This is one of the reasons I use a public-facing Twilio number, which forwards to a private number which I never hand out.

This isn't something that people should have to do to opt-out of tracking like this, but it doesn't seem like there are many other reliable options.

Clearly the US has their priorities completely the wrong way.

So Securus works on the "we're sure our customers are getting consent for their inquiries" presumption. What are the consequences if a company is found to not have gotten consent? Business sense dictates there to be no consequence at all if Securus can avoid it.

The way this should work is that the carriers can get permission to share location data with third-parties. They should not do it without having gotten permission from their customer. But then they probably get that when you sign the contract. Or do they just not mention it?

I would assume that through clustering analysis (eg coworkers/friends travel together) even fairly coarse position data can allow you to construct relationships. Then they can spam/fish both you end your coworkers with the same fake number. That makes it seem more important to answer and more organic.

https://www.theguardian.com/technology/2006/feb/01/news.g2

A few points to note:

* Obtaining consent is entirely left to the provider to implement. It does not appear to have any auditing. A provider can query any number they like.

* The opt-in process used by many providers is easy to exploit, by spoofing SMS replies or abusing the SMS template so that the surveillance target does not get notified

* The providers have are well aware of the potential to exploit this and have been for some time. It has never been resolved in over 10 years.

It seems like intelligence services spend a lot of their time dreaming up ways to do an end-run around the law. This is the same reason US intelligence does partnerships with foreign intelligence services.

I work in location / mapping / geo. Some of us have been waiting for this to blow (which it hasn't yet). The public has zero idea how much personal location data is available.

It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.

This is then usually (but not always) "anonymized" by cutting it in to ~5 second chunks. It's easy to put it back together again. We can figure out everything about your day from when you wake up to where you go to when you sleep.

This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

Almost every web/smartphone mapping company is doing it, so is almost everyone that tracks you for some service - "turn the lights on when I get home". The web mapping companies and those that provide SDKs for "free". It's a monetization model for apps which don't need location. That's why Apple is trying hard to restrict it without scaring off consumers.

Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).

[1] https://www.geico.com/web-and-mobile/mobile-apps/roadside-as... (see disclaimers at the bottom)

This is the first I’m hearing that they’re releasing detailed personal tracking by phone number. When I sat in on a recent presentation with Verizon execs they flat out said they were not doing this. Oops.

"With your consent. We may provide location-based services or provide third parties with access to your approximate location to provide services to you." https://www.t-mobile.com/company/website/privacypolicy.aspx

That is why a text message confirmation is required to get a cell phone's location from https://www.locationsmart.com/try/

For those on T-Mobile, there are privacy settings that can be adjusted here: https://my.t-mobile.com/profile/privacy_notifications/advert... I already had all of them disabled, and I was still able to get the location of my cell phone from LocationSmart.

I chatted with T-Mobile support yesterday to see if I could opt-out of them sharing my data. Not surprisingly, the support agent was less than helpful. "Don't worry, your data is secured"

Are there any US carriers that respect privacy and do not share private information with 3rd parties? Or is that a pipe dream?

In 2009, Malte Spitz (German Green Party politician) sued his telecom provider for all the information they had stored on him in the last 6 moths. He and others made a good (and spooky) visualization showing how it tracked his entire life [2]. He did a TED talk about it [3], which received a spirited applause and unfortunately minor press coverage.

I think many naively bought the idea that all this detailed data was only for LE (maybe a side effect of all the reporting on the Data Retention Laws?), despite constantly seeing clauses in their EULA's saying their data will be shared with third parties.

----

People only care about these issues once they become evident and widespread, and they personally are affected. I remember the shock my friends had when Google Maps released the location history feature. Up until then, its just a theoretical concern.

Good demonstrations, hard hitting expositions and good press coverage are essential.

----

[1] - https://en.m.wikipedia.org/wiki/Data_retention

[2] - https://www.zeit.de/digital/datenschutz/2011-03/data-protect...

[3] - https://youtu.be/Gv7Y0W0xmYQ

The amount of information the NSA has on people is going to be phenomenal. It'd be interesting to be able to glimpse the data just to see how much we all give away. Here's to hoping we never once ever end up putting a 'bad' person in high office because the amount of targeted damage somebody could do with this information is just staggering to even consider.

I went to a recruiting event in 2013, or 14 perhaps, for a major telecom network in Canada. They were proudly showcasing their ability and interest to analyze people's data. I was shocked, so I spoke to the hiring manager:

"You should be concerned about google and Microsoft, they have much more data" he said. They do, but much less sensitive data. And I am paying you! And google gives me free excellent services. You are an expensive oligopoly with not the best customer protection track record.

2. I had a free modem from a major network that came with the internet. I used the modem at another location while I was away. I got charged for my usage! The modem was not just a modem, it was sensing more information to their system. That is how they tracked my usage, if that is the only thing they tracked. Their technical customer service avoided any form of discussion. Cancelled my internet line with them, and using VPN for trackable stuff ever since.

I am seriously considering cancelling my cell phone until their practices changes.

Art. 3 GDPR Territorial scope

Article 3(1) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

Article 3(2)(a) - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or Article 3(2)(b) - the monitoring of their behaviour as far as their behaviour takes place within the Union.

Article 3(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

[1] https://gdpr-info.eu/art-3-gdpr/

https://publications.parliament.uk/pa/cm200506/cmhansrd/vo06...

"To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person's mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies' current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker's website has recently published information telling how to spoof consent without even having to have temporary possession of the target's phone; all that is needed is the number. If someone has a person's number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers."

so what's the flow here? is it something like this?: phone gps -> manufacturer installed crapware app -> crapware server -> (various third parties)

wouldn't this be mitigated if you use a custom ROM like lineageos?

They were about two blocks off, and located me by cell tower. Apparently they don't have (or at least don't admit to having) A-GPS level data for me.

This is part of how US mass surveillance works. We record everything and if it turns out to be a citizen, we're supposed to throw it out. Of course in reality, it goes to the Parallel Construction Department who uses the information to build a case against someone through other means, knowing the answer in advance.

A simple example of limiting the invasiveness using this approach, would be to have your phone on only at work & home, or similar. In absence of phone snooping, someone can already easily locate you at those two standard destinations, and can easily discover when you'd typically be at those places (ie you're not giving them much by using your phone there under normal circumstances).

Right now I think you're right, there's no defending against it without turning off devices.

The advice I always give when this topic comes up us to be very careful with what you install on your phone. The least expensive mobile location data tends to come from random apps collecting the data to sell it, and ad networks. Permission to use your GPS is permission to track you until you uninstall the app.