Just wanted this to be at the top in case anyone is allergic to reddit threads.
Turns out my family was "opted in" even though we never gave any consent for this (and we certainly never would if asked).
To quote the top reddit comment: "Get f*ed at&t"
As an aside, they have a terrible UI/UX for this - it's probably on purpose. They could have easily put all of those permissions on a single page.
> The keyword here is content. They don't use the content of the messages and calls, just the metadata (numbers that communicated, duration, etc). That information alone could be very revealing though.
If you have a phone call with a friend about widgets and then they google for it just after the call, a wise marketer might think they should show you some ads for the same thing just in case.
Just pray your friend doesn't google something illegal or distasteful just after they get off the phone with you.
You might guard your own privacy 100% but have a conversation with someone who doesn't. If you share interests, then your privacy op sec is now compromised in a way completely out of your hands.
They almost certainly already know where you live and whom you live with, where you work, where you shop for groceries and hang on, where you travel to on vacation, and so on.
For many years now, they've been capturing this "metadata" (at minimum) anyways -- to hand over to the U.S. Government on a daily basis -- so we really shouldn't be surprised that they decided to take advantage of that and use this information in any way that they can.
Personally, for quite a while now, my "default" has been to automatically assume that pretty much ANY data I provide to any company WILL be kept -- forever -- and used in absolutely any way whatsoever they they desire and/or for any purpose, including "sharing" it with any other company to be used in any way and for any purpose (and even if they aren't right now, that can change at any time).
As an aside, Gen. Hayden (former DIRCIA/DIRNSA) testified that, "We kill people based on metadata".
: Additionally, any "missing pieces" of their profile of you can probably be "filled in", thanks to their access to your (Internet) data that also travels across their network. Of course, I'm sure they would NEVER do anything like that -- nor anything they might ever need "retroactive immunity" for!
I am copying and pasting another comment I made on another thread:
"Companies are now promoting data services to advertisers that allow a company to install a cookie on their website and, by just having a user complete a site visit, match an IP address to a physical mailing address with claimed 90% + accuracy. Don't believe me? Check out this company: https://www.eltoro.com/. One of many companies that have recently popped up offering just such a service."
This is achieved by layering user data from mobile applications and user data from ISPs and mobile carriers. Combined it is enough to do some scary stuff.
Its similar to that Reply-All story where they looked into whether the claim that FB was listening in on people's discussion, and despite there being no physical way for it to happen, people still believed it.
I think what's much more likely is that machine learning algorithms are so good right now, they're able to determine what people are interesting in based on browsing habits and other metadata. Either that or they're using your location data and tracking what adverts people are physically seeing on signs/billboards.
So you may think your app is listening to you because you get an ad for something you talking about, but you don't realize you talked about it because your brain subconsciously registered a billboard over and over again.
I and a friend were discussing this before that podcast. He was of the opinion that FB was very likely listening because he had multiple occurrences where he'd visit family, and they'd talk about something, either some product that family was interested in or had just bought, and hours to a couple days later he'd see an advertisement for it.
My stance (which looks to be the same as yours) was that they don't even need to listen to you, and doing so would probably be really bad if it was found out. Instead they know who you're around, they what that they're interested in, and they make some educated guesses and tag you as interested in stuff they are also or that they just bought, and it's the hits that stick in our mind, not the random other stuff you were shown that you never talked about with others but they had searched for or bought.
Throw enough data at he problem, you'll get some hits. There's a lot of data out there right now.
About ten years ago, I discovered that one of the major "rate you shopping experience"-type survey providers had a feature where shoppers would be tagged at the beginning of their session, and if they were randomly selected, everything they did on the website was recorded (including text entered in fields, etc.). When they checked out, they'd get a pop-up asking if they wanted to complete a survey. If they answered "no", supposedly that recording was deleted, but who knows? There was certainly no indication that answering "yes" would result in it being saved indefinitely for playback by the marketing department.
The only reason I found it was that I was curious about some binary data that would be uploaded every once in awhile. It wasn't hard to take apart (zlib, I think), but the standard tools didn't catch it at all because it was a custom thing developed by that vendor. I've still never seen anyone discuss it publicly, despite it having been very common on online stores for years.
It could also be that no one is doing marketing analytics based on voice recordings, of course. I just wouldn't take it for granted that someone would have found it and disclosed it.
Not that it's actually happening, but the best cell network speech codecs use ~6kbits/s, and it's probably possible to go lower with reduced speaker identifiability. You also only need to record when there's speech detected, and can delay and/or batch transmissions.
Purina Dog Chow purchases "Qualified Leads" from marketers who have lists of people interested in Dog Food.
We have no idea where they get those lists. If you play Candy Crush, and that third party app has Microphone access it could be collecting the data, and selling it to marketing agencies, which then sell the qualified leads to Purina dog chow.
You are still being listened to and your information sold. It just happens on Facebook more than it being Facebook's fault directly.
But, you know, those same laws do a good job of preventing shit like this.
They know the regulations are tough, so they can corner the market and up charge accordingly.
(Big) Profits are not made in competitive markets.
Other parts are infosec best practices, anyone who is security conscious could look at it and say, "yeah, that makes sense."
And this "independent" court will mostly target Google and Microsoft while taking crumbs from Facebook.
Coincidentally, Mark Zuckerberg will meet with the "independent" court frequently.
The only effect this will have is making the sale of your data more overt rather than covert.
Well if you know your telecommunications services provider sells your data and the only other one also does it (if there even is a second one), that also makes your choice pretty easy - albeit in a null kind of way.
> Sometimes we enter a wrong search word, or a wrong web address, or maybe the website we want is no longer in service. If this happens, the DNS Error Assist service automatically searches for similar or related terms and presents you some results that may be useful for you. Otherwise, you’ll get a “No results found” error message.
Ok, I'll try to turn it off.
Nope, it's broken.
To get to it, goto the prepaid link above, login, then click "My T-Mobile" in the top right, then "Notifications and privacy" then "Privacy settings".
There are a handful of obvious, simple ways to establish and protect personal privacy:
Extend property rights to all personal data. Then "privacy" is treated like every other asset, liability and protecting it is just bookkeeping.
Ban targeted ads. Ban freemium. Effectively eliminates most (non-govt) incentives for aggregating PII.
Require translucent database techniques to encrypt all PII data at rest. (Just like proper password persistence. Store salted hash, not the original value.)
Extra credit: Federal agency for credit ratings. Hellban all the non-govt agencies.
Grandpa story time: mid aughts, the company (Quest Diagnostics) that acquired us was trying to figure out how to monetize all the awesome new patient data our product was aggregating. Labs, scripts, allergies, etc. Negotiations with MS, Google, pharmas. Our Zuck and Thiel equivalents were electrified by the prospects. Us nerds were horrified. I now forget which specific ruling killed the idea. But it now occurs to me that I should have leaned in. At the time I was still trying to find, invent, steal a technical solution and had not yet figured out that's impossible.
There’s healthcare providers who sell patient data today still. It’s “anonymized” of course but if you want to know the history a given medication or procedure is performed on a per-patient basis, that’s all available. It’s just an anonymous identifier and somewhere someone checked a box that grants permission to resell that info, so it’s unfortunately legally acceptable under current law.
Since I'm a slow learner, it took me a long time figure out that big data will always win in the anon/deanon arms race. I don't really grok "differential privacy", so I just say it quantifies how much one has to fuzz the data to protect any single individual, given the data's bounds. But even then it requires the "honor system" to prevent others from using additional data to deanon fuzzed data.
It really clicked for me during a demo of Seisent (now owned by LexisNexus). Given enough data sources, the errors cancel out, so there's no way to hide or be an imposter. You'd stick out. Their sales team gave some examples of law enforcement using their tool to close cold cases. Not in so many words, because people would freak out, but basically: instead of finding the needle in the haystack, they rule out everyone who couldn't be the perp, and any one remaining is a suspect, and one of them has to be the bad guy. So then they work backwards, just like working around tainted evidence. (I've since had this theory confirmed by a professional bounty hunter. He was very surprised a layperson figured this out.)
I've talked to a lot (20+) healthcare startups, and attended confs and meetups, since. As of two years ago, exactly none of them understood the problem space or patient privacy. And I just don't have the goodwill or energy to refight those battles with another crop of noobs.
Most of us in our startup wanted to "fix" healthcare. Our contribution was going to be portable medical records. Specific initial use cases were to prevent mistakes due to missing patient history. Over time we got really good at showing our clients their own data, which became the prime selling point.
It eventually became clear that only a single payer system would have the juice to force all the competitors to play nicely. Good so far. The Bush Admin intended to allocate $17b federal grants to make it happen. Alas. Their mortgage default dumpster fire, causing the 2008 economic meltdown, and all federal juice went poof. Sadly, the Obama Admin didn't pick up that mantle. (They had other ideas about data sharing, which seemed naive at the time, but I haven't gone back to see who was more right.)
This isn't just a sob story. Ironically, I came to understand that one viable strategy to protecting patient privacy requires a top-down approach. Like a Real ID for medical data and services. Until that, or something better, happens, I just can't muster any interest.
They very well could say that their product teams (internet, tv, cellular, etc) take the data they sell into account when determining prices and thus prices are lower since barely anyone opts-out of selling the data.
Am eager to hear your thoughts, proposals.
AT&T _could_ choose to violate this policy but I imagine it would open them up to legal risk that they would not want.
That’s my experience
They'll probably prevent a sim swap, but I don't know about not using my personal data.
HN discussion: https://news.ycombinator.com/item?id=24653252
Verizon's Account Settings page has an evil dark pattern. The link to the Privacy Settings page does not appear in the menu. There is a Privacy Dashboard link which also does not contain a link to the Privacy Settings. I only found the link to Privacy Settings after submitting a request to Verizon to delete the data they have stored about me.
I would switch to a mobile service provider that cared about its customers, if one existed. The options in my area are AT&T, T-Mobile, Verizon, their subsidiaries, and Google.
Then "Manage Online Advertising Preferences"
We were opted in by default.
Also (they claim) you can delete previous information collected on you at: https://www.verizon.com/privacy/secure/delete
Credit card transaction data has a much higher signal for the same purpose and is just easier to work with.
Allow Use of Information:[No] Restrict User:[Yes]
Bot detection is sooooooooo strong though. Especially if someone wants to stop you.
I believe they call this data CPNI - Customer Proprietary Network Information.
Also, who uses naked SMS and expects privacy??
And anyway, phone companies have to make a buck.. Its not like we're paying them for the service!
I was amazed by how strict some of their consumption rules are against, for instance, storing the metadata. This is data you’re paying for!
The docs claim it’s to improve the end user experience but I imagine it’s primarily to protect their interests as data brokers.
It really jars me how metadata so inconsequential, like the year a book in the commons was published, can be so strongly legally protected by a party that didn’t even initially produce that number meanwhile we have so little say or protections when it comes to the personal data we first-class produce.
I’m becoming more and more of the opinion that people in the US are second class citizens behind corporations.
(I can't quote the specific rule, but I seem to remember this from some feedback that @dang gave me a while ago.)
"Avoid snark" is my first guess.
When you use /s, you're disclaiming the sarcasm immediately and in the same delivery as the words. It doesn't resemble tone at all, because you can't choose to be subtle. You don't get a beat in which the other person is initially surprised and then "gets it."