You may remember that last year, Verizon (which owns Oath, which owns TechCrunch) was punished by the FCC for injecting information into its subscribers’ traffic that allowed them to be tracked without their consent. That practice appears to be alive and well despite being disallowed in a ruling last March: companies appear to be able to request your number, location, and other details from your mobile provider quite easily.
The possibility was discovered by Philip Neustrom, co-founder of Shotwell Labs, who documented it in a blog post earlier this week. He found a pair of websites which, if visited from a mobile data connection, report back in no time with numerous details: full name, billing zip code, current location (as inferred from cell tower data), and more. (Others found the same thing with slightly different results depending on carrier, but the demo sites were taken down before I could try it myself.)
It appears to be similar to the Unique Identifier Header used by Verizon. The UIDH was appended to HTTP requests made by Verizon customers, allowing websites they visited to see their location, billing data and so on (if they paid Verizon for the privilege, naturally). The practice, in common use by carriers for a decade or more, was highlighted in the last few years and eventually the FCC required Verizon (and by extension other mobile providers) to get positive consent before implementing.
Now, this is not to say that the whole thing is some huge scam: that data could be very useful for, for instance, an administrator who wants to be sure that an employee’s phone is actually in the location their IP seems to indicate. Why bother with a text-based one time password if a service can verify you’re you by querying your mobile provider? It’s at least a reasonable possibility.
And that’s what companies like Payfone and Danal are using it for; furthermore, users of their services would by definition be opting into this kind of tracking, so there’s no problem there.
I asked Payfone CEO Rodger Desai for a little clarification. He wrote back in an email:
There is a very rigorous framework of security and data privacy consent. The main issue is that with all the legitimate mobile change events fraudsters get in… For example, if you download a mobile banking app today, the bank is not sure if it is you on your new phone or someone acting as you – the fraudster only needs your bank password. PC techniques like certificates and device printing don’t work well – since it is a new phone.
But as Neustrom found out, mobile providers don’t appear to be working very hard to verify that consent. Both sites provide demos of their functionality, pinging mobile providers for data and presenting it to you.
Of course, if you want the demo to work, you kind of opt into the tracking as well. But where’s the text or email from the mobile provider asking you for verification? It seems that this kind of request could be made fraudulently by many means, since the providers don’t verify them in any way other than a few programmatic ones (matching IPs, etc).
Without rigorous consent standards, mobile companies may as well be selling the data indiscriminately the same way they were before advocacy groups took them to task for it. For now there doesn’t appear to be a way to officially opt out — but there also doesn’t appear to be a clear and present danger, such as an obvious scammer or wholesaler using this technique.
I’ve asked T-Mobile, AT&T, and Verizon whether they participate in this kind of program, providing subscriber details to anyone who pays — and who, in turn, may provide to to others. I’ve also asked the FCC if this practice is of concern to them. I’ll update this post if I hear back.