Mobile carriers sell users’ personal information to third parties

Some U.S. mobile carriers seem to be providing personal information, such as your name, address and the real-time location of your phone, to mobile authentication companies. Although it is doubtful you willfully agreed to this, you are most likely opted-in, as this is supposedly being done for security — for fraud detection purposes.

The discovery that mobile phone companies provide API access to personal information was made by software engineer Philip Neustrom. He provided two demo links to mobile authentication companies Danal and Payfone as proof.

Had Danal not taken down the link after publication, then visiting https://bit.ly/crazymobiledemo on your phone while Wi-Fi was turned off and then inputting your ZIP code would have shown “your home address, phone number, cell phone contract details, and  —  depending on what kind of cell phone towers you’re currently connected to  —  a latitude and longitude describing the current location of your cell phone.”

Payfone’s demo, https://bit.ly/mobilescary, which was also taken down, didn’t even require a ZIP code before returning your personal information that is on file at your mobile carrier.

Before the companies could yank the demos, thousands of people tested them out and then confirmed it worked via Twitter, Hacker News and other sites.

Mobile identity APIs used by AT&T and Verizon

Neustrom explained that AT&T launched its Mobile Identity API in 2013, and Verizon followed suit later. The data is available to companies that pay for enterprise contracts with the mobile carriers.

“These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required),” wrote Neustrom. “These services are doing this with the assistance of the telco providers.”

Payfone struck a deal with AT&T in December 2013. After publication of Neustrom’s article, Payfone made its API documentation private; an archived version of the previously public API documentation can be found here.

Data provided without user consent

Did you even consent to that? In some cases, it doesn’t seem to matter. For example, when looking at Payfone’s documentation, the example URL request shows “ConsentStatus”:”optedIn” — but the description under product certification makes it very plain to understand: “The consent-based services are always optional, meaning you will still receive data back from the Payfone APIs even if consent is not provided.” The API even allows for batch lookups.

Payfone CEO Rodger Desai tried to clarify the process, telling TechCrunch:

There is a very rigorous framework of security and data privacy consent. The main issue is that with all the legitimate mobile change events fraudsters get in… For example, if you download a mobile banking app today, the bank is not sure if it is you on your new phone or someone acting as you — the fraudster only needs your bank password. PC techniques like certificates and device printing don’t work well — since it is a new phone.

Danal and AT&T did a joint presentation showing how it works back in 2014, but after this hit the news, the YouTube video was taken down, too. A live demo during a 2015 AT&T presentation (pdf) provided the link demo.billtomobile.com to show what data can be retrieved, gave a “brief history” of Danal, and suggested possible use cases that range from risk and fraud detection to checkout autofill to “covert visits into sales” and “reduce chargebacks.”

Danal’s legal page states: “The location service is available only on AT&T, T-Mobile, Sprint, Verizon Wireless and US Cellular.”

After claiming mobile phone user privacy is “extremely important,” it adds, “location coordinates for your mobile device are only gathered after the mobile phone user has consented to use of location information. Location coordinates (longitude, latitude, and radius) will be obtained only when we have proper authorization from the user.”

But again, did you actually consent?

At least one Twitter user pointed out that AT&T said to opt out under privacy choices, but Neustrom said he did opt out and it did nothing to stop his data from showing up.

A commenter on Hacker News claimed, “I have Verizon Wireless and have opted out of all of the options on their account privacy page a long time ago (at least a year), but I still show up in these tests.”

As Neustrom pointed out, we learned in 2003 that AT&T was providing the DEA and other law enforcement agencies with access to real-time phone metadata — no warrant required.

But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services — not just federal law enforcement officials — who are then selling access to that data.

Given the trivial “consent” step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight.