{"id":12349,"date":"2018-05-19T10:45:03","date_gmt":"2018-05-19T18:45:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/05\/19\/news-6118\/"},"modified":"2018-05-19T10:45:03","modified_gmt":"2018-05-19T18:45:03","slug":"news-6118","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/05\/19\/news-6118\/","title":{"rendered":"A Location-Sharing Disaster Shows How Exposed You Really Are"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5aff47679b3a517fcaece13b\/master\/pass\/LocationServices-M6T94H-(1)-w.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sat, 19 May 2018 11:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">There are plenty <\/span>of <a href=\"https:\/\/www.wired.com\/2017\/12\/digital-security-guide\/\">guides available on how to protect your data<\/a>, how to <a href=\"https:\/\/www.wired.com\/2017\/02\/famed-hacker-kevin-mitnick-shows-go-invisible-online\/\">secure yourself online<\/a>, and how to <a href=\"https:\/\/www.wired.com\/story\/facebook-privacy-apps-ads-friends-delete-account\/\">stop digital snoops from tracking you<\/a> across the web and then profiting from that intrusion. (Sorry, \u201cmonetization\u201d.) You should do these things. But if a cascading series of revelations this past week has taught us anything, it&#x27;s that all of those steps amount to triage. The things you can control add up to very little next to the things you can\u2019t.<\/p>\n<p>It\u2019s an obvious point, especially if you follow the privacy headlines. 
But a recent example of location-tracking gone wrong\u2014in fairness, it rarely goes right\u2014that unfolded over the last week or so underscores the severity of what you\u2019re up against.<\/p>\n<p class=\"paywall\">On May 10, a <a href=\"https:\/\/www.nytimes.com\/2018\/05\/10\/technology\/cellphone-tracking-law-enforcement.html\" target=\"_blank\">New York Times report<\/a> detailed a service, called Securus, that allegedly allowed a former sheriff to track people\u2019s location, practically in real-time, without a court order. Securus technically requires legal documentation that authorizes use of its services. But senator Ron Wyden (D &#8211; Oregon) <a href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/wyden-securus-location-tracking-letter-to-att.pdf\" target=\"_blank\">says<\/a> Securus told his office that the company \u201cnever checks the legitimacy of those uploaded documents,\u201d and that it does not feel obligated to do so. It offers a rubber stamp, then, to letting people know where virtually anyone in the US is standing at any given moment.<\/p>\n<p class=\"paywall\">On the heels of that report, <a href=\"https:\/\/www.zdnet.com\/article\/us-cell-carriers-selling-access-to-real-time-location-data\/\" target=\"_blank\">ZDNet detailed<\/a> how all four major US carriers sell location data to companies you\u2019ve never heard of, without your explicit permission. In this specific case, Securus bought its access from a location aggregator called LocationSmart, which in turn bought it from the telecoms. All of these corporate relationships are arguably legal.<\/p>\n<p class=\"paywall\">&quot;We don\u2019t really have federal laws that are focused on that backend sale of personal data,&quot; says Alan Butler, senior counsel at the Electronic Privacy Information Center. &quot;A lot of this is just the Wild, Wild West, honestly. 
That\u2019s why the companies do whatever they want.&quot;<\/p>\n<p class=\"paywall\">That alone would be cause enough for alarm. There\u2019s no opt-out for any of this location sharing. It happens simply by dint of having a cell phone plan. In a very real sense, you\u2019re powerless to prevent your location being used as chattel. Google knows where you are most of the time too, but at least it lets you <a href=\"https:\/\/support.google.com\/accounts\/answer\/3118687?hl=en\" target=\"_blank\">turn off location tracking<\/a>, and to delete your history. The company also ostensibly uses the information to help Google Maps, search, and other services that benefit consumers to some degree. The only value AT&amp;T and Verizon create by selling location data to brokers lands on their bottom line.<\/p>\n<p class=\"paywall\">Also, it gets worse.<\/p>\n<p class=\"paywall\">By Wednesday, hackers breached Securus, passing some of the data on its servers\u2014including usernames, email addresses, and hashed passwords\u2014along <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/gykgv9\/securus-phone-tracking-company-hacked\" target=\"_blank\">to tech site Motherboard<\/a>. 
On Thursday, <a href=\"https:\/\/krebsonsecurity.com\/2018\/05\/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site\/\" target=\"_blank\">security reporter Brian Krebs revealed<\/a> that LocationSmart had a security meltdown of its own; while the company says it abides by privacy best practices, including <a href=\"https:\/\/www.locationsmart.com\/company\/news\/location-data-privacy-locationsmart-best-practices\" target=\"_blank\">a requirement<\/a> that someone give consent before being tracked, Carnegie Mellon researcher Robert Xiao discovered that a bug on its website allowed anyone to locate around 200 million people in the US without their knowledge.<\/p>\n<p class=\"paywall\">\u201cLocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process,\u201d the company said in a statement Friday. LocationSmart also says that the bug has been fixed, and that it had not been exploited prior to Xiao\u2019s discovery. When asked how they were sure that Xiao was the first to exploit the bug, LocationSmart told WIRED that it \u201creviewed its historical logs.\u201d<\/p>\n<p class=\"paywall\">Xiao urges some skepticism regarding that last claim. \u201cI would be curious to know how they know that,\u201d he says. \u201cThe attack flow looks fairly normal. If they looked at their server logs, it would be hard to distinguish what I was doing from normal use.\u201d<\/p>\n<p class=\"paywall\">Regardless, the absence of exploits wouldn\u2019t excuse the sloppiness that created the bug in the first place. Xiao says it took only about 15 minutes of prodding to discover it, and that it stems from an unused feature that the company apparently never bothered to secure. 
It\u2019s an unconscionable lapse, especially given the sensitive nature of LocationSmart\u2019s business.<\/p>\n<p class=\"paywall\">\u201cI\u2019d almost prefer that they didn\u2019t have access to this in the first place, that this business model didn\u2019t exist,\u201d says Xiao. \u201cBut if they\u2019re going to have this data and a claim to use it, then they absolutely have a responsibility to make sure it\u2019s locked up tighter than Fort Knox.\u201d<\/p>\n<p class=\"paywall\">It\u2019s a responsibility LocationSmart, and so many others who hold onto your data, abdicated. \u201cBecause they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone,\u201d Senator Wyden said in a statement Friday. \u201cThe dangers from LocationSmart and other companies are limitless. If the FCC refuses to act after this revelation then future crimes against Americans will be on the commissioners&#x27; heads.\u201d (An FCC spokesperson says that &quot;the matter is being referred to the Enforcement Bureau,&quot; with no further comment.)<\/p>\n<p class=\"paywall\">Wyden\u2019s office also confirmed that none of the four major carriers have responded to letters he sent last week, asking each of them to audit what third parties have access to location information, if and how their customers consented, and urging safeguards to better manage the fallout of these incidents.<\/p>\n<p class=\"paywall\">You couldn\u2019t hope for a much better encapsulation of the hopeless state of data privacy in the US today. 
You can see the same casual security sloppiness with which LocationSmart and Securus treated your location in the countless <a href=\"https:\/\/www.wired.com\/2017\/03\/want-stop-big-data-breaches-start-databases\/\">exposed databases<\/a>\u2014revealing everything from <a href=\"https:\/\/www.wired.com\/story\/amazon-s3-data-exposure\/\">personal information<\/a> to <a href=\"https:\/\/www.wired.com\/story\/voter-records-exposed-database\/\">voter records<\/a>\u2014or in the extremely, entirely, <a href=\"https:\/\/www.wired.com\/story\/equifax-breach-no-excuse\/\">embarrassingly preventable Equifax breach<\/a>. The same system that allows AT&amp;T, Verizon, T-Mobile, and Sprint to sell your location to companies you\u2019ve never heard of also allows thousands of barely regulated, <a href=\"https:\/\/www.cnn.com\/2018\/03\/26\/opinions\/data-company-spying-opinion-schneier\/index.html\" target=\"_blank\">shadowy data brokers<\/a> to know everything about not just where you are but <em>who<\/em> you are, and what you do online. And the lack of tangible progress, the sense that this has all happened before and will happen again, the resignation: that\u2019s the cumulative effect of years of breaches, leaks, and carelessness, and it is what makes this all feel so futile. This keeps happening, and keeps not getting fixed.<\/p>\n<p class=\"paywall\">&quot;No one takes the lead,&quot; says Butler. &quot;People acknowledge that it\u2019s a problem, but no individual consumer has any power to do anything about it. And where in the system does the solution come from?&quot; Laws do restrict what consumer-facing companies can do with your data, but the data broker industry has largely slipped through the cracks. 
And without a centralized agency taking the lead on privacy in the US, or an <a href=\"https:\/\/www.wired.com\/story\/europes-new-privacy-law-will-change-the-web-and-more\/\">omnibus law like Europe&#x27;s GDPR<\/a> to act as a wider safety net, that&#x27;s not going to change.<\/p>\n<p class=\"paywall\">None of which means you should give up. You should still follow those guides, and adjust those settings. But you should also know that better privacy can only come if and when companies respect you enough to grant it. And if they continue not to, your only option is to yell loudly enough\u2014at the FCC, at lawmakers, at anyone who will listen\u2014that they no longer have a choice.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/locationsmart-securus-location-data-privacy\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5aff47679b3a517fcaece13b\/master\/pass\/LocationServices-M6T94H-(1)-w.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sat, 19 May 2018 11:00:00 +0000<\/strong><\/p>\n<p>The failures of Securus and LocationSmart to secure location data are the failures of an entire 
industry.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-12349","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12349"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12349\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}