Right on the heels of the still-unresolved Cambridge Analytica scandal, a new set of data breaches have revealed yet another data privacy and security crisis. Read these words carefully: almost anyone can track your smartphone’s position in real-time and there’s nothing you can do about it while using your phone.
Your location data is up for sale
The business of selling your data is called Location-As-A-Service (LAAS), and business is good. According to a report by Allied Market Research, the entire industry is expected to grow by 26.6% from 2016 to 2022. But what is it?
Generally speaking, LAAS is simply the collection and sale of location data. There are different ways to monitor a phone’s location, but the primary technologies involved are GPS locations and mobile service triangulation.
The real privacy threat we need to talk about is mobile service triangulation. This technology is nothing new – cell phone triangulation has been around since at least 1996, and the earliest known use of triangulation to discover a location dates back to ancient Greece. Here’s the issue – as long as your phone is on and has service, you can’t opt out, block, disable, or otherwise prevent your mobile service provider from tracking you. Mobile service users are using this to their advantage by selling your location to businesses, governments, and law enforcement.
Depending on who’s buying it, how it’s being packaged, and how it’s used, this may or may not be a huge problem. In India, for example
, LAAS is growing in popularity because the older phones that many people in India use don’t have GPS. This makes it difficult for first responders to find patients as quickly as possible. LAAS solves this problem by providing first responders with the locations of patients. Now, if only every use of LAAS made me feel so warm and fuzzy…
Why this is a personal privacy crisis
Unfortunately, first responders aren’t the only ones buying LAAS data. Since they apparently think you pay way too little on your phone bill, service providers also sell user location data to big data firms.
Now we’re in really shady territory. Did you allow your service provider to sell your location data to third parties? If so, did you know that you gave them permission? Did they ask you? Who are they selling your location to? Why do they want it? What are they going to do with it? Are there any laws or regulations in place to control how your location information is used? Are your service provider and the companies they sell your location to determined to keep your data secure?
Fortunately, we have a recent example that provides some insight into many of these questions: LocationSmart. We’ve broken down the LocationSmart scandal in greater detail in this post
, but here are the important takeaways you need to know:
- LocationSmart is a for-profit corporation that buys real-time cellphone location data from major service providers.
- Until recently, LocationSmart’s website featured a free trial that could easily be tricked into providing the real-time location of any individual tracked by LocationSmart to anyone free of charge. The free trial was removed after security analysts notified LocationSmart about the vulnerability.
- One of LocationSmart’s clients is Securus, a company that provides various phone-related services to law enforcement. One of those services can be used to find the location of almost any phone in the US.
- Securus’ website was hacked by an anonymous hacker who was able to access the login information of thousands of law enforcement officials using the service. This enabled the hacker to access any of the location data provided to law enforcement by Securus.
- One law enforcement official was discovered using Securus’ location data in a suspicious way by tracking the locations of his colleagues and local judges.
The cherry on top is how Securus responded to questions by the New York Times regarding how personal cellphone location data is used. A representative said that “Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel.” In other words, the company denies any responsibility for ensuring that your data is used legally or responsibly!
So, let’s recap:
- Your location can be tracked and there’s nothing you can do about it (unless you leave your phone behind, turn it off, or never buy a service plan or mobile phone in the first place).
- The company that tracks your location sells it to other companies that can re-sell it to other companies.
- From what we’ve seen so far, at least a few of those companies have proven incapable of keeping location data secure, allowing anonymous third parties to access it.
- At least one of those companies doesn’t feel any sort of responsibility for ensuring that your location is used responsibly or legally.
What can you do about it?
Technologically, not much. You can turn on airplane mode, turn your phone off, leave it at home or throw it away, but there’s no way to both have cellphone service and be safe from location tracking.
The change has to come from the top in the form of legislation, meaning that there’s a difficult political battle ahead. Service providers must be forbidden from selling phone location data to third parties. Service providers and any other companies with your data must be punished for storing your data insecurely and allowing breaches to occur.
In the wake of the Securus scandal, one US Senator – Ron Wyden – has submitted an official inquiry to the FCC demanding that Securus’ operations be investigated. However, this isn’t enough. The US government needs to hear from you, and it needs to hear from thousands of other people who feel the same way you do.
Start talking about this topic with your family and friends. Share this post. Contact your government representatives and the organizations that fight for your right to privacy
in Washington DC. Demand your right to privacy and security.