Earlier this week Philip Neustrom, co-founder of Shotwell Labs, discovered something interesting and documented his findings in this blog post. Neustrom found a pair of websites that, when visited by a mobile device over a cellular connection, appeared to easily glean numerous personal details about the visitor, including the visiting user's name, billing zip code, location data, and more. Users simply needed to input a zip code, and the carriers providing their cellular service seemingly handed over oodles of personal data without user consent or an opt-out.

What's actually happening here?
According to Neustrom, the two websites demonstrated the existence of services that use your mobile phone's IP address to look up your phone number, your billing information and possibly your phone's current location as provided by cell towers and mobile carriers. Said services purportedly help detect fraud by cross-referencing user-provided billing or phone number information with the cell phone provider's records or GPS location.
Such systems have practical security uses; for example, letting a company verify that a customer or employee is who they say they are. But while the intention may not be nefarious, the implementation is troubling all the same, Neustrom noted.
"US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services -- not just federal law enforcement officials -- who are then selling access to that data," he stated. "Given the trivial 'consent' step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight."
Attempting to opt out of this information sharing via T-Mobile, AT&T and Verizon's opt-out systems appears to do nothing. The discovery parallels the revelation a few years ago that Verizon was covertly modifying wireless users' data packets to track their online activity without informing them or allowing them to opt out.
Neustrom's discovery does appear to have touched a nerve. Not only were both websites quickly pulled offline by telco partners like Payfone once his post appeared, but Payfone also made its API documentation private. After the article's publication, a joint video presentation by AT&T and Danal documenting the uses of this technology was also pulled offline. Neither telco has been willing to comment publicly yet about the discovery.