philipn
4 min read · Oct 13, 2017

Want to see something crazy? Open this link on your phone with WiFi turned off:

https://bit.ly/crazymobiledemo (Note: this demo site may have been taken down after this report got traction)

Click “Begin,” enter the ZIP code and then click “See Underlying Data.”

What you should see is your home address, phone number, cell phone contract details, and — depending on what kind of cell phone towers you’re currently connected to — a latitude and longitude describing the current location of your cell phone.

Information shown in the danalinc.com demo interface. I blacked out some fields. Cell tower provided location data is also sometimes shown.

Here’s a simpler demo. This time, no ZIP code required:

https://bit.ly/mobilescary (Note: this demo site may have been taken down after this report got traction)

The payfone.com demo interface. I blacked out some details.

What’s going on here?

In December of 2013, AT&T announced their “Mobile Identity API”, available only through an enterprise contract with AT&T. Verizon later announced something similar. It looks like both Danal and Payfone are paying for access to these enterprise telco APIs [1], [2].

These services are using your mobile phone’s IP address to look up your phone number, your billing information and possibly your phone’s current location as provided by cell phone towers (no GPS or phone location services required). These services are doing this with the assistance of the telco providers.

These services claim to help detect fraud by cross-referencing user-provided billing or phone number information with the cell phone provider’s information. Or, in the case of cell phone location, cross-referencing phone-provided GPS location with the location of the phone as provided by cell phone towers.

While the two demos above require the lookup IP address to be the same as the requesting IP address, such safeguards may not be in place if you purchase contracts from these companies. For instance, the payfone.com API appears to allow customers to look up cell phone information just by saying the user has consented. Their API also allows batch lookups.

In 2013, news came to light that AT&T was providing the DEA and other law enforcement agencies with no-court-warrant-required access to real-time cell phone metadata. This was a pretty big deal at the time.

But what these services show us is even more alarming: US telcos appear to be selling direct, non-anonymized, real-time access to consumer telephone data to third party services — not just federal law enforcement officials — who are then selling access to that data.

Given the trivial “consent” step required by these services and unlikely audit controls, it appears that these services could be used to track or de-anonymize nearly anyone with a cell phone in the United States with potentially no oversight.

2017-10-16: Follow-up notes

It looks like the telco partners removed the demos once this article got traction. Payfone also made their previously public (and linked from their home page) API documentation private after the publication of this article. This article was updated to point to an archived form of their documentation.

AT&T’s “consumer choice” opt-out at https://att.com/cmpchoice didn’t appear to do anything to stop this, even after waiting the stated 48 hours. All of the demos were still working for me on the morning of 2017-10-15 after I had opted out on 2017-10-13. Many users on Twitter and elsewhere also report that AT&T’s opt-out process doesn’t do anything here. Verizon’s “opt-out” pages also may not do anything to prevent this, either (A, B).

There was a presentation by Bryan Hicks (AT&T) and Ritesh Jain (Danal Inc.) on YouTube (“AT&T and Danal Joint Presentation at CTIA — Sep 9, 2014”), posted by Ritesh Jain. After publication of this article, the video was made unavailable.

I found what looks like a third-party API implementation for a Korean Danal API on GitHub. The author wrote the code for South Korean telcos, so there may be differences with US carriers. The query parameters in the HTTP requests are similar to what I remember seeing in the Danal demo. It’s unclear from my reading of the code whether or not this API requires operation inside of e.g. a Danal Inc. hosted iframe for identity confirmation. The diagram on page 4 of this documentation describing the Korean “Danal Pay” service appears to show the client interacting with the customer’s servers only.

2017-10-17: Follow-up notes

The FCC privacy rule changes were made in 2017. These US telco partner services appear to have popped up around 2013.

Patents from these telco partners give detail on possible implementation: US20160050259 A1, US20160112872 A1, etc.

Two videos from Payfone demoing their “click to fill” service: [1], [2].

None of the telco partner demos worked when a VPN was enabled. But it’s possible these telco partner services — and/or customers of those services — may be able to track and/or profile using just a phone number and the authentication bits (e.g. ZIP code). For instance, the Payfone API docs seemed to indicate this was possible. If a mobile IP was required then it might be possible for these services (or customers of these services) to continue to request information from the telco APIs using the same mobile IP over and over again, as mobile IP addresses could persist for days. In these cases, it could take just a single deanonymization to continuously track and/or profile someone.
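To make the two design points above concrete, here is a small added model of a carrier “identity lookup” endpoint. It is my own illustration, not code from AT&T, Verizon, Danal or Payfone (whose real APIs are not public), and every partner id, subscriber record and IP address in it is constructed. It contrasts the policy the article worries about (the partner simply asserts consent and can resolve any IP, in batches, from anywhere) with one that ties each lookup to the subscriber’s own connection and a one-time consent token the carrier itself issued to that connection, caps repeated lookups of the same mobile IP per partner so a persistent IP cannot be re-queried indefinitely, records every request for audit, and answers the fraud question (does the ZIP match?) without handing over the record.

```python
"""Toy model of a carrier "mobile identity" lookup endpoint.

Added illustration for this article; not code from AT&T, Verizon, Danal or
Payfone. Every partner id, subscriber record and IP address is constructed.
"""
import secrets
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed subscriber table keyed by the IP the carrier currently assigns.
SUBSCRIBERS_BY_IP = {
    "203.0.113.10": {"msisdn": "+15555550100", "name": "A. Subscriber", "zip": "94110"},
    "203.0.113.11": {"msisdn": "+15555550101", "name": "B. Subscriber", "zip": "10001"},
}

# Fixed clock values so the example is deterministic.
T0 = datetime(2017, 10, 13, 9, 0)
LATER = T0 + timedelta(minutes=6)   # past the five-minute token lifetime


@dataclass
class LookupRequest:
    partner_id: str                       # enterprise customer of the carrier
    requester_ip: str                     # IP the HTTP request actually came from
    lookup_ip: str                        # IP the partner asks the carrier to resolve
    consent_asserted: bool = False        # the partner's own claim that the user consented
    consent_token: Optional[str] = None   # token the subscriber's device obtained
    claimed_zip: Optional[str] = None     # value the partner wants checked


def weak_lookup(req: LookupRequest) -> Optional[dict]:
    """The policy the article worries about: the partner merely asserts consent and
    the carrier returns the full record for whatever IP it is asked about."""
    if not req.consent_asserted:
        return None
    return SUBSCRIBERS_BY_IP.get(req.lookup_ip)


class BoundLookupService:
    """Lookups bound to the subscriber's own connection, gated by a one-time
    consent token, rate-limited per partner and IP, audited, and answered as
    match/no-match rather than with the raw record."""

    def __init__(self, max_per_window: int = 3, window: timedelta = timedelta(hours=24)):
        self.max_per_window = max_per_window
        self.window = window
        self.tokens = {}                  # token -> (device_ip, expiry)
        self.counts = defaultdict(list)   # (partner_id, ip) -> lookup timestamps
        self.audit = []                   # every request, allowed or refused

    def issue_consent_token(self, device_ip: str, now: datetime) -> str:
        """Issued only to the subscriber's device after a consent screen served by
        the carrier, so a partner cannot mint consent on the user's behalf."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (device_ip, now + timedelta(minutes=5))
        return token

    def lookup(self, req: LookupRequest, now: datetime) -> dict:
        result = self._decide(req, now)
        self.audit.append({"when": now, "partner": req.partner_id,
                           "ip": req.requester_ip, "ok": result["ok"]})
        return result

    def _decide(self, req: LookupRequest, now: datetime) -> dict:
        if req.lookup_ip != req.requester_ip:
            return {"ok": False, "reason": "lookup must come from the subscriber's own connection"}
        bound = self.tokens.pop(req.consent_token, None)   # one-time use
        if bound is None or bound[0] != req.requester_ip or now > bound[1]:
            return {"ok": False, "reason": "missing, mismatched or expired consent token"}
        key = (req.partner_id, req.requester_ip)
        recent = [t for t in self.counts[key] if now - t < self.window]
        if len(recent) >= self.max_per_window:
            return {"ok": False, "reason": "too many lookups for this IP in the window"}
        self.counts[key] = recent + [now]
        record = SUBSCRIBERS_BY_IP.get(req.requester_ip)
        if record is None:
            return {"ok": False, "reason": "not a carrier-assigned IP"}
        # Verify-not-reveal: confirm the partner's claim without disclosing the record.
        return {"ok": True, "zip_matches": record["zip"] == req.claimed_zip}


if __name__ == "__main__":
    # Weak policy: an unrelated network resolves someone else's mobile IP.
    print(weak_lookup(LookupRequest("partner-x", "198.51.100.5", "203.0.113.11", consent_asserted=True)))
    svc = BoundLookupService()
    token = svc.issue_consent_token("203.0.113.10", T0)
    print(svc.lookup(LookupRequest("partner-x", "203.0.113.10", "203.0.113.10",
                                   consent_token=token, claimed_zip="94110"), T0))
```

The rate limit and the audit list are the two controls that matter for the follow-up concern about a mobile IP persisting for days: even a partner that has legitimately resolved an IP once cannot keep polling it, and every attempt, refused or not, leaves a record an auditor can review.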

Thanks to Paul Lanzi for freaking me out and showing me the Danal demo site!


Co-founder, Shotwell Labs. Previous: @LocalWiki, @DavisWiki. I program computers and like sunshine, mathematics and burritos.