2. Cell Site Location Information
• Carriers are required to triangulate
phone locations for e911 service
• As tower density increases, location
becomes more precise
• 3 antennas per tower - 120° range each
• Signal strength per tower triangulated
• Carriers choose to store this data, some
as long as 3 years
3. Who can access your Cell Site Location Info?
• Not you! (Wired survey published 09.28.11)
• Anyone the carrier wants to share it with?
• Most are unwilling to risk selling it
outright
• Sold “anonymized” or aggregated.
• Law Enforcement (for a fee)
• Warrant, order or subpoena not
necessary. (Maybe?)
4. Why Is Data Available?
• No Supreme Court decision: decided by lower courts,
each differently.
• Cell Site Location Data may be a business record
owned by carrier. (Governed by US v. Miller (1976) RE: Taxes & Bank account)
(Covered by Stored Communications Act 18 U.S.C. § 2703)
• Cell Site Location Data may be covered by
“Pen/Trap” statute. (18 U.S.C. § 3122)
• May be covered by Telecom Act, ensuring privacy
and providing customers access
(47 U.S.C. § 222)
• “Color of law” (Not legal)
5. Privacy Between You and Corporations?
• Generally, when you send information
to someone, unless otherwise agreed, it
becomes theirs, depending on expectation.
• Application providers, cell phone
manufacturers and cell phone
providers may make requests for data.
• What they may do with that data
depends on expectations that are set.
6. CarrierIQ and You
• BIG question: Can someone put
something on your phone to collect
data on you?
• Short answer: If that “someone” is you.
• Longer answer: Maybe if you let them.
Or it was there when you bought it or...
(In re IPHONE APPLICATION LITIG. (2012): CarrierIQ class action,
mostly dismissed, but no final judgement or appeals)
7. Pushing Software
• Only vague consent for tracking objects
required.
In re DoubleClick Inc. Privacy Litig. (Dist. Ct. 2001): Cookies are legal.
• Can collect anything so long as the user
doesn’t object
• Social Engineering on a corporate scale
8. Enter the Federal Communications Commission
• FCC is an agency: “rules” instead of
“statutes”. Heard by special courts.
• Act of Congress for FCC to enforce:
Telecommunications Act of 1996 (47 U.S.C. § 222)
• “EPIC CPNI Order” requires opt-in consent
for selling customer data to third parties
Telecommunications Act of 1996 Implementation: Telecommunications Carriers
Use of Customer Proprietary Network Info. & Other Customer Info. IP-Enabled
Services (2007)
• Challenged by carriers (!) and upheld:
Nat'l Cable & Telecommunications Ass'n v. F.C.C. (D.C. Cir. 2009)
9. The FCC is Considering the Problem
• Looking for input on privacy issues that
Carrier IQ raises. (Comments closed July 30, 2012)
• All carriers argue they need to give 3rd
parties personal data on their customers
to maintain good service.
• Carriers may be held responsible for
privacy of data stored on the phone.
10. The Federal Trade Commission Is Interested
• (FTC) Deceptive Trade Practices Act: privacy
policy must be accurate and understandable to
average users (15 U.S.C. § 45)
• “Legalese” no longer cuts it.
(why it did before is a longer discussion)
• “Opt out” (e.g. Facebook Consent Order): Fined
• Now looking at other businesses, specifically
including Carrier IQ issues
• Vagueness or obfuscation in apps catches the
attention of the Federal Trade Commission.
11. You Expected Privacy?
• “Computer use” policy can also apply
to phones, pagers.
(City of Ontario, CA v. Quon (2011): Explicit pages get exposed)
• If you don’t own it, you can’t count on
privacy. (From people who do.)
• (Pagers? 2011? Says something about the speed of courts, doesn’t it?)