Last year, you might remember that Verizon was in the news for reaching an agreement with the FCC. The issue centered around the tracking of its customers without consent. In reality, carriers have been doing this for years, but privacy advocates like the Electronic Frontier Foundation asked Verizon and the FCC to put a stop to it. In the end, Verizon agreed to stop tracking customers unless they expressly agreed to opt-in to the program. The agreement between Verizon and the FCC was roundly seen as a win by privacy advocates and consumer rights groups.
Unfortunately, it looks like the practice is still in effect. Philip Neustrom, the co-founder of Shotwell Labs, recently found two demo websites that would return account details if visited from a mobile connection. By simply entering a zip code and clicking a button, the site would spit out the full name, current location, and more information.
It would appear that these sites are grabbing the information from the same process that Verizon got busted for. That program, the Unique Identifier Header, added information to HTTP requests from Verizon customers and then, for a fee, would let websites see the info. AT&T has a similar plan called the “Mobile Identity API”.
The collecting of this kind of data is not a new thing. Carriers have been doing things like this for years, but the FCC agreement was supposed to put an end to it. On its face, a program like this may seem to have zero benefit to customers. But, there are companies that can leverage this information for security-related purposes. Companies should, in theory, be able to verify that a user is where their IP address says they are with information like this. If a user was asked to use a security procedure like this, they would be opting in by default.
The problem, however, comes from carriers not verifying consent. The sites that Neustrom found provide a demonstration of their functionality by pinging mobile providers and showing you the data. This process is dangerously unsecure because carriers are not sending out any kind of confirmation you’re actually opting into this process. The API for one of the sites, payfone.com, even allows customers to look up the information by just saying the user has consented. It also allows batch lookups.
There is now evidence that US telecom companies are selling real-time access to customer data to third-party companies. Then, that data can be resold to other companies or governments. This is all happening without customers opting in.
In his blog post, Neustrom goes as far to say that “these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight.” That’s a pretty serious claim and something that definitely needs to be looked into. But with this FCC, who knows what will happen.