CerCareOne

How easy is it for someone to find you? There are lots of different ways, of course, but consider this cautionary tale from the United States:

Mobile phone companies in America collect precise GPS data on the location of mobile phones. When privacy advocates complained about this type of surveillance, the phone companies had a two-pronged defence: 1) that their use of this data was governed by Section 222 of the Communications Act which supposedly guards users’ privacy; 2) that there were a number of cases where people’s lives could have been saved if only emergency services were able to access precise GPS location data.

The problem (apart from the greed of the companies involved) seems to be that Section 222 is weak: it only requires companies to “consider” user privacy. The mobile phone companies worked around this by saying that they were only selling data to trusted partners. The private intelligence companies then worked around this in turn by realising that if they used a third “clean” company as a cut-out, the abuse of the service would never show up.

And this is exactly what happened. A company called CerCareOne was set up and the phone companies sold users’ GPS data to it as a trusted partner. CerCareOne, meanwhile, made itself difficult for the public to track down. Its main website was always “under construction”, but for those in the know there was another portal through which requests for mobile phone data could be made. Those using the service had to sign a contract promising to keep the service a secret. Each request cost $1100. The service was used tens of thousands of times before the abuse was discovered, so it is calculated that the company made millions of dollars each year. The chief users of the service were bounty hunters looking for fugitives, but others could use it as well. The data sold included a user’s full name, phone number, address, contract details (including payment information) and current location (this last piece of data is not only accurate to a few feet, but also includes height in case the target is in a high-rise building).

The FCC refused to investigate, stating that it was satisfied that mobile phone companies were immediately cutting off offending parties, so there was really no problem. But of course, as the case of CerCareOne shows, if you can’t see that they are breaking the rules, you can’t cut them off, and if you don’t cut them off, it looks as though there isn’t a problem! And so the abuse continues. Privacy groups such as “Public Knowledge” have condemned FCC Chair Ajit Pai, claiming that “We have a chairman who doesn’t want to do his job.” The Senator for Oregon, Ron Wyden, has accused Pai of “rewriting the rules to help phone companies rake in more profit.”

This story is about access to your data by private companies, but it should also serve as a reminder of three things: 1) that despite government assurances, where profit and privacy guarantees collide, profit usually wins; 2) how much the state can find out about you anytime it wishes to; and 3) that foreign intelligence agencies that hack into these companies’ systems will have access to exactly the same data.
