Wireless Carriers Again Busted Collecting, Selling User Data Without Consent Or Opt Out Tools

A few years ago, Verizon and AT&T were busted for covertly modifying wireless user data packets in order to track users around the internet. Verizon used the technology to track browsing behavior for two years before the practice was even discovered by security researchers. It took another six months of public shaming before Verizon was even willing to offer opt out tools. And while the FCC ultimately gave Verizon a $1.3 million wrist slap, it highlighted how we don't really understand the privacy implications of what mobile carriers are up to, much less have real standards in place to protect us from abuse in the modern mobile era.

While notably different in scope and application, these same companies were again caught this week collecting and selling user information without user consent or working opt out tools.

Earlier this week Philip Neustrom, co-founder of Shotwell Labs, discovered something interesting and documented his findings in this blog post. Neustrom discovered a pair of websites that, when visited by a mobile device over a cellular connection, appeared to easily glean numerous personal visitor details, including the visiting user's name, some billing and location data, and more. Users simply needed to input a zip code, and the carriers providing your cellular service seemingly provide a wide array of personal data to these services without user consent or an opt out.

On the surface, the intention behind these services isn't particularly nefarious. These websites are examples of fraud prevention services companies like Payfone offer to companies, employers and organizations to help verify a visitor is who they say they are. Visitors to a specific website have their data immediately cross-referenced with billing, phone number, or even GPS data that's provided by wireless carriers. The problem, as Neustrom documents, is that mobile carriers don't appear to be adequately informing users this data is being collected or sold:

"But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services"-"not just federal law enforcement officials"-"who are then selling access to that data. Given the trivial "consent" step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight.

He also found that the existing opt out mechanisms used by T-Mobile, Verizon, AT&T and other mobile carriers don't do a damn thing to prevent this data from being monetized:

"AT&T's "consumer choice" opt-out at https://att.com/cmpchoice didn't appear to do anything to stop this, even after waiting the stated 48 hours. All of the demos were still working for me on the morning of 2017-10-15 after I had opted out on 2017-10-13. Many users on Twitter and elsewhere also report that AT&T's opt-out process doesn't do anything here. Verizon's "opt-out" pages also may not do anything to prevent this, either (A, B)."

The report was seemingly a bit too obscure to get much mainstream media attention, but obviously hit a nerve all the same. Shortly after publication, both websites -- and their previously public API documentation were pulled offline by Payfone. Similarly, video of a joint AT&T Danal presentation from 2014 explaining how this technology works was pulled from YouTube. The security community was surprised to learn of the technology, with some offering more concise analysis than others:

what the fuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuck https://t.co/ppLhDwH0IZ

- NightmareOnTayStreet (@SwiftOnSecurity) October 15, 2017

You'll recall that for years mobile carriers like Verizon argued that we don't need meaningful privacy protections because they always self-regulate within the boundaries of good taste. Carriers re-used this justification earlier this year when they convinced the Trump administration and GOP to kill FCC broadband privacy protections. But it's hard to hold these companies accountable for privacy violations when even security researchers aren't aware it's happening, and unlike the realm of Google, Facebook or other advertisers, a lack of competition in the telecom sector means less organic competitive pressure to behave.

This week's discovery is just another example of how mobile carrier self-regulation isn't working, and some modest rules requiring more transparency (and mandatory, opt out or opt in tools) would have been of immense public benefit.