It is well-known that customer privacy is often not a priority for mobile phone providers. We all know that they are in cahoots with the government policing and spying apparatus. Well, no surprise, that’s not all they’re up to. An enterprising software engineer, Philip Neustrom, took to his blog to shed some light on their activities. He revealed that cellular providers are allowing third parties to receive detailed information about you. This information includes phone contract details, your phone number, and your location. The intent of the service is to verify users for applications like mobile banking and payments. It is worth noting that the identity service is not for the general public. It’s intended audience is those who subscribe to the toolkit, and pay the mobile providers a fee. Neustrom demonstrated, however, those companies may be giving your info out without much scrutiny.
The information in the demo is only accessible if the IP address you are requesting information matches your own IP. As noted in the blog post, these safeguards may not be in place if somebody uses another method to access the data. Specifically mentioned is the payfone.com API, which appears to allow batch lookups of user information. The criteria for a client to lookup data through this service appears to be only that you have to say that the target agreed. Another demo from Danal required a zip-code to verify. There is no real evidence that mobile providers are making any effort to make sure that users are actually consenting. Since Neustrom’s post, both Payfone and Danal have, unsurprisingly, removed the demos.
So, you might be asking by now, how can they do this and not inform the consumer? They can’t, at least that is what the FCC said last year in a related matter. For several years, Verizon was using tracking headers in its mobile traffic, without user consent. These headers uniquely identified the device to any website that it visited. The FCC and Verizon came to an agreement that essentially states that no tracking without explicit permission is allowed. The EFF claimed this as a “Victory”, but it seems that the mobile industry did not get the message about informed consent. Based on a quick browse of Payfone and Danals websites, they both have relationships with most major carriers. This seemingly indicates that all of those carriers have an identity service, to some degree. AT&T and Verizon have provided this service to enterprise customers for several years. Verizon since at least 2014 and AT&T since 2013.
With Verizon’s UIDH Header, the biggest issue is that it allows websites and ad networks to track users. Even if those users had cookies disabled, or “Do Not Track” features turned on in their browsers. This was an invasion of privacy for sure, but, this new revelation raises that bar substantially.In addition to concerns about tracking, this service provides much more personal information, and scarier yet real-time location. The potential for abuse here is staggering.
I would like to believe that this service exists to protect consumers and companies against fraud. That may be most of the reason for the existence of the service. However, the fact that the mobile providers are selling the access, makes the motives questionable. No matter the motives, it is clearly very to easy to get access to this data. The fact that users are not conspicuously notified about this system is unacceptable. And, no, burying the notice somewhere in a multi-page TOS/privacy document doesn’t count, if that even happened in this case. The wireless companies, or the FCC, need to take action to address this, and soon.