May 19, 2018 7:00 AM

A Location-Sharing Disaster Shows How Exposed You Really Are

The failures of Securus and LocationSmart to secure location data are the failures of an entire industry.

Image may contain Tarmac Asphalt Human Pedestrian Person Road and Intersection

There are plenty of guides available on how to protect your data, how to secure yourself online, and how to stop digital snoops from tracking you across the web and then profiting from that intrusion. (Sorry, “monetization”.) You should do these things. But if a cascading series of revelations this past week has taught us anything, it's that all of those steps amount to triage. The things you can control add up to very little next to the things you can’t.

It’s an obvious point, especially if you follow the privacy headlines. But a recent example of location-tracking gone wrong—in fairness, it rarely goes right—that unfolded over the last week or so underscores the severity of what you’re up against.

On May 10, a New York Times report detailed a service, called Securus, that allegedly allowed a former sheriff to track people’s location, practically in real time, without a court order. Securus technically requires legal documentation that authorizes use of its services. But US senator Ron Wyden (D–Oregon) says Securus told his office that the company “never checks the legitimacy of those uploaded documents” and that it does not feel obligated to do so. It offers a rubber stamp, then, to letting people know where virtually anyone in the US is standing at any given moment.

On the heels of that report, ZDNet detailed how all four major US carriers sell location data to companies you’ve never heard of, without your explicit permission. In this specific case, Securus bought its access from a location aggregator called LocationSmart, which in turn bought it from the telecoms. All of these corporate relationships are arguably legal.

"We don’t really have federal laws that are focused on that backend sale of personal data," says Alan Butler, senior counsel at the Electronic Privacy Information Center. "A lot this is just the Wild, Wild West, honestly. That’s why the companies do whatever they want."

That alone would be cause enough for alarm. There’s no opt-out for any of this location sharing. It happens simply by dint of having a cell phone plan. In a very real sense, you’re powerless to prevent your location being used as chattel. Google knows where you are most of the time too, but at least it lets you turn off location tracking and delete your history. The company also ostensibly uses the information to help Google Maps, search, and other services that benefit consumers to some degree. The only value AT&T and Verizon create by selling location data to brokers lands on their bottom line.

Also, it gets worse.

By Wednesday, hackers breached Securus, passing some of the data on its servers—including usernames, email addresses, and hashed passwords—along to tech site Motherboard. On Thursday, security reporter Brian Krebs revealed that LocationSmart had a security meltdown of its own; while the company says it abides by privacy best practices, including a requirement that someone give consent before being tracked, Carnegie Mellon researcher Robert Xiao discovered that a bug on its website allowed anyone to locate around 200 million people in the US without their knowledge.

“LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process,” the company said in a statement Friday. LocationSmart says also that the bug has been fixed, and that it had not been exploited prior to Xiao’s discovery. When asked how it could be sure that Xiao was the first to exploit the bug, LocationSmart told WIRED that it “reviewed its historical logs.”

Xiao urges some skepticism regarding that last claim. “I would be curious to know how they know that,” he says. “The attack flow looks fairly normal. If they looked at their server logs, it would be hard to distinguish what I was doing from normal use.”

Regardless, the absence of exploits wouldn’t excuse the sloppiness that created the bug in the first place. Xiao says it took only about 15 minutes of prodding to discover it, and that it stems from an unused feature that the company apparently never bothered to secure. It’s an unconscionable lapse, especially given the sensitive nature of LocationSmart’s business.

“I’d almost prefer that they didn’t have access to this in the first place, that this business model didn’t exist,” Xiao says. “But if they’re going to have this data and a claim to use it, then they absolutely have a responsibility to make sure it’s locked up tighter than Fort Knox.”

It’s a responsibility LocationSmart, and so many others who hold onto your data, abdicated. “Because they value profits above the privacy and safety of the Americans whose locations they traffic in, the wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone,” Senator Wyden said in a statement Friday. “The dangers from LocationSmart and other companies are limitless. If the FCC refuses to act after this revelation then future crimes against Americans will be the commissioners' heads.” (An FCC spokesperson says "the matter is being referred to the Enforcement Bureau," with no further comment.)

Wyden’s office also confirmed that none of the four major carriers have responded to letters he sent last week, asking each of them to audit which third parties have access to location information, if and how their customers consented, and urging safeguards to better manage the fallout of these incidents.

You couldn’t hope for a much better encapsulation of the hopeless state of data privacy in the US today. You can see the same casual security sloppiness with which LocationSmart and Securus treated your location in the countless exposed databases—revealing everything from personal information to voter records—or in the extremely, entirely, embarrassingly preventable Equifax breach. The same system that allows AT&T, Verizon, T-Mobile, and Sprint to sell your location to companies you’ve never heard of also allows thousands of barely regulated, shadowy data brokers to know everything about not just where you are but who you are and what you do online. And lack of tangible progress, the sense that this has all happened before and will happen again, the resignation; that’s the cumulative effect of years of breaches and leaks and carelessness that make this all feel so futile. This keeps happening and keeps not getting fixed.

"No one takes the lead," Butler says. "People acknowledge that it’s a problem, but no individual consumer has any power to do anything about it. And where in the system does the solution come from?" Laws do restrict what consumer-facing companies can do with your data, but the data broker industry has largely slipped through the cracks. And without a centralized agency taking the lead on privacy in the US, or an omnibus law like Europe's GDPR to act as a wider safety net, that's not going to change.

None of which means you should give up. You should still follow those guides and adjust those settings. But you should also know that better privacy can only come if and when companies respect you enough to grant it. And if they continue not to, your only option is to yell loudly enough—at the FCC, at lawmakers, at anyone who will listen—that they no longer have a choice.