Cell service providers can and do track your cellphone location. All they have to do is measure the signal strength of your cellphone at different towers, and they can triangulate its position.
https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...
I’m not familiar with other locations, but in the US, you only have the choice between three cell service providers. All of them admit to selling their own customers’ location data to third parties in their Privacy Policies.
AT&T https://about.att.com/csr/home/privacy/full_privacy_policy.h...
Verizon https://www.verizon.com/about/privacy/full-privacy-policy
T-Mobile/Sprint https://www.t-mobile.com/privacy-center/our-practices/privac...
Remember, you’re paying for these services. But they still sell you out.
I seriously recommend you read the privacy policy for your provider. It seems they collect as much data as possible (not just location, also browsing history and a whole host of other metrics) and share it with as many different parties as possible.
If you are using a cellphone, your location is being tracked. Period. You can’t avoid it. Even TOR isn’t gonna help you.
I worked on this story (and the others, we're still publishing [1] [2]).
The dataset we bought from Tamoco didn't contain an app name for most of the data. So instead of guessing, we're open about the fact that we don't quite know. Which is sort of the issue here – there's not a lot of transparency around what is collected and by whom.
The Norwegian Data Protection Agency (DPA) has opened an investigation into Tamoco [2] after our first story, and they want to cooperate with the UK DPA.
[1] https://translate.googleusercontent.com/translate_c?depth=1&...
[2] https://translate.googleusercontent.com/translate_c?depth=1&...
Having access to original NRK data, is it possible to deanonymize more people (try to check your home address, NRK HQ, etc), and ask them for a list of installed apps to check if all have one in common? Although it's questionable from a privacy point of view, so probably better to pursue it in legal ways.
>We may de-identify or aggregate information so that Verizon or others may use it for business and marketing purposes. For example, the data we aggregate might be used to analyze, personalize and improve our services, to provide business and marketing insights to others and to help make advertising more relevant to you. You have choices about some of these uses
From AT&T:
>Equipment Information includes information that identifies or relates to equipment on our networks, such as type, identifier, status, settings, configuration, software or use. Location Information includes your street address, your ZIP code and where your device is located. Location information is generated when the devices, Products or Services you use interact with cell towers, Wi-Fi routers, Bluetooth services, access points, other devices, beacons and/or with other technologies, including GPS satellites. [...] We may share information with AT&T affiliates and with non-AT&T companies to deliver or assess effectiveness of advertising and marketing campaigns
Remember that many people ‘have nothing to hide’ so they turn on services like Google Latitude. Then later they’re all surprised when their data is sold to the highest bidder.
Here, have a read at this article on how cell phones operate and how to track them. Wrote that a few years ago.
https://thehftguy.com/2017/07/19/what-does-it-really-take-to...
And the HN discussion, where developers admit they've been developing that for real for years: https://news.ycombinator.com/item?id=14803443
You don't have to speculate, the article does state the method:
>> All modern mobile phones have a GPS receiver, which with the help of satellite can track the exact position of the phone with only a few meters distance.
>> The position data NRK acquired consisted of a table with four hundred million map coordinates from mobiles in Norway. A number in the table led us on the trail of Karl Bjarne Bernhardsen.
I think the general observation is that they (government, cell providers, 3rd parties to whom this is sold) have access to most GPS data and all cell tower triangulation data; the latter they have however often it is set up to be recorded.
If you then have a dataset of let's say 100 points around a location you can estimate the exact location even better.
Do you have any proof that Google does exactly this?
I don't like Google at all (anymore) but I thought Google was somewhat ok in that they never sold my raw data points even if they would sell access to place an ad to "visitors who have been at this geographic location recently".
Well.. no, you already revealed where you were going.
My paranoia is fulfilled with switching the phone off (before leaving home), but others would rely on removing the battery. Snowden recommended putting it in a fridge.
> If you are using a cellphone, your location is being tracked. Period. You can’t avoid it. Even TOR isn’t gonna help you.
It is still possible to buy an anonymous SIM in a few countries.
Ultimately, free is the culprit. People like to navigate, buy stuff online, see things on a map, get local weather, and so on - especially if it is free. The old adage about if it is free, you are the product probably applies.
False... Plenty of companies take your money and still sell your data.
The cell provider location data is the most insidious. They add noise to it, but the central limit theorem is a real thing and people who buy the data are aware of that.
[1] https://www.nytimes.com/2020/01/15/technology/data-privacy-l...
[2] https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...
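Why per-report noise does not hide a place that is reported many times, as the central limit theorem remark above suggests. This is an added example, not part of the original thread: the data is constructed, and the 200 m noise level, the independent Gaussian noise model and all function names are assumptions made for illustration.

```python
import math
import random

def noisy_fixes(true_xy, sigma_m, n, rng):
    """Constructed data: n reports of one fixed place (coordinates in metres),
    each shifted by independent Gaussian noise of sigma_m per axis (assumed model)."""
    x, y = true_xy
    return [(x + rng.gauss(0, sigma_m), y + rng.gauss(0, sigma_m)) for _ in range(n)]

def centroid(points):
    """Plain average of the reported positions."""
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)

def residual_error(true_xy, sigma_m, n, trials=2000, seed=1):
    """Mean distance (m) between the centroid of n noisy reports and the true
    place, averaged over repeated simulated releases."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    total = 0.0
    for _ in range(trials):
        cx, cy = centroid(noisy_fixes(true_xy, sigma_m, n, rng))
        total += math.hypot(cx - true_xy[0], cy - true_xy[1])
    return total / trials

def expected_error(sigma_m, n):
    """Theory: averaging n independent reports leaves sigma/sqrt(n) per axis;
    the mean 2-D distance is the Rayleigh mean, sigma/sqrt(n) * sqrt(pi/2)."""
    return sigma_m / math.sqrt(n) * math.sqrt(math.pi / 2)

if __name__ == "__main__":
    home = (0.0, 0.0)   # constructed "true" location
    sigma = 200.0       # assumed noise added per report, in metres
    for n in (1, 10, 100, 1000):
        print(f"n={n:5d}  simulated={residual_error(home, sigma, n):7.1f} m"
              f"  theory={expected_error(sigma, n):7.1f} m")
```

The residual error shrinks with the square root of the number of reports, so noise that looks generous on a single record protects little for a home or workplace that appears in the data every day; a release has to bound what accumulates per person, not per record.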
I would happily pay for a provider that doesn’t triangulate my location 24/7, but none exist.
Ironically, the data of paying customers is even more valuable. Spending money on these things is probably a great way to make them pay even more attention to you. For example, mobile game companies seem to know everything about their big spenders and I've read that some are in direct contact with those players.
That's the point, they "gave consent" via the terms and conditions checkbox, and this is upheld in court since the user knew they were getting the service for free. Few countries have kept up with their laws to protect consumers from this.
I don't get this argument when an alternative doesn't exist.
Not saying that's the right approach, but that's probably how the thinking goes. Billing is certainly easier than it used to be (that's what the 30% app store cut is for), but can still get convoluted, and might have the perception of being convoluted.
If you pay then you signal that you have disposable income and your data becomes even more lucrative to sell. It’s a no-win situation.
No, it isn't. Consumer data being sold in a completely unregulated manner is the culprit.
Paying for the product or service has nothing to do with whether or not your data is being sold.
Sort of. The real question is: how much does Google make with their free ad-driven model? You'd have to beat that with a paid model (taking into account the reduced userbase as a result of increasing the perceived price).
Also there is genuine value to having $0-cost high-quality maps, Internet search, translation, and many many many other things available to the general public, worldwide. I don't think you could match that same level of public benefit with a paid-only product.
For example, there's a popular email client that scrapes people's inboxes and sells their purchase history to anyone willing to pay. That purchase history is provided on an individual email level and is "anonymized". But if you know your target has this email client installed and you know a single purchase (e.g. a coworker saying "Oh, I bought this awesome coffee maker on Amazon last night!") you can now access their entire individual purchase history backward and forward.
This x1000.
I have seen people invite others to eat lunch at restaurants that only accepted credit cards in order to elicit such a data sample.
Care to share which email client it is? It should be killed with fire!!!
"Over the past year, his cellphone has revealed where he has been for almost 24 hours."
"Nor do tens or thousands of other Norwegians."
"Just before eight o'clock in the evening, a perfect little boy comes to the world at Stavanger University Hospital."
EDIT: The rest of the article is littered with these minor errors every few sentences. I didn't bother including any more quotes here.
Wait, no, that's America. I was thinking of America.
It is a pity they did not do better forensics on the installed apps. One or more were revealing the location.
But it can't be reported enough, for the general public.
I gather that NRK is the BBC equivalent for Norway, so it's not surprising that Tamoco sold so much data to it. But I wonder how selective Tamoco and its competitors are.
In particular, I can imagine that there's a substantial market for data that facilitates tracking people. Bounty hunters. Repo agents. Private investigators.
But also people who want to stalk others for whatever reasons. If someone could document that application, perhaps there'd be "pitchforks and torches".
Could I have an Android phone running a program that spoofs a long steady drive from Tampa to Butte?
You could also run an Android VM in the cloud and RDP to it when you want to use sketchy (edit: free) apps. This approach could have saved Bezos some trouble [2].
[1] https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...
[2] https://www.nytimes.com/2020/01/22/technology/jeff-bezos-hac...
The article also points to WhatsApp as the infection vector.
I agree that anything Facebook produces is fair game as far as being sketchy goes, but it’s not the only messaging platform to have been exploited.
Do we run all messaging services in independent sandboxes in VMs?
In short, yes.
If enough people do it in a way that cannot be easily detected, the market for this sort of data will shrink quickly.
Using it as a daily driver is not advisable though.
Android has built-in support for location spoofing with the developer mode option, select mock location app.
Generally speaking, there are no laws against merely possessing data, unless the data itself was the result of a crime.
Maybe you mean selling the data? That's nuanced. It seems to be illegal for phone-companies to sell your real-time cellphone location... but historical data? App developers instead of phone companies? The devil is probably in the details in terms of what constitutes a crime and what is just shady business. See [1] where AT&T sells your location data but insists it's not technically illegal (but claims they stopped selling it anyway).
Many companies try to anonymise this data anyway because it's good business to not piss off your customers.
[1] https://www.theverge.com/2019/5/17/18629553/att-t-mobile-spr...
It's not about selling data - purchasing the data or having it or using it also are covered.
If so, this could be a lot of fun. It would be interesting to see the political backlash, especially if the published dataset includes politicians. Perhaps, in the name of ethics, it should include only politicians, and only those who have voted against privacy legislation. Maybe we'd finally end up with something like the GDPR here in the States.
Big companies can get away with crimes while the same thing would result in successful prosecution if a little guy does it, so you might very well get in trouble even though you're doing exactly the same thing as an existing company that manages to stay out of trouble.
I however support your idea regardless of its legality (and especially if the data happens to contain details on politicians, the majority of which are responsible for the situation being as-is) and suggest you publish it anonymously (through Tor).
Apple and Google create systems that make it possible to harvest data with no user control possible. Neither provide the ability to see or stop data leaving your mobile device.
They do this so they can attract developers to their platform.
They do provide "controls" to prevent some sort of data access to prevent mindful users from leaving the platform.
It's just that the controls have the same sort of ambiguity as a privacy policy. Many people still don't understand that "location services" really means two-way, or that Bluetooth can be a proxy for very fine-grained location tracking.
I hope that we finally get alternative phones (say PinePhone or Purism) because I firmly believe there's a HUGE market opportunity for this sort of thing.
I’d say they don’t care to know, not that they don’t care. Ignorance is not a defence, even if it is temporarily a business case.
I've got the reply "if you don't like it, stay off the internet". Well.
If these companies are able to keep on truckin’ with massive user bases who don’t seem to care that the entire business model rests on flagrant violation of data privacy and data reselling, why would you ever expect anyone to care about the long tail of scammy lesser known data resellers?
Companies like Yelp or Foursquare are essentially as scammy as it can possibly be, with the scamminess shoved right in users’ faces, with lots of middle fingers and half-hearted sound bites about respecting data privacy. If users don’t react in horror and delete accounts / stop contributing en masse in response to that, why would you ever think an expose about something a further ten degrees removed from the user’s immediate experiences is going to cause any reaction?
People just don’t care.
In reality, most users really do not understand or consent to the level of data tracking and are very confused about terms of use or privacy settings in the app or just on their device.
The big problem is that it is just not possible for the vast majority of people to have enough expertise or technical know-how to give anything resembling informed consent. Whatever the user is agreeing to, it emphatically is not anything like consent.
Again this is from my memory of MITM proxying iOS.
-> ok so yelp bought "Turnstyle WiFi" which runs wifi hotspots at businesses like Burger King and collects client data ...keeps reading... oh god their wifi is worse than their burgers this is sickening