I have been watching several articles published by ZDNet with interest. First, ZDNet reported that “four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.” That company is LocationSmart, which touts itself as a data aggregator that has “direct connections” to the carriers in order to obtain locations from cell towers and provide it to law enforcement.
The back story is that a former sheriff used location data he obtained from Securus, a customer of LocationSmart, to conduct unauthorized surveillance without a warrant. The story was picked up by The New York Times and ZDNet, which then reported that our real-time location through our cell phone is being sold to this third-party company, which is then providing it to the police through a web portal. No doubt it is getting paid for the service. So the cell carriers are charging us a monthly fee for cell phone service, then selling our real-time location data to a third party company, which is selling it to law enforcement. I want a refund from my cell phone carrier. Although I do not keep my location-based services turned on, it is well known that the carriers still can track your location, but apps supposedly can’t.
If you are appalled, so is Senator Ron Wyden (D – OR), who sent a letter to the FCC last week demanding that this be investigated, and also to the four cell carriers demanding that they stop selling the data and to provide answers about the allegations.
After ZDNet reported on the sale of the phone location data, a researcher at Carnegie Mellon University started looking into LocationsSmart’s website and found a bug! According to ZDNet, “the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located—without obtaining their consent.”
According to the researcher, when he went to LocationSmart’s website to “try-before-you-buy,” although the page requested express consent before location data could be used, “due to a very elementary bug in the website, you can just skip that consent part and go straight to the location…[T]here seems to be no security oversight here.” The researcher and ZDNET report that “the bug may have exposed nearly every cell phone customer in the US and Canada, some 200 million customers.” That probably includes me and you.
Senator Wyden issued a statement saying that this bug “represents a clear and present danger, not just to privacy but to the financial and personal security of every American family…The wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone…which poses ‘limitless’ dangers to consumers.”
OK, so this is not really a tip, but more of an OMG. What I want to know from my security colleagues is whether our location can be tracked by cell phone carriers while our cell phone is OFF?
I will update you on the answer to this question next week. I am going to turn my cell phone off now. Stay tuned.