Tag Archives: bulk data

How They Sold Us Out: Mobile Companies and Data Privacy

Leave a reply

On April 29, 2024, the US Federal Communications Commission (FCC) fined the
nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure. Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million.

The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained.

This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access. Under the law, including section 222 of the Communications Act, carriers are required to take reasonable measures to protect certain customer information, including location information. Carriers are also required to maintain the confidentiality of such customer information and to obtain affirmative, express customer consent before using, disclosing, or allowing access to such information. These obligations apply equally when carriers share customer information with third parties.

“The protection and use of sensitive personal data such as location information is sacrosanct,” said Loyaan A. Egal, Chief of the FCC Enforcement Bureau and Chair of its Privacy and Data Protection Task Force. “

Excerpts from FCC Fines, ATT&T, Sprint, T-Mobile, and Verizon Nearly $200 billion for Illegally Sharing Access to Customers’ Location Data, FCC Press Release, Apr. 29, 2024

If the United States is a Surveillance State How Does it Differ from China?

Leave a reply

In November 2023, Michael Morell, a former deputy director of the Central Intelligence Agency (CIA), hinted at a big change in how the agency now operates. “The information that is available commercially would kind of knock your socks off…if we collected it using traditional intelligence methods, it would be top secret-sensitive. And you wouldn’t put it in a database, you’d keep it in a safe.”

In recent years, U.S. intelligence agencies, the military and even local police departments have gained access to enormous amounts of data through shadowy arrangements with brokers and aggregators. Everything from basic biographical information to consumer preferences to precise hour-by-hour movements can be obtained by government agencies without a warrant.

Most of this data is first collected by commercial entities as part of doing business. Companies acquire consumer names and addresses to ship goods and sell services. They acquire consumer preference data from loyalty programs, purchase history or online search queries. They get geolocation data when they build mobile apps or install roadside safety systems in cars. But once consumers agree to share information with a corporation, they have no way to monitor what happens to it after it is collected. Many corporations have relationships with data brokers and sell or trade information about their customers. And governments have come to realize that such corporate data not only offers a rich trove of valuable information but is available for sale in bulk.

Earlier generations of data brokers vacuumed up information from public records like driver’s licenses and marriage certificates. But today’s internet-enabled consumer technology makes it possible to acquire previously unimaginable kinds of data. Phone apps scan the signal environment around your phone and report back, hourly, about the cell towers, wireless earbuds, Bluetooth speakers and Wi-Fi routers that it encounters….The National Security Agency recently acknowledged buying internet browsing data from private brokers, and several sources have told me about programs allowing the U.S. to buy access to foreign cell phone networks. Those arrangements are cloaked in secrecy, but the data would allow the U.S. to see who hundreds of millions of people around the world are calling.

Car companies, roadside assistance services and satellite radio companies also collect geolocation data and sell it to brokers, who then resell it to government entities. Even tires can be a vector for surveillance. That little computer readout on your car that tells you the tire pressure is 42 PSI? It operates through a wireless signal from a tiny sensor, and government agencies and private companies have figured out how to use such signals to track people…

It’s legal for the government to use commercial data in intelligence programs because data brokers have either gotten the consent of consumers to collect their information or have stripped the data of any details that could be traced back to an individual. Much commercially available data doesn’t contain explicit personal information. But the truth is that there are ways to identify people in nearly all anonymized data sets. If you can associate a phone, a computer or a car tire with a daily pattern of behavior or a residential address, it can usually be associated with an individual.

And while consumers have technically consented to the acquisition of their personal data by large corporations, most aren’t aware that their data is also flowing to the government, which disguises its purchases of data by working with contractors. One giant defense contractor, Sierra Nevada, set up a marketing company called nContext which is acquiring huge amounts of advertising data from commercial providers. Big data brokers that have reams of consumer information, like LexisNexis and  Thomson Reuters, market products to government entities, as do smaller niche players. Companies like Babel Street, Shadowdragon, Flashpoint and Cobwebs have sprung up to sell insights into what happens on social media or other web forums. Location data brokers like Venntel and Safegraph have provided data on the movement of mobile phones…

A group of U.S. lawmakers is trying to stop the government from buying commercial data without court authorization by inserting a provision to that effect in a spy law, FISA Section 702, that Congress needs to reauthorize by April 19. The proposal would ban U.S. government agencies from buying data on Americans but would allow law-enforcement agencies and the intelligence community to continue buying data on foreigners…But many in the national security establishment think that it makes no sense to ban the government from acquiring data that everyone from the Chinese government to Home Depot can buy on the open market. The data is valuable—in some cases, so valuable that the government won’t even discuss what it’s buying. “Picture getting a suspect’s phone, then in the extraction [of data] being able to see everyplace they’d been in the last 18 months plotted on a map you filter by date ranges,” wrote one Maryland state trooper in an email obtained under public records laws. “The success lies in the secrecy.”

For spies and police officers alike, it is better for people to remain in the dark about what happens to the data generated by their daily activities—because if it were widely known how much data is collected and who buys it, it wouldn’t be such a powerful tool. Criminals might change their behavior. Foreign officials might realize they’re being surveilled. Consumers might be more reluctant to uncritically click “I accept” on the terms of service when downloading free apps. And the American public might finally demand that, after decades of inaction, their lawmakers finally do something about unrestrained data collection.

Excerpts from Byron Tau, US Spy Agencies Know Your Secrets. They Bought Them, WSJ, Mar. 8, 2024

See also Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State by Byron Tau (published 2024).

What Do You Do When You Are Up for Sale?

Leave a reply

Under an executive order issued on February 28, 2024, specific classes of Americans’ sensitive data, including genomic, biometric, personal health, geolocation, financial and certain types of personal identifiers, will generally be barred from being sold or transferred in vast tranches to “countries of concern” or vendors known to supply data to them. The countries of concern are China, Russia, North Korea, Iran, Cuba and Venezuela, and have a record of misusing data on Americans, an official said.

In 2023, the U.S. intelligence community issued a groundbreaking report acknowledging that the vast amount of Americans’ personal data available for sale, which are often bought and repackaged by data brokers and then resold through a labyrinthine ecosystem of vendors and resellers, has provided a valuable stream of intelligence for the U.S. government and adversaries alike. The report, commissioned by Director of National Intelligence Avril Haines, admitted that such streams created significant threats to privacy, and had rapidly grown in scale such that they had begun to replicate the results of intrusive surveillance techniques, such as hacking, that are typically more targeted.

The executive order is notably silent on the purchasing of commercially available data sets by the U.S. government.

Excerpts from Dustin Volz, U.S. Limits Sales of Americans’ Personal Data to China, Other Adversaries, WSJ, Feb. 129, 2024

Unstoppable: How the FBI Mines Personal Information

Leave a reply

The Federal Bureau of Investigation’s access to a controversial intelligence trove of intercepted emails, texts, and other electronic data should be curtailed following serial missteps that have damaged public and congressional trust in the surveillance tool, a White House panel of intelligence advisers has concluded. in July 2023. The recommendation and others made by the panel come as a challenge to the Biden administration, which has spent months aggressively lobbying lawmakers to preserve the spying program, which is set to expire at the end of 2023. At issue is the FBI’s access to a cache of data collected under what is known as Section 702 of the Foreign Intelligence Surveillance Act.(FISA)..Top Biden administration officials have said the program—classified details of which were revealed 10 years ago by former intelligence contractor Edward Snowden—is among the most vital national security tools in their possession, critical to preventing terrorism, thwarting cyberattacks and understanding the aims of adversaries such as China and Russia. It allows the National Security Agency to siphon streams of electronic data from U.S. technology providers such as Meta and Apple. The data, collected in intelligence repositories, can then be searched without a warrant by spy agencies including the FBI, which has a robust counterintelligence mission.

The board was critical of the FBI’s history of wrongfully plumbing American data in the Section 702 trove, which have included improper searches of George Floyd protesters and sitting lawmakers, and said reforms needed to be adopted and codified in law.

Excerpts from Dustin Volz, FBI Access to Spying Tool Should Be Restricted, Panel Advises, WSJ, July 31, 2023
See also pdf

Who Cares? Clicking Away Privacy Rights

Leave a reply

The latest developments in a high-profile criminal probe by  US special counsel John Durham show the extent to which the world’s internet traffic is being monitored by a coterie of network researchers and security experts inside and outside the US government. The monitoring is made possible by little-scrutinized partnerships, both informal and formal, among cybersecurity companies, telecommunications providers and government agencies.

The U.S. government is obtaining bulk data about network usage, according to federal contracting documents and people familiar with the matter, and has fought disclosure about such activities. Academic and independent researchers are sometimes tapped to look at data and share any findings with the government without warrants or judicial authorization…

Unlike the disclosures by former intelligence contractor Edward Snowden from nearly a decade ago, which revealed U.S. intelligence programs that relied on covert access to private data streams, the sharing of internet records highlighted by Mr. Durham’s probe concerns commercial information that is often being shared with or sold to the government in bulk. Such data sets can possess enormous intelligence value, according to current and former government officials and cybersecurity experts, especially as the power of computers to derive insights from massive data sets has grown in recent years.

Such network data can help governments and companies detect and counter cyberattacks. But that capability also has privacy implications, despite assurances from researchers that most of the data can’t be traced back to individuals or organizations.

At issue are several kinds of internet logs showing the connections between computers, typically collected on networking devices such as switches or routers. They are the rough internet equivalent of logs of phone calls—showing which computers are connecting and when, but not necessarily revealing anything about the content of the transmissions. Modern smartphones and computers generate thousands of such logs a day just by browsing the web or using consumer apps…

“A question worth asking is: Who has access to large pools of telecommunications metadata, such as DNS records, and under what circumstances can those be shared with the government?…Surveillance takes the path of least resistance…,” according to Julian Sanchez, a senior fellow at the Cato Institute.

Excerpts from Byron Tau et al., Probe Reveals Unregulated Access to Data Streams, WSJ, Feb.. 28, 2022