The U.S. wireless industry is now facing its own version of a Cambridge Analytica-style public relations disaster.
Specifically, a hack into the website of a company called LocationSmart reportedly allowed anyone to obtain real-time location information for any mobile device from AT&T, Verizon, T-Mobile and Sprint. As reported by security researcher Brian Krebs and ZDNet, an “elementary bug” on the try-it-before-you-buy-it page on LocationSmart’s website could be exploited so that anyone could essentially obtain real-time location information on everyone who is carrying their phone in their pocket.
"I had a friend who was driving around Hawaii and [with permission] pinged the location and I could watch the marker move around the island. It's the kind of thing that sends chills down your spine," researcher Robert Xiao from the Human-Computer Interaction Institute at Carnegie Mellon University told ZDnet.
Beyond Cambridge Analytica
Clearly, this could turn into a major problem for the wireless industry. Wireless network operators are essentially the gatekeepers of this kind of information, and in this case they’ve failed.
The result is the exposure of perhaps the single most important piece of information that wireless carriers collect: your current location.
I also want to point out that this isn’t a new problem for the wireless industry. I wrote about this very topic in 2013. At the time I profiled a company called AirSage, which operated a business exactly like LocationSmart: It collected real-time location information from the nation’s wireless carriers and then sold that information.
“Big data vendors, and wireless carriers specifically, should tread carefully,” I wrote of the situation.
And now here we are, five years later, and the nation’s wireless carriers are going to have to explain to the wider public—as well as lawmakers who are looking into the issue—how exactly they created a business selling the location information of their users and how exactly that business resulted in the current LocationSmart debacle.
Indeed, today’s LocationSmart situation draws clear parallels to Cambridge Analytica, which improperly used data of 87 million Facebook users beginning in 2014. While the data involved in the Cambridge Analytica situation likely included things like political affiliation, relationships and photos, I would argue that real-time location is far more concerning.
Furthermore, today’s LocationSmart situation actually stems from another recent location security breach. The New York Times wrote earlier this month that Securus Technologies had been selling or giving away location data to a sheriff’s office in Mississippi County, Missouri, without court order or any kind of authorization. In fact it was that report that drove Xiao to begin poking around on LocationSmart’s website.
So how are the nation’s wireless operators responding to what might be a major public relations issue? So far things are pretty tepid.
"We have taken steps to ensure that Securus can no longer access location information about Verizon Wireless customers,” a Verizon representative told me in response to my questions on the LocationSmart articles. “Maintaining customer privacy is a top priority for the company. We have initiated a review of this entire issue. We will do what it takes to ensure that private customer location information is protected and secure.”
“We take the privacy and security of our customers’ data very seriously,” T-Mobile told me. “We have addressed issues that were identified with Securus and LocationSmart to ensure that such issues were resolved and our customers’ information remains is protected. We continue to investigate this.”
Neither company responded to my question about what other firms besides Securus and LocationSmart they are selling their location data to.
Not surprisingly, lawmakers are beginning to take notice. Sen. Ron Wyden, D-Ore., wrote to the FCC about the Securus situation and told Krebs today about the LocationSmart news that “this leak, coming only days after the lax security at Securus was exposed, demonstrates how little companies throughout the wireless ecosystem value Americans’ security.”
Now, to be clear, users’ location information has long been a source of concern. After all, virtually all of today’s smartphones sport GPS location data, and users can pretty easily give that data to third parties like Uber or Facebook via app permissions in iOS and Android. And there have been a number of location information dustups in recent years involving Apple and others and how they use that data.
Further, it’s worth noting that wireless operators have to collection users’ location information in order to properly manage their networks. After all, how can they move a signal from one tower to another without location data?
The problem here, however, is that the nation’s wireless carriers are selling their location data to third parties like LocationSmart. While that business likely is well covered in their terms of service, it’s still a business for which, ultimately, they have to take responsibility.
And in this case, the nation’s wireless carriers don’t appear to have done that. Thus, I suspect the situation will get worse before it gets better.
This article originally appeared on FierceWireless.com and can be found here