Location Data

fcc-fines-big-three-carriers-$196m-for-selling-users’-real-time-location-data

FCC fines big three carriers $196M for selling users’ real-time location data

AT&T, Location Data, Policy, T-Mobile, verizon / /
Illustration with a Verizon logo displayed on a smartphone in front of stock market percentages in the background.

Getty Images | SOPA Images

The Federal Communications Commission today said it fined T-Mobile, AT&T, and Verizon $196 million “for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The fines relate to sharing of real-time location data that was revealed in 2018. The FCC proposed the fines in 2020, when the commission had a Republican majority, and finalized them today.

All three major carriers vowed to appeal the fines after they were announced today. The three carriers also said they discontinued the data-sharing programs that the fines relate to.

The fines are $80.1 million for T-Mobile, $57.3 million for AT&T, and $46.9 million for Verizon. T-Mobile is also on the hook for a $12.2 million fine issued to Sprint, which was bought by T-Mobile shortly after the penalties were proposed over four years ago.

Today, the FCC summarized its findings as follows:

The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained. This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.

“Shady actors” got hold of data

The problem first came to light with reports of customer location data “being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a ‘location-finding service’ operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals,” the FCC said.

Chairwoman Jessica Rosenworcel said that news reports in 2018 “revealed that the largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors. This ugly practice violates the law—specifically Section 222 of the Communications Act, which protects the privacy of consumer data.”

For a time after the 2018 reports, “all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that the dozens of location-based service providers with access to their customers’ location information were actually obtaining customer consent,” the FCC said.

The three carriers are ready to challenge the fines in court. “This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted,” T-Mobile said in a statement provided to Ars. “We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it.”

FCC fines big three carriers $196M for selling users’ real-time location data Read More »

some-calif.-cops-still-sharing-license-plate-info-with-anti-abortion-states

Some Calif. cops still sharing license plate info with anti-abortion states

automated license plate readers, California, First Amendment, Fourth Amendment, license plate data, license plate info, Location Data, location tracking, Online Privacy, police associations, Policy, rob bonta / /
Some Calif. cops still sharing license plate info with anti-abortion states

Dozens of California police agencies are still sharing automated license plate reader (ALPR) data with out-of-state authorities without a warrant, the Electronic Frontier Foundation has revealed. This is occurring despite guidance issued by State Attorney General Rob Bonta last year.

Clarifying a state law that limits state public agencies to sharing ALPR data only with other public agencies, Bonta’s guidance pointed out that “importantly,” the law’s definition of “public agency” “does not include out-of-state or federal law enforcement agencies.”

Bonta’s guidance came after EFF uncovered more than 70 California law enforcement agencies sharing ALPR data with cops in other states, including anti-abortion states. After Bonta clarified the statute, approximately half of these agencies told EFF that they updated their practices to fall in line with Bonta’s reading of the law. Some states could not verify that the practice had ended yet, though.

In a letter to Bonta, EFF praised the guidance as protecting Californians’ privacy but also flagged more than 30 police agencies that either expressly rejected Bonta’s guidance or else refused to confirm that they’ve stopped sharing data with out-of-state authorities. EFF staff attorney Jennifer Pinsof told Ars that it’s likely that additional agencies are also failing to comply, such as agencies that EFF never contacted or that recently acquired ALPR technology.

“We think it is very likely other agencies in the state remain out of compliance with the law,” EFF’s letter said.

EFF is hoping that making Bonta aware of the ongoing non-compliance will end sharing of highly sensitive location data with police agencies in states that do not provide as many privacy protections as California does. If Bonta “takes initiative” to enforce compliance, Pinsof said that police may be more willing to consider the privacy risks involved, since Bonta can “communicate more easily with the law enforcement community” than privacy advocates can.

However, even Bonta may struggle, as some agencies “have dug their heels in,” Pinsof said.

Many state police agencies simply do not agree with Bonta’s interpretation of the law, which they claim does allow sharing ALPR data with cops in other states. In a November letter, a lawyer representing the California State Sheriffs’ Association, California Police Chiefs Association, and California Peace Officers’ Association urged Bonta to “revisit” his position that the law “precludes sharing ALPR data with out-of-state governmental entities for legitimate law enforcement purposes.”

The cops argued that sharing ALPR data with cops in other states assists “in the apprehension and prosecution of child abductors, narcotics traffickers, human traffickers, extremist hate groups, and other cross-state criminal enterprises.”

They told Bonta that the law “was not designed to block law enforcement from sharing ALPR data outside California where the information could be used to intercede with criminal offenders moving from state to state.” As they see it, cooperation between state authorities is “absolutely imperative to effective policing.”

Here’s where cops say the ambiguity lies. The law defines public agency as “the state, any city, county, or city and county, or any agency or political subdivision of the state or a city, county, or city and county, including, but not limited to, a law enforcement agency.” According to cops, because the law does not “specifically refer to the State of California” or “this state,” it could be referring to agencies in any state.

“Had the legislation referred to ‘a State’ rather than ‘the State,’ there would be no debate about whether sharing was prohibited,” the police associations’ letter said. “We see no basis to read such a limitation into the legislation based on the word ‘the’ rather than ‘a.'”

The police associations also reminded Bonta that the California Legislature considered passing a bill that would have explicitly “prohibited the out-of-state sharing of ALPR information” with states interfering with “the right to seek abortion services” but “rejected it.” They told Bonta that “the Legislature’s refusal to adopt a position consistent with the position” he is “advancing is troubling.”

EFF said that California police can still share ALPR data with out-of-state police in situations permitted by law, like when out-of-state cops have a “warrant for ALPR information based on probable cause and particularity.” Instead, EFF alleged that cops are “dragnet sharing through commercial cloud storage systems” without warrants, which could be violating Californians’ right to privacy, as well as First and Fourth Amendment rights.

EFF urged Bonta to reject the police associations’ “crabbed interpretation” of the statute, but it’s unclear if Bonta will ever respond. Pinsof told Ars that Bonta did not directly respond to EFF’s initial investigation, but the guidance he later issued seemed to suggest that he got EFF’s message.

Police associations and Bonta’s office did not respond to Ars’ request to comment.

Some Calif. cops still sharing license plate info with anti-abortion states Read More »

nsa-finally-admits-to-spying-on-americans-by-purchasing-sensitive-data

NSA finally admits to spying on Americans by purchasing sensitive data

data brokers, Department of Defense, Government surveillance, Location Data, National Security Agency, NSA, Online Privacy, Policy / /

Leaving Americans in the dark —

Violating Americans’ privacy “not just unethical but illegal,” senator says.

NSA finally admits to spying on Americans by purchasing sensitive data

The National Security Agency (NSA) has admitted to buying records from data brokers detailing which websites and apps Americans use, US Senator Ron Wyden (D-Ore.) revealed Thursday.

This news follows Wyden’s push last year that forced the FBI to admit that it was also buying Americans’ sensitive data. Now, the senator is calling on all intelligence agencies to “stop buying personal data from Americans that has been obtained illegally by data brokers.”

“The US government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical but illegal,” Wyden said in a letter to Director of National Intelligence (DNI) Avril Haines. “To that end, I request that you adopt a policy that, going forward,” intelligence agencies “may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

Wyden suggested that the intelligence community might be helping data brokers violate an FTC order requiring that Americans are provided “clear and conspicuous” disclosures and give informed consent before their data can be sold to third parties. In the seven years that Wyden has been investigating data brokers, he said that he has not been made “aware of any company that provides such a warning to users before collecting their data.”

The FTC’s order came after reaching a settlement with a data broker called X-Mode, which admitted to selling sensitive location data without user consent and even to selling data after users revoked consent.

In his letter, Wyden referred to this order as the FTC outlining “new rules,” but that’s not exactly what happened. Instead of issuing rules, FTC settlements often serve as “common law,” signaling to marketplaces which practices violate laws like the FTC Act.

According to the FTC’s analysis of the order on its site, X-Mode violated the FTC Act by “unfairly selling sensitive data, unfairly failing to honor consumers’ privacy choices, unfairly collecting and using consumer location data, unfairly collecting and using consumer location data without consent verification, unfairly categorizing consumers based on sensitive characteristics for marketing purposes, deceptively failing to disclose use of location data, and providing the means and instrumentalities to engage in deceptive acts or practices.”

The FTC declined to comment on whether the order also applies to data purchases by intelligence agencies. In defining “location data,” the FTC order seems to carve out exceptions for any data collected outside the US and used for either “security purposes” or “national security purposes conducted by federal agencies or other federal entities.”

NSA must purge data, Wyden says

NSA officials told Wyden that not only is the intelligence agency purchasing data on Americans located in the US but that it also bought Americans’ Internet metadata.

Wyden warned that the former “can reveal sensitive, private information about a person based on where they go on the Internet, including visiting websites related to mental health resources, resources for survivors of sexual assault or domestic abuse, or visiting a telehealth provider who focuses on birth control or abortion medication.” And the latter “can be equally sensitive.”

To fix the problem, Wyden wants intelligence communities to agree to inventory and then “promptly” purge the data that they allegedly illegally collected on Americans without a warrant. Wyden said that this process has allowed agencies like the NSA and the FBI “in effect” to use “their credit card to circumvent the Fourth Amendment.”

X-Mode’s practices, the FTC said, were likely to cause “substantial injury to consumers that are not outweighed by countervailing benefits to consumers or competition and are not reasonably avoidable by consumers themselves.” Wyden’s spokesperson, Keith Chu, told Ars that “the data brokers selling Internet records to the government appear to engage in nearly identical conduct” to X-Mode.

The FTC’s order also indicates “that Americans must be told and agree to their data being sold to ‘government contractors for national security purposes’ for the practice to be allowed,” Wyden said.

DoD defends shady data broker dealings

In response to Wyden’s letter to Haines, the Under Secretary of Defense for Intelligence & Security, Ronald Moultrie, said that the Department of Defense (DoD) “adheres to high standards of privacy and civil liberties protections” when buying Americans’ location data. He also said that he was “not aware of any requirement in US law or judicial opinion” forcing the DoD to “obtain a court order in order to acquire, access, or use” commercially available information that “is equally available for purchase to foreign adversaries, US companies, and private persons as it is to the US government.”

In another response to Wyden, NSA leader General Paul Nakasone told Wyden that the “NSA takes steps to minimize the collection of US person information” and “continues to acquire only the most useful data relevant to mission requirements.” That includes some commercially available information on Americans “where one side of the communications is a US Internet Protocol address and the other is located abroad,” data which Nakasone said is “critical to protecting the US Defense Industrial Base” that sustains military weapons systems.

While the FTC has so far cracked down on a few data brokers, Wyden believes that the shady practice of selling data without Americans’ informed consent is an “industry-wide” problem in need of regulation. Rather than being a customer in this sketchy marketplace, intelligence agencies should stop funding companies allegedly guilty of what the FTC has described as “intrusive” and “unchecked” surveillance of Americans, Wyden said.

According to Moultrie, DNI Haines decides what information sources are “relevant and appropriate” to aid intelligence agencies.

But Wyden believes that Americans should have the opportunity to opt out of consenting to such invasive, secretive data collection. He said that by purchasing data from shady brokers, US intelligence agencies have helped create a world where consumers have no opportunity to consent to intrusive tracking.

“The secrecy around data purchases was amplified because intelligence agencies have sought to keep the American people in the dark,” Wyden told Haines.

NSA finally admits to spying on Americans by purchasing sensitive data Read More »

let’s-attempt-to-decode-google’s-confusing-new-location-data-settings

Let’s attempt to decode Google’s confusing new location data settings

Data Security, Google, google cloud, google maps, Location Data, Tech / /

Oh, good, my lawyer wanted a new porsche —

The new Google Maps Timeline plays a game of three-card monte with your location data.

Let’s attempt to decode Google’s confusing new location data settings

Google announced big changes to its most legally fraught set of user settings: your location data. Google’s misleading Location History descriptions in Google Maps have earned it several lawsuits in the US and worldwide. A quick count involves individual lawsuits in California, Arizona, Washington, a joint lawsuit in Texas, Indiana, and the District of Columbia, and another joint lawsuit across 40 additional US states. Internationally, Google has also been sued in Australia over its location settings. The point is that any change to Google’s location settings must have some motive behind it, so bear with us while we try to decode everything.

Google’s big new location data change is a new, duplicate data store that will live exclusively on your device. Google’s new blog post says data for the long-running Google Maps Timeline feature will now “be saved right on your device—giving you even more control over your data.” That’s right, one of the world’s biggest Internet data companies advocates for local storage of your location data.

The company continues, “If you’re getting a new phone or are worried about losing your existing one, you can always choose to back up your data to the cloud so it doesn’t get lost. We’ll automatically encrypt your backed-up data so no one can read it, including Google.” Users will apparently have lots of control over this new locally stored data, with Google saying, “Soon, you’ll be able to see all your recent activity on Maps… in one central place, and easily delete your searches, directions, visits, and shares with just a few taps. The ability to delete place-related activity from Maps starts rolling out on Android and iOS in the coming weeks.”

The new Google Maps Timeline pop-up.

Enlarge / The new Google Maps Timeline pop-up.

Google

Some companies pitch the “on-device storage” of data as a security feature. The idea is that on-device data isn’t in the cloud, and instead is encrypted on your device, and therefore is more secure since you must have physical access to the device to get the data. This is usually how biometrics are stored, for instance. That’s not happening here, though. Google’s post says, “The Timeline feature in Maps helps you remember places you’ve been and is powered by a setting called Location History.” Location History is all the location data collected by Google, and the Google Maps Timeline is only a subset of that data. So, with on-device storage, Google Maps Timeline will now be a second copy of a subset of your location data. Cloud-based Location History will still exist and still be collected. Instead of the additional security of encrypted on-device storage, this is less secure since your data will now be in two places, or maybe multiple places, if you have multiple devices.

Google was sued in nearly every US state because of its misleading communication about where your location data is stored and what the controls do. Before all the lawsuits, Google had a checkbox for “Location History” that you could turn on and off, but at the time, “Location History” didn’t mean “all the stored location history across your Google account.” Back then, “Location History” was the name of a specific page in Google Maps, and turning off the Location History checkbox just hid the Location History interface—it didn’t reduce Google’s location data collection and storage. Today, that has changed, and in the wake of all those lawsuits, Google says Location History actually controls the storage and collection of location data across your entire account.

Promoting controls for the “Google Maps Timeline” feels like Google is pulling the same old “Location History” trick. Data controls for the Maps Timeline don’t control the data for your entire account, but instead only control data for this specific interface in Google Maps. Google says you’ll get “the ability to delete place-related activity from Maps,” but that’s from Maps only. Let’s not fall for Google’s app-specific settings trick again: You don’t want the ability to delete location data “from Maps”; you want the ability to delete location data from “your entire account.”

Google's new delete button doesn't seem like it delete's much.

Google’s new delete button doesn’t seem like it delete’s much.

Google

My interpretation of the strategy is that Google’s going to make two different copies of your location data, a cloud-based one that it has access to (Location History) and a locally stored one that it does not have access to (Google Maps Timeline), and it’s going to dangle a bunch of controls in front of users that control the local data store only. A pop-up (shown above) briefly shown in one of the blog post videos seems to confirm this, with the “Delete Maps Activity?” pop-up saying it won’t delete data from Location History or Web & App Activity. I guess the hope is that interested users will be distracted by the upfront controls for the unimportant, private, local data store and then forget about the more hidden controls for the cloud-based one that Google has access to.

Any justification for why the company is creating more complicated and confusing location controls is absent from Google’s blog post. What is the benefit of having an extra copy of locally stored location data? Why would you want two different copies of location data to manage? The only new feature you’re getting is the ability to delete data from the new local data store, but you wouldn’t need those controls if the data store didn’t exist in the first place. Why would users want to delete data from their local location history but not the cloud? A local copy of location data only makes sense if Google stops collecting and storing location data in the cloud; I can promise you that it’s not doing that.

Let’s attempt to decode Google’s confusing new location data settings Read More »

how-to-geolocate-ip-addresses-on-linux-using-geoiplookup

How to Geolocate IP Addresses on Linux Using geoiplookup

Highlights, Install Software, IP Address, Linux, Linux Apps, Location Data, server / /

internal/modules/cjs/loader.js: 905 throw err; ^ Error: Cannot find module ‘puppeteer’ Require stack: – /home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js at Function.Module._resolveFilename (internal/modules/cjs/loader.js: 902: 15) at Function.Module._load (internal/modules/cjs/loader.js: 746: 27) at Module.require (internal/modules/cjs/loader.js: 974: 19) at require (internal/modules/cjs/helpers.js: 101: 18) at Object. (/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js:2: 19) at Module._compile (internal/modules/cjs/loader.js: 1085: 14) at Object.Module._extensions..js (internal/modules/cjs/loader.js: 1114: 10) at Module.load (internal/modules/cjs/loader.js: 950: 32) at Function.Module._load (internal/modules/cjs/loader.js: 790: 12) at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js: 75: 12) code: ‘MODULE_NOT_FOUND’, requireStack: [ ‘/home/760439.cloudwaysapps.com/jxzdkzvxkw/public_html/wp-content/plugins/rss-feed-post-generator-echo/res/puppeteer/puppeteer.js’ ]

How to Geolocate IP Addresses on Linux Using geoiplookup Read More »