Future Tense

The Privacy Scandal That Should Be Bigger Than Cambridge Analytica

Wireless carriers are sharing your real-time location with shady third parties—and a bug lets anyone use that data to track you.

Location tracker pulsing over a woman talking on a cell phone.
Animation by Lisa Larson-Walker. Photo by Larm Rmah/Unsplash.

Stop me if you’ve heard this before: A giant company that relies on users to trust it with some of their most intimate personal data turns out to have been abusing that trust by passing that data on to shady third parties. And not just occasionally, but casually, and as a matter of course, on a massive scale.

The practice makes headlines only when it inevitably turns out that those third parties were quietly using the data in unauthorized and disturbing ways. And it comes to light not because the giant company discloses it but due to a leak on the third parties’ end.

That’s a rough sketch of Facebook’s infamous Cambridge Analytica scandal. But it applies equally to a new privacy scandal that’s getting far less attention—even though it potentially affects more people, involves more sensitive data, and has yet to be seriously addressed or resolved. Oh, and there’s no way to opt out of the data collection in question.

The story involves the real-time location-tracking data that the four largest U.S. wireless carriers collect on everyone with a mobile device. Basically, they know roughly where you are at all times, even if you don’t have your GPS turned on, based on the regular interactions between your phone and nearby cell towers. The carriers aren’t supposed to share that information without your consent.

But the New York Times reported earlier this month that a company called Securus Technologies was offering a service that allowed users to track people’s whereabouts in real time, using data obtained from the wireless companies through a pair of intermediaries. The Times reported that a Missouri sheriff had been using the service to keep tabs on 11 people, including fellow officers and a judge, without their knowledge and without a warrant. He’s now facing state and federal charges.

That’s just the beginning. Motherboard reported last week that Securus had been hacked, with the credentials of 2,800 authorized users stolen, most or all of them presumably working in law enforcement or at prisons. (Securus’ main business involves helping prisons crack down on inmates’ cellphone use.) It’s a safe bet that some of those users had access to the same location-tracking tools that the Missouri sheriff abused.

So how was Securus getting all that data on the locations of mobile-phone users across the country? We learned more last week, when ZDNet confirmed that one key intermediary was a firm called LocationSmart. The big U.S. wireless carriers—AT&T, Verizon, Sprint, and T-Mobile—were all working with LocationSmart, sending their users’ location data to the firm so that it could triangulate their whereabouts more precisely using multiple providers’ cell towers. It seems no one can opt out of this form of tracking, because the carriers rely on it to provide their service.

It gets worse. A Carnegie Mellon researcher poking around on LocationSmart’s website found that he could use a free trial service to instantly pinpoint the location of, well, just about anyone with a mobile phone and wireless service from one of those major carriers. He did this without any permission or credentials, let alone a warrant.

In other words, almost anyone could have used LocationSmart’s site to find the location of almost anyone else, at any time. LocationSmart subsequently shut down the service and told security blogger Brian Krebs that the vulnerability had not been exploited before Robert Xiao, the Carnegie Mellon researcher, did so. Of course, we’ve heard companies make similar claims before that turned out not to be true. (Krebs’ story is the one to read if you want to get the fullest possible picture.)

Regardless, the takeaway is that major wireless carriers have for years been carelessly allowing their users’ location data to be exposed in all kinds of unauthorized and scary ways. It’s analogous to how Facebook allowed users to sign away not only their own data but their friends’ data to third-party app developers up until 2015, a practice that allowed leaks to firms like Cambridge Analytica. Except the wireless companies are still doing it, and as of Monday, Ars Technica has reported that not one had expressly pledged to stop working with LocationSmart.

Sen. Ron Wyden, the tech-savvy Oregon Democrat, has reacted furiously, sending a May 8 letter to the FCC demanding an investigation of Securus and letters to the wireless carriers calling on them to secure users’ location data. He gave a further statement to Krebs on Thursday, in response to the LocationSmart leak. The statement is worth reading in full, because it forcefully articulates what’s at stake here:

This leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security. It represents a clear and present danger, not just to privacy but to the financial and personal security of every American family. Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone.

The threats to Americans’ security are grave—a hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child’s cell phone to know when they were alone. The dangers from LocationSmart and other companies are limitless. If the FCC refuses to act after this revelation then future crimes against Americans will be [on] the commissioners’ heads.

You might think that the major wireless carriers would be facing intense pressure to account for their lax handling of customers’ data. You might think the story would be all over newspapers’ front pages and cable news. You might think their CEOs would be hounded by the media, as Facebook’s Mark Zuckerberg was after the Cambridge Analytica story broke. You might think they’d be dragooned into testifying before Congress.

You might think that, if you expected a reaction commensurate to the one that accompanied the Cambridge Analytica revelations. And it’s conceivable that it will still happen. But so far, there has been none of that. The FCC told Ars Technica on Friday afternoon that it’s taking preliminary steps to look into the matter. That’s all the action we’ve seen so far from the government.

The reaction from the mainstream media and the public has been as muted as the reaction to Cambridge Analytica was explosive. Even tech sites have devoted relatively little coverage to the story. (Slate hasn’t covered it either, until now.) Why might that be?

I have a theory—one that started as a hypothesis early on in the Cambridge Analytica scandal. It’s that the outrage over the Cambridge Analytica story was never primarily about users’ privacy or about Facebook’s mishandling of users’ data. It was about how that data was then used—purportedly, to help elect Donald Trump.

Whether or not people’s Facebook data was in fact instrumental in Trump’s election is far from clear. (The now-defunct Cambridge Analytica denied that it used the cache of data on up to 87 million Facebook users in its work for Trump, and critics of the firm have questioned whether the firm’s methods were sophisticated enough for the data to be of much value anyway.) But even the suggestion that it might have been used in such a way was enough to turn an otherwise run-of-the-mill privacy scandal into top national and even global news, rocking the political world as well as the more insular tech world.

Privacy abuses and slip-ups by major tech companies have become so numerous, and the prospect of containing them seems so hopeless, that the public and much of the media have become nearly numb to them. My data was hacked? So it goes. It may have been used in unauthorized ways by unspecified parties? C’est la vie. But the idea that my data was hacked to help elect Donald Trump? That was what elevated the Cambridge Analytica story and got people to care about things, like privacy policies and developer permissions, that they had long taken for granted.

What the LocationSmart scandal lacks is not import, nor the potential for serious harm, but a link to some divisive political issue or societal outrage sufficient enough to generate visceral anger from people who aren’t privacy wonks.

None of this is to minimize the seriousness of Facebook’s breach of user trust. I point it out merely to observe (with some disappointment) that digital privacy, per se, remains a back-burner issue for most people even in our post–Cambridge Analytica landscape. And as long as it remains thus for the media and the public, it will remain thus for Congress—and for all the giant companies that know far too much about us, and have far too little incentive to guard that knowledge from those who would use it against us.