The Federal Communications Commission is planning to open an investigation into how a bug in a data aggregator’s website gave anyone the power to get up-to-the-minute location data for a huge number of mobile phones. The investigation could provide a window into the practices of both data aggregators and the companies they do business with, and, depending on which rocks the FCC decides to kick over, a look at the enormous private surveillance industrial complex in the United States.
Last week, a security researcher disclosed a flaw in the website of LocationSmart, a firm that provides location services for enterprises, that could enable anyone to locate a mobile device using only a phone number. The bug was in a demo application on the site. Researcher Robert Xiao of Carnegie Mellon University found that by modifying a single parameter in the request the demo tool sends to track a given phone number, he could retrieve the full location data for the device without the intended consent prompt ever being delivered to the target handset. The vulnerability is a simple one, but it had a rather large potential effect, given that LocationSmart has real-time location data from all of the major U.S. mobile carriers.
“If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (‘subscription’) check,” Xiao wrote in his explanation of the flaw.
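The bug class Xiao describes is an authorization check that lives on one output path and is missing from another. The following is an added illustration of that pattern, written for this page; it is not LocationSmart's code and does not claim to reproduce their implementation. The handler names, the consent table, the phone numbers and the coordinates are all constructed for the example, and the `requesttype` values mirror the ones in the quote above.

```python
"""Consent check tied to output format: vulnerable shape beside the fix.

Constructed model of the bug class described in the article, not the
vendor's real code. All subscriber numbers and coordinates are made up.
"""
import json
from html import escape

# Constructed sample state: which subscribers have approved tracking
# (the "subscription" check in the quote) and where their handsets are.
CONSENT_GRANTED = {"+15555550123"}
LOCATIONS = {
    "+15555550123": {"lat": 40.4433, "lon": -79.9436, "accuracy_m": 120},
    "+15555550199": {"lat": 37.7749, "lon": -122.4194, "accuracy_m": 85},
}
SUPPORTED_TYPES = ("locreq.xml", "locreq.json")


def render(loc, requesttype):
    """Serialize a location record in the requested format."""
    if requesttype == "locreq.json":
        return json.dumps(loc)
    return "<location lat='{}' lon='{}' accuracy_m='{}'/>".format(
        escape(str(loc["lat"])), escape(str(loc["lon"])),
        escape(str(loc["accuracy_m"])))


def vulnerable_handler(params):
    """Vulnerable shape: the default XML path gates on consent, but the
    JSON path (imagine it was added later as an alternate serializer)
    returns the record directly. Switching requesttype skips the check."""
    msisdn = params["msisdn"]
    requesttype = params.get("requesttype", "locreq.xml")
    if requesttype == "locreq.json":
        loc = LOCATIONS.get(msisdn)
        return (404, "not found") if loc is None else (200, json.dumps(loc))
    # Only the XML branch ever asks whether the subscriber consented.
    if msisdn not in CONSENT_GRANTED:
        return 403, "<error>consent required</error>"
    loc = LOCATIONS.get(msisdn)
    return (404, "not found") if loc is None else (200, render(loc, "locreq.xml"))


def fixed_handler(params):
    """Hardened shape: validate input, decide authorization exactly once,
    and only then branch on presentation. A new output format cannot
    bypass the consent gate because it never sees an unauthorized call."""
    msisdn = params["msisdn"]
    requesttype = params.get("requesttype", "locreq.xml")
    if requesttype not in SUPPORTED_TYPES:
        return 400, "unsupported requesttype"
    if msisdn not in CONSENT_GRANTED:
        return 403, "consent required"
    loc = LOCATIONS.get(msisdn)
    if loc is None:
        return 404, "not found"
    return 200, render(loc, requesttype)


def probe(handler, msisdn):
    """Return the status each format path yields for one subscriber, so
    the two handlers can be compared side by side."""
    return {
        t: handler({"msisdn": msisdn, "requesttype": t})[0]
        for t in SUPPORTED_TYPES
    }


if __name__ == "__main__":
    # A subscriber who never consented: the vulnerable handler leaks on
    # the JSON path only; the fixed handler refuses on both.
    print("vulnerable:", probe(vulnerable_handler, "+15555550199"))
    print("fixed:     ", probe(fixed_handler, "+15555550199"))
```

The useful habit this shows is structural: put the authorization decision ahead of any branch that selects a serializer, template, or content type, and add a test like `probe` that walks every supported output format with an unauthorized principal and expects the same denial from each.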
On Friday, Reuters reported that the FCC is investigating the vulnerability and its implications for users’ privacy. The commission hasn’t said publicly how far the investigation will go, but if the FCC expands its interest beyond just LocationSmart and this particular flaw, there’s no shortage of interesting potential targets. LocationSmart is by no means unique. It’s just one piece of a much larger puzzle.
Since details of the extent of the intelligence community’s surveillance of the Internet began to emerge a few years ago, there has been plenty of hand-wringing and righteous indignation about the vast amounts of data that these agencies are collecting. While there have been some reforms in the post-Snowden era, with the courts reining in some of the intelligence agencies’ collection capabilities in certain cases, the NSA, CIA, and other agencies mostly still go about their business the way they always have: efficiently and in the shadows.
What should be more worrisome to most people is the massive and mostly anonymous private surveillance infrastructure that has sprouted in the U.S. and around the world in the last decade. The global spread of the Internet has brought connectivity and communication to billions of people, and it also has provided a worldwide platform for pervasive monitoring and surveillance on a scale that was never possible before. This is a dream not just for intelligence and law enforcement agencies, but also for marketers, advertisers, and many others in the private sector.
Until relatively recently, government agencies were the only real aggregators of significant amounts of personal data. But that’s all turned around. We’re in the age of social media, when people willingly share publicly the kinds of personal details they would never have dreamed of mentioning at a dinner party 15 years ago. That information, along with birth, death, marriage, employment, and other records, is stored, bought, and sold by data brokers and aggregators every day. Those data brokers exist in a grey area and largely operate outside the notice of the people whose data they use to build their businesses.
But government regulators are well aware of those companies and know the kind of data they hold on hundreds of millions of people. It’s unlikely, though, that the FCC, the Federal Trade Commission, or any other agency will take a deep dive into that world. It’s a messy world with lots of entanglements and rafts of money flowing in every direction.
The business of America is no longer business. The business of America is surveillance. And business is booming.