back to article Remember how you said it was cool if your mobe network sold your name, number and location?

US mobile phone companies appear to be selling their customers' private data – including their full name, phone number, contract details, home zip code and current location to third parties – all in the name of security. Security researcher Philip Neustrom found and linked to demo sites run by two mobile authentication …

  1. BrownishMonstr

    If you aren't paying for the product then you are the product...oh, wait...

    1. Teiwaz Silver badge

      You are the product, and you are being watched like a soap opera.

      Google and the 'free in return for slurp' were the foot in the door.

      Then some companies found they could get away with getting paid for the product and also get the usage and other personal data like it's a 20% extra free deal.

      Now it's just a free for all - Governments are all at it, the regulatory bodies are mostly laughable or toothless or both plus a few more shades of useless.

      If the phone buying masses ever become data aware, they'll be sims and broken phone screens in the streets...

      1. big_D Silver badge

        Re: You are the product, and you are being watched like a soap opera.

        Thank goodness for Max Schrems.

      2. Anonymous Coward
        Anonymous Coward

        Re: You are the product, and you are being watched like a soap opera.

        You can't even choose just to let one company (e.g. Google) slurp now, now slurping is done at every layer of the network, operator, and services you consume and their ad-mongering overloads to fund them.

        It's not really possible to read all these T&C in conjunction anymore.

        Basically, if you want privacy, get off the grid.

        If you want to give up privacy for some benefit to your own chosen provider, forget it, it's impossible.

        If you don't care, then just go ahead and watch your data spread like oil on water!

      3. phuzz Silver badge
        Headmaster

        Re: You are the product, and you are being watched like a soap opera.

        "Google and the 'free in return for slurp' were the foot in the door."

        They're just following in the footsteps of the old "fill in this survey and get a free widget" scams of yesteryear, or even "collect X tokens from promotional boxes of Y and send them to us along with your address and get a free Z".

        Offering something for free in order to harvest someone's address has been working for years.

    2. TheVogon Silver badge

      Thank goodness for the GDPR in the EU...

  2. JamesPond
    FAIL

    "very rigorous framework of security and data privacy consent".

    Target and Yahoo! and Sony and Experian et al said their customer's data and privacy were their highest priority....and then singularly failed to do very much to actually protect it. Not so much a police state as a commercial state. Lets face it, data on us is worth money to someone somewhere so is this latest revelation really news to us?

    1. John Brown (no body) Silver badge

      Re: "very rigorous framework of security and data privacy consent".

      It's the new generation of Robber Barons. They're making hay while the sun shines until one day, eventually, it'll all come crashing down around their heads. Except by then, they won't care because they'll have all the money they could ever need anyway. Just like Carnegie, Morgan, Vanderbilt, Rockefeller etc did in their day.

      The primary difference this time is that at least the last lot were, in general, producing useful output. The current lot don't seem to be producing anything. They just keep inventing new ways to skim a tiny little almost unnoticeable amount of other peoples transactions but on a massive scale and so get rich by doing pretty much no work at all, certainly nothing productive or useful.

  3. HieronymusBloggs

    Rigorous framework

    "very rigorous framework of security and data privacy consent"

    Meaning the default consent that users are tricked into giving is very rigorously enforced.

  4. big_D Silver badge

    Now Americans can see

    why having strong data protection regulations is a good thing.

    Data Protection laws should protect identifiable entities in data, not exempt big business from being accountable for misuse.

    1. Pascal Monett Silver badge

      Re: Now Americans can see

      Of course they can see. They just choose to ignore because - hey look, shiny !

      1. Mark 85 Silver badge
        Unhappy

        Re: Now Americans can see

        Of course they can see. They just choose to ignore because - hey look, shiny !

        Actually I doubt they even look much less see. Except for us IT types, most users haven't a clue what's going on or are even aware that their data is being slurped. Mainstream news isn't going to report because advertisers might just pull out. But then again, I doubt most users don't visit mainstream as much s getting their news filtered by FB.

  5. Khaptain Silver badge

    Bring on GDPR - Vive l'Europe

    Let's hope for once that our European overlords will bring us a modicum of privacy with the new GDPR laws. Lawyers are going to have a field day suing companies that don't adhere, class action law suits will bring many a CEO to his knees. Or am I just dreaming, well, I will continue to dream, at least here in Europe,

    Unfortunately I can't image that those across the big pond are ever going to come close to establishing honest GDPR laws. At least not until Uncle Sam manages to find a way to shaft the users at the same time...

    1. Steve Davies 3 Silver badge
      Black Helicopters

      Re: Bring on GDPR - Vive l'Europe

      Don't worry, the USA will ignore the GPDR.(as with every other bit of non US Law)

      1. TheVogon Silver badge

        Re: Bring on GDPR - Vive l'Europe

        "Don't worry, the USA will ignore the GPDR."

        The US itself might do, but it will be VERY expensive very quickly for any US company that does or any company that sends GDPR protected data to the US without obtaining specific informed consent. The potential fines are vast...

    2. Roland6 Silver badge

      Re: Bring on GDPR - Vive l'Europe

      >Unfortunately I can't image that those across the big pond are ever going to come close to establishing honest GDPR laws.

      Unfortunately, I can't see the current crowd at Westminster implementing honest GDPR laws either.

      Yet, you can be sure they will want to be 'in' the European data market, in a deep and meaningful way, but not held to the rules...

  6. Anonymous Coward
    Anonymous Coward

    Failure of democracy.

    The data we as individual citizens create, the data that we generate, the data that is an individual is owned by that individual. That is a basic right that cannot be signed away in fine print.

    Yet the systems responsible for protecting our basic rights have instead been selling them out to the highest bidder. We can now see that in the many trade deals and failed promises from the 1980's to present. A time period in which the rich have gotten fantastically rich and Western citizens have struggled to make any gains not taken by taxes and higher costs.

    This report and many other incidents are showing everyone that our present forms of governments do not, can not or will not represent the interest of citizens. As a result we cannot fix these issues by bringing in regulation. Regulations are "negotiated" with business and industry without anyone representing the rights of citizens at the table. Regulations made by the very agencies that sold us in the first place cannot be counted on to do anything but "manage the optics" or pacify the masses enough to ensure the fleecing continues.

    Citizens are going to have to take action themselves if they want their rights protected. The question is how, where, when, and how to counter the measures in place to prevent such things.

    1. Commswonk Silver badge

      Re: Failure of democracy.

      This report and many other incidents are showing everyone that our present forms of governments do not, can not or will not represent the interest of citizens.

      Well said; very well said actually. I just hope that nobody is particularly surprised at the statement because it's been bloody obvious for a long time.

      1. Hans 1 Silver badge
        Holmes

        Re: Failure of democracy.

        In the history of democracy, or time, for that matter, when has a government, any government, of any economic or political doctrine, ever represented the interest of mere "citizens" ?

        Thought so ...

        Water at 277K is wet, those in power lazy & greedy, hello, that is why they are in power ...

    2. Harry Stottle

      Re: Failure of democracy.

      Completely Agree but don't have the space or time to answer the questions in your final para

      The short version is

      1 Incentivise the use of private notarised personal data "wallets" securely stored in various devices and capable of providing the answer to some questions without revealing actual data (eg whether someone is above or below an age constraint can be revealed without revealing date of birth). Also capable - with the co-operation of couriers who buy into the idea in order to feed off the "privacy preferred" market - of supplying one time "address keys" which even the courier can expose only in sufficient detail for their current sorting requirements. (but the merchant or supplier never gets to see or store)

      2 in the few instances where data really does need to be warehoused, compartmentalise it so that one warehouse may hold, for example, address data but not names or other private data; while another might hold dates of birth etc. (Only linkable with more one time keys etc)

      3 impose strict video-logged access controls on such data warehouses so that if any human access the protected data, (publicly) trusted auditors will always be a) notified and b) able to discover exactly who, when, why and where they accessed the data (and, of course, have full legal rights to blow the whistle if they spot anything underhand).

    3. anoco

      Re: Failure of democracy.

      A possible solution, at least in the US, is the creation of the 28th amendment. To be known as the Right to Own Your Data. And hope that it doesn't take as long as the 27th to be ratified.

      But if we really want to solve it fast, it should go as a subset. Like 2a or something. Then we could have liberals and conservatives working together. ..and all of a sudden the universe stopped expanding...

      1. ThatOne Silver badge
        Big Brother

        Re: Failure of democracy.

        > the creation of the 28th amendment. To be known as the Right to Own Your Data.

        ...following which Google will henceforth *legally* own your data...

    4. Anonymous Coward
      Anonymous Coward

      'systems responsible for protecting basic rights have been selling them out to the highest bidder'

      It'd be nice to think that this was an isolated incident, but when you look at Global-Banking, EPA & Product Safety, Big-Pharma & Drug-Trials and most Trade agreements, the Dystopian future awaits!

  7. Hans 1 Silver badge
    WTF?

    Saturday, I went to a shop, let's call it WallMart. I later received a message on my phone reading the following:

    "Add Wallmart to your travel history ?"

    This is the last time I take my smartphone out of my house ...

    1. Doctor Syntax Silver badge

      "This is the last time I take my smartphone out of my house"

      How about making it the last time you visit Walmart?

  8. Anonymous Coward
    Anonymous Coward

    One day I am going to set about figuring out how it is that BT and others are sending promotional material to an alias which I have only ever used on the electoral register and has never been authorised to appear on the open register.

  9. redpawn Silver badge

    TPC is correct

    It is for your safety. This insures that you will not surprise the armed burglar who is exercising the right to bear arms.

  10. Bob Dole (tm)
    Coffee/keyboard

    Another day..

    Another day and yet more confirmation that even if the sheep wanted to do something about the situation there is literally nothing us pleebs could possibly do to turn the tide.

    There is no right to privacy. The very thought of it was crushed long ago.

  11. John Smith 19 Gold badge
    Gimp

    Well competition to be the second biggest data pimp on the planet is very strong.

    And I think we all know who the first is (My first is in "gibbet", my second in "ogle.")

    1. Anonymous Coward
      Anonymous Coward

      Re: Well competition to be the second biggest data pimp on the planet is very strong.

      gibogle?

  12. Cynic_999 Silver badge

    Good for business

    Having intermittent live location data on just about everyone enables my .onion site to alert my customers when all members of a given household are >20 miles from the house, and will give the earliest possible time that any could get home. Premium paying customers can be alerted when *any* house within a given area is empty, and highlight houses where the last reported U.K. location of all members of the household was an airport.

    All achievable by data-scraping. Obviously I cannot be held responsible for how anyone may choose to use such information.

  13. Richocet

    Solutions

    Let's hope some effective legislation is put in place to tackle this and they are enforced.

    I rate the chance as less than 50%. And the chances are lower in the US than EU.

    An effective tactic to sabotage this behavior is to feed bad data into these systems. They have been designed around the principles of obtaining as much data as possible, and just assume that the data they collect is accurate. Then it is freely sold, shared, compiled between the data companies.

    If 20% of the data was poisoned this would make intelligence drawn from the data too inaccurate to use. Correlation would produce significant numbers of false positives. The compilers of data wouldn't know which data was bad or when bad data started entering their systems. It would be unfeasible effort and time intensive to clean up the data.

    Web tracking cookies, ad tracking, and email tracking are all vulnerable to spamming junk data into the databases.

    A botnet would take this to another level with diverse geoip information spamming.

  14. Missing Semicolon
    Devil

    Google slurping is not the same as MNO slurping.

    With Google there's a deal. We give you all these free shinies, and you pay in personal data. The shinies are actually pretty good, so we accept the price.

    With Mobile Operators, I pay for the service already. The subsequent monetization of my PII is essentially theft.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019