A researcher named Robert Xiao just found and reported a so-called vulnerability in a web service called “LocationSmart”. It turned out that anyone (yes, you, me, your Dad, anyone) could easily find the real-time location of any cell phone in the US (and, presumably, Canada) to within a few hundred feet! Want to stalk your ex-boyfriend or ex-girlfriend? Guess what, LocationSmart can help you do that. Want to see if your neighbours are out of town so that you can break in? Well… you get the picture.
The good news is, no, wait, there is no good news. The not terrible news is that the discovered vulnerability has been fixed, because Mr. Xiao is one of the good people: before he publicized the problem, he contacted US CERT (Computer Emergency Readiness Team), and he waited until it was fixed before disclosing it to the rest of the world. Now only customers of LocationSmart can track everyone.
I have complained in an earlier post about my phone company using tracking information. What I should have realized is that the problem goes so much deeper. If you go to the LocationSmart website, you will be confronted by the usual strange marketing speak, like:
Engage consumers with geo-relevant promotions. Location-based offers are proven to have higher levels of engagement and ROI.
What is not immediately clear is that this company has access, in real time, to the location of every cell phone in the US (and, I assume, Canada). In fact, if you dig a little deeper on their website, you will see these claims:
Global reach to more than 120 million cell tower IDs. Monitor all devices even when roaming.
Obtain ubiquitous browser location for over 3.2 billion browsers worldwide. We support all modern browsers on all connected devices.
among other things.
Now, I do not attach any blame to this company – they recognized an opportunity, and are exploiting it. Good on them. But what bothers me is that they are getting the raw data from my cell phone provider and my internet service provider, and I have never been asked if this data could be shared. As I pointed out in my earlier post, there is no opting out on your device: only your provider is able to get the information and share it. And by share, I mean sell.
This should just not be allowed.