Verizon and AT&T are being scrutinized for allegedly creating mobile websites that extract personal info from their users. Without customer consent, the data is sold to the highest bidders in the private and public sector. Philip Neustrom of Shotwell Labs blogged about it last week, saying, “These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required).”

This isn’t the first time Verizon has been caught in the crosshairs of privacy and business ethics. In 2014, Verizon was discovered running a Unique Identifier Header (UIDH) that was an “undeletable supercookie” able to track and record personal info. AT&T quickly shut its version down after harsh customer disapproval. Verizon, on the other hand, didn’t come to terms with the FCC’s demands until March of last year. The company is now required to receive positive consent before it starts collecting data. However, as Neustrom found out, mobile providers are doing very little to verify consent and secure user data.
Information is shown in the danalinc.com demo interface. Shotwell Labs blacked out some fields. Location data provided by cell towers is also sometimes shown. Photo by Shotwell Labs.
Many of these platforms take visitors at their word that they either are the verified user or have received consent from the user to access their information. These tracker websites don’t even have text or email verification, which is the bare minimum of online security. These loose consent policies allow surveillance of any person to occur without proper oversight, doing away with the obligation providers have to honor user privacy. And from the looks of it, there’s no telling how this data will be managed once captured. Neustrom stressed in his blog that, “US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third-party services — not just federal law enforcement officials — who are then selling access to that data.”
For most, the reality of their personal info being hidden in plain sight is nothing new. Users are willingly taking a risk every time they surf the net or browse a site. Moreover, tracking activity has always been and will continue to be a valuable tool if utilized for ethical purposes. For instance, Payfone allows customers to authenticate a mobile login attempt by checking who made the attempt and where it occurred. The company’s CEO, Rodger Desai, replied to concerns regarding consent, telling TechCrunch, “There is a very rigorous framework of security and data privacy consent. The main issue is that with all the legitimate mobile change events fraudsters get in…”
Desai has a point, given that mobile carriers update their systems all the time, making it hard for apps to adapt. Meanwhile, telecommunications is becoming more and more sophisticated, causing the value of customer privacy to get lost in translation. Of course, the tracker sites were taken down shortly after Neustrom’s blog post, but they probably won’t be the last.
How do you feel about these deceptive sites and should mobile companies be held responsible? Let us know what you think!