When the US government massively expands its state surveillance policies despite the protests of privacy, civil rights and cybersecurity experts, it would be reasonable to expect that, at the very least, that data will be secured and handled with care. As a shocking report by Motherboard proves, however, they can’t even get that right.
Securus, a company that buys up smartphone location data from major US telecom companies and sells that data to law enforcement, was just hacked. The hacker sent documents to Motherboard proving that he had gained access to the account information of thousands of law enforcement officials who were using the service to track phones.
An article by the New York Times earlier this month revealed the Securus service and prompted Democratic Sen. Ron Wyden of Oregon to demand an investigation by the FCC. In a shining example of corporate responsibility, a Securus representative told the New York Times that “Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel.” If a cop says his search is legal, it’s legal!
Even before the company was hacked by an anonymous hacker, the data it was collecting was already being used in questionable ways (in addition to tracking private citizens). Indeed, a former sheriff of Mississippi County, Missouri, Cory Hutcheson, used the service to track local judges and other law enforcement officials.
To recap, this is a company that collects the locations of private citizens, sells that data to law enforcement, and feels no obligation to ensure that the data is used lawfully. In addition, its cybersecurity was flimsy enough that the company was hacked less than a week after the existence of its legally questionable and unethical service was exposed to the public.
Whenever there’s a discussion about the importance of online privacy in the face of government surveillance, someone’s bound to insist – “Why should I care? I have nothing to hide!” There are plenty of issues with that argument, but the case of Securus highlights one that cuts to the core of the matter – governments cannot be trusted with your private data.
The government is not a single, homogeneous, infallible entity. It consists of people, and people make mistakes. Some of those people have ulterior motives. Others will even abuse their authority to commit crimes. Sometimes, the government gets private companies like Securus to perform services for it, like handling your location data. Even the NSA has private contractors handling massive loads of data.
You may or may not trust “the government” with your location data, but do you trust the employees at Securus (a private company) with your data? How about law enforcement officials like Cory Hutcheson, who seemed to be using the tracking service to monitor people far beyond its intended purview? If Cory was a local sheriff who had a grudge against you and your family, would you still trust “the government” with your family’s personal location data?
And we haven’t even gotten to the massive failure in cybersecurity accountability that this debacle represents! In the documents provided to Motherboard, the hacker proved that they had accessed the login information of prison wardens, administrators, correctional officers, and other law enforcement officials – “the government.” They also indicated that the hack was “relatively simple,” though no further details have been published.
We can only hope that the hacker’s only goal was the exposure of this gross mishandling of private data, but what if it wasn’t? What if the data was accessed by malicious criminals or by a state hostile to the US? Would you still trust “the government” with your private data then? You should hope that the government places a high priority on sensitive data, and in some cases (like the military), you might be right – but is our private data considered sensitive data? Just a few days ago, the White House eliminated the cybersecurity coordinator’s position, and it is unlikely that this was done due to a deep desire for greater cybersecurity.
Unfortunately, this one’s a tough nut to crack when it comes to smartphones. There’s no way to prevent your phone from being tracked while also remaining connected to your network and capable of receiving and making phone calls. If that second point isn’t an issue, turn your phone off, leave it at home, or turn on airplane mode.
Turning off your location settings will make it harder to discover your location, but not impossible. To maintain a constant connection, modern phones always try to stay connected to at least three cell phone towers. As long as this is true, your service provider (and, by extension, the government) will be able to triangulate your approximate location to varying degrees of accuracy.
There’s an additional player in this story, and it turns out that the originally reported security vulnerability was even worse than previously thought.
Securus bought location data from LocationSmart, a company that collects location data from telecoms and sells it to a wide variety of different companies. Just about anybody willing to pay can track your location!
However, cybersecurity researcher Robert Xiao discovered that there’s an even easier way. He revealed an exploit where the company’s free demo could be used to discover a cellphone’s exact location without even logging in. Anyone, anytime, for any reason, could use their platform to track someone’s exact location. He even tested it on his friends!
This information was published in a report by cybersecurity journalist Brian Krebs only after the vulnerability was fixed. However, it helps to reinforce the point that many powerful institutions are not being serious enough about securing sensitive data and that governmental data collection cannot be trusted.