I thought I understood the extent to which the broad availability of mobile location data has exacerbated countless privacy and security challenges. That is, until I was invited along with four other publications to be a virtual observer in a 2-week test run of Babel Street, a service that lets users draw a digital polygon around nearly any location on a map of the world, and view a time-lapse history of the mobile devices seen coming in and out of the area.

The issue isn't that there's some dodgy company offering this as a poorly-vetted service: It's that *anyone* willing to spend a little money can now build this capability themselves.

I'll be updating this story with links to reporting from other publications also invited, including 404 Media, Haaretz, NOTUS, and The New York Times. All of these stories will make clear that mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees.

https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

The Global Surveillance Free-for-All in Mobile Ad Data – Krebs on Security

Other reporting on this:

404 Media's take: https://www.404media.co/inside-the-u-s-government-bought-tool-that-can-track-phones-at-abortion-clinics/

NOTUS: https://www.notus.org/technology/cell-phone-tracking-law-enforcement-abortion-clinic

Haaretz (English version should be available in a few hours): https://www.haaretz.co.il/news/security/2024-10-23/ty-article-magazine/.premium/00000192-b90c-dc97-a593-f96f50800000

Not sure when the NYT will be publishing. My impression was they were planning to cover the regulatory side of this in detail.

Inside the U.S. Government-Bought Tool That Can Track Phones at Abortion Clinics

Privacy advocates gained access to a powerful tool bought by U.S. law enforcement agencies that can track smartphone locations around the world. Abortion clinics, places of worship, and individual people can all be monitored without a warrant.

404 Media

From the story:

"Georgetown Law's Justin Sherman said the data broker and mobile ad industries claim there are protections in place to anonymize mobile location data and restrict access to it, and that there are limits to the kinds of invasive inferences one can make from location data. The data broker industry also likes to tout the usefulness of mobile location data in fighting retail fraud, he said.

"All kinds of things can be inferred from this data, including people being targeted by abusers, or people with a particular health condition or religious belief," Sherman said. "You can track jurors, law enforcement officers visiting the homes of suspects, or military intelligence people meeting with their contacts. The notion that the sale of all this data is preventing harm and fraud is hilarious in light of all the harm it causes enabling people to better target their cyber operations, or learning about people's extramarital affairs and extorting public officials."

@briankrebs And when assertions are made about the safety of anonymous or anonymized data sets one should think back to Lance Hoffman's piece in the 1970s about "Extracting Personal Information From An Anonymous Database" (or similar title.) (I would give a citation, but I can't find it online.)

@briankrebs
NYT is probably figuring out spin on how it hurts Biden's reelection chances.

@briankrebs @pluralistic This feels exactly like something Masha and Zoth would have done.

@briankrebs The government simply can get all the data from Google. They've been collecting that data for years with everyone's consent.

So maybe this is an opportunity to finally get the people to wake up and see that the statement "I don't care, they can have my data, I've got nothing to hide" can one day bite you in the ass and you don't even know it yet.

EFF and everybody else was warning about this for like forever.

So if you want an abortion or do other crime, leave your phone at home.

Location tracking of phones is out of control. Here’s how to fight back.

Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew?

Ars Technica

This story gave me an opportunity to link to this incredible report from Politico on academic research that showed how the mobile advertising data they acquired allowed them to link visits from investigators with the U.S. Securities and Exchange Commission (SEC) to insiders selling stock before the investigations became public knowledge.

The researchers in that study said they didn’t attempt to use the same methods to track regulators from other agencies, but that virtually anyone could do it.

https://www.politico.com/newsletters/digital-future-daily/2024/09/23/tk-alfred-top-00180521

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4941708

@briankrebs The correct amount of commercial data-brokerage for America is zero.

https://pluralistic.net/2024/09/19/just-stop-putting-that-up-your-ass/#harm-reduction

Pluralistic: Thinking the unthinkable (19 Sep 2024) – Pluralistic: Daily links from Cory Doctorow

@briankrebs Very good. And what happens when you do that on locations in the EU? If that works in the EU then this falls afoul of GDPR regulations
@rozeboosje @briankrebs I would also love to know. Let's see if our regulations are actually being acted on (and enforced)....

@jmason
Some of them are already. Fines and whatnot. I believe.

@rozeboosje @briankrebs

@rozeboosje I believe the investigators said the platform they had access to also included location data on mobile users throughout Europe.
@briankrebs @rozeboosje this is, AFAIK, a gross violation of EU's regulations. the @EUCommission must be informed, investigate and act accordingly.
@briankrebs we truly live in a terrifying world

@briankrebs This is pretty scary.

Apple used to have the ‘reset personal identifier’ option. Now it has a toggle for no private ads.
Is this meaningful? (Aside from hitting FB's bottom line.)
Or has that anonymization / less accurate location made for an identifier that has just not been engineered yet?
Are most all location services prone to this kind of exploit eventually?
Scary article for sure.

@briankrebs First…. Terrifying. Second, I’m glad my paranoia about giving apps location / local network access is justified. Going to go review the list of apps with location access again.
@briankrebs I have disabled sharing of IDFA in iOS. Does this mean, location data for me could exist, but it can’t be used to create a profile and possibly identify me?
@briankrebs I'd love to show this to some people who said I was a doomsayer back in the day, when I told people this is where all that tracking crap will lead to. They'd probably still shrug and repeat their favourite truism of "if you got nothing to hide, you got nothing to fear" 🫣

@gilgwath
"Unlock your phone and give it to me then. Oh you don't trust me? But you trust a stranger? Thanks a lot"

@briankrebs

@gilgwath @briankrebs If you care to respond to people who say that, tell them privacy is about basic dignity not guilt, and let them try to square that with their moral code!
@briankrebs How about Linux phones and the like? I have a phone that has hardware switches that are accessible even when the phone is on, and the modem stays hard off most of the time. Of course, I don't use it very often anyways.

@ilikecats
As some others have said, it's a feature of accessing the masts, so if you can make and receive calls you have this problem.

@briankrebs

@briankrebs
> the problem is that anyone with enough money can build this capability themselves

I'd argue that if anyone in the world has that capability, that's already a problem.

You don't want your own government to have that capability, at least not without a warrant.

And you don't want the data to be in a place where some other state which does not give a fuck about your law can break into and use that to influence elections or start a war.

So that data must not exist.

@briankrebs people ask in surprise why I’m frantically working to leave the US if the government flips…
@hacks4pancakes @briankrebs wherever you wind up, they’ll also ask you why you left. Everyone knows Trump and how dangerous he is, but people elsewhere have a hard time imagining leaving a U.S. salary. It’s always the first thing that gets brought up. I think many young people outside the U.S. don’t understand just how dangerous it will become (and already is to some degree) for minorities, women, and anyone who opposes the government.
Then we tell them how much it cost for my wife to have a baby and they’re like WHAT?! 😂
@eviljarred yea… we get paid more but I spend thousands on medical care as a healthy person with decent insurance

@hacks4pancakes @eviljarred

I would surmise people outside of the US would easily understand why one emigrated with the orange man back in power.

@locksmithprime @hacks4pancakes they understand that he is bad but many people I talk to just sort of imagine that you can still get by day to day, live a good life, ignore politics, and it will all be fine.

They aren't thinking about your friends, family, coworkers, etc. that you have to watch suffer through this.

Additionally many of them are CIS white males.

Of course you can't generalize everyone outside of the US but I have this conversation a lot.

@eviljarred @hacks4pancakes

Indeed that is how I thought before I came to the US: differences between Democrats and republicans were in policies, but the baseline was similar and one could go through life without immense impacts. More conservative, less conservative, but in general respect to law, principles, integrity, work for the people.

Then the orange man happened. My naiveté, gone.

@eviljarred
US has never been high on my list, but you wouldn't be able to pay me to visit if that happened.

@locksmithprime @hacks4pancakes

@hacks4pancakes Yeah, some people may ask, but most would just nod and offer you a drink. We have some experience due to Brexit supplying us with some good people @briankrebs

@hacks4pancakes @briankrebs

Come to Germany. We have Bratwurst and Autobahns. 😊

@Ollivdb
But maybe wait till next year before making a decision. The AFD is equally scary, and if they end up king makers..

@hacks4pancakes @briankrebs

@econads @hacks4pancakes @briankrebs

Yep. Then I would prefer Norway. They have huskies 😊

@Ollivdb @briankrebs I’m one generation off from birthright, it’s so sad. But I don’t speak German.
@hacks4pancakes I moved to Germany from California about eight and a half years ago not knowing German and learning it as I go. It's doable. @Ollivdb @briankrebs
@hacks4pancakes @briankrebs I'm honestly considering it, but I just don't know where I'd be welcomed / even useful.
@briankrebs Well this is pretty scary not gonna lie.
Especially when paired with the sidewalk surveillance posts.

@briankrebs nothing bad could happen here, right?

This is far beyond what Orwell could have even imagined. No one agreed to this, no debates were held, and, I suspect, most would oppose such surveillance vigorously. We need enforceable national privacy protections.

@adressel @briankrebs

"...Babel Street’s LocateX platform also allows customers to track individual mobile users by their Mobile Advertising ID or MAID, a unique, alphanumeric identifier built into all Google Android and Apple mobile devices...."

LOL tracking your unique identifier is a built-in-feature of your phone? LOL. (not surprised, but tells you a lot).

@adressel @briankrebs

"One unique feature of Babel Street is the ability to toggle a “night” mode, which makes it relatively easy to determine within a few meters where a target typically lays their head each night (because their phone is usually not far away)."

@briankrebs This is alarming.
Is bound to be misused by all kinds of players - Government, corporate or otherwise.