It sounds like this was a piece of software where you uploaded a PDF of “proof” that you had the authority to track anyone in America, and then it let you. And someone finally bothered to look at the proof and it was a blank page.
This is why I’m against giving the government the power to intercept communications or middle-man encryption. They always pitch it like “This power will be protected by courts and warrants and Fort Knox level security!!” and then it’s a checkbox that any bureaucrat can use to violate civil liberties en masse.
See also LOVEINT. Every once in a while, some NSA spy gets caught spying on their loved ones. Not even incompetence, just plain malice and abuse. Looks like they don't even face any criminal charges either.
Governments are essentially adversaries, enemies we have to defend against. It must be mathematically impossible for them to abuse their power. Anything short of that is not enough.
With us all carrying cell phones and most all EVs having a net connection, anonymity is hopeless. For phones I could get a burner and then when I login in, no privacy. So then a burner w net connection that somehow isn't on at my house, and I ssh to my home computer to read my email. For my EV w a net connection, I could pull the fuse for the lte modem. But I like the map w routing and plug and charge at a supercharger.
I only have one idea, I use my friends phone and my friends car. We need a big swap meet every morning.
That's just impossible. Even if everyone had perfect e2e encryption, the government could just ban it and throw people who use it in jail.
You can't solve social problems with technology.
What is necessary is a governmental system which tends away from the abuse of power. This requires better voting, more transparency, and the literacy and engagement of its citizens.
The problem is, just like in Conway's game of life, the current system's state informs what states it'll progress to. If a system tends toward corruption or abuse and isn't actively changed, well eventually it no longer will be possible to change.
> You can't solve social problems with technology.
Sure we can. Every time people make subversive technology, it literally changes the world and its power structures. Computers are the ultimate example of subversive technology, they can make a mockery of courts and police using nothing but mathematics. It's really no wonder they want to control computing by only allowing us to run signed software, it's too subversive otherwise.
Every time new technology shows up, they have to increase their tyranny in order to maintain the same level of control they used to enjoy. Just assume anyone using such technology is guilty? Sounds like tyranny to me. The next step is to get everyone to use the technology so they can't just assume that. At some point we'll find their limits. We'll end up with either an uncontrollable population or a totalitarian government.
Interestingly they don't even need to ban the tech, just throw out enough FUD about people attempting to take back control of their personal data using the tech and you can set some nice precedent (in the mind of the judge and people) that those who use these tools _must_ have something evil to hide.
That's why you use a constitution strong enough to prevent the government from having authority to ban a tool like that. The solution's been known and described for 250+ years now.
The problem is, if you rely on tools - and a constitution is nothing else than a tool - you will end up developing a reliance on that tool. And all of a sudden, that tool breaks, and you're fucked.
Democracy must be fought for every single day, and for that matter so does all progress. Democracy isn't something a society automatically converges to and which everyone loves, it must actively be maintained or someone will come, sow mistrust and preach "easy" solutions - and then you wake up and your country isn't a democracy any more.
That's silly. A constitution is just a piece of paper. It has no inherent power. It's the institutions put in place to enforce the constitution that give it power. If those institutions rot, the constitution will not protect you. As we've seen time and again.
A constitution is a piece of paper. At the end of the day, especially in a representative democracy is it's people. If the people drifting towards authoritarianism in mass, they will gladly wrap that piece of paper around a stick, light it on fire, and impale you with it all while claiming their new king.
Constitution is nothing but paper. What stops the government from just ignoring it? Happened in my country. Supreme court started censoring people despite the fact it's unconstitutional. Police follows their orders so whatever they write on documents is law. A literal judiciary dictatorship was silently installed and nobody even acknowledged it.
This is why you should never allow them to disarm you. At the end of the day, it all comes down to the threat of deadly force. The government should be in a state of permanent existential dread, its power always threatened by the population.
The US Constitution certainly isn't modern or flexible enough to definitively protect (users of) E2EE. There are arguments for their protection, but none is ironclad (like "this is speech that is protected" ironclad). I'm not saying the Bill of Rights was wrong in its time period, but it would be more appropriate to lay out fundamental principles that must be upheld, and protection for E2EE (users) could then be derived. There's some of that already, but not in a clear and comprehensive manner.
I forgot about that argument. I think it's not ironclad because "code is speech" seems like a stretch to me. I guess I'm being a bit unfair; when I say I want ironclad principles, I mean the kind that you can interpret literally and deduce whatever correctly. Admittedly harder to do.
Want mathematical assurance that your government won't abuse power against you? Either you have to be the government or you don't live in a society with a government. Abuse isn't so easily constrained. Try proactive regulations, vigilance, and strict punishments (not comprehensive). Best effort, but what else can you do?
"Government can never abuse power or government can systemically abuse power" is a false dichotomy. You can make it cost more so it happens less.
Encryption is the common example. As far as anybody knows the government can't break e.g. AES. But they can still find out what's on your device because with a warrant they can install surveillance devices in your house to capture it when you enter your passphrase, then seize your device.
Which makes it possible but not easy, which limits the scope for abuse.
> "Government can never abuse power or government can systemically abuse power" is a false dichotomy.
I didn't make it a dichotomy. I was just commenting that "mathematically impossible" is too strong to the point of absurdity. Not fun at parties, but I would hope it's fine on Hacker News. I then provided a rough overview of a system to mitigate abuse. We're not even disagreeing about trying to minimize government abuse.
To discuss your example of encryption, the abuse is the government installing and using the surveillance devices (let's assume the suspicion isn't beyond reasonable doubt or whatever and the warrant is invalid). The question is whether that abuse is prevented or routed and justice is enacted.
Law enforcement burglarizing your house to install hidden cameras without a warrant is indeed something you would want the system to address, but it's also a much narrower problem, because it's expensive and dangerous. Typically when doing that sort of thing with a warrant, it would be done by a team who e.g. ensures that the homeowner doesn't come back while the cops are in there installing the bug, and who wouldn't go to jail if the suspect's brother unexpectedly shows up just then and catches them -- because they had a warrant.
Whereas anybody can forge a document and submit it to the phone company, and the scope of who is able and willing to abuse that data is very large. So it should be narrowed by not collecting it and forcing access to go via the more expensive route which is less subject to abuse.
I like that in spirit, but not as a practical standard. A major function of government is to prevent abuses of power. So I'm more inclined to shoot for overall minimization of abuse.
> A major function of government is to prevent abuses of power.
But they can still do this. If you want to know where someone is, instead of compelling devices or carriers to spy on everyone at all times, you attach a tracker to the suspect's vehicle, or assign an agent to follow them. That's more expensive -- which is the deterrent to abuse.
A bad cop doesn't have time to follow around their ex all day. They do have time to follow around the subject of an official investigation, because that's their job. Tracking devices cost money, so it limits the number of people who can be tracked at once and prevents mass surveillance.
The argument for compulsory backdoors is purely an efficiency case, but efficiency is less important than preventing abuse.
The carrier is not spying on you here. A cell phone network has to know your phone's location in order to function at all, and this info has only gotten more and more fine-grained with newer network standards. There's nothing wrong with granting access to such data with proper authorization.
The "expense" involved in getting warrants approved is a better check on abuse, since it's very easy to do this as part of official law enforcement duties, and quite hard otherwise - the corrupt cop will need to come up with some reasonable justification, and not have it fall apart under deeper scrutiny. Of course if your local judge will rubber-stamp blank_document.docx as a proper "warrant" you have a problem again. But that can be addressed in turn.
It would be simple to design a cellular data network that didn't tie account holders to devices. Issue access tokens good for e.g. 10 GB of data to the mobile device. Don't store the token in connection with the account. Anyone could buy a prepaid card with tokens for cash at any convenience store. The network identifies the device via the token, which is temporary and anonymous. Telephone routing is done via VoIP which anyone has the option of routing through a VPN.
It's designed the way it is now on purpose, to spy on everyone.
> The "expense" involved in getting warrants approved is a better check on abuse
Except that they don't actually get warrants when they're doing abuse, they just lie about it because the phone company has minimal incentive to check and the victim who does typically isn't notified.
> Of course if your local judge will rubber-stamp blank_document.docx as a proper "warrant" you have a problem again. But that can be addressed in turn.
"Quis custodiet ipsos custodes" is in latin because it was published circa 100 AD. No effective solution to this problem has yet been uncovered.
There was a phone called the AN0M that came on the market a couple years ago that purportedly had similar features, turns out it was an FBI honeypot op to sell it to people that were seeking "privacy" with the hope that criminals would purchase it.
> But they can still do this [...] attach a tracker
I was responding to somebody who wanted it to be "mathematically impossible for them to abuse their power". Attachable trackers aren't sufficient to achieve that.
Well, in this case a random law enforcement deputy could get sensitive location information about random people with no meaningful cross-check of any sort - and this has only come to light after the fact, as part of a criminal investigation. So there's reason to be highly skeptical that the status quo is the best we can do when it comes to preventing abuse across the board.
Yea I sometimes get a feeling that a large portion of the population just doesn’t understand conditionals. If you tell them “you have the authority to do X if Y”, they just ignore the Y part.
It's not about understanding, it's about seeing these sort of rules bent dozens of times first and then finally doing it yourself. Rules are only as strong as their enforcement and in many cases it turns out that no-one has neither the incentive nor the ability to enforce them very hard.
After some bantering with Swedish police officers on Twitter I’ve come to believe that many of them simply do not make a distinction between what they have the authority to do, and what they can get away with in practice.
One of the things that would help this if anytime any of these surveillance powers get used, they have to be used as part of a specific ongoing investigation, and when that investigation is closed, everything related to it becomes a matter of public record.
And then you have some hard rules like, investigations are automatically closed after the statute of limitations runs, or if the target of the investigation dies, or the victim chooses not to press charges etc. Things not in the control of the investigators, so they can't keep an investigation open forever to prevent their abuses from becoming public.
This is unworkable, sadly. I don't want my past location data to become a "matter of public record" merely because I have been caught up as a bystander in some random law enforcement investigation and it all ends up in the case file.
Obviously personally identifying information could be redacted without doing so for the request itself.
But you're just reiterating the problem that third parties are collecting the location data of innocent bystanders. Otherwise it wouldn't exist to be in the file.
People who are drunk on power subscribe to the "ask for forgiveness, not permission" philosophy. They think everything they do is right and just. They cannot understand or even believe people would not trust them and see the conditional as a pointless hindrance, bureaucratic red tape meant to stifle upstanding people like them.
Also, the system doesn't really penalize this philosophy. Try to do everything by the book and you find that you can't really get anything done. Cut some corners, you get shit done and, in the worst case, you get a mild slap on the wrist several years later.
And completely break down some walls, injuring others in the process? Get a promotion, and if caught just move somewhere else to do the same thing over again.
People love to wield power over those they oppose and don't care if the system they implement is abused until they're the targets of the abuse.
For example: most people love the police when they coercing wealth from strangers to fund their projects but hate when the same police step on their chest until they stop breathing during a traffic stop.
Because the government and pretty much all those power ignore Y, and whenever they get caught, vast majority of cases they don't get punished. Of course anyone remotely intelligent would ignore the Y part too. Only extremely gullible people with their blind trust in government would look at Y part and nod along. This particular case very much the exception.
> and someone finally bothered to look at the proof and it was a blank page.
I think I agree more than not with your worldview, but it seems like in this case this was the first time the person tried to improperly use the system... and he was caught and is now being sentenced. So I would say this is an example of the system "working".
I'm sure there are civil rights abuses that happen much more frequently, which we don't here about, but this specific incident seems like something that should be cheered.
According to the second sentence of the article, the officer tracked multiple people and their locations. He clearly wasn't caught the first time he used the tool inappropriately because he was found guilty of using it illegally multiple times.
The officer very clearly was not forthcoming with the investigation, judging from him falsifying documents after the investigation started. So he may have other undetected crimes.
In fact, the only fair conclusion I think you can draw is that some officer(s) use the tool inappropriately. Because it's not clear if all uses are audited, or this officer was found on a random check. But in my opinion saying "the system worked" is inappropriate given the lack of data.
Is this some kind of parody? He got caught because it was a literal blank piece of paper. Anyone with any sense would write some bullshit paragraph and I'm sure plenty did and got away with it.
I read it the exact opposite way. It turns out that when you punish people with a decade in prison for lying, you can just operate on their word and verify later.
I don't need a system that never gives data to a malicious user. It doesn't need to be Fort Knox. It needs to be logged and audited regularly and for people who abuse it to be punished severely.
I'm sure there are lots of technical measures keeping my bank account safe. But, the greatest measure is that if you take the money the US government will throw you in jail.
Courts are also sometimes full of work so any request by the executive will be granted by default. The chances of repercussions are much smaller to decide this way.
It's disturbing how much this information is sold and resold:
* Securus purchased the location data from 3Cinteractive Corporation, which was located in Boca Raton, Florida.
* 3Cinteractive Corporation, in turn, purchased such data from Technocom Corporation (doing business as LocationSmart), which was located in Carlsbad, California.
* Technocom Corporation (doing business as LocationSmart) purchased this data directly from telecommunications services providers.
* This capability enabled Securus’s registered users to obtain the location data entered in the LBS platform, or, in other words, to ascertain the approximate physical location of a particular cellular telephone on demand.
The cellphone companies have been selling the realtime location of all subscribers since at least 2018. It doesn't depend on whether you have location enabled either, since it figures out your location from the towers! On top of that, one of them had an unauthenticated API, meaning anyone in the world could track the realtime location of any US phone #[0].
If all of this bothers you, contact your state legislators. Most state privacy laws don't protect against ISPs selling your location & browsing info, even though that would be the common expectation. Maine's law is simple and does a good job[1][2].
> It doesn't depend on whether you have location enabled
It's even better: the location can be enabled through a network initiated request. This is because A-GPS works "both ways". See https://en.wikipedia.org/wiki/Assisted_GNSS#SUPL : SUPL Position Calculation Function (SPCF) lets the client or the server ask for the client’s location.
As part of the FCC’s updated 911 requirements, where cell phones (with no set location) are required to be routed to the correct 911 center, aGPS was developed to not only help GPS get a faster TTFF (time to first fix), but to transmit location data to the carrier (and to anyone else who can intercept the data)
> If all of this bothers you, contact your state legislators
If you don't like that and want a quick fix, on android devices check /data/vendor/agps_supl/agps_profiles_conf2.xml for ni_request="true": this is the Network-Induced Location Request functionality, where the network asks for the GPS position. Change that to false.
Personally, I believe 911 AGPS is of limited use: if I'm unconscious and can't dial, the phone 911 AGPS working won't do me any good. If I'm conscious and I can dial, I can also open a map app.
Still, if you want to keep the 911 stuff, just change reject_non911_nilr_enable="false" to true (because yes, by default, everything goes - 911 or not)
There's also lpp_enable="true" (LTE Positioning Protocol, yet another method by which cellular providers can pinpoint your location via aGP
S), imsi_enable="true" (which transmit a unique identifier along with the AGPS request!)
Check also /data/vendor/agps_supl/agps_profiles_conf2_prv.xml
Or even better: don't use a phone. I have a 5G/LTE module in my laptop when I need internet connectivity: it's turned off the rest of the time (rfkill block wwan). You can also disable the power to this M2 port (saving battery if you care about that)
> Personally, I believe 911 AGPS is of limited use: if I'm unconscious and can't dial, the phone 911 AGPS working won't do me any good. If I'm conscious and I can dial, I can also open a map app.
For what it's worth, new phones can detect car crashes and initiate a 911 call if you don't actively stop that.
What if you're not unconscious, but badly concussed or otherwise dazed? You can't count on having a clear and level mind in the aftermath of an unspecified emergency.
Because 911 is relatively simple and has been drilled into people since they were kids? I don't know man, I think being able to dial 911 is a lot simpler than being able to read your location off a map. Trying to find street names on google maps can be hard enough when my brain is working correctly.
> Any other related rererences - the tech that enables this sort of tracking?
It's everywhere in mobile devices. It's better not to use them.
If you must use one, you must at least have root to disable AGPS + add stringent iptable rules to disable any outgoing communication by default: you should only enable connections per app, or per IP/domain for what you need.
Still, that'll be of a limited help since the baseband manages connections (3GPP profiles etc) and does the equivalent of NAT to your device.
For all I know, the baseband could tell android "location disabled? sure thing!" while still getting GPS fixes + sending the position by UDP packets processed by the baseband OS: Android won't even see it! Yet by virtue of sharing the same IP (or being "enriched" with your IMSI as you can see above), you will be totally trackable.
If you want, you can also recover the stock firmware (https://github.com/Biktorgj/quectel_eg25_recovery), but the ability to audit from top to bottom to disable data exfiltration requires a 100% free software solution.
I’ve been asking where the hell these companies are getting our data to begin with for awhile because it has to be through shady means, even if technically legal.
Tracking a user and selling that data should not be able to be slapped deep down in some TOS that grants intrusion into your life at that level. I wish laws would be changed to require explicit tracking requests for this type of data, that has to be conspicuous and separately authorized in addiction to any TOS.
I wonder if these are all shell companies to hide the “origin server” for this CDN of unauthorized surveillance data.
I’m also curious how many of these are just middle men that do nothing but markup and resell, vs how many of these companies do anything to enrich the data before flipping it.
Wouldn’t it be funny if someone were to use these systems to get the location information for the executives at all of these companies, and it ended up online everywhere? I wonder if they would change their opinions on technical loopholes allowing the tracking of people without consent
Our gerontocracy is unprepared to deal with issues related to technology and privacy. I don't think these data brokers need to hide at all. We already see how legislators (failed to) comprehend issues related to technology in the many of unproductive congressional hearings over the past few years (Google, Tiktok, Twitter, Facebook... all brought before congress with nothing to show for it now). I think issues of technology and privacy are moving too fast for our gerontocracy to possibly keep up.
And I think our legislators show their ass in the case of the Tiktok hearing; effectively stating oh it's fine if the data is being bought and sold by a US company (Oracle).
If our legal system isn’t prepared to properly handle such things then it should default to being illegal to collect and sell data until the legislation is created to properly protect the rights of those who put them in office and pay their salaries.
The default of “you will be violated until we get to it, if we are able to comprehend it” is a dystopia I hadn’t imagined, yet here we are.
I’d like a definitive list which contains the source for each piece of data, the means that source acquired it, when they acquired it, and proof of my consent for it to be collected, stored, and sold to other parties who then sell it off to the highest bidder.
“It came from teleco companies” is not due diligence enough for me, and it shouldn’t be for you. That answer isn’t an answer and the lack of accountability is how the companies continue to violate our right to privacy and flourish.
> “It came from teleco companies” is not due diligence enough for
I never claimed this. I replied to the question about how a telecom provider would have PII. My mobile provider knows my legal name and other details. They obviously know which tower is closest to my phone at all times or my phone would not work. That it is terrible of them to sell this data was not in question.
Your cell phone company knows your name, address, and can infer where you've been based on the cell towers your phone checks in with. So that one's a given.
Here's a sampling of others:
Mastercard sells information on your purchases.[^1] (Based on the info Oracle had on me, I suspect they might be one of the sources for Oracle Advertising.[^2])
Equifax, who gets information from your bank, your car insurance company, your cable company, and loads of other places, makes a nice profit off selling your info.[^3][^4]
ISPs know who you are, can infer a lot about you from unencrypted DNS queries and HTTPS SNI snooping, and they're happy to sell information about you.[^5]
Then there are several tiers of companies that buy information from various other companies, aggregate it, and then sell that off. A veritable snowball rolling down a hill of privacy violation.
Just to clarify my point I’m not condoning this at all, but the telcos themselves have been selling live location data of their subscribers to aggregator services for years.
It’s really infuriating to me that people say Google or Facebook are “selling their data” (they’re not, they hoard data and sell targeted ads) when Verizon, T-Mobile, and AT&T literally sell your live, personally identifiable, non-aggregated, location data to third parties, hiding behind their subscriber agreement legalese.
there were rumors of gray market identity traders in the 2000 times, within the USA. What changes is accuracy, timeliness, noise levels and verifiability, off the top of my head... Apparently completely legal identity document sales have gone on since the 1950s at least, around driving registration, home address, employment and related things. Since that is in the USA, with newer laws and an alleged emphasis on citizen rights, I can only imagine that other large political powers have had this for centuries.
> Pena pleaded guilty to unlawfully obtaining confidential phone records. He faces a maximum penalty of 10 years in prison. A sentencing date has not yet been set. A
federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors
I mean, there are lots of worse penalties for things related to organized crime. Things like minor fraud or burglary are often also in the probation bucket.
Minor fraud and burglary generally don't generate a federal prosecution. Doing what would otherwise be a fairly minor crime under the color of law should generate a hefty bench-slap (as the lawyers like to say).
This seems correct regarding this person and this conduct, but I disagree that this type of penalty is "the standard for most first time, non-violent offenses."
Federal cases are a small percentage of total criminal prosecutions, and penalties vary widely across the country.
But three letter agencies do it all the time without any warrants and when caught no repercussion either last I checked. Maybe the DOJ attorneys can get to those as well?
This is why I’m against giving the government the power to intercept communications or middle-man encryption. They always pitch it like “This power will be protected by courts and warrants and Fort Knox level security!!” and then it’s a checkbox that any bureaucrat can use to violate civil liberties en masse.