US cell carriers are selling access to real-time phone location data | Hacker News


Throwaway account.

I work in location / mapping / geo. Some of us have been waiting for this to blow (which it hasn't yet). The public has zero idea how much personal location data is available.

It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.

This is then usually (but not always) "anonymized" by cutting it into ~5 second chunks. It's easy to put it back together again. We can figure out everything about your day from when you wake up to where you go to when you sleep.

This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

Almost every web/smartphone mapping company is doing it, so is almost everyone that tracks you for some service - "turn the lights on when I get home". The web mapping companies and those that provide SDKs for "free". It's a monetization model for apps which don't need location. That's why Apple is trying hard to restrict it without scaring off consumers.

reply


I can confirm this is happening, I designed some of the analysis systems used. Contrary to what many people assume, this is not just a US thing. It is done throughout the industrialized world to varying degrees, including countries where most people believe privacy protections disallow such activity. Governments tacitly support it because they've found these capabilities immensely useful for their own purposes.

reply


Should they? The vast quantity of users find it incredibly useful and have no reason to be concerned about governments or third parties being able to determine their geographic location, because governments or third parties don't generally care.

reply


Several recent HN stories have had this kind of comment (first noticed with the Securus submission) that's a weird mix of "You have nothing to fear if you have nothing to hide" and "They will never come for you, you're too unimportant." Is this a sustained campaign or just a way for folks who have contributed to these issues to feel good about themselves?

reply


You can be upset about an aspect of a product, and seek to change that aspect, without abandoning use of the product. For example, 1.3 million people are killed by cars every year, and while we recognize the risk, we also constantly improve them through safety regulations, training and improved technology. Just because people use cell phones and apps today doesn't mean we're okay with the downsides and should stop trying to improve them.

reply


Did they? Their sales pitch claimed they could but what we've heard of actual methods and impact didn't appear more effective than regular FB ads.

reply


Mass surveillance is not really for investigating individuals.

The game being played is not '1984', it is 'Foundation'.

It is for steering entire societies, and this works far better on the boring people who think they have nothing to hide as they are the easiest to model

reply


The general public and repeatedly-reported-upon understanding of how data collection can be leveraged to find unexpected insights not obvious from the data, coupled with the Snowden leaks, coupled with the ever-increasing user count for cellphones, Facebook, Twitter, and the Internet in general.

If people were deeply individually concerned about the risks vs. rewards of these technologies, they'd stop using them. That's the rubber-meets-the-road calculus I see.

reply


Do you trust the public is informed about these technologies? I think you might be overestimating individuals... most folks still don't know about Cambridge Analytica.

reply


> "If people were deeply individually concerned about the risks vs. rewards of these technologies, they'd stop using them."

Why do you think that? It clearly doesn't apply to stuff like oil, for instance.

I could give up my phone, but I would be in deep shit if I did it tomorrow. It would take a lot of arrangement to do so and it would piss off my family and lose me work.


If they "don't generally care", they wouldn't be collecting that data to begin with.

reply


They collect the data because they can find themselves needing to care in the future, at which point nobody wants to be kicking themselves for failing to collect the data.

reply


> for their own purposes

Such as?

If this also happens in the EU and is as blatant as you say it is and with GDPR and all, surely this is just waiting to blow up?

reply


Parallel construction.

You pull the phone location records of everyone near a protest without a warrant (and no intention of using the location data in court) then you dig into them to find something unrelated to the protest you can nail them on.

That way you take out key players without it looking like a political crackdown.

reply


Based on the discussion in this thread doing such a thing seems relatively easy.

Obligatory Orwell:

“The most gifted of [the Proletariat], who might possibly become nuclei of discontent, are simply marked down by the Thought Police and eliminated.”

reply


Yep, that's on the simpler end of the spectrum, they can/could be far more insidious and subtle.

It's horrible but beyond supporting ORG, EFF and writing to my MP (I'm in the UK) not sure what else I can do, even if I protect myself from it my family and friends are still potentially fucked.

reply


I'm in the space as well. I've tried telling my congressmen but they ignore me. I'm waiting for the backlash, especially with all the recent privacy issues. It hasn't happened yet and the problem is so large that I honestly doubt whether the public will ever truly grasp what the scope is.

The advice I always give when this topic comes up is to be very careful with what you install on your phone. The least expensive mobile location data tends to come from random apps collecting the data to sell it, and ad networks. Permission to use your GPS is permission to track you until you uninstall the app.

reply


If you're willing to have your name attached to this, if / when it does finally blow up, please make an effort to talk to news organizations about who and when you initially reached out to congress people.

If you're not comfortable with your name being publicly attached, at least give news orgs the information and request confidentiality.

Part of the reason congress people can punt is that the cost of inaction < cost of action before it penetrates media.

A big part of shifting that equation is starting to publicize "You had all the information available now on X date and did nothing" as loudly as possible. Naming and shaming has been healthy for vulnerability disclosure.

reply


Are you able to send them a copy of their individual location data, or the location data of their staffers/friends/family? That might make for a potent wake up call. Though, you'd want to run that by an attorney first.

reply


Screw that. Put together a consumer stalking website, sell the data directly. Advertise, make tons of money, and let the outrage from that bring light to the entire industry.

reply


that's only the low end. app gps usage shows up on the UI.

the article discusses when the ISP/telco sells the data that you have zero visibility on. there's no way to get around this.

btw, apple and google ad spyware process (google play service) will collect gps and wifi data without any user visible UI, not to mention download ads in the background.

reply


>It's not just your cell carrier. Your cell phone chip manufacturer, GPS chip manufacturer, phone manufacturer and then pretty much anyone on the installed OS (android crapware) is getting a copy of your location data. Usually not in software but by contract, one gives gps data to all the others as part of the bill of materials.

so what's the flow here? is it something like this?: phone gps -> manufacturer installed crapware app -> crapware server -> (various third parties)

wouldn't this be mitigated if you use a custom ROM like lineageos?

reply


Some of the crapware can be avoided by using custom ROMs, but not all of it. For example: Qualcomm IZat location services and other location-based trustzone applets remain running even on custom ROMs.

reply


How is it sending the data though? if it's using mobile plans, wouldn't it be noticeable on the data usage plan? (or is it that manufacturers have agreements with carriers to not charge for it?)

reply


>Qualcomm IZat location services

did a quick check, it's not on my phone (SD 820 SoC).

>other location-based trustzone applets remain running even on custom ROMs.

I have no doubt some proprietary blobs still remain on custom ROMs, but do those actually send back location data to the OEM?

reply


You have a Qualcomm Snapdragon 820? Oh yes, IZat is definitively there, along with other interesting trustzone applets :)

It is running under QSEE (Qualcomm) and/or MobiCore (Trustonic) OS, which is separate from your Android OS. It is left untouched by custom ROMs.

reply


I do not understand.

Even if there was a separate OS running in parallel with Android, how could it access the wireless-networks-based and satellite-based location data? I thought that access to these things is controlled by Android.

In other words, when I turn off e.g. satellite location data in Android, can IZat (which, according to your post, runs outside of Android) or other similar spyware keep secretly using it anyway? That would be quite worrying.

I suppose that the location data can be collected by sniffing the low-level communication between the radio device and Android kernel, provided that it has been enabled in Android first. But even then, how could this location data be transferred out of the device? Are these "parallel-running" OSs also able to somehow "tap into" Android's network layer and send the collected data out?

reply


Oh, sweet summer child ...

"Even if there was a separate OS running in parallel with Android, how could it access the wireless-networks-based and satellite-based location data? I thought that access to these things is controlled by Android."

There is a separate OS running in parallel with Android and it is running on the very hardware that makes the network connections to the cellular network that you are speaking of.

In fact there are two - the OS and software stack that run on the baseband processor and the OS and software (java apps) that run on your SIM card, which is a full blown computer with its own memory and processor, etc. In fact, your carrier can upload new java programs to your SIM card without your knowledge at any time.

Your final question is a good one - many (most ?) implementations give the baseband processor DMA to the main, application processor. So you are hopelessly owned. Deeply, profoundly, hopelessly owned.

reply


True++ there are at least 4-5 OSes on Qualcomm with direct access to the Internet:

1. Linux Kernel / Android OS, running on main ARM CPU in "normal mode"

2. QSEE or Trustonic OS, running on main ARM CPU in "trusted execution environment" mode, in parallel with "normal mode"

3. OKL4 / REX Kernel + AMSS OS, running on the baseband CPU (modem)

4. SIM card processor, although it is very limited (typically 32k RAM) and acts only as a MITM for SMS's, not cellular data

5. The OS running on the Wi-Fi card

reply


You're looking in the wrong place.

TrustZone OS is started during SBL2 (secureboot level 2), running in hypervisor mode, while you're looking at the Android OS started during SBL3 (secureboot level 3). You cannot see hypervisor processes & apps from your vantage point (the android kernel).

The trustzone OS is usually located in TZ partition, and it uses some additional partitions for custom TZ apps and data persistence.

The hypervisor has independent access to the internet, the wifi card (for indoor location), and more.

Qualcomm boot process, showing SBL1, SBL2 and SBL3 stages:

https://forum.xda-developers.com/showthread.php?t=1769411&pa...

It goes without saying that without TrustZone OS, the phone won't boot to Android OS (won't proceed to SBL3).

reply


You don't seem to appreciate the fact that the OS you interact with on a modern smartphone is essentially a guest.

There's a world of proprietary complexity you have zero visibility into, and much of it is running with direct access to hardware the application OS you interact with can only partially make use of.

reply


If all that is claimed in here isn't conspiracy, how can it stay a secret? Isn't it the reason wikileaks was created in the first place?

reply


if you want to get it to blow up then (based on past experience of what seems to catch regulator/legislator interest) I'd say that someone tracking the locations of a load of politicians for a while, finding things of interest about places they've visited and then publishing on a news outlet would do the job.

reply


Your approach starts off by making the very politicians that you want to help you extremely pissed off at you.

More effective would be to track a few key politicians, such as those on the committees that would deal with regulating these things, and also a few reporters who have agreed beforehand to participate.

Then the tracking on the politicians is turned over to the politicians, but NOT made public. The reporters write stories about this, illustrating the tracking detail by publishing what it showed about them.

This approach gets the news out to the public, personally shows the key politicians the scope of the issue (and that they are vulnerable too), and lets the public know that the politicians have seen proof of how serious the issue is so that the politicians know that they need to get to work on this because their opponents come the next election will certainly be gearing up to use it as an issue if they do not.

reply


Exposés by investigative journalists have often made politicians angry, but they have also effected change.

My idea is based on the fact that in my experience people rarely really care about privacy until it personally affects them.

reply


Will it blow up, even if the public is aware?

When Snowden revealed the extent of NSA activities, it caused a momentary uproar but the people moved on pretty quickly after that. As far as I know (and let me know if I am wrong!!), there was no fallout for the government, and business continues as before.

So I am not sure if people will care this time either.

reply


Snowden's revelations had a massive effect on the tech. sector.

It provided security people with ammunition to push things like encryption of data over "private" network connections, which prevented their misuse by governments (or at least made it harder)

It also pushed tech. companies to publicly take positions on government spying, in general by insisting they wouldn't co-operate.

reply


Good way to lose your job very quickly. I don't think we should have to rely on somebody sacrificing themselves to make a difference.

reply


Not sure anyone would lose their jobs.

1) Be an investigative Journalist

2) Purchase access to these location vendors' data

3) Correlate data with known mobile numbers of politicians

4) Find things in data that might be of interest to readers (e.g. "politician x was noted to be in the same place as Lobbyist y on 5 different occasions")

5) Publish Story :)

reply


If you are willing to be blacklisted then more power to you. I wouldn't want to force that on someone.

reply


Not if precautions are taken, and even if someone did, such a patriotic disclosure (if done responsibly a la Snowden) would put that person in very esteemed company.

reply


Yes, but Snowden is currently living in exile, and there's no end to that in sight.

Few have the stomach for that sort of thing...

reply


Tested and same result.

I have a strong suspicion that it intentionally places you some distance from where it knows you actually are. Unless there is some underlying reason why it would never be 100% accurate -- I've seen dozens of people post their results and every time it's 1-300 meters off.

And it's not just "no one tests while under the cell tower" because the location it gave me was 150 meters in the opposite direction of the cell tower that I can see out my window. And the location it gave was smack in the middle of a neighborhood I know well and know to be free of cell towers. Or I'm just paranoid.

reply


I just used the internet site it said up to 14 miles off in accuracy on the results page. It was actually 4 miles off with my wifi off and GPS off and ZLAT off. I'm also pretty sure the location it picked is very close to an existing cell tower.

reply


I'm somewhat weary. This might be the final missing piece to connect your mobile phone number to your mobile browser user agent, or even worse, your desktop browser agent.

reply


If the mobile carriers are selling your real time location data, I don't think there is much stopping them from also selling your browser user agents.

reply


I believe that dmichulke means that when the phone number is linked to the user agent it's much more dangerous than when they are sold without that connection being known.

reply


Interesting. I wonder if the mistaken use of "weary" comes from a combination of "wary" and "leery"! I always assumed it was because "wear" is pronounced the same as the first syllable of "wary". Unfortunately "weary" is already a word and "I'm wary of X" has a different meaning from "I'm weary of X", but similar enough that a lot of confusion could result.

reply


Can you post the SMS opt-in message you received? Curious as to whether this is exploitable as well

reply


LocationSmart: Reply YES or YES LS to confirm consent for cloud location & messaging demo. Reply HELP for help, Reply STOP to cancel. Msg&Data Rates may apply.

That is what I was sent.

reply


I'm betting the opt-in is something along these lines

"FirstName LastName wants to obtain your location..."

Also betting that you can put 160 characters into those fields, so effectively a blank SMS is received

Betting further still that you can just spoof the SMS reply

reply


And how can I buy this realtime data? Also

> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.

Any articles/webpages about this one? Or a company name who is doing it?

reply


Pinsight is a big one.

But there are too many to name. In 2018, you should assume that any free service (Unroll.me), web/mobile SDK (Slice), email client (Airmail), personal finance tracker (Mint), integration API (Plaid), geolocator (Foursquare), etc is monetized by selling your data en masse for market research.

It's not just location data. Dig into the TOS of free services you use. It's your receipts, your transactions, your subscriptions...all are "anonymized" to varying degrees of success. Even Meraki, the network router/switch company, sells location data.[1]

____________________________________________

1. https://meraki.cisco.com/technologies/location-analytics

reply


Link to pinsight: https://pinsightmedia.com

> Ever wonder what your consumer thinks minute-by-minute? Pinsight’s ID Suite gets behind the lock screen to understand the mindset of your best customer. Leveraging 24/7 insights from the mobile device, we uncover new audiences and discover new market opportunities so you can engage with consumers in ways that matter.

“Gets behind the lock screen”

Jeez that is some brazen marketing.

reply


Assuming you’re talking about Airmail, the iOS and Mac mail client[1] (which is not a free app), do you have any reference to back up this claim? Their privacy statement states:

> Airmail does not share your information with any third parties. We are not in the business of selling your data. However, we may disclose information if we determine that such disclosure is reasonably necessary to comply with the law.

They also state that they do not send information to their servers unless you enable push notifications, store data only for this purpose, and delete the data when you disable this setting.

[1] http://airmailapp.com

reply


Foursquare is selling business services based on the data they collect, not the data itself (as far as I know).

reply


Do you get that data before you place the bid? Can you just bid the minimum amount so you never actually buy an ad, but get the tracking data anyway?

reply


You get all the data (geo, user's year-of-birth, user interests, device type, etc) before you place the bid. All the json data fields are defined in the standard. I can see iOS and Windows-phone in the feed, it's not limited to Android phones.

https://www.iab.com/wp-content/uploads/2015/05/OpenRTB_API_S...

You don't actually have to bid.

(HN is rate-limiting me) edit: Data is pushed to you as fast as you can process it. It's a firehose.

reply
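As an added illustration of the comment above (not code from the thread or from any exchange), here is a publisher-side check that lists which personal fields an OpenRTB 2.x bid request would expose to every bidder and strips or coarsens them before the request is sent. The sample request, the minimization policy (drop `ifa`, truncate IPs, round coordinates to one decimal) and the function names are assumptions; the field names are those defined in the OpenRTB 2.x specification linked above.

```python
import copy
import ipaddress
import json

# Constructed sample in the shape of an OpenRTB 2.x bid request; every value is made up.
SAMPLE_BID_REQUEST = json.loads("""
{
  "id": "req-0001",
  "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
  "app": {"bundle": "com.example.flashlight"},
  "device": {
    "ua": "ExampleUA/1.0",
    "ip": "203.0.113.77",
    "ifa": "00000000-aaaa-bbbb-cccc-111111111111",
    "make": "ExampleCo", "model": "X1", "os": "Android",
    "lmt": 0,
    "geo": {"lat": 40.712776, "lon": -74.005974, "type": 1}
  },
  "user": {"id": "u-42", "yob": 1984, "gender": "F",
           "keywords": "coffee,running",
           "geo": {"lat": 40.7128, "lon": -74.0060}}
}
""")

# OpenRTB 2.x fields that identify or locate a person and reach every bidder.
SENSITIVE_PATHS = [
    "device.ifa", "device.ip", "device.ipv6",
    "device.geo.lat", "device.geo.lon",
    "user.id", "user.buyeruid", "user.yob", "user.gender", "user.keywords",
    "user.geo.lat", "user.geo.lon",
]


def _get(obj, dotted):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def find_personal_fields(req):
    """Return the sensitive paths that are actually populated in this request."""
    return [p for p in SENSITIVE_PATHS if _get(req, p) is not None]


def _coarsen_geo(geo, decimals):
    """Keep only coarse geo: country/region plus rounded coordinates."""
    out = {k: geo[k] for k in ("country", "region") if k in geo}
    if "lat" in geo and "lon" in geo:
        # One decimal degree of latitude is roughly 11 km.
        out["lat"] = round(float(geo["lat"]), decimals)
        out["lon"] = round(float(geo["lon"]), decimals)
    return out


def _truncate_ip(ip, prefix):
    """Zero the host part of an address (e.g. /24 for IPv4, /48 for IPv6)."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def minimize(req, geo_decimals=1):
    """Return a copy of the request with identifiers removed and location coarsened.

    Assumed policy, not part of the OpenRTB standard: if the device signals
    "limit ad tracking" (lmt) or "do not track" (dnt), drop location entirely.
    """
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    limit = dev.get("lmt") == 1 or dev.get("dnt") == 1
    dev.pop("ifa", None)
    if "ip" in dev:
        dev["ip"] = _truncate_ip(dev["ip"], 24)
    if "ipv6" in dev:
        dev["ipv6"] = _truncate_ip(dev["ipv6"], 48)
    if "geo" in dev:
        if limit:
            del dev["geo"]
        else:
            dev["geo"] = _coarsen_geo(dev["geo"], geo_decimals)
    user = out.get("user")
    if user is not None:
        for key in ("id", "buyeruid", "yob", "gender", "keywords", "geo"):
            user.pop(key, None)
    return out


if __name__ == "__main__":
    print("exposed before:", find_personal_fields(SAMPLE_BID_REQUEST))
    cleaned = minimize(SAMPLE_BID_REQUEST)
    print("exposed after: ", find_personal_fields(cleaned))
    print(json.dumps(cleaned["device"], indent=2))
```
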


To get a seat on the exchange, you need to bid, and exchanges also don't allow you to store data of bid requests that you don't win for purposes other than bid algorithm optimization in their terms and conditions, since that's stealing data. If they find out you're freeloading, they'll cut you out.

Also, most of the data on it is pretty shitty with lots of fraud since the publishers want to get more money. The geo data is often fraudulent (https://en.wikipedia.org/wiki/Geographic_center_of_the_conti...), and that's why companies that bid hire data scientists to sift through the fraud.

There's also rarely, in my experience, year-of-birth or any personally identifiable data.

reply


In a typical bid entry there are between 500 and 5000 bits of information relating to an individual, per the definition of GDPR. And that's not including the dreaded "IFA", which uniquely identifies the individual.

I don't agree with your claim that "the geodata is often fraudulent".

Anyone can read the linked pdf specification (above), download sample data from the exchanges, and judge for themselves.

reply


Is it pushed to you or do you pull it? Is there no rate limiting?

That’s really creative honestly.

reply


>> Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go.

> Any articles/webpages about this one? Or a company name who is doing it?

Foursquare does it, there were some articles last year about how they pivoted to providing that data. They were able to accurately predict Chipotle customer declines after their food contamination scandals.

I'm not sure if they use this carrier location data, or just the data from the people who are still using their app.

Edit: here's one: https://www.washingtonpost.com/news/innovations/wp/2016/04/2...

reply


Advan, Reveal Mobile, QuestMobile, Pinsight, Streetlight Data, RootMetrics, OpenSignal, SafeGraph are a few of the companies selling various forms of mobile user location data.

reply


Allow me to ask some questions :)

> It's not just your cell carrier

No reason to think this is only US right?

> cell phone chip manufacturer, GPS chip manufacturer

How & when is this transmitted and what other data apart from lat & long?

> pretty much anyone on the installed OS [...] is getting a copy of your location data

You mean the devs of whatever app is installed on the phone? The outgoing data should be visible in things like Charles proxy, right?

Is this analogous to FB data being available to any dev that gets permission to access your profile?

> It's normal to track hundreds of millions of people a day and trade stocks based on where they go

Whaaa ... ? Do explain, fascinating.

Can this all be mitigated by those smartphones-hardened-for-criminals type devices?

reply


Is this happening with iPhone as well, or primarily android due to the third party nature of the hardware?

reply


The problem is once it's at the cell carrier level it doesn't even matter if you use a dumb phone. They know roughly where you are based on tower triangulation.

reply


Not my area of knowledge at all, so perhaps someone who knows radio better could chime in: Would it be possible to fool the triangulation from the device, by arbitrarily (or intelligently) delaying the mobile radio signals? Or are they too dependent on timings and such to work?

reply


> Would it be possible to fool the triangulation from the device, by arbitrarily (or intelligently) delaying the mobile radio signals?

Not without messing up your ability to make and receive calls. Cell towers use precise timing and power-level measurements in order to do things like decide which cell-site is best, and to hand-over your call from one tower to the next without breaking your call or glitching.

Edit: Even if you were to play around with timing of responses of the radio signal, you have no control over how it radiates in free space. The time-delta between reception of the same signal by 3 towers at known locations is enough to triangulate your position. Maybe a unidirectional antenna pointing to just one tower might work, if there are no other towers within the beam behind it and no sideway leakages.

reply
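The time-delta argument in the comment above can be checked numerically. The following added example (not from the thread) simulates three towers receiving one transmission and solves for position from arrival-time differences only, showing that a delay inserted at the handset cancels out of every difference and leaves the estimate unchanged. The tower layout, handset position, delay value and the Gauss-Newton solver are all constructed assumptions for illustration.

```python
import math

C = 299_792_458.0  # speed of light, m/s

# Constructed geometry in metres: three towers at known positions, one handset.
TOWERS = [(0.0, 0.0), (5000.0, 0.0), (2000.0, 4000.0)]
HANDSET = (1800.0, 1200.0)


def arrival_times(handset, towers, handset_delay=0.0):
    """Time at which each tower receives a burst sent at t=0.

    handset_delay models the device deliberately holding back its transmission.
    It is added to every tower's arrival time equally.
    """
    return [handset_delay + math.dist(handset, t) / C for t in towers]


def locate_tdoa(towers, times, iterations=50):
    """Estimate (x, y) from time differences of arrival, relative to tower 0.

    Gauss-Newton on the residuals
        r_i = (|x - p_i| - |x - p_0|) - C * (t_i - t_0),   i = 1..n-1
    Only differences t_i - t_0 enter, never an absolute time.
    """
    x = sum(p[0] for p in towers) / len(towers)  # start at the towers' centroid
    y = sum(p[1] for p in towers) / len(towers)
    p0, t0 = towers[0], times[0]
    for _ in range(iterations):
        d0 = math.dist((x, y), p0)
        a11 = a12 = a22 = b1 = b2 = 0.0
        for p, t in zip(towers[1:], times[1:]):
            di = math.dist((x, y), p)
            r = (di - d0) - C * (t - t0)
            # Jacobian row: difference of unit vectors pointing from each tower to x
            jx = (x - p[0]) / di - (x - p0[0]) / d0
            jy = (y - p[1]) / di - (y - p0[1]) / d0
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 -= jx * r
            b2 -= jy * r
        det = a11 * a22 - a12 * a12
        dx = (b1 * a22 - a12 * b2) / det  # solve the 2x2 normal equations
        dy = (a11 * b2 - a12 * b1) / det
        x += dx
        y += dy
        if math.hypot(dx, dy) < 1e-9:
            break
    return (x, y)


def estimate_with_delay(handset_delay):
    """Position the network would compute if the handset delays its burst."""
    return locate_tdoa(TOWERS, arrival_times(HANDSET, TOWERS, handset_delay))


if __name__ == "__main__":
    for delay in (0.0, 250e-6, 3e-3):
        ex, ey = estimate_with_delay(delay)
        err = math.dist((ex, ey), HANDSET)
        print(f"delay {delay * 1e6:8.1f} us -> estimate ({ex:.3f}, {ey:.3f}), error {err:.6f} m")
```
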


There are no available cellphone radio baseband computers/transceivers that allow you to do things with that. You would literally have to implement the entire cell baseband from scratch with a software defined radio. It would be a very non-trivial project.

And it'd be useless unless you had many of these custom transmitters faking your signal spread out over large physical distances.

reply


That's always been common knowledge, the shocker is that it's being transmitted to "everyone and their dog" or even being sold. Afaik that was never the case with dumb phones.

reply


A dumb phone can be localized by cell triangulation. The US military disclosed that it was using such a technique in Afghanistan to locate Al-Qaeda targets (they disclosed this because Al-Qaeda had gotten so paranoid about the accuracy of US military operations that they had assumed they had human spies on the ground feeding the US information and began killing civilians on suspicion of spying).

reply


As an amateur radio operator, I would expect nothing less for carrying a highly networked radio transceiver with loads of sensors including geopositioning.

Simply put: don't want to be tracked? Put your phone in a lead sealed box or leave it at home. Tracking only tracks the phone, not your person.

reply


Yeah they know where you are at any given moment, but they don't have to record it. And they especially don't have to sell it to third parties. That's what we mean by "tracking".

reply


So basically either give up your right for privacy or don't use any new technology? That doesn't look practical. A better idea would be to ban cell carriers (and anyone else) from using location data for anything except explicitly permitted by law, like help in emergencies or conducting investigations.

reply


What would be most effective would be a pair of rules in tandem:

1. Allow the location data to be utilized by the cellular carrier only for legitimate engineering purposes relevant to the delivery of the cellular services. (The network needs to know your location in real time in order to route calls to you.) Also, allow the use of real time location data for emergency services in response to an emergency call. Potentially also allow the use of emergency services initiated real time locations, with a non-suppressible UI required to be presented to the user if this is performed.

2. Require that the cellular service providers purge / NOT retain this location data for any longer than is literally required to provide proper service.

The data retention policy #2 item here is essential in preventing temptation to come up with end-runs for the first rule. It's important that historic data that has no legitimate use under rule #1 not be preserved so that there isn't a mound of accumulating data of theoretically increasing value if only we could change / get rid of rule #1. That sort of thing will create ever mounting incentive to repeal / replace rule #1.

reply


> A better idea would be to ban cell carriers (and anyone else) from using location data for anything except explicitly permitted by law, like help in emergencies or conducting investigations.

That doesn't do anything to protect your data from being accessed by the State, which is actually the bigger problem.

reply


If it does great harm for the state to have this data, and also great harm for the cell carriers to have this data...

Why thwart one great harm yet happily tolerate the other?

reply


Does it cause "great harm" for private businesses to have access to this? I'm not so sure. After all, there is a qualitative difference between the State, which employs men with guns and arrogates to itself the right to use force to impose its will on people, the right to jail people, etc.

If Starbucks knows my location, they can send me a coupon if I enter a Dunkin' Donuts store. If the State knows my location they can falsely accuse me of a murder that I just happened to be near the location of and - if I'm unlucky or have a bad lawyer - execute me for it.

That's not, of course, to say that there aren't some cases where a private business having access to my location could have a deleterious effect. But here's the rub: if you rely on regulation to prevent those cases, you're right back to needing to trust the State, which is - IMO - a foolish proposition.

reply


> Does it cause "great harm" for private businesses to have access to this?

Wide availability of tracking data facilitates domestic violence and stalking, for starters.

Say that someone gets killed by their ex who found them through tracking data leaked by some irresponsible and/or profiteering company. How do we hold that company accountable? How can we prove that it was them who leaked the data, when it's everywhere?

We can't hold the credit authorities like Equifax accountable today for the identity theft they facilitate. This is the same problem. The aggregation of our individual data by companies causes massive negative externalities, borne by individuals.

reply


It doesn't really matter, if a business has the data and the state wants it, the state gets access to the data via the business.

The division is so trivially violated it's pretty much irrelevant.

reply


Whataboutism. Yes, there is a bigger problem. No, that should not prevent us from solving the smaller problem first. With regard to the bigger problem, we build checks and balances in the legal system.

reply


That doesn't mean banning corporations from exploiting your location is a bad idea, even if it's not the optimal privacy-enabling solution.

reply


I don't think we want an outright ban. I certainly have the right to allow a corporation to access my location if I choose to. There may be cases where an individual would judge it in their interest to allow a corporation to have such access.

The problem with the current setup is that we don't know who's gaining access, when they're gaining it, what they're doing with it, etc. Once the cell carriers have it, there's no easy way of knowing who they are selling the data to, and who that entity sells it to in turn, and so on.

Sadly, I don't see a good way to resolve this at the moment. If you use a cell-phone the carrier can always get your (at least approximate) location through triangulation. And regulation only makes sense if you trust the State, and I would like to think we've all learned better than to do that by now. So what do we do?

reply


For communications technology: yes, that seems to be the norm.

Don't like the rules of the road, don't drive.

Don't like that your data goes over a third-party's network to get to its destination, don't put your data on a third-party's network.

Bans "by law" only work until the people making the law become people interested in your location and they change the law.

reply


So basically either give up your right for privacy or don't use any new technology?

I think this is probably correct.

The problem with the ban you suggest is that it will degrade service in many instances. Some level of location tracking is necessary for all cellular phones to make a smooth handoff between towers or for example to load balance connectivity between different towers.

In the end the more personalized the service you want to have, the more "invasive." Opt in is probably the best total solution, however it quickly becomes an education game if you want it to be effective, and most people don't have the time or technical understanding to put up with a dozen different opt ins.

reply


Uh, not really. They can still utilize location data to make smooth handoffs and the other services you mention without bending us over and fucking us with a rusty chainsaw.

They do not need to sell location data to other parties in any way, shape, or form.

reply


Define me the following then about the metadata:

Who does your cell phone's location belong to?

Who does the tower's connection data belong to?

Who does the multitude of tower signal strengths belong to?

Who does the user's cell phone data belong to if allowing multiple apps to use it?

Answer: User's location data belongs: to the user, 3rd party apps they have allowed, and terrestrial cell companies that run towers with the appropriate frequencies for your phone.

The technology isn't the right area to change it. In the end, you're doing stupid stuff with encryption and still emitting point-source radiation that can and will be triangulated.

reply


There's no need for a lead sealed box, a Faraday cage will do. :) I think they even sell phone casing Faraday cages nowadays.

reply


It's Android for the hardware manufacturers and OS crapware getting location data.

For iOS, assume every app using your location is selling the data. That means every app using a map or location smoothing SDK (GPS jumps around, there are services to smooth it out), since the map SDK providers (and there's not many) are selling your data even if the app itself isn't.

Google, Apple, Microsoft etc are pretty careful for good reason. Anyone below that is probably selling it.

reply


Every app that has access to nearby WiFi SSIDs (or even just the one you’re connected to) can also turn this data into location data.

In fact I don’t think that is even a gated permission on iOS.

reply


> This data is sold to whoever wants it. Hedge funds or services who analyze it for hedge funds is the big one. It's normal to track hundreds of millions of people a day and trade stocks based on where they go. This isn't fantasy, it's what happens every day.

I initially thought this was too far fetched but then I started duckduckgoing* and found this: https://www.fnlondon.com/articles/regulators-campaigners-sou...

* If 'googling' is a verb, why not this.

reply


This is a problem with the GSM/UMTS standards themselves. Carriers always know where you are, but one could create a standard where they wouldn't have to know unless you make a call. With enough encryption and effort, I'm pretty sure one could even create a standard where carriers would never know where you are, even while you are using services.

reply


Wouldn't it be easier to ban anyone from using this location data for anything except what is explicitly permitted by law? The problem is not with standards, the problem is with people.

reply


Banning things works relatively well for people because they fear having trouble with law and justice. Doesn't work that well for corporations whose law department is just like any other department. In this case you must assume that if it's technically possible then it's done.

reply


This argument can be used against any law, like antitrust law. Having a law department doesn't give you a free pass to break laws.

reply


Unless we start throwing the legal department and higher ups into prison then it basically becomes a free pass to break laws. Currently, we assess fines to corporations that violate these laws.

It then becomes a cost/benefit analysis weighing the likelihood of getting caught * cost of potential fine vs business value of ignoring the law. Ignoring the law is frequently the correct decision.

reply


Agreed. There needs to be criminal liability for folks like Stumpf and other big bankers/corporate overlords.

But do you think our government will ever stand up? Doubtful

reply


Exactly. I assume that's part of the point.

But having a law doesn't mean people or corporations won't break it out of the 'kindness of their heart'. Or because they're 'good people'.

For example, look at 'No gun zones'. You think a criminal is not going to rob a bank at gun point because the bank is a no gun zone? If anything it incentivizes them because they know they'll have a monopoly of force upon entering (if they have a gun, and can fairly assume no one else will because of 'no gun zone' policy)

reply


Maybe not, but when the cost of breaking the law is less than the gain, it seems logical. A law department is probably better equipped to make that calculation.

edit: Reading into the context of 'too big to fail' and 'collateral consequences' reveals exactly that kind of behavior.

reply


How does one determine which tower to route an incoming call through, in your model? How could roaming work?

Spoiler: I don’t think doing what you are describing is feasible.

reply


Calls could be done over IP, and as long as you could anonymously authenticate to the tower then you could be granted a new IP address at each tower via something like DHCP. I imagine roaming and handovers would have to be done on the end-device though; the end-device would need to proactively associate to new towers and both ends of the voice call would need to agree to switch to the new IP address.

But if the tower operators collude then they can still track you across towers by localizing the physical source of the end-device's signal.

reply


If you really wanted to do this, a more secure approach is onion routing. It's essentially the same problem -- attempting to preserve anonymity in the face of adversarial network hardware, while being limited by a requirement to enter / exit through certain nodes.

So you'd want a mesh network, formed ad hoc out of currently in range cellular device neighbors, with packets re-encapsulated and encrypted at each hop, eventually hitting the tower from a random device.

Authorization would be impossible (the intent of the scheme) without a side channel (as you can't simultaneously have individual authorization and individual anonymization). Which makes it a non-starter for commercial use.

reply


Oh yeah, that's an interesting solution.

I'm not sure simultaneous authorization and anonymization is impossible. Couldn't you use something like Chaum's e-cash to obtain tokens that guarantee the holder the right to use the network for some amount of data, but these tokens are tradeable and therefore the spender doesn't have to be the same as the buyer. Then you could spend this token in the network to get access and the network could authenticate the token without identifying the spender. I'm guessing something like zcash could be used as well...

reply
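The token idea in the comment above, sketched with a Chaum-style RSA blind signature: the carrier signs a token at purchase without seeing it, and later accepts it without being able to look up who bought it. This is an added example, not part of the thread; the `Carrier` class, the function names and the account string are assumptions, and the fixed key is constructed for a deterministic offline demo only.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key: product of two well-known Mersenne primes so the example
# is deterministic. Such a modulus is trivially factorable; never use it for real.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # carrier's private exponent


def token_hash(serial: bytes) -> int:
    """Map a token serial to the integer that actually gets signed."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")


def blind(serial: bytes):
    """Subscriber side: hide the token hash behind a random factor r."""
    m = token_hash(serial)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r


def unblind(blind_sig: int, r: int) -> int:
    """Subscriber side: strip r, leaving an ordinary signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


class Carrier:
    """Hypothetical issuer/verifier. It bills an account at purchase time and
    checks tokens at spend time, and keeps everything it ever sees."""

    def __init__(self):
        self.issue_log = []  # (account, blinded value) seen when a token is bought
        self.spent = set()   # serials already redeemed

    def sign_blinded(self, account: str, blinded: int) -> int:
        self.issue_log.append((account, blinded))
        return pow(blinded, D, N)

    def redeem(self, serial: bytes, sig: int) -> str:
        if pow(sig, E, N) != token_hash(serial):
            return "bad signature"
        if serial in self.spent:
            return "double spend"
        self.spent.add(serial)
        return "ok"


def buy_token(carrier: Carrier, account: str):
    """Full purchase: the carrier learns the account but only a blinded value."""
    serial = secrets.token_bytes(32)
    blinded, r = blind(serial)
    sig = unblind(carrier.sign_blinded(account, blinded), r)
    return serial, sig


def run_demo():
    carrier = Carrier()
    serial, sig = buy_token(carrier, "account-1001")  # constructed account id
    m = token_hash(serial)
    # Nothing in the purchase log matches what is later presented at a tower.
    linkable = any(b in (m, sig) for _, b in carrier.issue_log)
    return [
        linkable,
        carrier.redeem(serial, sig),     # first spend
        carrier.redeem(serial, sig),     # replay of the same token
        carrier.redeem(b"forged", sig),  # signature does not fit another serial
    ]


if __name__ == "__main__":
    print(run_demo())
```

This only unlinks purchase from spend at the protocol level; as other comments in the thread point out, it does nothing about towers locating the radio signal itself.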


That's what I meant by side channel. So yes, you can split authorization responsibilities into a different entity, but then that entity is going to be able to deanonymize you.

And it wouldn't play well with billing accounts being deactivated / reactivated.

And... now that I think about it, given the tower:location mapping, you'd also have to include bouncing traffic back out to a non-tower-sharing peer and then back into their tower w/ randomized timing, else outer layers of encapsulation would still identify tower association.

Which means latency would be utter crap.

reply


"without a side channel"

Do you have any links where this is done without a third party?

reply


Off the top of my head, you could have this system: you use a new id that authenticates you with the carrier every n packets, and you do the routing from the source to your id on a server that you control yourself.

reply


Spoiler. The utility of the live call is overstated. Most of the people I interact with via a phone vastly prefer async SMS over sync voice calls. We can do SMS via polling, the network doesn't need to push anything to us.

reply


People text so much because there is an expectation the other person is going to respond pretty quickly. There is definitely value derived from having people accessible all the time, and I doubt a service would sell if people weren't.

reply


With the current setup, sure, but that's by design. The cellular modem could stay off until you decided to take the call if there was a nationwide page circuit listening, the user would get the ring, see the number the page sent, and if desired, answer, which powers on the modem, hits a tower and connects to a backend system that sent the page which took the incoming call.

Page messages are in the clear, but that's fixable by (gasp) OTP.

reply


You want every single cell phone call in the world to send out a signal over every single cell tower?

reply


No. But at a certain point, with the high speed modulations we have today, it is totally feasible to broadcast these passively to a multi-state region encompassing a radius of hundreds of miles.

There's not a legitimate engineering reason that the network needs to maintain constant fine-grained location data for each registered device at this point. The scope of the registration can be far more widely cast.

This would even have upsides for the devices and users. As check-ins to the network in which the device must transmit to the network would be far reduced, battery life improvements can be had.

Yes, this increases the amount of "broadcast" traffic, but honestly, even for some of the busiest telco switches in New York or LA, those data streams don't even approach the throughput requirements of a single HD Youtube stream...

reply


> where they wouldn't have to know unless you make a call

Presumably this is actually "unless you make a call or use data"?

reply


How can one prevent this and still carry a cell phone? Would keeping one's phone in a faraday bag defeat this constant tracking?

reply


I don't think it's possible through technological means to avoid being tracked and still use a wireless network. Even if you could anonymously authenticate to the network, if the base stations have a large number of antennas then they can locate the physical origin of your signal and track you that way.

It may be possible of course through other means, like government regulation or only using carriers that have some guarantee of privacy.

reply


I mean unless you've got a ham license and bounce your signal through your own network of relays using a different band than the final signal to the cell tower. But I don't think that's going to work as a popular solution. Would be a really fun experiment to build though.

I wonder if you could still use latency timing to get a rough fix on location through a secondary network like that. Not that anyone would be trying to.

reply


A good start would be using a prepaid mobile phone (paid with cash, via an intermediary to avoid appearing on store CCTV), plus using phone apps that are not tied to your real identity. A Faraday bag for the phone when it's not in use.

Honestly, it just depends on how paranoid you want to get, and who your adversary is.

reply


If your goal is to simply avoid your location being sold by your carrier for marketing purposes, an intermediary seems a little excessive, no? Unless you have reason to believe that your local pharmacy or cell shop is selling facial recognition data as well ...

reply


Selling facial recognition data is the next big revenue stream. There is a reason the Googles of the world are gushing over installing internet connected surveillance cameras on every block [0].

[0] https://nest.com/cameras/

reply


Carriers will still be able to track you via the cell towers you're connected to. I'm sure they can triangulate based upon signal strength, and that's strictly using your cellphone as a dumb phone.

reply


> "But switching off location will probably do it too."

Wrong. Phones can be triangulated by the carriers regardless.

reply


Can we trust the GPS receiver to be powered down when the OS tells us it's powered down? I know Android keeps listening for WiFi stations even if you tell it to turn off the antenna. Might it do the same thing with GPS?

reply


It may help in regards to your exact location via GPS, but cell companies can still triangulate your location based off how strong your signal is to certain towers in the area and which towers you have connected to recently.

reply


No, switching off location would not do it - why would it? Cell tower data is sold at the carrier as per the article.

reply


How much of this data is archived and searchable?

Most of the descriptions of the service so far indicate a real time or near real time feed. I'm curious if it's possible to go take a phone number and ask "give me location data for this person around xx:xx at yyyy-mm-dd."

reply


i’m not quite following. are you saying that individual, identifiable location data is being collected and sold?

reply


What specific data about the person is traded alongside their location history in the... schemes that you describe? (name? Some govt ID number? Phone number? Address? ....)

reply


Ah yes I've personally seen this while working at an OEM. There are a lot of other insane things happening on a phone like CIQ. FYI, listening to users via microphone is one thing that actually does not happen.

reply


okay, so, to cut to the chase here: how do we disrupt or destroy the companies doing this?

it isn't acceptable that they are taking advantage of us in this way.

we can't expect any political solution to the problem, which leaves us to pursue other means if we want to protect ourselves.

is there a way to introduce fake data or noise? what about opting out?

is there a law being broken here that we can make into a lawsuit? i wonder if there is a precedent regarding restraining orders or unwanted surveillance by private entities...

reply


Making a cell phone out of a pi with a sim card and gps daughter board is sounding less and less crazy each day. Really looking forward to when the librem phone starts shipping. I wonder if they've really been thorough enough vetting hardware for those bare-metal security issues.

This is at once staggering and completely unsurprising that companies would violate user trust in such a way and sell data without proper vetting that exploits people and could potentially put them in danger. Yet another episode in the misadventures of techno-illiterate regulation and totally unread TOS agreements.

reply


Even a RPI won't help you unless you can build all of the software for the microprocessors which drive the wireless stack. Even then, vendors (e.g. Qualcomm) will already have their software on the chip when you get it.

A completely open spec, open source set of components is what the community has desired for a long time. As standards get more complex and evolve faster, 4G and beyond, it becomes less possible to keep up in the open.

reply


It's funny that this is coming up now. The other day I was on the phone with Geico's roadside assistance and they wanted to know my location. I told them I didn't have their app downloaded, they said it wasn't a problem and they could get it without it. Sure enough they could. I checked their disclaimers [1] and they purchase the data from my cell carrier. They didn't even have to know which one.

[1] https://www.geico.com/web-and-mobile/mobile-apps/roadside-as... (see disclaimers at the bottom)

reply


Wow. The fact that they can just get this with "oral approval" (relayed by them to your carrier) is shocking to me. This is ridiculous.

reply


The other respondents to this message more or less have it right.

The way this stuff works is that when GEICO signed the deal to get access to this, they pinky-swore in a contract to only use the data certain ways.

Often, the representatives on both sides of such transactions even have a wink-wink nod-nod deal going which is different from what the contract materially represents.

Importantly, these contracts virtually always avoid talking about mechanisms for tracking such usage, auditing such usage, and even any remedies for violations (beyond discontinuing the service access - and then only if it's egregious).

You'd be amazed how much in the telecom world is handshake and contractual with no technological enforcement and often neither side of these agreements are incentivized to enforce the terms laid out.

The parts of these agreements that are solid is how transactions, events, etc are measured and what these cost and who pays and how. Shocking, that.

reply


They don't need oral approval or any approval. GEICO is only asking so that their customers won't freak out when GEICO magically knows where they are. The customer service rep probably had the data up on their screen already when they asked.

reply


I wonder if they use this data to price insurance -- they would easily know when their drivers are going over the speed limit (or, if such data is not so precise, if their average speed over 10 minutes exceeded the speed limit).

reply


More likely is approximating number of miles driven and price discriminating based off that. More miles driven = more risk of an auto accident. Basically pay-per-mile car insurance, but hidden.

reply


I believe the relevant T-Mobile privacy policy (that I definitely read before signing up...) is:

"With your consent. We may provide location-based services or provide third parties with access to your approximate location to provide services to you." https://www.t-mobile.com/company/website/privacypolicy.aspx

That is why a text message confirmation is required to get a cell phone's location from https://www.locationsmart.com/try/

For those on T-Mobile, there are privacy settings that can be adjusted here: https://my.t-mobile.com/profile/privacy_notifications/advert... I already had all of them disabled, and I was still able to get the location of my cell phone from LocationSmart.

I chatted with T-Mobile support yesterday to see if I could opt-out of them sharing my data. Not surprisingly, the support agent was less than helpful. "Don't worry, your data is secured"

Are there any US carriers that respect privacy and do not share private information with 3rd parties? Or is that a pipe dream?

reply


> Kevin Bankston, director of New America's Open Technology Institute, explained in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government.

It seems like intelligence services spend a lot of their time dreaming up ways to do an end-run around the law. This is the same reason US intelligence does partnerships with foreign intelligence services.

reply


I'd rather them try to do end-runs around the law than run it up the gut... (If I had to choose)

reply


Just think of how amazing the museum will be for your great grandkids when we completely dismantle them when, inevitably, their stated mission goals supersede common sense and a responsible relationship to the American public.

reply


I doubt any of the privacy invasions are going away anytime soon.

The big tech cos pull in ~100B in revenue precisely because they can capitalize on the data.

As long as there is a crazy amount of money to be made, it will keep on getting worse. Having hope on the US govt to do anything is wishful thinking. Govt and corporations are hell bent on knowing everything about you. It gives them the power.

reply


Carriers have been providing these services to 3rd party providers since at least 2006

https://www.theguardian.com/technology/2006/feb/01/news.g2

A few points to note:

* Obtaining consent is entirely left to the provider to implement. It does not appear to have any auditing. A provider can query any number they like.

* The opt-in process used by many providers is easy to exploit, by spoofing SMS replies or abusing the SMS template so that the surveillance target does not get notified

* The providers are well aware of the potential to exploit this and have been for some time. It has never been resolved in over 10 years.

reply


I just discovered this treasure trove from the UK house of commons in 2006

https://publications.parliament.uk/pa/cm200506/cmhansrd/vo06...

"To extend that to adults, The Guardian journalist Ben Goldacre showed recently that someone needs possession of another person's mobile phone for only a couple of minutes to appear to give the consent required under mobile phone companies' current procedures. The person he was tracking never got any of the warning messages that were meant to have been sent to her. Even more scarily, a hacker's website has recently published information telling how to spoof consent without even having to have temporary possession of the target's phone; all that is needed is the number. If someone has a person's number, he can track them. It is not a problem. I know where the website is, but I am not going to tell Members. It is possible to track people just through their phone numbers."

reply


Is it even considered an exploit?

It's a cell carrier providing data about the radio communications between hardware they own and someone else. At a moral level, seems somewhat equivalent to a web server providing data about clients that access the server.

To opt out, stop using some third-party corporation's owned hardware to route your communications near lightspeed around the world. Hey, the Amish communities may have something in their overall philosophy of "Don't be beholden to strangers who aren't part of your community."

reply


I'm not clear if you missed the point here? This isn't aggregate data, it's obtaining the location of a specific individual just by knowing their phone number. It can be done without their knowledge or consent.

By your webserver analogy, the equivalent would be more akin to google publishing the contact details and search queries of anyone using the service.

reply


One of these days, most of you will finally understand just how right RMS was and is...

It's just a shame so many can't see it, and worse, give those of us who do shit.

reply


I am starting to wonder what all have I consented to? Every week I learn I have consented to this and that because of a news article as I never read those contracts or TOS. I wonder if there will be a way to phrase long contracts into bullet list of ideas for someone simple minded like me in the near future.

reply


One of the things that GDPR requires is real informed consent, small print hidden inside a thirty-page EULA is not acceptable.

reply


And unlike some of the recent proposals in the U.S., it's generalized to all industries.

reply


Maybe by some 3rd party then? Maybe an application of all the fancy natural language processing or some other ML. I visit the site, paste the TOS or maybe there is a list of TOS that has been translated and I get a nice gist.

reply


I think a more realistic option is Congress imposing a requirement on them, the way the terms of a loan have to be presented in a standard form.

reply


The worst part is there isn't any possible way I know of to defend yourself against this other than not having a phone.

reply


A while ago I thought of a very neat 'future job': you walk around town with somebody else's phone. So if you 'need to be' somewhere, you just hire this service, deliver your phone, which will be returned to you, and there goes your track record.

reply


I'm hoping the Librem 5 succeeds. I think disabling the baseband would be a solve and at least slightly more trustworthy than airplane mode.

Right now I think you're right, there's no defending against it without turning off devices.

reply


What about decentralized networks over 802.11?

It wouldn’t be a total solution, because access points get hacked, etc. but it would make the data a lot fuzzier.

reply


The reason that cell phone networks actually work (they're effectively decentralized networks) is that they pay the big bucks to rent space on high towers, building roofs, etc.

The only thing that matters for radio communications is line of sight. The only thing that gives you line of sight is relative height. The only thing that gives you consistent height is money.

reply


Voice over WiFi definitely works. I don’t think “works” is the word you are looking for. “Won’t have great coverage” is maybe what you were going for.

A WiFi-based network with stronger privacy characteristics would be valuable to the small part of the market who cares more about privacy than coverage. Those people exist, ya?

reply


>The only thing that gives you consistent height is money.

Or long rope, a balloon, and a heat source ;)

reply


You still can't be sure. Your car may contain a SIM card nowadays, always connected, for your protection, sure thing.

reply


While unreliable it wouldn't be unrealistic to use wifi in densely populated areas. It looks like the pager industry is still alive, too.

reply


Most wifi hotspots have location information anyway, so your phone will know where it is, and then one of the many apps on your phone can report back with that information.

And isn't a pager just a really simple cell phone? I'm not sure how that's a solution if cell towers can triangulate your position.

reply


Until/unless they modify the law - turning off your phone thwarts it. While your phone is powered off, it has no ability to track & record your location movements. Obviously your active location will then be picked back up after you power it on, it won't have a record of anything in between.

A simple example of limiting the invasiveness using this approach, would be to have your phone on only at work & home, or similar. In absence of phone snooping, someone can already easily locate you at those two standard destinations, and can easily discover when you'd typically be at those places (ie you're not giving them much by using your phone there under normal circumstances).

reply


The way I understood it is that the requester of the location is trusted to have gotten consent from the subject of the query. The providers will answer any queries.

So Securus works on the "we're sure our customers are getting consent for their inquiries" presumption. What are the consequences if a company is found to not have gotten consent? Business sense dictates there to be no consequence at all if Securus can avoid it.

The way this should work is that the carriers can get permission to share location data with third-parties. They should not do it without having gotten permission from their customer. But then they probably get that when you sign the contract. Or do they just not mention it?

reply


The most obvious use of the data appears to be by credit card companies to detect fraudulent use of a card and decline those transactions. This is something I'm relatively comfortable with, though it's plainly in the interests of the bank and I only indirectly benefit from the tracking.

reply


As blocking fraudulent claims could remove a reason for my premiums to be higher, I can't say I'm against that.

With the caveat, of course, that people are not always where their phone is so this taken on its own would be circumstantial evidence: one would hope decisions are not made directly based on this information.

reply


It’s not in the interest of insurance companies to lower premiums. They only do it if competition is eating them alive. Geico has been raising their margins ever so slightly. I bet they are also the purchasers of ungodly amounts of data for targeting marketing.

Insurance companies' #1 goal is to make maximum profits for their shareholders without getting caught with their pants down.

reply


Are you changing insurance companies regularly? Why would an insurance company have any reason to reduce your rates unless legally required to? Even if they've been overcharging you for years compared to competitors, if you aren't calling them up and threatening to change insurers, why would they ever give you money back?

reply


Or maybe parallel construction used to deny/approve loans. E.g. I can't weight the loan approval negatively specifically bc the person is black, but the GPS information suggests they frequent black areas.

But really every use of this information is highly asymmetrical. If they're using it to trade stocks, while regular people are using traditional means, it's an advantage we don't have access to. This is basically the virtual castle walls keeping us peasants out in the fields. Modern feudalism.

reply


Yes, I am greatly bothered by it, especially because I am not aware of the extent that my information is being distributed.

On the one hand, I opt-in to location tracking for apps and services such as Google services, because I genuinely believe that I benefit greatly from location-targeted information. On the other hand, I would opt out of any other location tracking of my cellphone to companies that I do not see the benefit of having. I want fraud-protection and no liability when it comes to fraudulent purchases (opt-in for credit card companies and banks), but I don't want the government/Facebook/retailers/insurers to have this access without permission.

reply


How do you expect this data to be used in your favor? If there is a technical glitch/human error and your data is intermingled with someone else's, it will be used against you silently and you will have no recourse.

reply


I was aware the cell phone companies were selling anonymized data for some time (not revealing the numbers and adding some jitter to the location data to avoid identifying users).

This is the first I’m hearing that they’re releasing detailed personal tracking by phone number. When I sat in on a recent presentation with Verizon execs they flat out said they were not doing this. Oops.

reply


Airplane mode would work, yes. But it only works against the cell provider. The on-phone GPS can still work and sync the data later.

reply


The off button/battery out is a simpler solution. You won't be receiving calls anyway.

reply


Previously discussed yesterday, and again two days before that: https://news.ycombinator.com/item?id=17069459

This is one of the reasons I use a public-facing Twilio number, which forwards to a private number which I never hand out.

This isn't something that people should have to do to opt-out of tracking like this, but it doesn't seem like there are many other reliable options.

reply


If you take that cell phone home with you regularly and don't live in a multi-unit building, it would be relatively trivial to figure out your identity using this data.

reply


Undoubtedly. Not a strong protection against doxxing, but might offer some semblance of protection from 'drive-by-lookups'. With a modern smartphone and location services, there's only so much you can do.

reply


Just a heads up: Twilio now offers a metric fuckton of services geared towards SIM-enabled IoT. You can order SIM cards by the pile and then bind them to a Twilio number by activating it in the UI (or via API). So now instead of (or in addition to) simply forwarding traffic from garbage numbers to your real number, you can get Twilio numbers that are registered on T-Mobile's network via an actual SIM card, making it much easier to send from your Twilio number than it used to be without it bound to a SIM card. Fairly good price, too. Unfortunately, I'm not sure what happened to Twilio's API as it's now as opaque and awkward as any AWS API (almost as though someone on Twilio's engineering team made the decision to model their API after the way AWS builds their APIs), but the services they offer are as compelling as they always were. I'd give Twilio a solid D for what the API has turned into, but A+ for service innovation.

reply


Last time I checked, the data price for the Twilio SIM was not good for daily use. Far cheaper to use something like Google Fi and a data-only SIM.

reply


I wondered how the spam callers knew what area code I was in while traveling out of state.

I would assume that through clustering analysis (e.g. coworkers/friends travel together) even fairly coarse position data can allow you to construct relationships. Then they can spam/phish both you and your coworkers with the same fake number. That makes it seem more important to answer and more organic.

reply


A friend of mine just got back from NYC and then received a fake call from an NYC area code. I get several every day from random area codes, and we had to wonder whether it was coincidence or not.

reply


When are we going to wake up and reform privacy laws?! This cannot be the new norm.

Something about this has to be illegal.

reply


This exploits a vulnerability in the SS7/MAP protocols that power mobile networks worldwide; the cooperation of the carrier isn't even required (even if carriers were against this; bad actors can and will get this data anyway).

reply


> the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies

Clearly the US has their priorities completely the wrong way.

reply


Part of the American mythology is that government involvement is always bad. It's hard for me to know if this developed because of the myths of the American Revolution, that a small colony won it alone and not because of external factors, and how much is due to people preaching small government politics. Regardless, a distrust of the government seems to be ingrained in the American psyche IMO.

reply


Small government just means localized government.

At a more local level, people have much more influence and ability to change problems that they see. At a more federal level, policy is imposed without localities having much/any influence.

That centralization and imposition of policy that half the country opposes is the reason for the political divide that we see today. If the same policies that we argue about so much were implemented at a state level, people would have the ability to vote with their feet.

That doesn’t mean some legislation shouldn’t be federal, but there is a reason that the intention was for federal policy to be overwhelmingly agreed upon rather than forced in along party lines.

reply


This is a good summary. The US was designed similar to the EU; each "state" is autonomous, but some things are shared, like currency, etc. Allowing frictionless movement between states is also paramount (and explicitly defined).

The logic being, if a state starts to get out of control, you can just move to another state. This allows states to experiment with various laws specific to the population.

Most of this was undone with the Civil War. As abhorrent as it was, the federal government had no legal power to ban slavery outside a constitutional amendment. The 13th-15th amendments actually banned slavery after the war, not the Emancipation Proclamation. Today, the federal government bans whatever it pleases and uses the commerce clause to skirt the constitution.

Take the drug war for example. Because a group of drugs was federally banned, states were powerless to do anything about it. I think most people would agree that federally banning all drugs ended up being a terrible idea and ruined many lives and families over the course of its execution. It continues to do so today. If the constitution was actually followed, each state can determine which drugs it would allow. As far as I know, Colorado hasn't devolved into a cesspool of depravity since it legalized pot. Imagine all the hell that could have been avoided if states were allowed to decide which drugs to ban rather than the federal government.

Of course a strong federal government has some plusses as well. It was hotly debated during the country's inception, but the ultimate compromise all the states agreed to is what we got.

reply


Ahaha what? There's no myth that we won it alone. Elementary school texts on the subject lay it out fairly clearly that we did it with the French.

reply


There are a worrying number of people in the US who believe in American exceptionalism. When the French are brought up by them, it's generally in the context of "We saved their asses in WWII", not "They were vital in our war of independence".

reply


Trump just spent his formal state visit with Macron repeatedly extolling the role the French played in American independence. Trump addresses almost everything he does to the same audience that elected him (the same people that your premise would imply don't understand how vital France was to US independence). It's blatantly clear that average Americans for two centuries have understood the very important role France played. It is taught in all schools in the US.

Just about all nations believe in their own exceptionalism. Ask a person from Scandinavia what the best nations on earth are sometime. You really don't need to ask, they'll start all of their replies with: in Sweden we are bestest. Ask a French person how glorious their culture is. Ask a person from China how extraordinary their nation is and about how it's going to dominate the world in the future. Ask a German who makes the best cars on earth (they'll volunteer that, you know, Americans should make better cars if they want to fix the trade deficit, snark snark, chortle). Ask a Canadian if their country provides for a superior way of life vs the US - they won't hesitate for a second to proclaim that as a matter of fact their way of doing things is superior. Ask a Japanese person, off the record, if they're superior to the Chinese.

America's exceptionalism is that it's the only nation aggressively called out for believing it's exceptional.

reply


'Generally'.

Also, a severe lack of commentary on those who live in other countries believing in their own exceptionalism. So not sure what you're responding to.

reply


There's no doubt that those were factors that aided. As always nothing in world history happened due to a singular factor or cause. But it is not mythology that a lot of brave and enlightened people fought an empire and have become a very successful country. What next? Are we to discount the Allies' win over the Axis because well the Third Reich was worn down due to fighting in Russia? I am a US born citizen and criticize our country quite a bit, but it is insulting to say that the uprising here wasn't the main factor in us achieving our independence.

reply


Until the levee en masse in France pretty much all European armies consisted of mercenaries, criminals, and various other people considered the dregs of society, rather than patriotic citizens devoted to the cause.

Also the British Empire lasted significantly longer and a big factor in pulling out was protecting the Caribbean possessions from the French.

reply


Probably a bigger myth is that farmers hid out in trees and picked off stuffy Englishmen foolishly clinging to warfare in lines (so why was von Steuben important, then?), which only comes close to describing reality in places like Kentucky where a bunch of partisans were participating in what we might today call guerilla warfare. But even in that case it was less picking off soldiers and more killing your loyalist or patriot neighbors. Warfare in lines was completely logical given the weapons available at the time.

reply


> There's no myth that we won it alone.

Yes, there is.

> Elementary school texts on the subject lay it out fairly clearly that we did it with the French.

Textbooks are a mixed bag, but most I've seen at K-12 levels do mention that the French eventually were involved in some way, but very few give a real idea of the nature, extent (material or temporal), and criticality of French aid. E.g., approximately zero note that France started covertly arming and funding independence-minded Americans before the Declaration of Independence.

But even if the textbooks told the whole story, that wouldn't disprove the existence of a popular myth, it would just make its persistence more remarkable.

reply


Even if it were factually accurate that we won it alone, the story of the revolutionary war has still taken on mythic status in our society. The revolutionary war is just as much a mythic story as many religious stories.

reply


Another part of the American mystique is that every politician is for sale via legal bribery where companies donate to their campaigns and get them to do mostly whatever the company wants, totally contrary to the interests of the public.

reply


They do, some folks.

The idea is companies, caring only about their own revenue, are purer of heart than politicians who are interested primarily in their own social status.

... that a kind of bulk morality emerges from many individuals all working to maximize a single product’s sales.

reply


It's reasonable and wise to distrust government. What is unreasonable is American blind faith in private industry.

This tracking is a great example of the threat posed by industry to individual citizens.

reply


You leave out another option: Americans distrust government because we see it fail us every day. Corruption, police brutality, inefficiency, politician sleaze baggery...

In general corporations provide a much higher quality service than the government in the US.

reply


It always boggles my mind how 1/2 the people that realize and complain about those things go on to recommend more government and that only they should have effective guns.

reply


It’s not half, it’s a tiny percent who recommend those things.

Saying half the country wants those things because they vote D is the same as saying half the country wants to ban Muslims because they vote R.

You can’t treat populations as individuals. You can’t take the many desires of a group of people and expect them to make sense as if they were one mind.

This mindset is the reason political discussion has broken down in this country. Rather than treat each other as individuals with diverse opinions, we treat each other as mini clones of the nonsensical amalgam of the worst aspects of half the country.

reply


You make a good point about the government, but I don't agree it extends to corporations. Corporations do much of the dirty work of the government.

Defense contractors and mining concerns operate hand-in-hand with the government, training police, researching weapons, running prisons, crunching data. Look at the story of this article: it's corporations doing the dirty work the government isn't technically allowed to do.

Furthermore corporations only submit to greatly reduced requirements for attending to those with special needs, like in wheelchairs, deaf, etc. There are some valuable services provided to them, like closed captioning, but only under passioned support from idealists and with profit incentive.

If we left it all to corporations, only the most able-bodied and well-off people would run the country for the most able-bodied and well-off, forming tight-knit circles to maintain their power and never perceiving the world as a place for living, only protecting power.

reply


> ...There are some valuable services provided to them, like closed captioning, but only under passioned support from idealists and with profit incentive.

It's worth noting that video closed captioning had to be mandated by law (Telecommunications Act of 1996) before it became universal[1]. Some broadcasters were ahead of the curve & implemented it prior to the legislation, but it was rarely comprehensive.

Of course, this just underscores your point that disabled consumers were not a large enough group to have their needs met by market forces alone.

[1] https://www.fcc.gov/general/telecommunications-act-1996-and-...

reply


The clever part is that the government in turn is allowed to purchase data from the other companies.

reply


Also, if a government employee does a lookup in their spare time as a private person out of curiosity, it is ok? Or if they ask their friend to do the lookup?

reply


Why? Releasing the data to the government creates Big Brother. I thought we were all against that?

reply


Now you've created a corporate Big Brother, who is hell bent on pure profits and doesn't even have to answer to you in the elections. Is that better?

reply


Yes? Government Big Brother can put me in jail just because a cell phone record said I was near a crime while being committed. Corporate Big Brother can only make money from me.

reply


Here the difference shows pretty clearly, as I would trust the government more than any company. Government serves the people, while companies mostly care just about profit. Any of companies' privacy concerns are related to legal and PR risks.

Being from Northern Europe, I do feel I have a good reason to trust the government. It's a machine that is working for my benefit, with my tax money, and is held accountable via my votes.

reply


“Here the difference shows pretty clearly, as I would trust the government more than any company.”

What the?

”Government serves the people”

Wait seriously?

”Being from Northern Europe,”

OH. Yea, I’m pretty sure there is a cultural difference we just aren’t going to agree on. I don’t know what country you are from but I’m going to guess its population is pretty small and what you effectively have is small government anyway.

reply


Whether or not they live up to that purpose is another discussion, but at a base level the government exists to serve the people while (for-profit) corporations exist to make money. Regardless of cultural differences.

reply


What stops Corporate Brother from voluntarily sharing/selling/giving data to the government out of patriotism? Or for some help in exchange. Especially if done unofficially.

reply


Well, such a release should of course be limited, regulated and with oversight. But I'd argue that at least police should have some possibility to get at customer data, even without opt-in.

Release of privacy-sensitive data to other companies should strictly be by clear customer opt-in, with clear limits on its use. And even some of that should be forbidden for semi-monopolies such as telecom providers.

reply


Contrasted to Palantir, Facebook, Cambridge Analytica and private firms working for NSA?

Ironically, governments are somewhat still under democratic control... somewhat.

Corporations are completely authoritarian, and by design.

reply


But that act says it's telecoms that can't sell it to the government. Doesn't the government purchase data from other 3rd party entities anyways?

reply


What if I as a European visit the states? Am I protected through some agreements with my local provider or even GDPR?

reply


Maybe [1]. I wouldn't count on being protected while outside the EU.

Art. 3 GDPR Territorial scope

Article 3(1) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

Article 3(2)(a) - the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or Article 3(2)(b) - the monitoring of their behaviour as far as their behaviour takes place within the Union.

Article 3(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

[1] https://gdpr-info.eu/art-3-gdpr/

reply


Practically you're just going to get extra tracked because you're a foreigner. Also if the articles about TSA borrowing your phone to clone it real quick or forcing you to log into facebook are true, I wouldn't expect them to abide by GDPR.

reply


Through FISA, all foreigners are legally monitorable, no matter what.

This is part of how US mass surveillance works. We record everything and if it turns out to be a citizen, we're supposed to throw it out. Of course in reality, it goes to the Parallel Construction Department who uses the information to build a case against someone through other means, knowing the answer in advance.

reply


I’m shocked that anyone is shocked about this! Transportation departments have been buying this data since the late 90s.

More creepy are the planning solutions for commercial development. You can buy datasets that will tell you the average income of drivers on larger highways in hourly buckets.

reply


So as a private citizen, I can pool some money and get the same level of tracking that American intelligence services have of individual cell hardware?

Sounds like a win for the citizens.

reply


> Cook: What would he do if he were Facebook CEO Mark Zuckerberg? His answer: “I wouldn’t be in this situation.”

Sounds like one of those situations to me...

reply


The article mentions banks tracking your credit card usage to detect fraud. Are there known instances of banks reselling this location data?

reply


I tried the LocationSmart website; it said location accuracy was up to 14 miles off. They were really 4 miles off. So not that accurate. If it was 2 blocks like the other poster I'd be worried.

reply


Has anyone suggested a practical way that people can avoid being tracked? (Aside from Airplane Mode or keeping your phone in a Faraday Cage)

reply


I see a lot of suggestions about reducing or shutting off your signals, but what about boosting them in certain directions? As far as I understand cell tower triangulation, having a stronger signal in one direction might offset your calculated position in that direction. I wouldn't expect that to decrease connectivity, just require special equipment and more battery life.

reply


If it's happening at the carrier level (triangulation via towers) there's zero you can do at the client (your phone) besides stop transmission by turning it off or placing it in a faraday cage.

reply


It sounds like GPS units are also involved: tower triangulation is inaccurate so by carrying a phone that has no GPS you would be able to claw back a few meters.

reply


Out of all the solutions suggested - this is the most practical. This would actually fix the problem at hand. Make it illegal for them to either obtain and/or sell this data.

reply


There's no way to do this without using your own antenna network. Even then, you need encryption just to anonymize your calls, but if you end up talking to people subscribed to the same carriers you're trying to avoid, you can trivially be de-anonymized by timing attacks. So there's no good solution, unless you're willing to turn your calls to voice mail.

More practical solutions would include:

-(physically) Powered off radio unless you want to make a call. A clear drawback is that you can't receive calls.

-Satphones. I'm pretty sure satellite phone providers aren't in this yet. They could be, but my guess is that they wouldn't want to waste bandwidth triangulating their users. Also satellite-based triangulation would be much harder and less accurate, and if you use your own directional antenna and sat-tracking mount, you can avoid this altogether. Until they start installing phased array antennas or something.

-Finding a provider that doesn't sell your data to third parties. Probably the hardest of all, and you have to rely on their word.

reply


It used to be possible to buy prepaid SIM cards with cash and not have to provide any identification. AFAIK, this isn't possible anymore. Does anyone know for sure?

reply


Laws are everywhere to prevent this, because without ID, a terrorist can buy a SIM card and put it in his GSM-controlled IED. Not sure how strong it is being enforced though, the terrorist can just give a homeless guy a few bucks to buy a SIM card for him. IIRC when I bought a SIM card in an Asian country I went to visit, the seller just entered her ID number into the system.

reply


The real question being: How hard is it to bypass/cheat the identification requirement? Especially considering the US doesn't even have something like an official ID card.

They also changed this in Germany. Now you have to fill out a form to activate your SIM, but afaik nobody ever checks if the information in the form is actually yours.

reply


The providers in our country require ID. I think there was an EU directive in 2006 that gradually forced all providers to require identification. Of course this doesn't stop criminals in the slightest, they just get second hand SIMs registered by homeless or just SIMs from outside the EU, so it was a pointless law with regards to reducing crime, but if the goal was more surveillance they did ok.

reply


You don't have to use a Google powered phone. But the modern economy almost demands you have a cell phone.

reply


Carrier IQ was far more invasive than just location. Their "Experience Manager" was supposedly tracking every app launch, time spent in that app, metrics on key & button presses within that app, and other misc interactions.

They got accused of being a "keylogger" which they rightly said they weren't, but that ignores how invasive and creepy Experience Manager was (is?). Their whole argument was that carriers can use this app data to see what apps are draining battery, which is kind of bs since carriers are in no position to resolve battery issues or advise customers.

The reality is that carriers wanted more information on how customers were using their devices, Carrier IQ provided that raw data, and both got rich. They survived the scandal because the critics focused on keylogging, instead of the highly invasive usage analytics which it really was.

reply


Carriers are also selling your billing records. They offer a service to return the carrier billing address/name based on the mobile number.

Not only this but late last year all 4 of the major US carriers are offering APIs to convert mobile IP to a billing record (name/address/phone number).

reply


It's so strange--I never would have expected the boot of tyranny to come from private corporations, but here we are. And what all this proves is that technology is value-neutral and can wipe us all out, or just make us incredibly miserable, if we let it.

Hopefully there will be a way to opt out. Otherwise, I should start selling faraday bags for devices. Probably should anyways.

reply


This tracking abomination is an emergent phenomenon of the merger of private industry and government in the US. See for example both legalized bribery (a.k.a. unlimited campaign contributions by corporations thanks to Citizens United) and outright bribery (Cohen) by telecoms like AT&T, ensuring that they will have the flexibility to perpetrate such garbage as this tracking data sale.

Why not distrust both government and industry? The rule "power corrupts" holds in either case.

reply


Why not? Both government and private industry bring innumerable benefits to humanity. But we can and should view them both with constant skepticism and exercise vigilance. Why should holding one accountable mean that we can't hold the other accountable?

If you're looking for someone to root for, I'd suggest the individual citizen.

reply


> Hopefully there will be a way to opt out

Don't use a cellphone.

See also: the FBI can't wiretap your phone lines if you never use a telephone.

reply


Live in a cabin in the woods and never have contact with anyone. Now your surveillance worries are solved.

reply


I think it depends a lot on the kind of capitalism you have. There's what I think of as small-business capitalism, where business owners in a community naturally take the community's interest into account because that's where they live.

I think that's distinct from American MBA capitalism, which is the increase-shareholder-value, up-and-to-the-right, maximize-short-term-cash-gains kind.

The former is positive-sum, the latter can easily be negative sum. And I think the latter, because it doesn't include any humanity in its calculus, is perfectly capable of profitable tyranny.

reply


I've just started using Signal and was surprised by how good the call quality is. For those that aren't aware, Signal calls are encrypted, so you effectively give nothing to the cell carrier when you make a call through it (except that you used some data).

reply


Unless I misunderstood, this has nothing to do with what apps you use to communicate. It has to do with connecting to the cellular network at all. I think the only way around this would be to run airplane mode with wifi only, and then taking lots of steps to keep your wifi use private too.

reply


While it is true that Signal's call quality is great, this doesn't seem relevant to the fact that cell providers can track you regardless of what apps you use.

reply


> Signal calls are encrypted, so you effectively give nothing to the cell carrier when you make a call through it (except that you used some data).

Maybe not to your carrier, but presumably Google could capture some form of metadata.

reply

https://news.ycombinator.com/item?id=17081684