callers on congested cell sites and much more. This is why 2FA on cell phones is less effective.

This one isn't so much about laws but rather ethics, and phone theft. From day one, we had the ability to brick any GSM phone over the air. We chose not to do this however, as customer support could accidentally brick the wrong phones. As you know, this led to phone theft being very profitable. That was the very thing that GSM bricking was supposed to stop, but we were just not willing to do it. There were no laws requiring us to use our capabilities to remove incentive to steal phones. There was discussion of making laws to require this, but we blocked all discussion from happening.

Some of the other issues I can think of would be rather risky to post here, despite being well after the statute of limitations, as they could cause embarrassment for certain agencies and could risk HN getting censored.

Nothing you post could get HN censored.

Perhaps you are right, but with all due respect, I will pass on that.

Why does our society tolerate so much evil?

Most days I learn something new about how people somewhere are being evil.

Doing the right thing takes work, effort, time, and money.

Agree to this contract and I'll tell you.

If Apple really wanted to put its cash to use, it could build its own cellular network. Privacy focused, no surprise fees, integrated billing for desktop/laptop/iOS/watch devices.

There's enough bad will against the existing ISPs/mobile carriers that Apple could swoop in and gain a lot of market share very quickly. And customers could save money by combining their home internet with their mobile plans. The future is a singular wireless data subscription without any routers or modems.

Really love this idea. $237BB in their piggy bank according to their most recent 10K. Since the era of carrier subsidies is more or less over in North America, this might accelerate their transition into services company in a major way.

A buildout of a nationwide cellular network is almost tailor-made for the amount of cash they have in the bank, and almost the entirety of their would-be competition is universally hated. Seems like a no-brainer to me, and unlike other things they could spend their money on, a cellular network could always be sold off if needed. Not true for investment in A.I./self-driving cars/marketing/failed products/etc.

They would never be able to replace existing providers unless they could quickly provide service to significant portions of the country (and eventually, world). However, they might be able to make some serious waves in the market if they focus on a small, highly populated part of California. It’s better than the Google Fi route except for the service coverage.

Unlikely, they would be blocked at the first step: they couldn't get any radio frequencies to build on. Not only are all frequencies assigned, but all attempts to get them would be blocked by anti-monopoly laws.

They could just buy a carrier, along with their frequencies. You may be right re: anti-monopoly laws.

TMUS is $57BB market cap. Say $100BB for the premium. Not sure why there would be antitrust considerations here. AAPL does not have a monopoly on phones, watches or pretty much anything else. That's a key advantage of them being a premium brand with relatively small share.

What makes you think that Apple has any interest in your privacy?

I thought carriers required user consent to get the E911 location data? It does have some legitimate uses. This location data is used by financial companies and one of the reasons you don't need to do travel notices at some of the major banks. They'll actually ping the E911 location when they see a credit card auth in new geographic location. Check your TOS at your bank, there's probably something buried in it about consenting to pulling mobile phone location to prevent fraud.

That's not a legitimate use. 911 is for emergencies. Emergency, security, terrorism are always the excuse used to strip us of our rights and our privacy.

E911 is the data set. It's just the triangulation data from the cell towers. There's also GPS data which is more accurate but the carrier doesn't get that data but apps can get it.

A lot of people willingly install their bank's app. I don't see why this couldn't just be a case where people who have the app installed get this nice convenience and people who don't (willingly or because they don't have a smart phone) just have to notify their bank, as people have done for many years.

I've heard from multiple sources (including a former Seattle police officer who taught the first aid class I took last fall) that 911 operators here do not get any location data from cell phone calls.

Maybe that's the intent or justification behind collecting the data, but it isn't getting to those people.

This is why "promises" and "industry self regulation" are meaningless. People need government to protect them from companies' greed, which here means: regulatory agencies with teeth.

"Self regulation" only works when there is a monetary incentive for companies to keep their word, for example in ecological agriculture.

As for mitigation, does anyone know if MVNO users are also subjected to their data being sold?

Self regulation works in industries in which there aren't significant barriers to entry.

Unfortunately, Telecommunications is notoriously asset heavy and complex and the historical lack of competition creates behemoths with outsized influence in politics. The FCC then is effectively powerless barring the election of a president who personally cares about the matter.

In sum, self regulation works in free markets. You would switch to a better carrier if there were one, I'm certain.

Are today's government officials more starstruck with or paid off by big corporations than they were back in the Microsoft antitrust era? Big business gets away with so much bad behavior today but, in the US at least, it seems like years go by and nobody cares enough to pass regulation to preserve the basic right to privacy.

With notable exceptions, today's political campaigns are often financed by wealthy individuals and companies. The type of politicians which receive contributions are, unsurprisingly, the type whose views best align with those individuals and companies. This funding is instrumental in lifting many of these politicians into office. When a question of political control or regulation of companies arises, it is also unsurprising that these politicians often see things from a certain perspective.

Corporations aren’t allowed to “finance” “political campaigns.” When OpenSecrets says stuff like “Google” contributed $X million to Democrats, it’s lying. What really happens is Google employees contributed that money.

While on paper there is are still limits on direct contributions to campaign organizations, the Citizen's United decision (combined with SpeechNOW vs. FEC) enables companies to instead donate to SuperPACs which are in theory independently controlled. I personally believe the distinction is for all intents and purposes meaningless. Doubly so when considering how little enforcement of the separation has actually been pursued.

So, yes, I do believe companies finance political campaigns. Whether the money flows through campaign organizations is not an important distinction to me.

It’s not a matter of what you “believe.” In election law, the “campaign” is a specific thing and financing it is something with specific meaning. Having an independent entity run ads because it happens to support that candidate is not “financing the campaign.”

Leaving that aside, SuperPACs account for just 15% of election spending in 2016. It’s inaccurate to even suggest that corporate money and money from wealthy donors is the dominant factor in campaigns.

While this is technically true, it's de facto false. With the Citizens United ruling, corporations can donate unlimited funds: "[Super PACs] can raise funds from individuals, corporations, unions, and other groups without any legal limit on donation size."[1]

[1] https://en.wikipedia.org/wiki/Political_action_committee

SuperPACs can’t use that money to “finance campaigns.”

For most intents and purposes this changed with Citizens United v FEC.

What about when the FEC says that Google's PAC donated to particular Republican politicians?

Google’s PAC is just a way to pool donations from Google’s employees. That money can’t come out of the corporate treasury.

That's ostensibly true, but if you talk to people who actually donate to these PACs you find they break down into high-level management (ie: the company itself; people with more-than-normal control over compensation) and "employees who sort of opt-in as a show of support for the company but who have no real idea what the PAC does".

I think it's more than fair to attribute the Google PAC to Google, and not to a diffuse group of Google employees.

The Republican Party’s official position is that business should be as unregulated as possible [1]. So we shouldn’t expect to see any regulatory action under Republican administrations.

Obama focused on blocking mergers among companies with products that they charged consumers for. It looks mainly like the precedent of consumer harm is undefined when the products are free to start with, and no one has gone back to try to patch the hole.

[1] https://gop.com/platform/restoring-the-american-dream/

Dozens of politicians are elected over and over. Richard Byrd from Virginia retired from the Senate in 2010 after 51 years. That's the current "record".

It's similar in the House. John Conyers just stepped down due to scandal after 52 years.

IMO, that there are no term limits is absurd. Thomas Jefferson got it:


As we've improved our understanding of the human brain through neuroscience, and how can see that ideals will get lodged in people's brains and not change, having people serve that long just leads to stagnant idealism controlling politics.

We’re in a decades long reaction to government regulation that pervades the west. The government used to tell airlines and trucking companies what routes they could sell and what prices they could charge. That level of government regulation proved to be such a disaster, that everybody abandoned it starting in the 1980s. As a result, you have an entire generation of administrators, on both sides of the aisle, who grew up with an extreme aversion to government intervention.

> As for mitigation, does anyone know if MVNO users are also subjected to their data being sold?

As a Google Fi user I am very interested in this.

And forced arbitration of class claims has destroyed the private accountability mechanism. Government is literally the only option.

Out of curiosity, how do they force arbitration? Do companies have military personnel they send to threaten those who want to sue them?

Courts simply reject these cases because you "voluntarily" agreed to waive your right to a a court proceeding.

These courts belong to the government, right? The one that is "literally the only option"?

No. Courts don’t govern. They mediate disputes.

When your state AG or the CFPB are the only way to stop collective harm, it’s a problem. Private rights of action were a thing until recently. I’d imagine a whole lot of these privacy breach issues would be closer to resolved if class actions were holding these big companies accountable.

Then you have the issue of regulatory capture. Often those in charge of the regulations are just as corrupt: selective enforcement is the name of the game.

c'mon lets get real, 'Self Regulating' means someone actually has to be honest of something but as long as there is profit to be made, honesty takes a back seat.

No it doesn't. Self-regulation is often motivated by 1) collective action problems where coordination benefits every company in a way that individual action wouldn't or 2) to ward off govt regulation by showing the govt that you can behave, as an industry.

Neither of these require anything but self-interest and the profit motive from the involved parties.

> collective action problems where coordination benefits every company in a way that individual action wouldn't

Remember we are talking about Capitalist corporations that answer to investors.

Your point is great if there is an incentive to only benefit the consumer. The benefit in this case is to maximize profit at all cost. Profit creed(not greed) is to ingrained the need to maximize profit. Because of that, greed is the ultimate driver against achieving 'self regulation', hence the reason why we have gov regulations in the first place.

> Your point is great if there is an incentive to only benefit the consumer.

The entire point of my comment was explicitly claiming that this isn't required in order for regulation to benefit companies' bottom-line. I'll repeat: there are collective action problems where coordination (between companies) benefits every party (company) in a way that individual (company) action wouldn't, even when the coordination takes the form of constraints on individual behavior. My comment was assuming the model of corporations as solely profit-maximizers, and it still occurs under that assumption.

It's fairly basic game theory. If the defect-defect equilibrium leaves everyone worse off, and defect-cooperate leaves the defector better off than cooperate-cooperate would, then then under certain fairly reasonable assumptions, putting constraints on the behavior of all parties (i.e., regulation) makes the cooperate-cooperate equilibrium stable in a way it otherwise wouldn't be.

Things like the MPAA rating system seem to work, even though it is against the financial interests of studios.

There is a perfectly good and time tested alternative to regulatory agencies:

Promises in the form of legally binding contracts.

Frankly, given carrier behavior, re-nationalizing telecom starts looking appealing.

If you're concerned with privacy from government, don't be - you already lost that war.

If you're concerned with a drop in innovation, don't be - we're already far behind most of the rest of the developed world.

If you're concerned about prices going up, don't be - we already pay insanely high rates compared to peer-countries.

Welcome to the "free" "market".

One reason to be more concerned about privacy in a nationalized communication network is because it removes a middle man - one who cares at least a little about PR backlash - from the current system. In a nationalized system, there is likely much less friction for a bureaucrat to block entire classes of content than there is today (where they need to deal with a handful of companies whose goal is to make money rather than silence dissident opinion).

> If you're concerned with a drop in innovation, don't be - we're already far behind most of the rest of the developed world.

Not convinced by that - mobile telephony is pretty equal in technological innovation across most of the developed world (LTE rolled out, VoLTE rolled out by most carriers, 5G in planning), and handsets are pretty much the same for all markets.

I am much more worried about the government spying for my phone than about corporations spying for my phone. All that corporations want is money.

I agree with you, in theory. But these days, with the revolving door between gov leadership and corporate leadership (1) this is a distinction without much of a difference.

And we all probably know about the vast data collection by the PRISM program (2), and access given to tech databases by the Freedom Act (3). And of course our current president signed 702 rauthorization last Jan. (4) so this cozy relationship could continue.

I guess my point is that it sure feels like we’re in a pretty hopeless state, given the deep ties between business and government.

At one time I was not so cynical about this topic. But after seeing the inside of the political process in both campaign work and working in the defense industry, my eyes have been opened.

The only solution involves political activism on topics most people either don’t understand or don’t care about.





Governments tend to have quite a bit of money.

The frustrating part is that you cannot protect yourself from that outside of turning your cellphone off or putting it in airplane mode.

Airplane mode does not disable GPS.

It could be queuing positional and temporal data, and awaiting a connection to later send.

That isn’t how this data is obtained though. It’s all known on the carrier side. It does not rely on your phone submitting it.

The data they're selling is coming from signal triangulation, it's not coming from software implanted on your phone.

It's pointless to think the industry will regulate itself, they can't help it. If there's a shred of profit to be made in anything give it time and it will be done as long as it's not illegal and often even if it is.

> ...given that two-thirds of the U.S. population aren’t going to switch to a carrier that doesn’t sell your location data.

To be fair, what are our options, exactly? If we want anything near acceptable coverage and price, that is.

>To be fair, what are our options, exactly?

This is key. This is how citizens will lose their expectation to privacy. I fear that in the near future there will be no 'safe' option and you will be forced to forfeit your privacy rights to participate in the digital world.

Mobile will become as essential as internet in general has become to participate in larger society.

I see it starting at the bottom. Tired of being tracked and trapped inside class barriers, the homeless and destitute will be the first to adopt extreme privacy-oriented protocols such as regularly cycling burner phones, using mobile VPNs, stripped-out GPS modules, and anonymous software such as Signal but which don't rely on phone numbers as identifiers. The poor will stop using phone numbers altogether. Perhaps charity services will exist which help aid this transition.

It will also start from the top, as we already see high-level CEOs using encrypted messaging and privacy-oriented protocols. They will see the obvious need for such services.

The overwhelming majority, the middle class, will be the last to adopt such practices and take back control of their privacy.

Of course they are. They have to show growth quarter after quarter. Until investors stop punishing companies for not increasing growth every quarter, this will continue. Everything is money driven. There's no thought to the consumer any more. There doesn't have to be as there isn't any accountability to the consumer; they have nowhere else to go.

Are there any known ways to obfuscate cell location data? There are sim addons that can change IMSI to circumvent carrier lock[0], would IMSI obfuscation be a viable option to defend against cell tracking? [0] https://en.m.wikipedia.org/wiki/Turbo_SIM

The carrier needs to know which cell you're talking to do route calls to your phone, and after that it's just a matter of triangulation to narrow it down. But even without triangulation the company knows what neighborhood you're in, by design.


US needs (something like) GDPR. 2% to 4% of revenue is a good starting point for a penalty. In the absence of a penalty why would anyone running a Telco company not take the extra cash from selling data.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact