Public-Private Partnerships: Sharing Data, Compromising Privacy

[Matrix]

Our privacy is up for sale to anyone—even government and law enforcement agencies

There are things that the government is allowed to do that private entities can’t. This includes activities such as arresting people and throwing them in jail, executing search warrants and engaging in electronic surveillance and wiretaps without the express or implied consent of at least one of the parties. At the same time, there are things that the private sector may be permitted to do that either may be prohibited to the government or which the government eschews because it is politically unseemly or untenable. While Facebook can collect and use information about your political affiliation, preferences and the like, the government doing so would be loudly decried as undemocratic and violative of citizen’s rights of free association, free expression and other rights. Similarly, the private sector can collect information about a citizen’s purchasing history, credit information, employment information and other data which, if collected by the government on innocent individuals not suspected of any crime, would cause a public outcry.

However, in the era of big data, we are seeing an increase in the government access to and use of data collected by the private sector. For example, U.S.-based Securus Technology collected the location data of cell phone users from another company called LocationSmart in Carlsbad, California. (Oh, and because Securus didn’t … well, secure us, the credentials of those who were authorized to access this database were not secured and the location data was similarly leaked to anyone who could access the database.) While federal law restricts telcos from sharing customer data with law enforcement officials, it permits (sometimes with consent buried in user agreements) sharing some of that data with third parties, who then are allowed to share the data with whomever they want.

Location data also can be collected by third-party apps—entities such as Facebook and Google or any website itself. So LocationSmart shares with Securus, and Securus shares the data with law enforcement officials, and voilà! Cops can pull up both near-real-time location data and historical location data on anyone in the United States with no warrant, no probable cause or no paper trail. No muss, no fuss and no notice to the data subject. North of the border in Canada, the big three telcos— Rogers, Telus and Bell—share customers’ location data with a company called EnStream, which may then share that data with the Mounties.

In other reports, private companies such as Forth Worth-based Digital Recognition Network and its sister company Vigilant Solutions use stationary and mobile cameras to capture the location of every vehicle through automated license plate readers (ALPRs). While government agencies may be precluded from collecting and storing such data on innocent individuals (and from conducting data analytics on such data), these restrictions do not necessarily apply to the private sector. These technologies have the ability to collect, store and process the location of every car (and presumably their owners, drivers or occupants) anywhere in America. The data is then sold to repo men to look for both stolen cars and those late on payments, as well as to law enforcement agencies for whatever use they may want.

If the police want to know if someone is home at a particular location, in many jurisdictions they can simply access the local public utility (gas company, electric company, etc.) and check to see if the lights are on in the home. In many cases, the police have agreements with utilities (including those owned by taxpayers) to share that data.

Social media facial recognition software can be used by law enforcement to match the identity of suspects with activities both online and offline. Credit reporting agencies databases can be used to track individuals.

The problem is not law enforcement access to these databases. It’s law enforcement access to these databases without a warrant, without probable cause and without any limitation on what they can do with them. In effect, we are turning the private sector into agents of the police—collecting, storing, analyzing and reporting information that we prohibit to the police. In the United States we may not care if Waze knows where we are, but we may very much care if police are using Waze to conduct surveillance of us. We may not care if security cameras at our local church, synagogue or mosque capture our image as we walk in to pray, but might object to the government using facial recognition software to keep tabs on our religious preferences.

We know that data leaks. It leaks (deliberately or inadvertently) from the private sector to the government and vice versa. It leaks from secure database to insecure ones and, ultimately, to hackers or foreign governments. While information-sharing is generally thought to be a good idea—and as part of the public-private partnership, it must be done with appropriate safeguards. You know, the ones the Founders envisioned: court-ordered warrants.

There’s an old joke that the difference between capitalism and authoritarianism is that in an authoritarian government the government represses rights, suppresses liberty and makes life miserable for the citizenry. But in a capitalist country, those things are left to the private sector. With public-private partnerships, we may no longer make such a distinction.

source

[steven36]

Wireless Carrier Abuse Of Location Data Makes The Facebook, Cambridge Scandal Look Like Amateur Hour

 

from the we-need-outrage-symmetry dept

As we've noted a few times now, however bad the recent Facebook and Cambridge Analytica scandal was, the nation's broadband providers have routinely been engaged in much worse behavior for decades. Yes, the Cambridge and Facebook scandal was bad (especially Facebook threatening to sue news outlets that exposed it), but the behavior they were engaging in is the norm, not the exception. And watching people quit Facebook while still using a stock cellphone (which lets carriers track your every online whim and offline movement) was arguably comedic.

 

As the recent Securus and LocationSmart scandal highlights, wireless carriers pretty routinely sell your location data to a laundry list of companies, governments, and organizations with only fleeting oversight. And while some lawmakers are pressuring the FCC to more closely investigate the scandal (which resulted in the exposure of wireless location data of some 200 million users in the U.S. and Canada), few expect the same FCC that just killed net neutrality to actually do anything about it.

 

When the previous FCC tried to pass some pretty modest privacy protections last year requiring that ISPs be more transparent about all of this, ISPs quickly took advantage of a cash-compromised Congress to scuttle those protections before they could even take effect:

 

Quote

 

Sorry to beat a dead horse, but @FCC's 2016 broadband #privacy rules would have required opt-in consent from customers 2 share cell phone location information. This Congress REPEALED those rules, w. all Senate Rs & all but 15 House Rs voting 4 repeal. https://t.co/LbawV3d5up

— Gigi Sohn (@gigibsohn) May 22, 2018

 

 

This collective apathy to routine telecom sector privacy abuses has been going on for decades. You might recall that multiple ISPs were accused years ago of collecting and selling consumer clickstream data. When they were pressed for details, many simply either denied doing it or refused to respond. As more sophisticated network gear like deep-packet inspection emerged, ISPs began tracking and selling your online browsing habits down to the millisecond, some even charging users extra if they wanted to protect their own privacy.

 

But things got immeasurably more profitable once wireless carriers began tracking user location data, which they now sell to everyone from urban planners to government agencies. Companies like Verizon Wireless were subsequently caught covertly modifying wireless user data packets to track users around the internet without telling them. It took security researchers two years to even discover this was happening and another six months of public shame before Verizon even provided an opt out option (a more powerful version of the tech is now being used by Verizon's Oath advertising brand).

 

And yet even in the wake of the LocationSmart fracas, which literally exposed the private data of nearly everybody in America, we're still somehow only seeing a fraction of the media, regulatory or public outrage we saw during the Facebook and Cambridge kerfuffle:

Quote

 

"You might think that the major wireless carriers would be facing intense pressure to account for their lax handling of customers’ data. You might think the story would be all over newspapers’ front pages and cable news. You might think their CEOs would be hounded by the media, as Facebook’s Mark Zuckerberg was after the Cambridge Analytica story broke. You might think they’d be dragooned into testifying before Congress.

 

You might think that, if you expected a reaction commensurate to the one that accompanied the Cambridge Analytica revelations. And it’s conceivable that it will still happen. But so far, there has been none of that."

 

It remains odd that the press and public still don't realize how deep this particular rabbit hole goes. And whereas the Cambridge scandal made headlines for months, the location data scandal has barely registered a fraction of the collective outrage in media coverage or in DC. Meanwhile, wireless carriers are effectively refusing to even acknowledge they work with companies like LocationSmart, and there's little to no indication accountability is heading their direction anytime soon.

 

Source