Ron Wyden

Auto Added by WPeMatico

Despite promises to stop, US cell carriers are still selling your real-time phone location data

Last year, four of the largest U.S. cell carriers were caught selling and sending real-time location data of their customers to shady companies that sold it on to big spenders, who would use the data to track anyone “within seconds” for whatever reason they wanted.

At first, little-known company LocationSmart was obtaining (and leaking) real-time location data from AT&T, Verizon, T-Mobile and Sprint and selling access through another company, 3Cinteractive, to Securus, a prison technology company, which tracked phone owners without asking for their permission. This game of telephone with people’s private information was discovered, and the cell carriers, facing heavy rebuke from Sen. Ron Wyden, a privacy-minded lawmaker, buckled under the public pressure and said they’d stop selling and sharing customers’ locations.

And that would’ve been that — until it wasn’t.

Now, new reporting by Motherboard shows that while LocationSmart faced the brunt of the criticism, few focused on the other big player in the location-tracking business, Zumigo. A payment of $300 and a phone number was enough for a bounty hunter to track down the participating reporter by obtaining his location using Zumigo’s location data, which was continuing to pay for access from most of the carriers.

Worse, Zumigo sold that data on — like LocationSmart did with Securus — to other companies, like Microbilt, a Georgia-based credit reporting company, which in turn sells that data on to other firms that want that data. In this case, it was a bail bond company, whose bounty hunter was paid by Motherboard to track down the reporter — with his permission.

Everyone seemed to drop the ball. Microbilt said the bounty hunter shouldn’t have used the location data to track the Motherboard reporter. Zumigo said it didn’t mind location data ending up in the hands of the bounty hunter, but still cut Microbilt’s access.

But nobody quite dropped the ball like the carriers, which said they would not to share location data again.

T-Mobile, at the center of the latest location-selling revelations for passing the reporter’s location to the bounty hunter, said last year in the midst of the Securus scandal that it “reviewed” its real-time location data sharing program and found appropriate controls in place. To appease even the skeptical, T-Mobile chief executive John Legere tweeted at the time that he “personally evaluated the issue” and promised that the company “will not sell customer location data to shady middlemen.”

It’s hard to see how that isn’t, in hindsight, a downright lie.

Sounds like word hasn’t gotten to you, @ronwyden. I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen. Your consumer advocacy is admirable & we remain committed to consumer privacy. https://t.co/UPx3Xjhwog

John Legere (@JohnLegere) June 19, 2018

This time around, T-Mobile said it “does not have a direct relationship” with Microbilt but admitted one with Zumigo, which, given the story and the similarities to last year’s Securus scandal, could be considered one of many “shady middlemen” still obtaining location data from cell carriers.

Legere later said in a tweet late Wednesday that the company “is completely ending” its relationships with location aggregators in March, almost a year after the company was first implicated in the first location-sharing scandal.

It wasn’t just T-Mobile. Other carriers were also still selling and sharing their customers’ data.

AT&T said in last year’s letter it would “protect customer data” and “shut down” Securus’ access to its real-time store of customer location data. Most saw that as a swift move to prevent third-parties accessing customer location data. Now, AT&T seemed to renege on that year-ago pledge, saying it will “only permit the sharing of location” in limited cases, including when required by law.

Sprint didn’t say what its relationship was with either Zumigo or Microbilt, but once again — like last year — cited its privacy policy as its catch-all to sell and share customer location data. Yet Sprint, like its fellow carriers AT&T and T-Mobile, which pledged to stop selling location data, clearly didn’t complete its “process of terminating its current contracts with data aggregators to whom we provide location data” as it promised in a letter a year ago.

Verizon, the parent company of TechCrunch, wasn’t explicitly cleared from sharing location data with third-parties in Motherboard’s report — only that the bounty hunter refused to search for a Verizon number. (We’ve asked Verizon if it wants to clarify its position — so far, we’ve had nothing back.)

In a letter sent last year when the Securus scandal blew up, Verizon said it would “take steps to stop” sharing data with two firms — Zumigo and LocationSmart, an intermediary that passed on obtained location data to Securus. But that doesn’t mean it’s off the hook. It was still sharing location data with anyone who wanted to pay in the first place, putting its customers at risk from hackers, stalkers — or worse.

Wyden. who tweeted about the story, said carriers selling customer location data “is a nightmare for national security and the personal safety of anyone with a phone.” And yet there’s no way to opt out — shy of a legislative fix — given that two-thirds of the U.S. population aren’t going to switch to a carrier that doesn’t sell your location data.

It turns out, you really can’t trust your cell carrier. Who knew?

Powered by WPeMatico

Tall Poppy aims to make online harassment protection an employee benefit

For the nearly 20 percent of Americans who experience severe online harassment, there’s a new company launching in the latest batch of Y Combinator called Tall Poppy that’s giving them the tools to fight back.

Co-founded by Leigh Honeywell and Logan Dean, Tall Poppy grew out of the work that Honeywell, a security specialist, had been doing to hunt down trolls in online communities since at least 2008.

That was the year that Honeywell first went after a particularly noxious specimen who spent his time sending death threats to women in various Linux communities. Honeywell cooperated with law enforcement to try and track down the troll and eventually pushed the commenter into hiding after he was visited by investigators.

That early success led Honeywell to assume a not-so-secret identity as a security expert by day for companies like Microsoft, Salesforce, and Slack, and a defender against online harassment when she wasn’t at work.

“It was an accidental thing that I got into this work,” says Honeywell. “It’s sort of an occupational hazard of being an internet feminist.”

Honeywell started working one-on-one with victims of online harassment that would be referred to her directly.

“As people were coming forward with #metoo… I was working with a number of high profile folks to essentially batten down the hatches,” says Honeywell. “It’s been satisfying work helping people get back a sense of safety when they feel like they have lost it.”

As those referrals began to climb (eventually numbering in the low hundreds of cases), Honeywell began to think about ways to systematize her approach so it could reach the widest number of people possible.

“The reason we’re doing it that way is to help scale up,” says Honeywell. “As with everything in computer security it’s an arms race… As you learn to combat abuse the abusive people adopt technologies and learn new tactics and ways to get around it.”

Primarily, Tall Poppy will provide an educational toolkit to help people lock down their own presence and do incident response properly, says Honeywell. The company will work with customers to gain an understanding of how to protect themselves, but also to be aware of the laws in each state that they can use to protect themselves and punish their attackers.

The scope of the problem

Based on research conducted by the Pew Foundation, there are millions of people in the U.S. alone, who could benefit from the type of service that Tall Poppy aims to provide.

According to a 2017 study, “nearly one-in-five Americans (18%) have been subjected to particularly severe forms of harassment online, such as physical threats, harassment over a sustained period, sexual harassment or stalking.”

The women and minorities that bear the brunt of these assaults (and, let’s be clear, it is primarily women and minorities who bear the brunt of these assaults), face very real consequences from these virtual assaults.

Take the case of the New York principal who lost her job when an ex-boyfriend sent stolen photographs of her to the New York Post and her boss. In a powerful piece for Jezebel she wrote about the consequences of her harassment.

As a result, city investigators escorted me out of my school pending an investigation. The subsequent investigation quickly showed that I was set up by my abuser. Still, Mayor Bill de Blasio’s administration demoted me from principal to teacher, slashed my pay in half, and sent me to a rubber room, the DOE’s notorious reassignment centers where hundreds of unwanted employees languish until they are fired or forgotten.

In 2016, I took a yearlong medical leave from the DOE to treat extreme post-traumatic stress and anxiety. Since the leave was almost entirely unpaid, I took loans against my pension to get by. I ran out of money in early 2017 and reported back to the department, where I was quickly sent to an administrative trial. There the city tried to terminate me. I was charged with eight counts of misconduct despite the conclusion by all parties that my ex-partner uploaded the photos to the computer and that there was no evidence to back up his salacious story. I was accused of bringing “widespread negative publicity, ridicule and notoriety” to the school system, as well as “failing to safeguard a Department of Education computer” from my abusive ex.

Her story isn’t unique. Victims of online harassment regularly face serious consequences from online harassment.

According to a  2013 Science Daily study, cyber stalking victims routinely need to take time off from work, or change or quit their job or school. And the stalking costs the victims $1200 on average to even attempt to address the harassment, the study said.

“It’s this widespread problem and the platforms have in many ways have dropped the ball on this,” Honeywell says.

Tall Poppy’s co-founders

Creating Tall Poppy

As Honeywell heard more and more stories of online intimidation and assault, she started laying the groundwork for the service that would eventually become Tall Poppy. Through a mutual friend she reached out to Dean, a talented coder who had been working at Ticketfly before its Eventbrite acquisition and was looking for a new opportunity.

That was in early 2015. But, afraid that striking out on her own would affect her citizenship status (Honeywell is Canadian), she and Dean waited before making the move to finally start the company.

What ultimately convinced them was the election of Donald Trump.

“After the election I had a heart-to-heart with myself… And I decided that I could move back to Canada, but I wanted to stay and fight,” Honeywell says.

Initially, Honeywell took on a year-long fellowship with the American Civil Liberties Union to pick up on work around privacy and security that had been handled by Chris Soghoian who had left to take a position with Senator Ron Wyden’s office.

But the idea for Tall Poppy remained, and once Honeywell received her green card, she was “chomping at the bit to start this company.”

A few months in the company already has businesses that have signed up for the services and tools it provides to help companies protect their employees.

Some platforms have taken small steps against online harassment. Facebook, for instance, launched an initiative to get people to upload their nude pictures  so that the social network can monitor when similar images are distributed online and contact a user to see if the distribution is consensual.

Meanwhile, Twitter has made a series of changes to its algorithm to combat online abuse.

“People were shocked and horrified that people were trying this,” Honeywell says. “[But] what is the way [harassers] can do the most damage? Sharing them to Facebook is one of the ways where they can do the most damage. It was a worthwhile experiment.”

To underscore how pervasive a problem online harassment is, out of the four companies where the company is doing business or could do business in the first month and a half there is already an issue that the company is addressing. 

“It is an important problem to work on,” says Honeywell. “My recurring realization is that the cavalry is not coming.”

Powered by WPeMatico

Pressure In Congress Grows For GPS Tracking Reform After Supreme Court Passes On Cell Phone Case

capitol Senators and House representatives this week are calling on Congress to act on bills that would limit location tracking and phone surveillance after the Supreme Court decided not to hear a cell phone case earlier this week. The justices on Monday declined to review a federal court’s decision from earlier this year that police do not need a warrant to seize and search cell phone records… Read More

Powered by WPeMatico