First U.S. ban on sale of cellphone location data might be coming (wsj.com)
546 points by pondsider on July 10, 2023 | 141 comments



My entry point into this whole fiasco was finding a bug that let anyone track anybody with just a cellphone number: https://arstechnica.com/information-technology/2018/05/servi...

In this case, the site was selling real-time location data from cell carriers, meaning that there was virtually nothing that an individual could use to protect themselves (short of using a burner or no phone at all).

It’s great to see some strong action is being taken here against the sale of location data, and I hope the bans can be extended more broadly (and to Canada, please!)


"Krebs went on to cite an official at the Electronic Frontier Foundation who said cellular carriers by law are required to know the approximate location of customers in the event it's needed by emergency 911 services. Whether the carriers are permitted to sell or otherwise provide the information to other third parties is less clear. Expect there to be much more scrutiny about this in the coming weeks and months."

To see this in practice, check out MVNOs offering prepaid mobile service. Some will disable certain features unless this physical E911 address is submitted by the customer.

What if there were a limitation on how that data can be used?


> Krebs went on to cite an official at the Electronic Frontier Foundation who said cellular carriers by law are required to know the approximate location of customers in the event it's needed by emergency 911 services.

IANAL but the RAY BAUM’S act (yes, it's all caps because it's a silly initialism) only applies to location data that goes "with" a particular 911 call. Not your location before the call, nor your location after the call.

So if your cell-carrier is recording your location at all moments and persisting it indefinitely, or sharing anything beyond the data generated for that particular 911 call, no law is forcing them to do that, they are choosing to disrespect your privacy for their own profits or laziness.


E911 came about to address lost and immobilized callers.

Unfortunately, it's inconsistently deployed and not universally usable. This is likely the result of a lack of a sufficiently-staffed regulatory body auditing for compliance and correctness because it doesn't work everywhere with all phones on all carriers even when there is the technical ability, e.g., phone has a fix. It hasn't delivered completely on its promise because it's an under-funded, under-audited mandate that needs serious carrots and sticks to ensure it's reliable.


No, "finding lost and immobilized callers" was the cover-story nominally used when E911 legislation was pushed hard in Congress in 1999/2000 (by the wireless industry, not directly by law enforcement).

Do we really believe that Congress authored a law to improve "safety" but that had enormous negative privacy implications, while accidentally forgetting to even speak to the other 99.999+% of the time that the average person's location data is not involved with an emergency? Why were the legislation (and debate) conspicuously silent on limiting (let alone criminalizing) use and retention of location data, let alone resale (e.g. to data brokers or private parties?)

Let's not pretend this exact outcome wasn't predicted and raised in strenuous objections by consumer advocates back in 1999; the following reads like a to-do list from lobbyists (why e.g. did the industry push for immunity for non-911 calls?)

> 10/4/1999 WIRELESS 911 BILL HITS LIABILITY, PRIVACY OBSTACLES

> Failure to pass the 911 bill-the centerpiece of the wireless industry’s lobbying campaign in 1999-would be a serious setback for carriers and 911 vendors that want immunity from lawsuits before rolling out... caller identification and position location.

> Holding the bill over until 2000 could prove highly problematic for industry, given it is an election year. Moreover, a delay would buy time for consumer groups and others that are beginning to surface and speak out on wireless liability issues pending before Congress, the Federal Communications Commission and state courts.

> In addition to liability protection for 911 and non-911 wireless calls...

> Such broad liability immunity for wireless carriers has caused an uproar from consumer advocates who claim 911 legislation is part of a master plan by industry to secure shielding from virtually all lawsuits.

> In some state courts, consumers have brought litigation against wireless firms for being charged for rounded up and dropped calls, fraudulent advertising and other carrier practices. [boo hoo hoo]

https://www.rcrwireless.com/19991004/archived-articles/wirel...


Great job on exposing this. Do you think Canadian carriers are providing access to this type of information to third parties? Are there any you would expect are not, eg. who have a track record of ethical behaviour and consumer advocacy (eg. like the TekSavvy of carriers)?


They definitely were at the time I found the bug, since I could track some Canadian numbers. However, I don’t know if that’s still the case.


> (short of using a burner or no phone at all).

Not carrying a phone won't help you.

Pulling the SIM won't help you.

Look around you. See all those cameras? Not just the ones above your head in the supermarket that advertise HERE I AM, I'M A CAMERA, but every camera on every phone in the hands of every person you see can identify you and identify your exact location to the meter instantly based on your face and x other biometrics.

Every time you speak, your voice pattern identifies you instantly.

Burner phones are a thing of the distant past. The moment you speak, the moment the camera "sees" you, your burner phone's IMEI is/can be mapped to your identity in double time.

The methods in use today are just way more sophisticated than the tech you've read about.

A drone at 20,000 feet can identify you in a crowd of 2,000 people based on the sound of your heart, your respiration, the shape of your head, your ears, your nose, your face, your facial profile, the shadow your body casts at x time of day, and/or the uniqueness of your gait. Combine them all together with a scant amount of stat analysis and you can't hide even with effort.

Think darkness will hide you? Nope.


This is why I think technical solutions alone to privacy are mostly pointless. There’s 7 billion people in the world—at some point (if we haven’t already reached it) monitoring all of us in real-time will be trivial. Even people who live “off the grid” in a cabin in the woods will be trackable.

What’s needed is an agreement between all of us, in the form of privacy laws, that make certain uses of this data illegal.

In the future if you’re caught committing a crime by data captured in a manner illegal under these laws, it would have to be thrown out and can’t be used against you. Corps would also be banned from collecting, storing, and using personal data in an unlawful manner.

Feels like a pipe dream since there’s so much money in the industrial advertising complex, but I’m pretty sure that’s what it will take to achieve reasonable levels of privacy.


> This is why I think technical solutions alone to privacy are mostly pointless.

Technical solutions to privacy are not required to be alone. They're required to be ubiquitous. If your country is an authoritarian hellhole, you encrypt everything to help you not get murdered by the secret police. If your country has strong privacy protections, you encrypt everything to help ensure that it never becomes an authoritarian hellhole, and protect you against bureaucratic failures as defense in depth.

To invade your privacy, an attacker should have to break the law and break the encryption.


Life in an authoritarian hellhole almost by definition means technology won't save you. If they can haul you off when you're walking down the street, who cares whether your stuff is encrypted? They'll make something up.

Even if you're innocent, they'll make something up. I lived for a year in one of those authoritarian hellholes and in that time knew two people who were arrested and hauled from station to station til someone paid a bribe- these weren't the dissidents either, just some guys. The dissident was stabbed to death on his doorstep.

Encryption is good to save us from marketing, from megacorps making our lives hell. Laws and norms constrain the rest.


Authoritarian hellholes will make something up when they don't like you, but they'll also spy on everyone to decide who they don't like. At which point anyone attempting to resist them is going to want to get extremely familiar with operational security before they get dead, and a big part of that is things like encryption and steganography.


Encryption will not keep you hidden from an authoritarian government for long, and certainly not for long if you're trying to build a movement with any sort of wide-spread support.


Authoritarian hellholes don't have human rights and if they find out that you're using encryption - that's enough for them to arrest you.


Hence steganography.


Agreed that this is not a problem that can be solved via a technical solution. However, I don't think a political solution is possible either. Even in the US, police can literally get away with murder today. Why would they have any difficulty getting away with privacy violations? Big Brother is inevitable. All you can do at this point is teach children and future generations to live with the understanding that they are being monitored at all times. This isn't me trying to be edgy or cynical. The genie's out of the bottle at this point and it's just reality.


The way to fight back is ubiquitous public monitoring of the state. We should understand that the state is always watching, but the state should also be aware that all its actions will be public knowledge.

Note the increased awareness brought by widely available cameras with immediate upload capability. The commenter above implied this is dystopian, but the opposite seems to have occurred -- as the public gains the capability to surveil the state, it constrains the state.


WikiLeaks tried that, Assange is still in Belmarsh and the MSM is still largely allowing him to rot there.


This is a good point. Of course anyone who thought the MSM, or print journalism, were in business to reveal the actual truth really needs to review their history. The worst part is that Julian (whether intentionally or not) probably made that sacrifice for nothing. At least here in the US most people don't know or care. That's a shame. And an embarrassment.


I was thinking of something more communal/distributed. WikiLeaks wanted centralization.


I had a second part to my comment about how web3 was the answer, but the public have been largely convinced that it's synonymous with get rich quick schemes or a worse version of Twitter. Where is the next WikiLeaks?


He could just stop fighting the extradition unless there are concerns he wouldn’t get a fair trial in the US. I haven’t heard of such concerns and he could probably get a solid legal defense team with private donations.


If he is extradited, 100% guaranteed he will not get a fair trial by any common definition of that term.


Can you point to any trial that wasn't fair in the US in recent history?


I have no particular viewpoint regarding Assange, but depending on your understanding of "fair", there are probably many whose fairness can be questioned. Partiality of judges, imbalance of legal team budgets, etc. Look at any case brought up by a patent troll against a small/medium business.

One case that personally always bothers me was regarding the murder of Philando Castile.

https://en.wikipedia.org/wiki/Killing_of_Philando_Castile#Tr...


I’ll narrow my statement down to fair for the defendant.


What's the goal of preventing use of these data? Are there alternative methods that could achieve the same goal?


Gonna need a source on this. The US has trouble solving simple murders when people are present, let alone some sci-fi stuff you’re talking about.


The technology exists but the false positive rate is high, most cameras don't actually implement these things and there is no convincing evidence that all cellphone cameras are secretly always on (though a compromised device could be).


I tend to think of it this way: it's theoretically within our technological capabilities, and has been for at least a decade. However, it's fractally difficult - there are technical challenges, political issues, PR issues, principal-agent problems, all mixing together - and importantly, there is no strong enough economical (or political) incentive to do it. Not when doing a small fraction of work, and a shitty job at this, still showers you with money while avoiding most of the problems.

And not to push my favorite TV show that doesn't involve aliens from outer space too much, but recent advances in AI are changing the equation here, making Person of Interest even more accurate and relevant than it already was.


Maybe in the Metro parts of the USA, but China is next level scary: https://www.youtube.com/watch?v=Oo_FM3mjBCY

It's all possible.


The more disorder we see, the more people are going to reach for these extremist solutions.

It's all scary - until one is the victim of a crime and the police don't think it's worth following up, or the presiding judge decides your time and suffering is less important than the future prospects of the criminal.


It sounds logical but at least in the case of China there was no disorder to begin with, it's always been relatively safe in terms of violent crime. In China, the violent criminals are the government and the police. You can become a torture victim for as much as splashing ink on a Xi poster or just being Uyghur and existing.

The cameras are not there to protect you from crime, they're there for control, to protect the CCP from the people.

I'm not principally against surveillance for public security but it's very hard to not have it abused - for a start you need authorities and a police force that have good intentions and work for the people, not against them. In most countries that's not a given.


is American, watch everyone in the world to WWW3


Aren't you describing a plot point of The Dark Knight?


Your tinfoil hat is on far too tight.


"Massachusetts lawmakers are weighing a near total ban on buying and selling of location data drawn from consumers’ mobile devices in the state, in what would be a first-in-the-nation effort to rein in a billion-dollar industry.

The legislature held a hearing last month on a bill called the Location Shield Act, a sweeping proposal that would sharply curtail the practice of collecting and selling location data drawn from mobile phones in Massachusetts. The proposal would also institute a warrant requirement for law-enforcement access to location data, banning data brokers from providing location information about state residents without court authorization in most circumstances.

...

No state has gone so far as to completely ban the sale of location data on residents. The most common approach in other states is to require digital services and data brokers to obtain clear consent from consumers to collect data and put some restrictions on transfer and sale."


> obtain clear consent

In other words bury an acceptance in the ToS nobody reads anyway.


> bury an acceptance in the ToS nobody reads anyway

This is the benefit of incrementalism in policy making. We tried clear consent, and it was buried. Now the case is stronger for a ban.


Yep, policymaking is largely a process that has something in common with erosion. You want a statue of David, the other guy wants a statue of Michelangelo, and each of you has influence over what the temperature of the rain is. Eventually you both end up with a statue of shredder from ninja turtles and somehow the guy whose land the statue is on is now a billionaire.


I think consent has proven to be a flawed mechanism on its own. GDPR’s requirements around legitimate/required processing show a way forward.

1. A site can’t require me to consent to unnecessary permissions just to use the site.

2. I can always revoke/delete my data grants and that must be transitive (the site has to delete all downstream data it shared with subprocessors, and have contractual guarantees that they can honor that before sharing any data with them).


I have to disagree with your comment regarding the GDPR. I like the concept, but the legalities could have been better. I do hope a treaty can be struck between the EU and the US, however.


This may be difficult to do at the state or local level since most wireless is regulated by the FCC.


Why? Pass a law with sufficient penalties (say, $10K) and include lawyer fees. This'll result in a cottage industry in any state. Enough civil litigation and companies will finally decide it's not worth it and MA billing zip codes will be excluded from sale of location data. This has worked in other industries.


Radio (including cell phones) has been regulated at the Federal level for almost 100 years. It is likely any state law would not hold up ... civil or criminal. Additionally the FCC and NTIA would likely challenge an attempt by a state to regulate anything to do with radio.


MA has a Commonwealth-specific DNC registry and the AG has successfully taken action against cell phone solicitations under the relevant statute. Just because radio is regulated by the Federal government doesn't mean that states have no sovereignty over commerce that happens within their jurisdiction.

We're not talking about regulating or auctioning spectrum. We're talking commerce.


which is exactly how it has to be! I can't imagine a world where 50 states have 50 different sets of wireless bands, regulations, etc. It would be impossible.


Hmm, so if it passes. Travel to Massachusetts, get a compliant device and.. profit?


I suspect it'll be compliant carriers, not compliant devices.

And your carrier will know when you're in a jurisdiction they need to care about.


the US constitution contains an Interstate Commerce clause, which bars individual states from interfering/obstructing interstate commerce. Does banning the sale of location data in Massachusetts do anything?


Short version: no. Since Wickard v Filburn, the interstate commerce clause has been a blank cheque for the federal government to regulate anything at all as it pleases, as the case allows regulation of goods down to the level of things that are made on and will never leave an individual's property.

Long version: probably. Allowing the sale of location data would be deeply unpopular among the general public. Under stare decisis, the federal government would have a good chance at beating the state in a court case, but it would still be a risk- why risk the power for an unpopular case?

See also: marijuana legalization and immigration. Arizona tried codifying the federal statutes on immigration into its own state laws- not superseding, just mirroring. The federal government took them to court and won. OTOH, marijuana is also distinctly within the federal government's purview, and Wickard would apply very easily to pot laws as well... And yet, they have done nothing at all, likely because pot is too popular to risk a court case (or an election, I suppose).


> Short version: NO[?] Since Wickard v Filburn, the interstate commerce clause has been a blank cheque for the federal government to regulate anything at all as it pleases

but it's not a blank check for the state of Massachusetts to regulate anything outside of Massachusetts, so you 1000% failed to address the question I raised. (1000% because you wrote a lot while not addressing the question about Massachusetts law being effective in this case where there is no countervailing US law)


I see- I didn't realize the opening bit of your question was a non-sequitur.

Yes, Massachusetts may enforce the law within its own borders. Companies which buy or sell location data may not operate in Massachusetts without risking enforcement actions. If someone with a company's app travels through MA, their location data may likely still be sold if the company itself is not registered at all in MA.

HOWEVER, the law must also survive the inevitable federal court challenge when a company headquartered in another state, but with some small operating presence in MA, falls under some enforcement action... rendering the original question entirely moot, as I suspect there are no shortage of companies who would challenge the law.


in this case it's your non sequitur which is non sequitur. Mine was the basis of my question.


How does this square with broad reaching commerce-regulating state laws like the CCPA or CEQA? Also, for federal supremacy/the Commerce clause to apply to something like this, doesn't the Federal government first have to have legislated in this area?


The reason this is tricky is that Wickard v Filburn is just a terrible, terrible decision. It massively expanded what the federal government can do, without a bright line of any sort to limit it.

These things, imho, are rightfully within the purview of the states to implement. However, should the federal government declare there is a national interest (justification) for national regulation, then per court precedent it would compel the state to change. I do not believe there is any sort of jurisprudence for "grandfathering in" existing state laws. Just as prosecutors have discretion over what cases they actually prosecute, the government may choose to look the other way when state laws overlap the feds' jurisdiction.

If they tried, though, the state would still have the recourse of attempting to go before the supreme court, which would involve upending existing precedent. I suspect the current court would be about as favorable towards limiting the interstate powers clause as it gets, but it isn't a given by any means.


> I suspect the current court would be about as favorable towards limiting the interstate powers clause as it gets

Current court will end up on the side of business. Guaranteed!


Are they being barred from collection/sale in other states?

Did this argument go anywhere with regards to say animal welfare laws and out of state farmers?


if vendors from outside states follow the rules for what can be sold in CA, then they can sell in CA also; CA can't favor its own farmers. Also CA can't control what those same producers sell outside of CA, but they can control any production within the state.

The only other aspect I think has to do with whether federal FDA and Agriculture regulations take any precedence over CA, but that's not interstate commerce.


If anyone is curious, weather apps tend to be some of the most egregious and common offenders of this. Obviously people want their weather widget to update with wherever they are, and on the back end these weather apps (which are just passing you freely available NWS data) are selling everything they can on you.


This was a big reason for Apple’s purchase of the DarkSky app I believe. Fold in the tech to the native weather app to close the security hole of external apps.


Check out Yr from the Norwegian meteorological institute. Completely ad free and works for pretty much any place in the world.


Thanks for recommending that app. Looks pretty great


> which are just passing you freely available NWS data

The Android weather widget gives more localized forecast data than the NWS web site which pretty much always locks you on to the local airport. Proximity to a great lake means that my local weather can be significantly different than the airport even though it's relatively nearby. It all obviously comes from the NWS but they don't provide easy access to everything.


The NWS site may give measurements for the airport, but it'll give predictions for the much smaller area you select. It's the only site I've found I can trust for Yosemite Valley, for example, since I can have visual confirmation that it's actually talking about a narrowly defined area. Today, moving that patch of land around just slightly will show you forecasts that are 10 or 20 degrees cooler than El Cap meadow.


https://www.nwsnow.net/

No ads. No user tracking. GPS not needed. Unfiltered NWS data including forecast discussions.


Unless you travel all the time, there’s no reason your weather app needs anything more than one (or two if your workplace is very far from home) static city/town/zip code. And most people don’t travel all the time.


With localized weather apps available, the precise location in town (east vs west say) does make a meaningful difference in many places.

For example DarkSky gave neighborhood-level forecasts.


This is a non-issue on both android/ios because they support "approximate" location permission for apps.


I know this is a crazy idea but just hear me out. What if any government agency at any level were required to get a warrant signed off by a judge, that showed probable cause, before they could get your data from a 3rd party, and what if the 3rd party was required by law to notify you before turning over that data, so that you could get a lawyer and challenge the warrant?

I know, crazy, right? It’s like what if we actually honored the 4th amendment.


>What if any government agency at any level were required to get a warrant signed off by a judge, that showed probable cause...

Buy and publish all congress members' location data for a long enough period and I think you'll get your wish.


> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Which part of the 4th amendment is being violated by the government in this case?


I would say we reinterpret the 18th century definition of "papers". I quite like Alan Kay's comment in a talk sometime in the 1980s where he said something to the effect that a blue thought in the 1960s was to realize that paper is just computer memory you can't change.

I think if you try to define what was interpreted by "papers" in a pre-digital context you would conclude it is sufficiently analogous to many things in our modern world. By "papers" they likely meant diaries, personal mail, accounting logs, ship manifests, personal inventories, order histories, receipts for travel. All things which may have been written down on a piece of paper which are now logged on our phones.

If you take an originalist argument that the constitution is static and cannot be reinterpreted/amended you have to first justify why you think amendments like the banning of slavery or women's voting rights amendments are not legitimate in the United States. We certainly have a culture of defining rights which our predecessors did not explicitly call out in the early years of its history. Even male suffrage (non-land owning males) in the late 19th century was a revolutionary step in the definition and expansion of citizens' rights.


> If you take an originalist argument that the constitution is static and cannot be reinterpreted/amended you have to first justify why you think amendments like the banning of slavery or women's voting rights amendments are not legitimate in the United States

Holy straw man Batman! What kind of crazy "originalist" believes the constitution can't be amended? There's a literal provision in the constitution for amending the constitution!

Originalism just means you don't use the courts to invent new rights out of thin air, or nullify rights you don't agree with, not that you can't amend the constitution at all. And even by originalist standards I don't think interpreting "papers" to include digital records is a stretch, any more than interpreting "press" to include blog posts is.


> I think if you try to define what was interpreted by "papers" in a pre-digital context you would conclude it is sufficiently analogous to many things in our modern world. By "papers" they likely meant diaries, personal mail, accounting logs, ship manifests, personal inventories, order histories, receipts for travel. All things which may have been written down on a piece of paper which are now logged on our phones.

Considering digital data as papers is perfectly reasonable, but the government still isn't searching or seizing your papers. They're buying someone else's "papers".


This whole concept that "oh a private company has stolen my papers, well that's not a problem" doesn't seem to reflect a strict textual reading of the 4th amendment.


But the private company isn't stealing your papers, they're recording their own.


A doctor can hold your papers even if they created them and you’re unaware they exist.

Why wouldn’t this apply to metadata about you? It’s just as much your information as the results of a cholesterol test.


Do you believe your cholesterol test results are protected by the 4th?


Personally yes though the courts disagree except under HIPAA police need a search warrant to get them.

So culturally we do think they should be even if the legal system disagrees.


My original comment only talks about what is protected by the 4th amendment. If your test results aren't protected by the 4th, why bring them up?


I think it’s covered by the 4th amendment based on the words as written and the intent at the time of writing it. So, yes I absolutely think the 4th amendment protects such documents.

The Supreme Court uses a narrower definition. That doesn’t mean they are correct, but the justice system isn’t actually based on the constitution directly; it’s based on past rulings by the Supreme Court.

My bringing up HIPAA was simply pointing out that even though the legal system doesn’t protect them based on the 4th, it does protect them. Further the reason this part of HIPAA exists is the same reason the 4th was written.


Uh, the part where they track people’s location based on cell phone location data purchased without a warrant, for purposes of criminal investigations?


A person's location or whereabouts isn't mentioned in the 4th amendment.


That would be the “secure in their persons”, and probably “secure in their papers” (the latter has been broadly interpreted by the courts to include electronic information, not just physical papers).

US courts have widely ruled that data that a third party collects/generates/maintains on a person does not fall under the 4th amendment. Many other western countries have actually decided the opposite, that you have a privacy right in data about you.

Personally I think US interpretation is wrong and inconsistent with the 4th amendment. Congress could easily settle the issue wrt federal law enforcement.


Responding to peer comment.

It’s public information if a law enforcement officer happens to see you in public. It’s not public information if their surveillance is via a 3rd party whose information is not public.

Arguably even if you’re in public, surveillance (looking for you specifically) should require a warrant. We could debate that.


I'm not a lawyer but why would your location be considered “secure in their persons”? If you show up on a traffic camera somewhere for example they don't need a warrant or anything to find out your location or whereabouts. Your location isn't protected at all.

edit: Example

https://www.bostonglobe.com/metro/2016/08/21/new-mass-gantri...

https://gizmodo.com/e-zpass-is-the-best-tracking-device-that...


So where can I, as an individual looking to do research, purchase a data set like this? What about my company wanting to do targeted outbound sales, are we able to purchase a data set like this?

I see the headlines. I understand there are companies that offer this as a service to LEO. I believe the data would need to be de-anonymized to be useful.

Who or where can I source data like this from?


I would try entities in the California data broker registry as a starting point.

https://www.oag.ca.gov/data-brokers

De-anonymization shouldn't be that tough if you have the cash to pay for a handful of data sets that you think are likely to contain overlap.


Nobody sells it to individuals. Sprint sold customer location data through a subsidiary called Pinsight. Advan Research, Placer.ai, and SafeGraph are some current companies selling location data.


Well, you could try something like this: https://news.ycombinator.com/item?id=36672217


Corporations are first class people


> I believe the data would need to be de-anonymized to be useful

I'm not aware of anyone selling person-level location data. Everyone in the ecosystem is far too scared to do that (and honestly not clear how to monetize).

It's all about foot traffic patterns and getting demographics, seeing what kind of other businesses they visit, etc IME. General location business analytics stuff.


https://www.nytimes.com/interactive/2019/12/20/opinion/locat...

This is the article I am building my hypothesis on. If I am able to correlate place of business with an out of town event like a conference and then further refine with gender and ethnic filters.

I understand that companies will perform this analysis on your behalf. Can anyone recommend a "reputable" one?


Heh, only sort of joking, but this is literally Palantir's business model.


I'm not saying it's impossible to put this together sometimes, I just don't think anyone is attempting to do so at a commercial level. It's really pretty unusual that you can heavily monetize the location of a single, real person.


There is at least one company that doesn't seem afraid to de-anonymize https://www.vice.com/en/article/qj454d/private-intelligence-...


If you just want to track a few individuals... Enumerate all those who possess the data. Now look for data brokers that they deal with (as commenter korse said) and recurse. Find all the employees of every company in question. Muster a few hundred bucks or so, seems to be the market price, and there you go[0].

For research I dunno. You'd probably have to make a deal directly with one of these companies, one way or another, so I would start by talking to them.

[0] - https://www.vice.com/en/article/nepxbz/i-gave-a-bounty-hunte...


It's a good question. We always hear that it's happening but I never see it happening.


This reminded me of how MA passed a right to repair law in 2020. It led me to google about it, and apparently the NHTSA has overruled it [1]. :/

It's good that states are pushing the envelope on digital rights – hopefully, this one has a brighter future. I can't think of any industry-captured federal agency that has the jurisdiction to overrule this one.

[1]: https://www.thedrive.com/news/feds-tell-automakers-to-ignore...


This is the laboratory of democracy. States pass a patchwork of laws which get challenged in the courts. Law is revised and the process repeats. Eventually we understand it well enough to pass similar laws everywhere or even nationally.


They didn't overrule it, they just told people not to follow the law.

This leads to an awkward situation that will likely have to be resolved in court.


I find it creepy when I’m visiting a place and I start getting spam calls from that area code. It’s clear that companies (and unsavory ones at that) know I’m not home, and they know where I am.


Huh, that happens to you? I live in Seattle but I still have an Idaho number. Almost all of my spam calls come from Idaho. It's especially funny because my iPhone includes the approximate area of the calling number and Idaho only has one area code. So the calls come from numbers in towns I have never visited.


Yeah, I live in SV but when I visit other parts of CA I get spam calls from the local area code. This happens when I have not made any phone calls to local numbers.

I do sometimes get calls when I'm at home from these area codes, but when I'm traveling my spam calls are always from these area codes, which makes it very unlikely it's just random chance.


Those are likely VoIP calls with spoofed numbers. I never answer anything with my area code (from where I was a decade ago), those are 100% spam.


I answer every spam call. I do not speak, I just let them talk, or the robot play (and then they talk - they think they've got your interest)...and wait for the caller to hang up. You soon get taken off lists.


> You soon get taken off lists.

With your approach how many calls do you get per month?

About a decade ago I just started ignoring unknown numbers that didn't make sense. I still get some spam calls from Idaho numbers. Especially early in the morning. I assume because that's when people are more susceptible.


Yeah that's what I assume. I never answer them either. The only calls I get from Idaho are people I already know and are in my contacts.


This is the best thing ever actually.

Every entrepreneur should be made, prior to opening their business, to get a cell phone from Montana.

Then, get a google voice #. That will be the burner for all random apps online.



this link has SSL errors


Works for me. Where are you & who is your isp?


same

This site can’t provide a secure connection

archive.is uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH


Banning sale just moves the problem. The carriers have already mostly stopped "selling" the data by moving the advertising analytics and other mining in house and selling access to that instead of the raw data. They probably make more money on the analytics than just the raw data, win win for them.


I can't wrap my head around it. Selling location data is such an obvious violation of privacy (don't even start with that "anonymized" BS), that selling and also buying it should just be a federal offence right off the bat.


That's because the general availability of such data is of benefit to the government. Who needs the permission of the courts when the data is legally available "on the streets."


Laws are old. Wiretapping is a crime. Harvesting web browsing history is not. US Mail is legally protected. Email is not. Until a law is passed data brokers will ply their trade. Even after they will work right up to the legal limit.


But The Bill Of Rights? Ninth Amendment? People having the right to privacy?


That's part of the problem. Judges interpret these Constitutional rights narrowly. There's no fundamental right to privacy, just criminal procedure rights. The US Constitution applies to the government not companies.

Searching US Mail? Need a warrant. Searching emails? Third party doctrine means it's A-OK as long as the emails are older than 180 days. Banning a book is not okay but seizing a domain is fine. Searching your briefcase requires a warrant but searching your Dropbox.com does not. It's like our rights end at the intersection between the real world and the Internet. I predict a huge scandal has to happen before privacy laws explicitly include digital personal info. Even the Snowden leak only led to a law protecting phone call logs but not Internet footprints.


I'm still hoping if the 'the government can't bypass the first amendment' case that's currently going on over the government talking to private companies (social networks) is found to have merit it will then set precedent for 'the government can't bypass the constitutional right to privacy' via the government talking to private companies.


That was the idea of this: https://www.congress.gov/bill/117th-congress/senate-bill/126...

Sadly died in committee.


Once the lobbyists descend on Mass to ensure a precedent or momentum is not started, anything passed may have loopholes such as for government or allowing the collection and sale from other states or offshore. I implemented countermeasures years ago and will stick with them. Hope is not a good strategy, but I support the efforts.


> Once the lobbyists descend on Mass to ensure...

When I first read this phrase, I thought you meant "en masse". But then I saw that this is actually about Massachusetts, so your phrasing was probably on purpose. Funny multi-word homophone!


Means absolutely nothing if license plate tracking, biometric (facial et al) tracking, financial tracking, and other more sophisticated forms of tracking, from link tracking (follow your social grouping = easily follow you) to drones and beyond.

We'll get none of it as long as vested interests strenuously and financially (read: lobbying/PAC-political donations) object to the very construct of an implicit right to privacy, and the possibility of an explicit right that, say, adds superpowers to 4th Amendment is so far off that one sees the fall of humanity on the horizon long before any such thing is put to bill.


Don't let perfect be the enemy of good.

Progress, even incremental, makes it more expensive for the brokers and shows evidence that _something_ can be done.


Interesting.

Are we talking 1. app level, 2. os-app level, and/or 3. phone carrier level?

There is/was an ability to track the location of any non-US cellphone through shady data broker websites that allowed collection of carrier-to-carrier metadata such as current location to be purchased by anyone. This ability was not allowed in the US.

So what has changed about collection and resale of US-based location data since then? Is there evidence carriers are actively selling data?

Edit: Also, what about non-mobile device location data from other sources such as laptops, desktops, tablets, and other consumer electronics?


Good. Still not far enough to account for unreasonable search. GPS a little inaccurate? Suddenly you’re in a data slurping dragnet for “standing” in the middle of a Capitol riot, while you’re not really there at all.


Does wifi calling avoid tower triangulation and does VOIP like Google voice hide your calling number from the actual physical phone number?


Nope, not for wifi calling. The moment your phone connects to cell towers, they siphon location information to what is known as a Gateway Mobile Location Center (GMLC) which collects and aggregates location data on phones connected to the cellular network.

Theoretically, you could perform wifi calling without any connection to a base station, which could then protect your location data (assuming you use an IP hiding service such as a VPN). But you can't just "turn off" cell tower associativity on your phone. They're on whether you want them to be or not--short of taking your battery out of your phone or physically disabling the baseband on your phone, there's nothing to stop it.


> But you can't just "turn off" cell tower associativity on your phone.

That's what airplane mode does, because it's not good for the cell network if you can be heard by two base stations that share bands (and are normally too far away to interfere with each other) and easily happens when you have altitude.

You can usually turn on WiFi/BT w/o exiting airplane mode, because lower-powered radio devices are typically permitted in situations that cell itself isn't.

SIM-less phones typically don't maintain association, because it costs battery to do so, and they only start talking to towers during an emergency call. However, there is no requirement one way or the other.

The easiest way to tell is if the clock of a SIM-less phone drifts over a month or two from something it was sync'd to. Note that using GPS at all will often sync the clock, and some devices will "wake" the GPS module to allow it to keep an up-to-date almanac and tracking (the math kind, not the surveillance kind) parameters, so it is best to disable location entirely, instead of just avoiding using it.

If the phone has been used for a long time with a reliable time source available (tower/gps/ntp/etc), it may have a pretty good drift calibration, so it may take quite some time for drift to be visible.


Well they should ban all data collection except for debt payoff data.

And maybe even that should be banned (if someone smart can figure out a way to make risks stable without that data).

This entire thing needs its own HIPAA. FTC needs to be put under new management.


They should not only be banning the buying and selling of this data, but any type of sharing as well. You may only share this information with another party with the permission of a judge.


Would a ban on the "sale of data" ban profiting off location data altogether? For example, would location based ad targeting be affected?


Is there any way to make it anonymous?


Technically, yes. Socio-economically, no.


Fascinating that this could start in the ostensible haven of libertarianism.

Edit: Sorry everyone, I was confusing Massachusetts with New Hampshire.


> Fascinating that this could start in the ostensible haven of libertarianism.

You're confusing Massachusetts with New Hampshire.


Oh my, obviously you're right. Thank you for the correction.


[flagged]


How is this legislation a reaction to that movie?

Are you suggesting that Massachusetts legislators watched 2000 Mules, realized that their efforts to throw the election in favor of Biden had been detected, and then sought to make it impossible to catch them next time?


It's more likely the parent poster was trying to generate any traffic to that site; your comment (and mine) is likely just a bonus.



