TechCrunch reported findings by Shotwell Labs’ co-founder that, even after the FCC penalized Verizon for injecting markers into its customers’ data that enabled them to be tracked without customer consent, the practice is still thriving across mobile providers and is being used to sell name and location data to whoever ponies up for it.
The mobile providers are injecting a new data element similar to Verizon’s Unique Identifier Header (UIDH), which is appended to HTTP requests and allows the websites visited to see personally identifiable data, including billing and location info, if they subscribe to the carrier’s data feed for it. While the article does enumerate some legitimate reasons for websites to gain access to this (employee tracking), it’s still concerning.
MPG: scum bags.
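Header injection of the kind described above can be observed by comparing the request a client sent with the request a server you control actually received over cleartext HTTP. The check below is an added example, not code from the article or from Shotwell Labs; the header names other than UIDH, the `echo.example` host and both sample requests are constructed assumptions.

```python
# Added example: diff the headers a client sent against the headers an echo
# server received, to spot fields inserted in transit by the network.

# Header names reported in public research as carrier-inserted subscriber
# identifiers. Assumption: illustrative list, not exhaustive.
KNOWN_ID_HEADERS = {"x-uidh", "x-acr", "x-msisdn", "x-up-subno"}


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: [values]} from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_injected(sent: bytes, received: bytes) -> dict:
    """Compare what left the device with what arrived at the server."""
    s, r = parse_headers(sent), parse_headers(received)
    added = {n: v for n, v in r.items() if n not in s}
    return {
        "added": added,
        "changed": {n: (s[n], r[n]) for n in s if n in r and s[n] != r[n]},
        "removed": sorted(n for n in s if n not in r),
        # Added headers whose names match known subscriber identifiers.
        "subscriber_ids": sorted(n for n in added if n in KNOWN_ID_HEADERS),
    }


# Constructed sample: request as logged on the device...
SENT = (b"GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
        b"User-Agent: probe/1.0\r\nAccept: */*\r\n\r\n")
# ...and the same request as logged by the echo server (constructed values).
RECEIVED = (b"GET /echo HTTP/1.1\r\nHost: echo.example\r\n"
            b"User-Agent: probe/1.0\r\nAccept: */*\r\n"
            b"X-UIDH: CONSTRUCTED-PLACEHOLDER-TOKEN\r\n"
            b"Via: 1.1 proxy.example\r\n\r\n")

if __name__ == "__main__":
    report = find_injected(SENT, RECEIVED)
    for kind, value in report.items():
        print(f"{kind}: {value}")
```

Running the same comparison over HTTPS should show no added headers, since an intermediary cannot modify an encrypted request.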
The possibility was discovered by Philip Neustrom, co-founder of Shotwell Labs, who documented it in a blog post earlier this week. He found a pair of websites which, if visited from a mobile data connection, report back in no time with numerous details: full name, billing zip code, current location (as inferred from cell tower data), and more. (Others found the same thing with slightly different results depending on carrier, but the demo sites were taken down before I could try it myself.)
MPG: the one site linked-to is now offline:
Note: this demo site may have been taken down after this report got traction.
Click “Begin,” enter the ZIP code and then click “See Underlying Data.”
What you should see is your home address, phone number, cell phone contract details, and — depending on what kind of cell phone towers you’re currently connected to — a latitude and longitude describing the current location of your cell phone.
MPG: So nice of the Feds to require that mobile devices be locatable to within 100 feet or so.
A few CEOs in prison for a few years would get things moving on eliminating or reducing some of these issues.
Private data is just too dangerous to trust to companies, or the government, since even the NSA cannot do it, and the IRS contracted with Equifax, which served up malware. Identity theft can land you in prison if the thief commits a crime in your name. It’s time to impose severe penalties for misuse of private information, including the corporate death penalty.
Michael C writes:
I was reading this morning your post and wanted to offer a few observations:
1 – Attached is a redacted privacy page from my Verizon wireless account here in San Francisco. Well hidden on the Verizon Wireless customer page, one can get to an opt-out page (My Profile > Privacy Settings).
2 – Once on that Privacy Settings page, you will see three areas where OPT OUT selections can be made. I am presuming that Verizon is honoring those OPT OUTS. If they are not, then we are back to beating the snot out of the scumbags in court, AGAIN.
3 – The relevant FCC order is:
“5. To settle this matter, Verizon Wireless will pay a fine of $1,350,000 and implement a compliance plan that requires it to obtain customer opt-in consent prior to sharing a customer’s UIDH with a third party to deliver targeted advertising. With respect to sharing UIDH internally within Verizon Communications Inc. and its subsidiaries, it must obtain either opt-in or opt-out consent from its customers. Verizon Wireless will also generate customer UIDH using methods that comply with reasonable and accepted security standards.”
Like most other rational adults, I loathe the data-hoovering that goes on around us. I am concerned, though, that the Shotwell and TechCrunch folks may have gone off half-cocked UNLESS the telcos are willfully violating these FCC orders.
MPG: good points—important to see proof of willful violation—might be less bad than it seems.
It seems that Verizon has at least one bad link to opt out. A company with tens of millions of customers (probably more) cannot be bothered to make its opt-out links work? That should leave anyone incredulous.
Michael C wrote to Verizon:
Thank you for the information. You might make sure 611 Customer Service is equally aware. The answer "we have no control over security settings" is both inaccurate and inappropriate. Second, I note the link https://privacy.aol.com/advertising-and-privacy/#Adchoices located on https://wbillpay.verizonwireless.com/vzw/secure/setPrivacy.action is broken and thus Verizon Wireless is not properly providing access to the necessary OptOut that is part of the OATH alliance "Verizon's Relevant Mobile Advertising program helps make the ads you see more interesting and useful. This program shares information with Oath (formed by the combination of AOL and Yahoo)"
I wish to ensure and verify that I am opted out of any information sharing related to my account, my usage, my location, or my web services. Under no circumstances is Verizon to share my data with OATH or any other partners.
I look forward to (1) Verizon fixing the broken link on the privacy page and (2) your response.
with Verizon responding (whether ever fixed or if the message gets through, who knows):
I apologize for any inconvenience this may have caused to you. I will report that the link is not working correctly to opt out of Oath. After further review, I did verify that you can visit https://privacy.aol.com/mobile-choices/ to opt out of Oath on your mobile devices. If you have any other additional questions, please feel free to email me.