It’s the biggest privacy scandal you’ve never heard of—a series of new discoveries detailing the surprising scope and scale of the unauthorized location-tracking programs operated by the largest wireless carriers in America, and the flimsy protections they and their third-party partners place on your hypersensitive location data.
Anyone with a cell phone is likely at risk, making its impact potentially broader than Facebook’s notorious Cambridge Analytica firestorm. And because the unsanctioned data collection tracks the real-time movements of nearly every cell phone in the country, the misuse of that data could put consumers’ physical safety at risk.
Yet the scandal has elicited barely a whimper in the halls of power and across the country. Few in Congress seem aware of the issue, and even fewer interested in investigating it. The Federal Communications Commission has begun a probe into some of the allegations, but does not appear to be moving with any particular haste. And in the chaos surrounding last week’s rollout of new European privacy rules, the revelations appeared to slide under the radar of even some data-privacy experts.
Robert Xiao—a researcher from Carnegie Mellon University who this month discovered a security flaw on the website of tracking firm LocationSmart allowing anyone with internet access to triangulate the real-time location of nearly every mobile phone in America—is frustrated that the issue isn’t being taken seriously.
“People were suggesting that I should’ve gone on there and downloaded the locations for 100 million Americans, or whatever, and dumped it online,” Xiao told National Journal. “That might’ve had the desired effect.”
Some experts say the steady drumbeat of new privacy breaches may be paradoxically causing consumers to lose interest. Ernesto Falcon, the legislative counsel at the Electronic Frontier Foundation, noted that the public has been hit over the last several years with news of massive breaches at Yahoo, Equifax, Facebook and now the wireless carriers.
“People are getting fatigued,” he said. “They’re still angry, but they’re getting kind of fatigued by the fact that they just don’t have control.”
While the fundamentals of this incident and the Cambridge Analytica scandal are similar, Xiao believes the breach of mobile-tracking data hasn’t sparked a Facebook-style fracas because it fails to feed the public’s fascination with President Trump and his campaign.
In the wake of the Facebook scandal, some commentators mused that Americans may finally be waking up to the problems caused by a lack of data privacy. Xiao disputes that notion, arguing that any privacy issue lacking a Trumpian bent simply doesn’t have the staying power in today’s news cycle. He pointed to the lack of major public outcry or legislative action following last fall’s massive Equifax breach as a prime example.
“Equifax is still happily in business, doing what they’ve always done. They haven’t really changed anything about their processes,” Xiao said. “They sort of weathered the storm by being very quiet and, frankly, not being related to Trump.”
LocationSmart is one of an indeterminate number of third-party firms partnering with AT&T, Verizon, T-Mobile, and Sprint to better track the real-time location of their customers’ mobile phones. The technology is used to accurately route emergency responders, and its utilization by law enforcement has at times sparked controversy.
The extent to which users’ location data is shared with or sold to other firms remains unclear, and there’s no way for cell-phone subscribers to opt out of the tracking. Experts have long worried that the databases were poorly secured and at risk of abuse or cyberattacks.
Those concerns crystallized this month, when it was revealed that a Missouri sheriff allegedly used the services of another firm called Securus Technologies to improperly track the movements of fellow police officers and a judge.
Then came the news of a successful hack against Securus, which saw the usernames and passwords of more than 2,800 law enforcement users stolen. Just days later, Xiao discovered anyone could use LocationSmart’s free trial version to look up the location of nearly any cell phone in America. Xiao alerted the company, which moved to quickly close that particular loophole.
Privacy experts say the sudden surge of allegations surrounding the abuse and mismanagement of Americans’ location data raises additional questions, including the scope of data-sharing with insecure third parties and the need to update outdated privacy laws that fail to protect the new types of data constantly streaming from smartphones.
“What these scandals reveal to me is that we don’t have very much information at all about how these things are handled, and the few examples that we have should raise alarm bells,” said Neema Singh Guliani, a legislative counsel at the American Civil Liberties Union.
Sen. Ron Wyden sent a letter to the FCC this month over the Securus scandal, helping kickstart an investigation. The Oregon Democrat also sent a list of questions to the four major wireless carriers, and his office says that as of Thursday, the senator has yet to receive a response from any of them.
And Thursday, Rep. Frank Pallone, the ranking member on the House Energy and Commerce Committee, called on Chairman Greg Walden to hold a hearing on the issue of unauthorized cell phone tracking.
But outside of Wyden and Pallone, almost no one on Capitol Hill is discussing the issue. Walden’s office told National Journal last week that the committee was “considering [Pallone’s] request,” but could not provide further information. And a spokesman for Sen. John Thune, chairman of the Senate Commerce Committee, said the senator was not considering holding a hearing at this time.
In a statement provided to National Journal, Wyden expressed disappointment that his fellow lawmakers and the public seemed largely unconcerned by the issue.
“This is an extremely complicated issue, maybe more complex than the Facebook/Cambridge Analytica scandal, so it can take time to educate members of Congress and the public about just how dangerous these leaks are,” Wyden said. “You can choose to close your Facebook account, but it’s much harder to go without a cell phone in 2018 America.”
“The privacy and security of nearly every adult American is impacted by the LocationSmart leak and the entire ecosystem of selling Americans’ location data, so it would be well worth the Commerce Committee’s time to investigate the issue,” Wyden added.
Wyden did note that he was glad the FCC has opened an investigation into unauthorized cell-phone tracking. But he worried that Republican Chairman Ajit Pai “is more interested in protecting the wireless carriers than protecting the privacy and security of Americans.”
Some data-privacy experts are similarly put out by the lack of attention on this issue. “It is disappointing that there hasn’t been a more urgent response, but we’ll keep working on it,” said Michelle Richardson, the deputy director at the Center for Democracy and Technology’s Freedom, Security, and Technology Project. “This is a long arc.”
Falcon said that if Xiao had decided to download and release the real-time location data for tens of millions of Americans—instead of working to quickly plug the hole—the response would’ve likely been quite different. “If someone downloaded everything LocationSmart did and then uploaded it to a website for all to see, suddenly you would have a riot,” Falcon said.
“It reaches general, mass population when there’s a fire,” Falcon added. “I have complete confidence that the fire’s coming. It’s just a matter of when.”