Hacker News new | past | comments | ask | show | jobs | submit login
AT&T says it’ll stop selling location data amid calls for federal investigation (washingtonpost.com)
413 points by tareqak on Jan 10, 2019 | hide | past | favorite | 104 comments

They are lying.

The only winning strategy is if the FBI does investigate, and if there is an actual penalty. Nothing less will impact the long term behavior of AT&T or any other cell company.

Seriously, it is game theory. They are saying "we will stop" because of the presence of the threat. If the threat goes away, then they are going to keep making money/selling you until the threat comes back. Like the boy crying wolf, the villagers (fbi) takes longer to build momentum for the second event than for the first.

The organization is the least common denominator, so its moral capacity is the worst of a 5 year old child. Like raising/disciplining a child, the only way to change their negative behavior is to add an expected penalty to the behavior that is larger than the expected gain, so the risk-reward evaluation they make says "don't do it".

Surely their offer to stop is strong evidence that an investigation is warranted..

I'm not sure even a penalty will be enough, given how most of them end up being a slap on the wrist that is easily affordable.

My hope would be that even if the slap is laughably small for the current offense, the thread of larger fines for continued action would be a deterrent to keep going.

My limited experience with legal issues at large companies is that once a precedent has been set for legally risky behavior, the organization becomes extremely averse to approaching that behavior again (due to optics, legal complications, etc.). AT&T doesn't strike me as a company that cares all that much about the optics from citizen customers (as opposed to business customers), but being found to be a serial violator, i would hope, would have larger consequence.

This is why corporate fines should be based on percentages of global gross revenues, with minimums and no caps.

If your company might get fined and lose 5% of their global gross revenue for being a repeat offender, that’s likely to be a much stronger incentive.

Especially if those fines double in percentage for every repetition of the infraction.

Nothing less will impact the long term behavior of AT&T or any other cell company.

Or that of ... any other kind of company.

It's easy to find out if they keep doing it, so at least having the FBI force them to sign a statement that they stopped or XYZ happens (with the word prison on it), would be the minimum muster.

I would avoid equating raising a child with a corporation. It's a false equivalence. Positive reinforcement works way way better.

“Large company stops obviously inhumane/immoral behavior following gigantic uproar from hundreds of thousands of people after being caught red handed following years of secret misbehavior. Company Genuinely surprised, defends its actions, reluctant to stop profitable activity, but willing to do so given direct threat of action from government notoriously unwilling to stop companies doing anything.”

Just substitute in company name and alleged misbehavior and repeat over and over.

Ultimately... when it comes to a big enough company, these decisions get squirrelly from the perspective of a moderate politician.

Take VW's emsissions test cheating. They broke the law, blatantly, intentionally, for 6 years that we know of, with substantial financial and competitive gains.

In Europe (most consequences were in the US), this is even more aggregious, imo. European emissions standards, vehicle taxation and such are often designed to give locals (esp VW) an advantage in the market. VW wrote a lot of the rules they broke themselves, practically.

Anyway... Back to the moderate "jobs and harmony" politician. Handing out a genuinely sufficient (enough so that crime doesn't pay, even if you only get caught every 2nd time) penalty would endanger the solvency of the (limited liability) company. That's not good for jobs.

Genuinely pursuing criminal charges against execs is something every major company, bank and such cries "disaster" over.

It's kind of a "too big to fail" problem. Does Germany/EU care more about fairness and rule of law or about the success of the biggest German company?

In Europe, many of the VWs execs are prosecuted over this. In the US the exec got 7 years in jail if I remember correctly. The company itself was fined €1 billion (not enough imho) in Germany.

So this actually happens, and I agree that execs should be personally liable for damage that is done to others/the environment as result of their decisions.

(Partially) nationalize it as a penalty. Screws over the shareholders without endangering the jobs.

Why would you prioritize punishing the shareholders? Middle class savings are also shareholders too, especially of big public companies. They're certainly too diffuse to be complicit in the crime.

Punishing companies and shareholders has too much collateral damage to innocent employees and shareholders. We should focus on criminal punishment of executives via jailtime, not via fines.

Monopsonies can be as bad as or worse than monopolies.

Six months ago: "Verizon, Sprint, AT&T and T-Mobile stop sharing real-time cell phone location data"


But this time they mean it.

This is the same story in Sweden too. For a short period, I was part of the team, and we were being asked to see how we can answer some questions with the information for something around 10k peoples information in Spain and Portugal. The way they just handed us the data and their explanation of why this is not going to bite us back made me sick and I just left right away. But the mentality of how to use these data in the business should be taught to mainstream marketers. Obfuscation of these data to not pinpoint a single person is not something that is as robust as people may think. I can easily find myself in our neighborhood since I know some key points about myself!

Yeah, it's been shown time and time again how much de-anonymization can be done on thought-to-be-anonymous data.

Statements like these should be contractually binding. It's far more effective communication than their actual contracts. And given that the only point of a contract is to solidify an agreement that two parties are knowledgeable of, it would seem that all public statements should be considered a part of said contract.

T-Mobile just did the same. I think what you'll see instead is the phone companies selling the data directly instead of through a 3rd party broker.

In response to them claiming there's legitimate uses.. there's really not. If someone needs roadside assistance you can ask if they can get your location or require the caller to have a carrier app installed that requests location data.

And hey, T-Mobile also did the same last year!

I fully expect them all to stop selling location data next year, too.

"I can quit anytime I want, I've done so hundreds of times already"

It's interesting that even companies that have a clear paid service do this too. Companies like Google, Facebook and all sorts of free apps, rely on their shady back-end manipulation/ads because their service is free, but that even companies who actually have a product are doing these sorts of shady things as well makes one wonder if there is a future where the web isn't so antagonistic to the users.

We need something like the GDPR in the United States. Otherwise there’s always going to be someone sleazy offering money which most managers won’t turn down — the check makes their numbers better right now and it’ll be a long time if ever before someone notices.

California recently passed legislation that will kick in Jan 1, 2020: https://www.caprivacy.org/

The CCPA explicitly prohibits the re-sale of personal data, so it will at least impact the demand from data resellers of the location data in question, for example -- in theory, anyway.

It also gives consumers the right to request their personal data be deleted. It's, however, unclear how this would impact location data telcos are selling.

As other states begin to consider their own legislation, many are pushing for federal legislation that supersedes state laws, for obvious reasons. That will be worth keeping an eye on.

As much as I would love to have the protections offered by GDPR, I doubt it would even make it past a committee vote. Telecom/technology lobbyists would exert maximum pressure on legislators in order the proposal to die. There's far too much money to be made in trafficking user data.

I don’t disagree that it’ll be hard but I think there’s more awareness of the problem and rejection of “regulation is bad” propaganda than I can remember seeing before. I won’t be surprised if something happens at the state level, especially outside California.

Everyone is doing this. Not selling all your users' data is just leaving money on the table. The only holdouts are companies who've built their reputations on privacy. And probably not even all of them.

Anyone that doesn’t have advertising as their lifeblood has no incentive to sell user data. That’s far from “everyone”, it’s probably a minority of revenue $ across the entire industry...

Every time things like this happen, the bar for what is acceptable gets lowered. It's only going to get worse.

Even if they follow through and stick with it this doesn't meant they will stop collecting and storing the data. All US mobile telcos store location information for 2 to 5 years and that data is available on the drop of a hat for any federal government agency that wishes to have it.

As actual 5G multiple-in multiple-out antenna beamforming arrays and micro/nano/etc cells become more common the location data will be much more fine grained as well.

The problem here is not the commercial providers selling it to 3rd parties. The problem is them storing it for year and years. If it's there it will be used.

Narrator: "They don't"

Didn't they all promise this the last time they got caught selling this data?

"AT&T also said at the time it would be maintaining those of its agreements that provided clear consumer benefits, such as location sharing for roadside assistance services."

In the near future: “AT&T said in a statement today that they stand by the views they expressed earlier regarding location sharing, saying that ‘matching customers with ads is clearly in their best interests’.”

"Selling the names and locations of all people at all times allows us to charge less for phone plans, and so is in the clear interests of the consumer."

Sadly, Vizio made exactly this argument the other day about their TVs.

The counter argument is obvious (but hated by marketing department).

If people loves their adds so much, just let them opt-in.

It should almost bring the server down from people pressing the "give me adds" button if you are to believe how much people wants this :)

I pay €35 per month for true unlimited 4G data. Looking at what T-mobile offers in America I am not impressed with their phone plan.

its usually spun as "consumers love more relevant advertising"

Both forms are utter bullshit. Advertising is an assault on customer agency; it's hard to love it.

CNN hasn't published anything on this and they are owned by AT&T. am i being a tin-foil hat conspiracy theorist? it seems like lots of major outlets have discussed it, including their major competitor fox news.

I wouldn’t be surprised if this turns into a feature with a price attached. AT&T location privacy add on. $5.

We can know where the board of AT&T resides when they are in jail.

I don’t believe them, and I’m no longer interested in giving the industry more chances. ISP’s need regulation, nothing else will stick for long.

I think it's nuts that your video rental records are better protected than your phone records and ISP records. Maybe a future administration will rebuild the anti trust departments and they will start to break apart companies like Facebook, Alphabet, and Verizon.

>companies like Facebook, Alphabet, and Verizon

It may well be worth applying far stronger anti-trust to all of those, but I still think it's a mistake to lump together some companies that are merely big and have network effects with a company that has both government granted and natural monopolies on limited physical infrastructure. Given the massive backlash in just the last year against Facebook, and competitors growing vs Alphabet, it is at least arguable that it's too early for drastic steps before seeing what happens. There have been other big tech players that nevertheless got displaced over a decade or two (Xerox, IBM say). And even if they do need remedies, those may well be different remedies then what would be appropriate for Verizon (GDPR-style for example, transparency and control for people over data). There is in fact only so much available usable EM spectrum, or rights of way for cables. It's a different class of problem with different solutions and tradeoffs.

I just worry that if you lump too disparate things together it'll become an easy defense for the worst of them, and we'll end up with a situation where the likes of Verizon or Comcast or AT&T or whomever refer to themselves as part of the "Google/Facebook" group and then point to Bing and claim anti-trust is overblown. Also, reducing the most end point monopolies could have ripple effects up the stack, if everyone had content neutral symmetric WAN links closer to LAN speeds again it could significant aid decentralization, at least for the initial growth stages.

A network effect _is_ a kind of monopoly, and this monopoly power can be abused like any other. It’s harder to compete with Facebook than it would be in an idealized free market because there are only so many different platforms a user will be willing to use to keep in touch with their friends. This fact alone doesn’t automatically make Facebook evil, but does mean it deserves an appropriate level of scrutiny and regulatory oversight like companies with other kinds of monopoly power, even if the details differ.

The FTC staff had already recommended antitrust action against Google over its abuses back in 2012 but Obama killed the investigation to save them. Google was smaller back then and it was also before the EU had 3 antitrust cases against it. I fail to see how Alphabet is in a better position now. And Facebook should have never been allowed to buy WhatsApp and Instagram. It was already big enough at the time.

Merely big is a problem all by itself, IMHO. That's more a side effect of the lack of regulations around political spending by corporations but it's still a problem.

Aside from political influence, any company that's too big to fail is probably just too big.

It's much easier to change your search engine than your ISP.

Indeed but when you change your ISP you are generally completely disconnected from them. Changing your search engine is just the first in a lengthy series of steps required to separate yourself from Google's data harvesting capabilities. This is why it's reasonable to declare them a monopoly.

Taking just Google Analytics as an example. A quick search [1] indicated that, as of 2015, around 6,950 of the top 10,000 sites by traffic use it, with 546,000 of the top million using it. I'd expect those numbers have only increased. And their analytics service is just one branch of their extremely long reach outside of their search engine. You can get away from Google search, but getting away from Google is an entirely different issue.

[1] - https://marketingland.com/as-google-analytics-turns-10-we-as...

And those are just the ones that make it explicit. It's also pretty easy to mask usage of GA via a reverse proxy[1], or indirectly use GA via services such as Segment[2].

While both do create a degree of separation between your device and Google's servers, it still underscores your point of getting away from Google entirely being far more difficult than just avoiding Search.

[1] https://medium.freecodecamp.org/save-your-analytics-from-con...

[2] https://segment.com/

It's easier to change your ISP - even in the US - than it is for your data not to land in Google's or Facebook possession somehow whether it's through web site tracking, its own services, or partnerships with hardware manufacturers and other data companies.

It is not that easy to change ISPs in the US because in a lot of cases you don't have options.

But you can do one thing. Randomly click an ad and destroy their prescious data and metrics. while reading an article that has thirty fucking ads, I'll click one or two. it has gotten interesting what pops up now. The ads sucked before.

Ad tech has not improved in 20+ years. It's delusional of sv to think it has. There is nearly a generation of people working on it, and the end result is low quality ads as if it was 1999.

There's a great extension, AdNauseam, that automatically clicks every ad in the background for you. Google shut them down from Chrome, of course: https://www.fastcompany.com/3068920/google-adnauseam-ad-bloc...

How the hell do you break up Facebook? Make it worthless and unusable by forcing it to be regional?

A good start would be to spin off Instagram, Whatsapp, and other big acquisitions into separate companies. Those purchases probably shouldn't have been allowed in the first place.

This is a question everyone should propose to their representatives if anything is to be done about data privacy in the US.

I think the video rental privacy law came into being because of the rental records of a politician were leaked and he had been watching [clutches pearls] porn.

> I think it's nuts that your video rental records are better protected than your phone records and ISP records.

Librarians have shared ethical standards, and concern for people other than themselves. Engineers don't. The closest they get are safety standards.

So things that overlap with what librarians do have had constant pushback on privacy protection issues.

> Librarians have shared ethical standards, and concern for people other than themselves. Engineers don't. The closest they get are safety standards.

I think at least this needs to say "the engineering profession" or whatever (as opposed to just "engineers"). While engineer's disease is very real, saying that engineers don't have concern for others seems an overreach.

>Maybe a future administration will rebuild the anti trust departments and they will start to break apart companies like Facebook, Alphabet, and Verizon.

Zuckerberg 2020

Don’t you see yet? It’s regulation that’s giving ISPs so much power.

I'll bite: what's your solution then? How will deregulating the market allow more ISPs to pop up and become competitive?

It's horrible that it has taken this much time get them to take action against their bottom line.

Are there any cell providers out there that don't do this kind of shady stuff? It's unfortunate that this seems like another market failure, where consumers have no real choice and the only solution will be punishment/legislation.

also, would using a MVNO carrier prevent the tier-one carrier from having access to location data? either technically or legally? i.e. is it even possible for an MVNO to position themselves as "the carrier that doesn't do this kind of shady stuff"?

looks like this article answers both questions:


MVNOs can't really provide any protection. Google is "demanding" that their tier-one carriers don't sell their MVNO customers' data, but just by throwing their weight around. i doubt they'll continue after this blows over, and other MVNOs don't have that kind of weight.

which means every single mobile customer in the US has to choose the least shady infrastructure owner -- between ATT, Sprint, TMobile, or Verizon. those are literally the only four options in terms of which company you want to trust with a never-ending stream of your personal location data. and if you use an MVNO, chances are good that _more than one_ of these companies has access to your data.

PR trying to recover from the fake 5G fiasco.

Oh, they doubled down on that lie. The CEO fully supports lying to their customers.

Wow, exactly like last time.

I could be wrong, but I strongly suspect that when they say they are going to stop selling the data, what they mean is that they are going to switch over to some indirect means that is technically not selling, but accomplishes the same ends.

"for now."

The moment the heat is off, they'll go back to doing it.

The only way to stop it is with legislation.

That's hilarious. What's the difference between AT&T and the federal government ?

About 10 feet of walkway ;)

They are both staffed at the top levels with the greedy and sociopathic?

I don’t like the idea of my data being harvested and passed around the internet. And somebody selling my location data seems super creepy. But what exactly is this data used for? Targeted advertising? Is that it?

And people literally call me crazy for not carrying a phone around 24/7.

Great. But, of course, there'll be a new service fee to offset the lost revenue.

Are there carriers that do _not_ sell your location data?

We desperately need to nationalize telecoms.

we need laws. with teeth.

Laws are usually backed by guns, but your idea might work too.

For how long?

Is there a mirror of this article somewhere? Something that is not paywalled?

Just like 6 months ago. I won't bother typing up my thoughts again and instead just copy/paste what I wrote before: https://news.ycombinator.com/item?id=17416804

> You should seriously consider [not carrying a cell phone] once more.


> These carriers will use the narrowest possible interpretation of their statements. Historical

> location data appears to be fair game, and perhaps they'll just launch their own competing

> service so they aren't providing anything to a third party. These carriers all constantly

> record your location data and see it as another potential source of revenue. The law (in the

> US) does not prevent them from trading it, sharing it, selling it, targeting advertising

> using it, etc.


> They got caught with their hands in the cookie jar this time and are pretending to be really

> sorry about it so that the law stays that way, and they can go back to stealing cookies once

> this all dies down a bit. Don't for a second think that this means your location data will

> not be used against you in order for the carrier to make a quick buck.

What about simply not using a sim?

Depends on circumstance but I can survive just fine without one in many cities. At home I have the wifi from so many restaurants/bars that even on the move I usually get a connection.

I'm not sure how much that helps.

That should prevent carriers from being told/trivially discovering your phone number, but your cell radio might still broadcast with your IMEI, which is at least as uniquely identifying.

The best is not to have a cellular radio, or to disable physically your phone's radio (e.g. as the Librem 5 will be designed to do). If that's too difficult or involved, soft disable the radio ('airplane mode'). That, however, requires you to trust the software really does keep the radio off.

Fair point, tempted to go down this rabbit hole with a SDR.

You'd assume airplane mode should completely disable it simply for airline regulation reasons, but can't say for certain, and some manufacturers perhaps dont care. Xaiomi and Huawei come to mind.

So many people up in arms about Facebook. When the reality is that both cell phone providers and ISP's ACTUALLY sell your data. Both location data and DNS query logs. But sure, let's focus on the "social media boogie man".

While I agree with you in part, social media isn't a "boogie man". Their data brokering behavior is harmful. ISPs data brokering behavior is harmful. Both things can be true.

Define data brokering. Only Targeting isn’t brokering. Being naive and opening an app platform that allows users to give some information isn’t brokering. Selling bundles of PII without the users knowledge from quasi legal sources to companies and government agencies in digestible form is.

There are actual data brokers in the advertising industry. Seedy companies who with a tracking pixel ( or just outright data dumps ) can give you actual PII data. Facebook ( and to and extend google, althought an insane amount of malware goes thru google ads,I’m sure you’ve gotten the “you’ve won redirects”), have been putting those companies out of business.

Both Facebook and google have a ton of flaws. Facebook has been super naive on some areas. But Most of the reporting on their “data issues”, have not remotely offered a real view of the industry, or what actually happened.

Facebook may have not "sold" the data but they were "sharing" it with other companies like Huawei, Acxiom, etc. I don't see how that's any better. They were giving it in exchange for other data or favor instead of monetary compensation.

Nope they were not!

It was the other way around! You were able to use Acxiom/etc data to target people on Facebook

it blows my mind that, even in a community as technically literate as HN, people are hurr-durr on "facebook selling my data!"

Defending Facebook isnt worth it. For what gain? On principle? Cmon

Selling location data to advertisers and bounty hunters is bad.

Selling the ability to target different demographics of people with different deceptive and divisive messages to foreign government agents is also bad.

We can recognize both of these things, and perhaps even find a common root cause.

Your first line is quasi legal, and everyone agrees is bad. But no one calls it out. ( because even mighty new york times uses data brokers.. )

The other is literally how all advertising has ever worked! ( yes, cable TV was targeting you ). Yes, placing an ad in a certain location is also targeting. It's not inherently bad, it can be abused though.

The implied "please oh save us facebook", is well, WTH. Should we stop all political advertisement? should we prevent outside money in local elections? should we prevent foreigners from advertising in a different country? These are all great questions. But no one has ever had the right answers.

We're crucifying a company because they amplified society. We are asking them to solve societies evils. We are not focusing on the actual evil itself. ( sorry for the rant, but you went on one too :-P )

FB's whole business model is extreme targeting of ads based on learning everything possible about people by any means necessary, including grabbing their text messages without their knowledge. FB isn't the overworked security guard, they're the bank robber.

And yes, non-transparent targeting of opposite fact claims to different voting blocks is quite different from "put a TV spot on Conan because the young people like him", not least because anybody could see the spot on Conan, and because TV advertising is regulated.

> cell phone providers and ISPs

Wifi probe request tracking is by far the biggest invasion of privacy IMO (it works even when you're not connected) yet hardly anyone talks about it.

The fact of the matter is that there's a huge market for harvested data, and corporate parasites of all kinds have slithered out of the woodwork to compete for the largest, most intimately-detailed sets of information, and none of it is consentual (in the sense that, if people were actually privy to the scale of this nightmare, no one would agree to it).

False Dilemma - it isn’t either/or.

They're both awful. Why is that hard to understand?

Applications are open for YC Winter 2021

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact