Pixel Envy

Written by Nick Heer.

Archive for January, 2019

FTC Close to Ending Its Facebook Investigation

Cecilia Kang, New York Times:

The Federal Trade Commission is in the advanced stages of its investigation into whether Facebook violated privacy rules and is expected to seek large fines from the company, according to two people familiar with the inquiry.

[…]

The highest financial penalty imposed on a tech company was Google’s $22 million settlement in 2012 for privacy violations. In the December meeting, the commissioners discussed a higher fine for Facebook, the people said.

John D. McKinnon, Wall Street Journal:

The FTC has been probing whether Facebook violated terms of an earlier consent decree when data of tens of millions of its users was transferred to Cambridge Analytica, a data firm that did work for the campaign of President Trump.

News of the investigation’s status was first reported by Tony Romm and Elizabeth Dwoskin for the Washington Post.

So far in its current fiscal year, Facebook has made over $17 billion in profit before taxes. The company will announce its fourth quarter results at the end of the month; typically, that’s its biggest quarter. A fine of approximately the same size as was paid by Google is simply a business expense for a company with a bank account like Facebook’s. Hitting them hard in the pocketbook with a fine in the hundreds of millions of dollars might produce long-lasting change, but I’m not optimistic. There’s just too much money to be made when every data point collected on individuals has value, and there are few restrictions on how it may be acquired or used. This industry needs to be regulated.

How Secrecy Fuels Tech Paranoia

John Herrman, New York Times:

The biggest internet platforms are businesses built on asymmetric information. They know far more about their advertising, labor and commerce marketplaces than do any of the parties participating in them. We can guess, but can’t know, why we were shown a friend’s Facebook post about a divorce, instead of another’s about a child’s birth. We can theorize, but won’t be told, why YouTube thinks we want to see a right-wing polemic about Islam in Europe after watching a video about travel destinations in France. Everything that takes place within the platform kingdoms is enabled by systems we’re told must be kept private in order to function. We’re living in worlds governed by trade secrets. No wonder they’re making us all paranoid.

This was published a day after an op-ed in Wired theorized that the “2009 vs 2019” comparison really exists to teach artificial intelligence how human ageing works. I think that piece is utter nonsense, but I get where that sentiment comes from.

Jack Dorsey Has No Clue What He Wants

Ashley Feinberg of the Huffington Post interviewed Jack Dorsey recently, and came away with the titular conclusion:

In other words, the most the CEO of Twitter was able to tell me about specific steps being taken to solve the rampant, site-wide harassment problem that’s plagued the platform for years is that they’re looking into maybe making the report button a little bigger, eventually.

Or consider later, when I asked whether Trump tweeting an explicit call for murder would be grounds for removal. Just as he seemed about to answer what seemed like an easy question, he caught himself. “That would be a violent threat,” he started. “We’d definitely … You know we’re in constant communication with all governments around the world. So we’d certainly talk about it.”

They would certainly talk about it.

Feinberg’s question is, of course, testing Twitter’s rules at their limits. But it’s baffling that something so clearly beyond the realm of what Twitter should support prompts such an uncertain and confused answer from Dorsey.

The rest of this interview is more of the same.

Pew: 74% of Facebook Users Have No Idea How Its Ads Work

Natasha Lomas, TechCrunch:

Pew found three-quarters (74%) of Facebook users did not know the social networking behemoth maintains a list of their interests and traits to target them with ads, only discovering this when researchers directed them to view their Facebook ad preferences page.

A majority (51%) of Facebook users also told Pew they were uncomfortable with Facebook compiling the information.

While more than a quarter (27%) said the ad preference listing Facebook had generated did not very or at all accurately represent them.

This is one reason why I think a legislative approach is critical to protecting user privacy. Users don’t know how these things work because Facebook buries the truth and its handful of privacy controls in abstruse language beneath layers of menus and controls. They have reached the size where there simply isn’t any incentive for them to be more transparent, and existing regulatory agencies are either unwilling or unable to take action.

Tim Cook’s Time Magazine Editorial on Privacy

Tim Cook in Time:

Meaningful, comprehensive federal privacy legislation should not only aim to put consumers in control of their data, it should also shine a light on actors trafficking in your data behind the scenes. Some state laws are looking to accomplish just that, but right now there is no federal standard protecting Americans from these practices. That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.

Setting aside the actual point of this essay — which, by the way, is an excellent summary of why privacy legislation for user data is sorely needed — something that’s kind of interesting is how it reads in a very Tim Cook kind of way. Much as Steve Jobs had a unique voice in both his speaking and writing, so, too, does Cook. It doesn’t feel like it’s an essay produced by some copywriter to which Cook’s name is later affixed; it’s clear to me that this is something that truly matters to him, and which he probably wrote himself.

Nilay Patel linked to the essay on Twitter and attached a screenshot of the top apps in the App Store, clarifying in a reply:

The iPhone’s value is built on these services. Pushing for a law is great, but it is telling that they won’t use their own platform dominance to forbid these practices.

“These services” refers to apps like Gmail and Instagram, both of which are run by companies that show virtually no respect for users’ privacy. This seems to come up frequently in conversations about Apple, and it’s something lots of people mention, so I don’t mean to single out Patel here. But I think it’s a horribly lazy take.

Can you imagine the scale of the shit fit that would be thrown if Apple completely prohibited apps from Google and Facebook in the App Store? Not just from users, either: tech publications, mainstream newspapers, and regulators would be apoplectic, given the obvious antitrust questions that would likely be provoked by this kind of power move.

For what it’s worth, Apple has strict guidelines on the collection and use of users’ data. These rules require that developers collect opt-in permission, prohibit apps from requiring personal data unless it’s necessary for the app’s core functionality, and encourage minimization of data collection overall. That’s not to say the company is perfect. For example, you cannot post photos to an Instagram story if you’ve denied microphone access to Instagram, despite Apple’s developer guidelines using basically this scenario as a prohibited example. I wish Apple were stricter in enforcing the rules they already have, but their reluctance to create a PR and antitrust catastrophe is understandable.

In general, however, enforcement of online privacy should not be Apple’s job. Cook is right in stating that this should be dealt with in policy, not on individual companies’ terms. Frankly, Apple’s ability to use privacy as a differentiating characteristic is embarrassing for the tech industry and its regulators. Users should not have to be wary of compromising their privacy or worried that they will lose control over their personal details every time they use a tech product, an app, or a website.

Website Subscriptions Are Not Dead

Colin Devroe (via Brent Simmons):

This isn’t the first nor the last article to cover the creation of the RSS standard, its rise to relative popularity with Google Reader, and its subsequent fall from popularity.

But the big point that many of these articles dismiss lightly or directly omit is that RSS is still used as the underpinnings of so many widely popular services today. Apple News, Google News, Flipboard (each with likely tens of millions of users or more) and many others use RSS; it is just that people do not know it.

We should likely stop talking about RSS. We need to simply start calling RSS “Subscribing”. “Subscribe to my blog” is the only thing we need to say.

Most users don’t care about the underlying technology; Devroe is right in that sense. However, while RSS may be succeeding in developers’ terms, subscription options should be more visible for users — ideally at the system level. The kind of users who aren’t necessarily aware of the format aren’t going to poke around for software to read feeds with.

In regions where Apple News is available — the U.S., U.K., and Australia — iOS and MacOS will handle RSS subscriptions more-or-less gracefully. Elsewhere, however, the system just doesn’t know what to do with the feed URL if you do not have an RSS reader installed, and will offer to send you to the App Store to download a feed reader using a link that, as far as I can tell, doesn’t work.

Signal v. Noise Leaves Medium

David Heinemeier Hansson:

When we moved over, Medium was all about attracting big blogs and other publishers. This was going to be a new space for a new time where publishers could find a home. And it was. For a while.

These days Medium is focused on their membership offering, though. Trying to aggregate writing from many sources and sell a broad subscription on top of that. And it’s a neat model, and it’s wonderful to see Medium try something different. But it’s not for us, and it’s not for Signal v Noise.

[…]

That doesn’t mean we regret our time at Medium. Being on Medium helped propel some of our best writing to a whole new audience. But these days there’s less of a “what Medium is doing for us”, and a whole lot more of “what we’re doing for Medium”. It was a good time while it lasted, but good times are gone.

It was just a few years ago that a bunch of publications were enticed by Medium to migrate their websites; now, nearly all of them have left the platform. I say good riddance; if you take your writing seriously, you should have as much control over it as possible.[1]

Update: Manton Reece:

Medium.com was swinging in the wrong direction, especially with the change last year to no longer allow custom domain names. I think 2019 is going to be a great year for blogging.

I think so, too.


  1. This, by the way, is exactly why I have misgivings about video on the web. Any cheap hosting is good enough for a blog, and even moderately-priced hosting could work for a podcast. But hosting video files requires far more robust hosting and bandwidth; that’s why there’s basically only one hugely-popular video platform on the web. YouTube’s monopoly is not healthy for creators or the open web.

In Europe, the New York Times Switched From Ad Exchanges to Direct Selling, and Grew Revenue

Jessica Davies, Digiday:

When the General Data Protection Regulation arrived last year, The New York Times didn’t take any chances.

The publisher blocked all open-exchange ad buying on its European pages, followed swiftly by behavioral targeting. Instead, NYT International focused on contextual and geographical targeting for programmatic guaranteed and private marketplace deals and has not seen ad revenues drop as a result, according to Jean-Christophe Demarta, svp for global advertising at New York Times International.

[…]

The New York Times has 2.9 million paying digital subscribers globally, and 15 percent of the publisher’s digital news subscribers are from Europe. Digital advertising in Europe also remains an important revenue stream for the publisher. The publisher’s reader-revenue business model means it fiercely guards its readers’ user experience. Rather than bombard readers with consent notices or risk a clunky consent user experience, it decided to drop behavioral advertising entirely.

It’s worth noting that there are few web properties with the brand clout of the New York Times. Direct selling may not be a realistic solution for all websites — including, I should say, this one. There should be a more direct relationship between the publisher and the advertiser, while still preserving editorial independence. Where direct selling is not viable, ad exchanges should exist that carefully vet ads and are not dependent on behavioural targeting; the Deck was ahead of its time.

But this report demonstrates that third parties are still interested in buying advertising, even when they can’t have their adtech toys. That’s great news. Let’s have more of this.

Ajit Pai Refuses to Brief Lawmakers Over Phone-Tracking Scandal, Dubiously Blames Shutdown

Dell Cameron, Gizmodo:

In a letter to the FCC chairman last week, [Rep. Frank Pallone, Jr.] said it was paramount his committee investigate the matter at once and that it could not wait “until President Trump decides to reopen the government.” However, committee members said on Monday that Pai had declined to brief them citing the shutdown, while asserting (in Pallone’s words) that the matter was “not a threat to the safety of human life or property.”

Neither Pai nor his chief of staff, Matthew Berry, placed the call notifying Pallone’s office of his refusal, according to a senior Democratic aide, who said the news came instead from a lower-level staffer.

Pallone responded to Pai’s decision in a statement, saying, “There’s nothing in the law that should stop the Chairman personally from meeting about this serious threat that could allow criminals to track the location of police officers on patrol, victims of domestic abuse, or foreign adversaries to track military personnel on American soil.”

American telecom companies must be thrilled to have a key regulator who has no sense of urgency to do his job, nor any compulsion to hold their feet to the fire.

Apple Releases Smart Battery Cases for iPhone XS, XS Max, and XR

Last time Apple did a battery case, it only worked with the 4.7-inch iPhone 7. The battery life claims for this one on the two larger iPhone models, in particular, are ridiculous. Juli Clover, MacRumors:

Each case provides a varying amount of battery life depending on device. The iPhone XS Battery Case, when paired with the iPhone XS, offers up to 33 hours of talk time, up to 21 hours of internet use, and up to 25 hours of video playback.

The iPhone XS Max with the XS Max Smart Battery Case offers up to 37 hours of talk time, up to 20 hours of internet use, and up to 25 hours of video playback.

The iPhone XR with the XR Battery Case offers up to 39 hours of talk time, up to 22 hours of internet use, and up to 27 hours of video playback.

If you travel a lot, this might just be the quickest purchase you make. Curiously, the iPhone X is not officially supported by the iPhone XS case; I wonder if it’s just a slight difference in the size of the camera cutout — which, I bet, would be trivial to work around — or if there’s some other compatibility roadblock.

Update: Rene Ritchie says that the iPhone X fits in the XS case, more or less, but there are mixed reports about its functionality.

DuckDuckGo Integrates Apple’s MapKit for Location Searches

DuckDuckGo’s press release:

We’re excited to announce that map and address-related searches on DuckDuckGo for mobile and desktop are now powered by Apple’s MapKit JS framework, giving you a valuable combination of mapping and privacy. As one of the first global companies using Apple MapKit JS, we can now offer users improved address searches, additional visual features, enhanced satellite imagery, and continually updated maps already in use on billions of Apple devices worldwide.

With this updated integration, Apple Maps are now available both embedded within our private search results for relevant queries, as well as available from the “Maps” tab on any search result page.

For years, the default choice for developers embedding a map on a website was to use one of Google’s. There have been a couple of alternatives — OpenStreetMap isn’t bad — but none seem like they could shake Google’s dominance quite like Apple’s MapKit JavaScript framework. It’s early days; Apple does not yet have a Maps website where users can easily create custom map embeds, for example. But, for developers, the MapKit framework is a viable choice. It looks great, the data quality really is getting better — albeit very slowly — and it respects users’ privacy.

It’s very cool to see DuckDuckGo as the first major implementation of this framework. I search the web almost exclusively with DuckDuckGo, but one area where it struggled for me was for business searches around me. Because I often forget that I even have a Maps app on my Mac, I would habitually load Google Maps. I should have to do that far less often now.

One thing I noticed is that, while DuckDuckGo’s integration makes use of MapKit everywhere, Apple Maps directions are only available when searching on iOS. I’m not sure if there’s a technical limitation involved; it appears that MapKit’s route API would work fine to return driving directions on the web. Perhaps it’s simply a case of DuckDuckGo not wishing to ask users for their precise location as a privacy measure. I get that, but offloading the task to Bing Maps, by default, for non-iOS users is kind of a clunky workaround.

Bear with me, but, speaking of Google Maps, what the hell happened to that website? At some point, basically everything became a click target, from businesses to neighbourhood names. But Google Maps has also retained the double-click-to-zoom gesture, so every time I try to zoom in, I invariably click on something, which causes that information panel I hid seconds prior to reappear with the hours for a business I don’t care about. In particularly dense cities, using Google Maps requires finding a ten-by-ten pixel square that miraculously does not contain a clickable object.

The only thing I use Google Maps for on a frequent basis is Street View, and they’ve even managed to make that worse. There are so many Photo Sphere images and indoor tours that overlap with Google’s own Street View. It’s a usability nightmare. I can’t imagine a typical Street View user wants to stumble into a grainy immobile snow globe submitted by someone with half their finger on the camera lens.

Update: I got two things wrong on this. The first is that the Directions button connects to Apple Maps on both iOS and MacOS; when I tried it this morning on my Mac, it only displayed the dropdown with options for Bing and other providers. Also, apparently, DuckDuckGo will prompt for a precise location for some queries — though I haven’t been able to trigger the location request dialog — so a reluctance to ask for location can’t be the reason they haven’t implemented the route API.

iTunes Movies and TV Shows Kremlinology

Call it whatever you like — good logic, Kremlinology, or wishful thinking — but this theory from MG Siegler, about the clumsily-named “iTunes Movies and TV Shows” feature coming to Samsung TVs, makes a whole lot of sense to me.

A quick, related thought: imagine Apple does introduce a Netflix-competitive streaming video subscription; and, perhaps, a news subscription, too. A user may well subscribe to both, plus Apple Music, iCloud, and — perhaps — be on the iPhone upgrade plan, too. That’s a lot of discrete monthly payments. A universal subscription that covers, at the very least, all of Apple’s services would be far more elegant; I’d love to see that.

Talking About Big Tech Monolithically Is Missing the Big, More Complex Picture

David McCabe and Scott Rosenberg, Axios:

For several years it has made sense, in some quarters, to lump together the tech giants — chiefly Google, Facebook, Apple, and Amazon, sometimes also including Netflix or Microsoft. But talking about “big tech” is beginning to offer diminishing returns.

[…]

As different pressures come to bear on each of these companies, they are likely to end up taking roads that differentiate them from their competitors — and make “big tech” less useful as an idea or a category.

A suspicion I’ve long harboured is that the bad actors in the tech industry make it much harder to trust any company. I know a few people who refuse to use Touch ID or Face ID on their devices because they’re convinced that their fingerprints and faces are being sent to Apple. The company is also increasingly focused on health, which makes some people skittish. And there’s a fair reason for that; users should be cautious about which companies they’re sharing their most personal details with.

Yet sales of in-home devices from Amazon and Google — with microphones and, in many cases, cameras — are up every year. User tracking is becoming more pervasive and difficult to avoid, and huge data brokers aggregate even more information but are not household names. In a survey last year, more people believed that Amazon and Google care about user privacy than believed that Apple does. This situation is getting worse, not better, and it is eroding confidence that any part of the tech industry can be good.

The last time the tech industry was the subject of widespread worries about trust was in the wake of Edward Snowden’s NSA disclosures. This isn’t external; it can’t be smoothed over by denials or press releases bragging about how secure the databases are. This is internal, and it has effects throughout the industry on good actors and bad. But this discussion needs a greater level of specificity and nuance.

Sources Say Amazon Ring Home Security Videos Were Stored Unencrypted and Were Widely-Accessible Internally

Matt Drange and Reed Albergotti, reporting last month for the Information:

But former employees said that wasn’t always the case, and that when the Kiev office was launched, customer videos were widely shared there. It couldn’t be learned when Ring began to restrict this access. Ring’s terms of service don’t inform customers who opt in to the community watch feature that their videos are used for image-recognition research. Mr. Siminoff said he believed Ring’s disclosures to customers were sufficient.

Ring has had other issues with security. As The Information reported earlier this year, a software flaw allowed former users of shared accounts to continue to view doorbell video.

Ring has added additional security measures since being acquired by Amazon in April. Employees in Ukraine are no longer allowed to download and store videos on their computers, for example. An Amazon spokeswoman didn’t respond to questions about security measures, or what due diligence the company conducted prior to acquiring Ring.

Sam Biddle, reporting today for the Intercept:

At the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s “sense that encryption would make the company less valuable,” owing to the expense of implementing encryption and lost revenue opportunities due to restricted access. The Ukraine team was also provided with a corresponding database that linked each specific video file to corresponding specific Ring customers.

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home. Although the source said they never personally witnessed any egregious abuses, they told The Intercept “if [someone] knew a reporter or competitor’s email address, [they] could view all their cameras.” The source also recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates. Although the engineers in question were aware that they were being surveilled by their co-workers in real time, the source questioned whether their companions were similarly informed.

Davey Alba, of Buzzfeed, on Twitter:

We reported on Orlando PD’s use of Amazon Rekognition in October & discovered Orlando had made a deal with Ring to crowdsource footage from the app. When we asked, Amazon would not commit to keep the data generated by Ring and by Rekognition separate.

Let’s be charitable here: Amazon, at the very least, acquired a company with poor security practices that sells cameras for use inside customers’ homes.

I don’t have any “internet of things” devices — partly because I’m not really able to replace the thermostat or electrical outlets in my rented apartment, and partly because I don’t want to deal with more software updates. But the security and privacy concerns with these kinds of devices are very real, and should not be underestimated. Consumers should have the confidence that buying one of these products will not make their homes less secure or private in exchange for a marginal gain in efficiency.

After Vice Report, AT&T, T-Mobile, and Verizon Say Again They Will Stop Selling Location Data

Two days after Joseph Cox reported that the real-time location of virtually every phone in the United States could be bought with few restrictions, Hamza Shaban and Brian Fung are reporting for the Washington Post that three providers have said that they would stop selling customers’ location data to third parties:

AT&T had already suspended its data sharing agreements with a number of so-called “location aggregators” last year in light of a congressional probe finding that some of Verizon’s location data was being misused by prison officials to spy on innocent Americans. AT&T also said at the time it would be maintaining those of its agreements that provided clear consumer benefits, such as location sharing for roadside assistance services.

But AT&T’s announcement Thursday goes much further, pledging to terminate all of the remaining deals it had — even the ones that it said were actively helpful.

[…]

In characteristic fashion, T-Mobile chief executive John Legere tweeted Tuesday that his firm would be “completely ending location aggregator work” in March. Verizon said in a statement Thursday that it, too, was winding down its four remaining location-sharing agreements, which are all with roadside assistance services — after that, customers would have to give the company permission to share their data with roadside assistance firms. A Sprint spokeswoman didn’t immediately respond to a request for comment.

Legere said last year that T-Mobile would “not sell customer location data to shady middlemen” and promised to “wind down” agreements to share location data. In communications to U.S. Senator Ron Wyden, AT&T and Verizon also promised to stop selling location data last year. Without legislation and enforcement, I doubt shady practices like these will stop.

Facing Slowdown in China, Samsung Copies Apple

Kenichi Yamada, Nikkei Asian Review:

Samsung Electronics’ disappointing fourth-quarter earnings report comes less than a week after Apple cut its revenue estimate, underlining the global repercussions of the Chinese economic slowdown.

Both of the South Korean company’s core businesses — memory chips and smartphones — are facing downturns this year. With no other growth business to fill the hole, Samsung finds itself scrambling to trim the fat.

Samsung said Tuesday that operating profit plunged 29% in the three months ended in December, to 10.8 trillion won ($9.6 billion). The preliminary guidance represents the company’s worst quarter since July-September 2016, with the drop exceeding analyst expectations by 2 trillion won to 3 trillion won.

That second quoted paragraph is particularly interesting: Samsung is doubly exposed because it makes its own consumer electronics and sells components for other companies’ products.

Anyway, it wouldn’t surprise me to see reports like these from several other companies in the coming weeks.

European Regulators Try to Rein in Data Brokers

Aliya Ram and Madhumita Murgia, Financial Times:

Data brokers mine a treasure trove of personal, locational and transactional data to paint a picture of an individual’s life. Tastes in books or music, hobbies, dating preferences, political or religious leanings, and personality traits are all packaged and sold by data brokers to a range of industries, chiefly banks and insurers, retailers, telecoms, media companies and even governments. The European Commission forecasts the data market in Europe could be worth as much as €106.8bn by 2020. 

“The explosive growth of online data has led to the emergence of the super data broker — the ‘privacy deathstars’, such as Oracle, Nielsen and Salesforce, that provide one-stop shopping for hundreds of different data points which can be added into a single person’s file,” says Jeffrey Chester, executive director of the Center for Digital Democracy based in Washington. “As a result, everyone now is invisibly attached to a living, breathing database that tracks their every move.”

Over the past five years, the data broker industry expanded aggressively in what amounted to a virtual regulatory vacuum. The rise of internet-connected devices has fuelled an enhanced industry of “cross-device tracking” that matches people’s data collected from across their smartphones, tablets, televisions and other connected devices. It can also connect people’s behaviours in the real world with what they are doing online. 

The reluctance in virtually every country to restrict the purchase and sharing of user data without explicit consent is a complete regulatory failure. Nobody would tolerate someone asking them to submit a list daily of everything they’ve bought, every page they’ve seen online, every ad they’ve viewed, and everywhere they’ve been — not because that would be a lot of work, but because it would feel invasive. There shouldn’t be a “data market” at all.

Dates and Times With Siri

I love this collection of examples by Dr. Drang of how Siri handles date and time questions. In some instances, its understanding of context is remarkably good; in a few, it’s disappointing. The key point, for me, is something Drang writes at the end:

The upshot is that Siri can be good at date and time math, but it needs the right syntax. Not surprising for a computer program, but not how Siri has been promoted by Apple.

I was chatting with a friend about this. Make no mistake: Siri is far better at parsing different variations of sentence construction than traditional voice control systems. But users must still learn some syntactical tricks to ensure Siri understands the precise intention and context of what is being said.

I also wonder how much of this is because of the English language; many other languages create more rigorously-structured sentences.

Vice Investigation Reveals Obtaining Real-Time Smartphone Location Data Has Virtually No Oversight

Joseph Cox, Vice:

Nervously, I gave a bounty hunter a phone number. He had offered to geolocate a phone for me, using a shady, overlooked service intended not for the cops, but for private individuals and businesses. Armed with just the number and a few hundred dollars, he said he could find the current location of most phones in the United States.

The bounty hunter sent the number to his own contact, who would track the phone. The contact responded with a screenshot of Google Maps, containing a blue circle indicating the phone’s current location, approximate to a few hundred metres.

Queens, New York. More specifically, the screenshot showed a location in a particular neighborhood — just a couple of blocks from where the target was. The hunter had found the phone (the target gave their consent to Motherboard to be tracked via their T-Mobile phone.)

The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

Dell Cameron, Gizmodo:

The story follows reporting last year by the New York Times, which kicked off after Sen. Ron Wyden, a Democrat and privacy hawk of Oregon, revealed the existence of this dubious location-data trade in a letter to the Federal Communications Commission. Through this, we learned about Securus Technologies, a company that profits off inmate phone calls and secretly provided phone-tracking services to low-level law enforcement without so much as a court order.

Securus and other companies, such as those described in Tuesday’s Motherboard story, rely on loose regulations around the aggregation of location data, which can be bought and sold legally for marketing purposes, among other types of services. Numerous companies appear to be exploiting this loophole to quietly offer location services for unsanctioned uses on the cheap, or are otherwise contributing unwittingly through their own negligence to a prosperous underground market.

Let’s set aside the truly diabolical lack of ethics for a moment because there’s something else nagging at me. For the past couple of years, the general public has started to become wise to the privacy nightmare created by companies like Facebook and Google. Frequently, this is expressed by the claim that these companies are “selling users’ data”. That’s wrong — they’re selling advertisements against enormous dossiers of data points — but it has stuck nevertheless as a symbol of how untrustworthy these companies are.

T-Mobile, AT&T, and Sprint apparently want to be more untrustworthy than Facebook and Google when it comes to user data. They’re not just selling ads; they’re selling the location itself. That’s fucked. I read through T-Mobile’s many end-user contracts today and couldn’t find anything that clearly says “you give us permission to sell a third party the location of your phone in association with its number”. Maybe it’s buried in there, translated into some abstruse legalese. But can you imagine having such an abject lack of ethics that you could think selling user location is totally fine?