American carriers have long been accused of tracking users without their consent. Now, a new report shows that the phone tracking activities of carriers may be much worse than expected.
In 2016, Verizon was punished by the FCC when the carrier was caught injecting information into its subscribers’ traffic, allowing subscribers to be tracked without their consent.
Despite the FCC’s punishment, a new report shows that practice is still alive and well. Despite being disallowed in a ruling from March 2016, companies can still effectively buy customer information from carriers.
In a blog post earlier this week, Neustrom found a pair of websites that, if visited from a mobile data connection, report back immediately with full details about the customer.
How It Works
Neustrom began his blog post with a link to a simple website: https://bit.ly/crazymobiledemo
When you open that link on your mobile device, you’re in for a scary experience.
That website has since been taken down. However, prior to its removal, you could click “Begin” on the website, enter a zip code, then click “See Underlying Data”. Within seconds, you’re looking at your home address, phone number, cell phone contract details, and even latitude and longitude describing your position.
On another, similar website, you don’t even need to enter a zip code: https://bit.ly/mobilescary
According to Neustrom, the customer’s full name, billing zip code, current location (based on cell tower data), and other information is revealed through the websites.
This wasn’t just Verizon. Instead, the SMS tracking exploit seemed available on every carrier, although the results varied between carrier.
The exploit, however, can be linked back to a unique technology used by Verizon called Unique Identifier Head.
Verizon and Other Carriers Could Be Selling Customer Data to Any Company Willing to Buy It
The issue seems to be related to Verizon’s Unique Identifier Header, or UIDH. Here’s how TechCrunch explained the exploit:
“The UIDH was appended to HTTP requests made by Verizon customers, allowing websites they visited to see their location, billing data and so on (if they paid Verizon for the privilege, naturally). The practice, in common use by carriers for a decade or more, was highlighted in the last few years and eventually the FCC required Verizon (and by extension other mobile providers) to get positive consent before implementing.”
This isn’t necessarily a scam. The data can be useful for a number of different reasons. An administrator might want to make sure an employee’s phone is in their reported location, for example. Or, companies might skip the password and use the UIDH to verify a login request.
Some companies do use it for these purposes – including Payfone and Danal. With both companies, users must opt in to this type of tracking. Payfone, in a statement, also said they have “a very rigorous framework of security and data privacy consent” in place to protect customers.
Those “data privacy consent” standards sound good. Unfortunately, “mobile providers don’t appear to be working very hard to verify that consent,” according to the TechCrunch report. The two websites listed above provide demos of the functionality. The websites ping mobile providers for data, then present it.
There’s no text or email asking for permission from your carrier. That information is just given away.
As TechCrunch explains, this opens up the possibility to carriers selling your information for a profit:
“Without rigorous consent standards, mobile companies may as well be selling the data indiscriminately the same way they were before advocacy groups took them to task for it. For now there doesn’t appear to be a way to officially opt out.”
Conclusion: Yes, Carriers Track Your Data
Ultimately, it’s no secret that carriers track your phone. However, this issue opens up the possibility of carriers not only tracking your data – but selling that data to third parties. That’s a frightening possibility – and it’s one for which the FCC punished Verizon last year.
If you want to track your phone in a legal and easy way, download SpyStealth. It works within minutes to track SMS messages and other smartphone activity. From kids to spouses, you can track virtually any smartphone.