I have been watching several articles published by ZDNet with interest. First, ZDNet reported that “four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.” That company is LocationSmart, which touts itself as a data aggregator that has “direct connections” to the carriers in order to obtain locations from cell towers and provide them to law enforcement.

The back story is that a former sheriff used location data he obtained from Securus, a customer of LocationSmart, to conduct unauthorized surveillance without a warrant. The story was picked up by The New York Times and ZDNet, which then reported that our real-time location through our cell phone is being sold to this third-party company, which is then providing it to the police through a web portal. No doubt it is getting paid for the service. So the cell carriers are charging us a monthly fee for cell phone service, then selling our real-time location data to a third party company, which is selling it to law enforcement. I want a refund from my cell phone carrier. Although I do not keep my location-based services turned on, it is well known that the carriers still can track your location, but apps supposedly can’t.

If you are appalled, so is Senator Ron Wyden (D – OR), who sent a letter to the FCC last week demanding that this be investigated, and also to the four cell carriers demanding that they stop selling the data and provide answers about the allegations.

After ZDNet reported on the sale of the phone location data, a researcher at Carnegie Mellon University started looking into LocationSmart’s website and found a bug! According to ZDNet, “the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located—without obtaining their consent.”

According to the researcher, when he went to LocationSmart’s website to “try-before-you-buy,” although the page requested express consent before location data could be used, “due to a very elementary bug in the website, you can just skip that consent part and go straight to the location…[T]here seems to be no security oversight here.” The researcher and ZDNet report that “the bug may have exposed nearly every cell phone customer in the US and Canada, some 200 million customers.” That probably includes me and you.

Senator Wyden issued a statement saying that this bug “represents a clear and present danger, not just to privacy but to the financial and personal security of every American family…The wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone…which poses ‘limitless’ dangers to consumers.”

OK, so this is not really a tip, but more of an OMG. What I want to know from my security colleagues is whether our location can be tracked by cell phone carriers while our cell phone is OFF?

I will update you on the answer to this question next week. I am going to turn my cell phone off now. Stay tuned.

Facebook announced last week that it successfully completed a second test of an unmanned aerial system (UAS or drone) designed to carry internet access to remote parts of the world. Unlike Facebook’s first test for this task back in June 2016, the drone did not crash in this second test. Facebook plans to develop an entire fleet of drones that will fly for months at a time – powered entirely by sunlight – communicating with each other through lasers and extending internet connectivity to the ground below. During the first test in June, Facebook flew its drones above the Arizona desert for about an hour and a half, which was three times longer than it planned; but the drone crashed right before landing and ended up with a damaged wing. During this second test, which occurred back in May, the drone flew for about an hour and 45 minutes before landing near Yuma, Arizona, with only a few minor, easily-repairable dings. Before the second test flight, Facebook engineers added “spoilers” to the drones’ wings to increase drag and reduce lift during the landing approach which likely aided in the successful flight and landing. This is the beginning of a new revolution for Facebook and the internet, too.

Recently in United States v. InMobi Pte Ltd., the Federal Trade Commission (FTC) set a new standard for geolocational tracking. The FTC told app developers and app marketers one simple rule: honor consumers’ location privacy preferences and do not track them without permission.

InMobi is a Singapore company that provides ads within mobile apps. It is a business-to-business company, and its only customers are app developers who integrate InMobi’s software into their apps. InMobi allows for the collection of data from app users to display targeted ads.

Geolocation is often the best data for determining what types of ads to present to users. InMobi offers app developers three options: 1) “now” suite based on current location; 2) “conditional” suite based on customers’ past habits; and 3) “psychographic” suite based on demographics and activities in the last two months (e.g. frequent airport trips, luxury vacations). However, many consumers choose not to allow apps to access their geolocation. So one might think that this InMobi software would be useless for those consumers. On the contrary, InMobi realized it could access geolocation indirectly and still provide value to mobile app developers; InMobi started using data generated when devices connect to WiFi networks, and geolocational data from users who had opted in (i.e., it figured out the locations of other users by using similar users’ data). The FTC considered this inference of the user’s location to be an improper end-run around the user’s choice. The FTC’s investigation and enforcement against InMobi focused on InMobi’s statements to app developers: “First we take in location data on each user, in the form of user opt-in lat/long signals. Then we add real world context to these signals to figure out what places or businesses the user has visited. Our machine learning algorithms mine for patterns in this location history to identify what these trends mean about the user, from which we can infer what kind of consumer the user is.” The FTC did not consider this statement to be a complete, transparent explanation of how InMobi tracks the app’s users.

After the investigation, the FTC found that InMobi violated the Children’s Online Privacy Protection Act (COPPA) while also accusing InMobi of unfair and deceptive indirect location tracking. The consent decree, however, focused on COPPA and assessed damages only on that violation, while also enjoining InMobi from continuing its geolocation inference system. The FTC did not address the indirect location tracking’s unlawfulness overall.

This means that other app developers and app marketers are now on notice that the FTC considers inferential geolocational tracking to be unlawful (even though the consent decree only addressed monetary assessments under COPPA). After this action, the FTC also warns app developers to consider contractual terms with third party service providers to ensure they do not circumvent consumers’ privacy choices. Certainly sound advice from the FTC.

Vigilant Solutions is a company that takes photographs of cars and trucks using its network of cameras. What’s the big deal, traffic cameras are always recording our plates? Well, not only is Vigilant Solutions taking photos of your license plate, but it is retaining your vehicle’s location data along with the photo of your license plate, AND it is selling it. To date, Vigilant Solutions has taken approximately 2.2 billion license plate photos in almost every major city across the United States. Among Vigilant Solutions’ customers (i.e. those buying your license plate numbers and locational data), 300 of them are law enforcement agencies. You might think to yourself, ‘Well don’t the police need to get a warrant to put a GPS tracking device on my car,’ and the simple answer is yes, but to get years of data on your vehicle’s location all the police have to do is pay Vigilant Solutions.

The website of Vigilant Solutions’ subsidiary, Digital Recognition Network, says, “All roads lead to revenue with DRN’s license plate recognition technology. Fortune 1000 financial institutions rely on DRN solutions to drive decisions about loan origination, servicing and collections. Insurance providers turn DRN’s solutions and data into insights to mitigate risk and investigate fraud. And our vehicle location data transforms automotive recovery processes, substantially increasing portfolio returns.” Is this reminiscent of George Orwell’s 1984? With this type of tracking technology becoming more and more affordable, we are sure to see an increase in its use before an end. As consumers (and individuals with constitutional rights) we should all be aware of this and speak up for our privacy rights.

On July 31, 2015, Quartavious Davis petitioned for certiorari in Davis v. United States, No. 15-146, asking (1) whether the acquisition of a cell phone user’s location data from his cellular service provider constitutes a search under the Fourth Amendment and (2) if it is a search, whether the search requires a warrant.

In previous posts, we explained how a number of courts have considered whether the Fourth Amendment requires law enforcement to obtain a warrant to access cell phone geographic location information. In May of this year, the Eleventh Circuit Court of Appeals held that Mr. Davis had no reasonable expectation of privacy in his cell phone location records and, even if there were such an expectation, a warrantless search was still reasonable.

The Supreme Court denied Mr. Davis’s petition on November 9, 2015, but it remains an important issue. As noted in the Brief of Amici Curiae Electronic Frontier Foundation, Brennan Center for Justice at NYU School of Law, Center for Democracy & Technology, The Constitution Project and the National Association of Criminal Defense Lawyers in Support of Petitioner, there has been a dramatic increase in the number of cell phones and cell sites in the last 20 years. Additionally, the number of law enforcement requests for location information is increasing, and courts continue to be faced with resolving whether a warrant is required.

Everyone loves their smartphone. Everyone loves the newest app. Angry Birds has lots of company now. But most people don’t know the back end of apps and how they are accessing, using and selling your data. Why? Because no one reads the Privacy Policy and Terms of Use to figure out how they are accessing and using your data.

The most common features of apps that affect your privacy are the use of the microphone, location based and geolocation services, and access to personal data, like your photos, contacts and health information. Whether you care or not, just be aware of the data apps have access to, are using and selling, and make an educated choice about whether you want them to have access or not. This week, we will focus on apps’ use of your location through location based services.

First, you need to know which apps have requested to track you (and to which you agreed) when you downloaded the app. Touch settings on your phone and go to Privacy. Location based services is listed and is automatically on when you buy an iPhone. Why? Because Apple wants access and has access to your location and requires it for Find Your iPhone. But this means that Apple knows where you are at all times and is selling that data to advertisers so they know which cities you visit, which restaurants you go to, which supermarkets you visit and in general, your minute by minute location. If you browse down location based services, the apps that are following your every step are listed there. Some allow the app to only follow your location when you use their app, but many others automatically track you whether you are using their app or not.

Sound creepy to you? Then my suggestion is to turn your location based services off unless you are using a particular app that requires it. When you are finished using the app, turn your location based services off again. If it is off, none of your location data is being accessed, used or sold by the app developer.

When you download an app, read the fine print on how they are going to access and use your data, including location based services. I have refused to download apps if they won’t give me a choice about using my location. There is usually another app that does the same thing and respects my privacy.

Real story: a friend downloaded a trendy retail app and as she was walking by one of their stores in a mall that was located in another state than where she lived, the app pinged her to tell her that they were having a sale in that location and since she was walking by, she should stop in and check out the sale. Needless to say, it freaked her out and she called me to find out how they knew she was in that mall. Of course, she had her location based services on, and had agreed for the app to use her location based services at all times when she downloaded it. She hadn’t read the pop up information, and just clicked “I agree.”

And if you aren’t creeped out, just be aware of what apps are asking for and doing with your data, and make educated choices when you allow access to your location.

We have been watching the warrantless search cases closely. Yesterday (August 5, 2015), the Fourth Circuit Court of Appeals held that law enforcement’s use of defendants’ cell phone location information without a warrant was unconstitutional.

Two defendants were convicted of armed robbery. Some of the evidence presented at their trial included location information from their cell phones. The government obtained the information through a court order, as opposed to a warrant. The defendants appealed the conviction, saying the government should not have used the information without a warrant, that the search was a violation of their Fourth Amendment rights, and that the court order was insufficient.

Although the Court held that obtaining the location information without a warrant was unconstitutional, it agreed with the lower Court’s decision to allow the evidence in the case because the government relied in good faith on the court orders that were issued to obtain the information.

A number of courts have considered whether the Fourth Amendment requires the government to obtain a warrant to access historical and/or real time cell phone geographic location information, known as CSLI. CSLI is cell site location data your cell phone gives off when you place or receive a call. Additionally, cell phones also automatically generate location data by continually identifying themselves to the closest cell tower even when there is no live call, and some experts say, even if the cell phone is powered off.

Law enforcement views CSLI as vital to locate and track suspects as part of a criminal investigation, and often seeks the information by filing an application with the relevant court simply stating that the information to be obtained is relevant to an ongoing investigation. The applications may or may not include facts establishing probable cause or even distinguish between historical and real-time location information. Some court orders granting access do not distinguish between historical and real-time data.

Court decisions have been divided on whether probable cause and a warrant are required to obtain CSLI. Last week, a United States District Judge in the United States District Court for the Northern District of California, San Jose division affirmed the magistrate judge’s ruling denying the government’s application for CSLI on the grounds that a warrant was required to obtain such information. Also earlier this year, the Florida Supreme Court, in Tracey v. State of Florida, held that real time cell site location information is protected by the Fourth Amendment.

However, in May of this year, in United States v. Davis, the Eleventh Circuit Court of Appeals reversed an earlier three judge panel upon rehearing en banc, and held there is no reasonable expectation of privacy in these cell phone location records and, even if there were such an expectation, a warrantless search would still be reasonable. 785 F.3d 498.

On July 31, Davis’ lawyers petitioned the U.S. Supreme Court to review and overturn the Eleventh Circuit’s decision in Davis v. United States. If the Court accepts the case, perhaps the Court will resolve the issue of whether the warrant requirement of the Fourth Amendment applies to searches of CSLI.

While Foursquare’s new product, Pinpoint, surely isn’t the only technology tracking your location these days, with the release of this new product, businesses can transmit targeted advertising depending on an individual’s location (or the individual’s locations in the past). Pinpoint, which was first announced on April 15, 2015, will send advertisements to individuals’ mobile devices based on where the individual has been physically located lately … or previously located for that matter. You might be wondering,

But can they send those advertisements to me? I’m not a Foursquare user.

The answer is: yes. Foursquare announced that this new product will use more than just its own databases to expand its geolocational marketing beyond its own troves of user data. But who will Foursquare get geolocational data on non-Foursquare users from? While the terms of any such agreements are not likely to become public, Foursquare does currently have relationships with third-party data partners like Microsoft, HTC, and Pinterest. As Pinpoint hits the streets we may begin to see consumer protests against this new kind of privacy invasion. We’ll continue to track its use.

Yesterday, with broad bipartisan support, the U.S. House of Representatives voted overwhelmingly (352-65) to support the Protecting Americans from Foreign Adversary Controlled Applications Act, designed to begin the process of banning TikTok’s use in the United States. This is music to my ears. See a previous blog post on this subject.

The Act would penalize app stores and web hosting services that host TikTok while it is owned by Chinese-based ByteDance. However, if the app is divested from ByteDance, the Act will allow use of TikTok in the U.S.

National security experts have warned legislators and the public about downloading and using TikTok as a national security threat. This threat manifests because the owner of ByteDance is required by Chinese law to share users’ data with the Chinese Communist government. When downloading the app, TikTok obtains access to users’ microphones, cameras, and location services, which is essentially spyware on over 170 million Americans’ every move (dance or not).

Lawmakers are concerned about the detailed sharing of Americans’ data with one of its top adversaries and the ability of TikTok’s algorithms to influence and launch disinformation campaigns against the American people. The Act will make its way through the Senate, and if passed, President Biden has indicated that he will sign it. This is a big win for privacy and national security.