Hacked - News Update - 200 Million Dollar Location Tracking
Episode Date: March 10, 2020
Jordan & Scott discuss FCC fines regarding location tracking.
Transcript
This opening story and news update is about $200 million in federal fines,
and it starts with a Missouri sheriff named Corey Hutchison.
Back in 2014, in Mississippi County, Missouri, right in the boot heel of the state,
the county started contracting out its prison phone system to a company called Securus.
Prison phones are lucrative business, but the competition is really fierce,
so these companies bundle other services in to try and make their offerings
more compelling to law enforcement.
One service Securus offered was a location tracking service
that essentially allowed law enforcement
to find the whereabouts of almost any cell phone in the country within seconds
by going through this system that's typically used by marketers
to get location data from major cell phone carriers.
Mobile carriers know where you are based on cell tower triangulation,
and they're allowed to sell that data to businesses
that want to market you based on location,
as long as, and this is really important, they get your consent.
The only other way you can track someone's location legally is if you're law enforcement and you have court documents like a warrant.
So what happened was this company Securus made a deal with cell phone carriers to buy that location data,
which they would provide to law enforcement for a fee as long as law enforcement uploaded those court documents,
which is where Corey Hutchison shows up.
Because according to prosecutors, between 2014 and 2017,
Corey tracked hundreds of people without their consent.
While he pled guilty to one count each of identity theft and wire fraud,
he was originally charged with nearly 30,
which even then pales to witness testimony from another sergeant
that said that Hutchison personally tracked him 64 times, 24 in a single day.
All in, Sheriff Hutchison applied for thousands of searches and illegally accessed hundreds of people's information according to prosecutors.
And if you're wondering, hey, I thought law enforcement had to upload a warrant to get this info.
This is how we get to those fines.
Mobile carriers are legally responsible for the safety of your personal information.
When they license it to a company like Securus, it's the carriers that are responsible for making sure that
Securus isn't giving out that info to anyone they're not supposed to.
So when, instead of warrants,
Sergeant Hutchison uploaded completely irrelevant documents,
including his health insurance policy,
his auto insurance policy,
and pages from the sheriff's training manual,
Securus should not have given him that private information,
but they did.
And since the telecoms gave it to them,
we arrive here, where last week, the FCC proposed 200 million in fines to the telecommunications companies for failing to secure their data.
We're going to talk a little bit more about what that means on this Hacked News update.
We're not even going to talk about the FCC fines that long. It's going to get real exciting.
Oh, you have my attention.
Fire it up. Take me through this fine.
Sure. So the cell companies, the telcos, know where you are roughly based on what tower you're connected to. And they have the ability to sell that data. And they do. Who do they sell it to?
Well, they sell it to a variety of people. You know, this one is they've sold it to a third party who then resells it to, you know, marketing companies and or, you know, law enforcement.
Say we were hypothetically marketers.
Hypothetically.
What utility does that information have?
Me knowing where someone's cell phone is, I'm trying to advertise to them.
Why is that useful?
Yeah, well, this form of data is not actually that great
because this form of data is just literally which tower they're connected to.
So it's a rough kind of proximity.
But it's very valuable in a sense of being able to deliver an ad that's geo-targeted,
which is kind of like a very basic premise
of like, you know, online digital advertising.
Right.
So I'm a marketer.
I want to be able to say,
someone just walked into a smoothie shop.
I'm going to, with their consent,
deliver them an advertisement for smoothies.
You in that statement are assuming that
knowing which cell tower they're connected to
will tell you that they're in the smoothie shop.
But it doesn't mean you can't get that data.
How do you get that data?
So this doesn't really have anything to do with this fine,
but it's more of just like a public service podcast, I think.
But most of the apps that you have on your phone
when they ask you for your location data
whether they can have it always or just when you're in the app
they often resell that data
which is pinpoint accuracy of where you are
and they resell that to marketing companies.
Do they need, so I know in this story
the telecommunications companies
when they sell it to a third party
who's going to do something with it,
that third party is responsible
in a contract with the telcos for getting your consent,
is an app saying,
hey, we use your location data.
Does that qualify as consent in the same kind of legal sense?
Yeah, and it'll be in the terms of service.
So you passively, tacitly, accept their conditions?
Out of curiosity, this situation,
they know where your location is based on which cell phone tower they're connected to.
When I do it in an app, is it just GPS coordinates?
Very much so.
So it's vastly more accurate.
So like, being people that theoretically work in marketing, we, if you just Google, like everybody should just open a web browser and Google location-based advertising, we can literally draw a geo-fence around the coffee shop at the end of the block and just deliver ads to people that are sitting in that coffee shop.
And no one's ever accepted a condition to have their pinpoint location given out.
It's sort of a side effect of just using the apps that we all use on a daily basis to exist
in the world.
Yeah, and it's major apps, too.
It's not just like, you know, grungy third-party Android apps.
We're talking about, you know, premium media company apps that gather location data and
resell it back to people.
So there's a myriad of different ways that my location can be sold off as data to some
third party.
Can they figure out that it's me or do they just know that there's a person going to these
places. Yeah, they can figure it out. How? Because everyone's tracking everything these days through
location pixels, tracking pixels, tracking, you know, all this variety of digital tracking methods
that we've added. It used to be primitive cookies. And now we have this much more intensive
suite of tools to do this. And the same thing with location data. Your device has a unique
ID. So eventually they can pair your device ID to other tracking pixels, which allows them to
tag you with geographic, demographic, and psychographic data that they're pulling from
your other social media platforms.
So it's kind of about cross-referencing.
It's about the fact that they know this device was here, and then they know that that device
went to this site that had this tracking pixel, and they're able to kind of create this sort
of like mesh by which they reverse engineer, like, kind of your habits and traffic, which
they're able to commodify and sell off to other people.
Yeah, right.
So, like, say, you know, in the location-based advertising games, say, you know, we're a major
coffee franchise and we really want to target people that have, you know, when they're in our shop,
we want to present them with this offer. And if they're of this psychographic makeup, that's
really possible. You know, we've willingly torn down all the walls of our privacy in certain ways.
Inherent to this whole discussion, there's this idea that being a company that has this
information about you is a privileged position. It's sensitive information and this proposed FCC
fine is a result of the fact that the cell phone companies behaved in a way, they treated
the information very cavalierly.
They gave it out to someone who had not checked all the boxes and was giving out to people
that shouldn't have access to it at all.
That's with the cell phone companies.
This other thing we're talking about, where you're able to be tracked based on kind of GPS data
through mobile movement and websites, do you happen to know if there have been any giant
lawsuits about that?
I don't think so.
There's definitely been no curtailing of that industry.
It's only growing and expanding.
And sorry for kind of hijacking this from about talking about the FCC fine and stuff,
but I feel like this is the natural progression of that conversation.
Sure.
No, it makes sense to me.
Like cell towers seem so blasé when you can, you know,
know that Jordan goes into this Starbucks at this time every day.
T-Mobile, which is one of the biggest proposed fine recipients.
I think it was like 91 million for them.
I think they had 2018 revenue of 43 billion
and like a net income of 2.8 billion.
Yeah.
So this is a slap on the wrist.
This is a symbolic gesture from the FCC saying,
hey, we had rules in place.
We actually got rid of a lot of those rules over the last three years,
and you still managed to find a way to break them.
This is a symbolic nod that doesn't really get to the heart of the problem.
Does this kind of just fall on consumers at this point if they want to keep this data private?
Because it doesn't seem like there's a lot of teeth with which to control these companies.
Is it really just on you to lock down your data if that's something you care about?
Yeah, well, I think the reason this is a slap on the wrist
is because it's old now.
There's better ways to do this that are more accurate
that we've kind of tacitly agreed to.
Society is kind of tacitly agreeing to this, like, move through it,
giving up tons of our privacy,
and we all seem to be tacitly okay with it.
And I think that that's, like, I'm not wearing a tinfoil hat
running around saying that everything's broken
and that the world's burning, even though it kind of is.
But the reality is that, you know, we don't take it seriously.
Like I have location base turned off on my phone, but most people don't.
No.
It's interesting to me that the cell phone carriers at this point,
like, if we think of like the value of these different types of information,
the really granular stuff, you're in a coffee shop.
Not in this exact coffee shop.
This coffee shop is worth more than you're in this general geographic area.
It seems interesting that the cell companies have had to resort
to selling to certain types of law enforcement,
where it's like, no, we don't need your consent because we're not marketing to you.
We're trying to track, like, a criminal.
Like, it's the quality of the information isn't that good, so they're having to find new customers to sell it to?
Yeah, and the thing is, is, like, since this case began, like, 2014 to 2017, I think,
like, location-based advertising, like, as people that theoretically work in marketing,
we get calls from vendors that want to sell us this service and have had those calls coming in since probably 2015, 2014.
So, I, you know, what they were doing, sure, terrible.
The fact that somebody exploited it, terrible.
But the fact that it is constantly exploited every day by other people, we tacitly accept.
We seem to be okay with it.
Yeah.
Well, you know, there's even, like, set up a new laptop the other day.
And it asked me if I was okay with a unique advertiser ID to track me as a person and what I psychographically wanted to see.
So that the ads had served me would be, you know, more refined
to my tastes.
And this is the same thing.
It's just the exact same thing except it's happening on our phone.
And when you install that like sports news app that everybody has on their phone,
they're also just selling your location data constantly if you let them access it.
The reason this whole story broke,
the reason the FCC got interested, was because the New York Times, I think,
wrote a story about Securus.
And the whole Securus story turns on the fact that there was one guy who was manipulating this.
And we could all wrap our heads around that.
We could picture one guy sitting in a computer
looking at something he shouldn't have
because he had privileged access to information
that he had no right getting access to.
There's trickle-down effect of corporate.
I don't know what.
Maybe no one just kind of paying enough attention.
It's interesting that that's what it takes
to get people to pay attention
specifically to have there be a legal response to it.
A whole bunch of media attention
has to get pointed like a spotlight
on one of these things before
there's going to be any kind of a response.
I think that that day is coming for location-based advertising.
Like, it's just so effective.
Like, if you imagine it, like, we'll tell the scenario of this that people will like.
You know, imagine we run the independent coffee shop on the block,
and there's a Starbucks on the corner.
And we geo-fence the Starbucks and run shop local ads to everybody that goes there
to try and drive them to the independent coffee shop.
But in reality, the opposite is happening,
where they're, you know, selling Starbucks ads to the independent, but whatever.
But the gist of it is, it's very effective.
But at the same time, it's, I don't know, it's ridiculous.
Yeah, water boiling and the frog not realizing it kind of situation.
Yeah.
Thanks for listening to this Hacked update.
If you like the show, rate and subscribe,
or check us out at patreon.com slash hacked podcast.
Find us everywhere at hacked podcast.
Talk to you next week.
