Reply All - #135 Robocall: Bang Bang
Episode Date: January 31, 2019This week, Alex investigates the rise of one of the most hated businesses: Robocalls. And Damiano tries to figure out if a robocaller is tracking his every move. Learn more about your ad choices. Visi...t podcastchoices.com/adchoices
Transcript
Discussion (0)
From Gimlet, this is Reply All.
I'm PJ Vote.
And I'm Alex Goldberg.
Hi, PJ.
Hey, Damiano.
Producer Damiano Marquetti.
Hello.
What are you here for?
What have you got?
So you guys know that I...
Like, I sort of talk about robocalls a lot.
Oh, my God.
Yes, you talk about robocalls a lot.
And my...
Why do you find Robo Calls fascinating?
I feel like it's one of the things where I've just got to, like, watch a scam develop and change over time.
and like there was there's been so many different versions of them like you feel like you're a robocall
epidemiologist yeah and it's just fun to be like what are they up to this week okay and like normally
like my curiosity takes me as far as like i pick up the phone i listen i get to like hear what's new in the
world of like robocallers and then i hang up but then like a couple of months ago this thing happened
that made me want to find out like so much more because it actually just felt like for the first time
kind of scary.
Okay.
Well, all right.
So just like, wait, first of all, like, do you guys get robocalls?
Yes.
Mm-hmm.
Both of you do?
I get, I didn't used to, like, I used to occasionally get them, and I don't know what I did
wrong, but I get a lot of them now all the time.
Yes, me too.
Like, everybody's been complaining for the past, like, couple years about, like, oh,
we're getting on these calls.
Like, we've done stories about these calls.
Up until six months ago, when people talked to me about it, I was like, okay,
this is really easy.
Just download.
There's, like, a bunch of apps you can get for your phone.
I use one called Haya.
And it's almost like the way your email has a spam filter,
this kind of puts the equivalent of a spam filter on your phone.
And I was like very, I don't know,
people think that I have answers to tech questions.
I almost never do.
And I felt very cocky about like actually being like,
oh, there's a new fix.
And then like for me,
maybe three months ago,
it just,
it was like the damn broke and like,
oh my God,
I'm getting so many.
Like every morning,
every night.
And they don't just call once.
Like they'll just call over and over and over again.
until I actually go to my phone and block the number.
Like, if I don't, it'll be like 30 in a row.
It's, like, harassing and aggressive and weird.
And always, like, whatever number starts calling keeps calling.
Yes.
And they're always calling from, like, these phone numbers that are completely fake.
Like, you can't call them back and get someone on the line.
It's either, like, a deadline or it's somebody else's phone number.
And, like, this thing that they're doing, it's actually, it's called call spoofing.
Yeah.
There are a lot of programs that allow people who are making robocalls to make it look like they're dialing from whatever number they want.
So the way I get them, it's always the same one.
It's this one that's like, it's some weird, like, Medicaid-based scam.
Yes, that's the one I get to.
And it's always like, hi, this is Anne.
Do you have insurance for you and your whole family?
Or something like that.
Yeah.
But what happened in, like, October was that I went home to California.
And I noticed that all of the phone numbers that were calling me, like all the robocalls,
not like the and call, but like a totally different call,
were suddenly like California numbers.
Like the area code was California?
Yeah, which was weird because I looked back in my phone history
and I realized that like before I had gone to California,
they were always New York numbers.
They know where you are.
I mean, I don't, my first thought was like, you're like...
It must be a coincidence.
Like probably it's all sorts of numbers and you just didn't notice it,
but you notice it when it's where you are.
Yeah, but it, but that's,
then I realized that like my number, like my, my area code is 707, which is a Bay Area number.
Yeah.
And so all of the time that I've been getting calls in New York, Robocalls in New York, been being like, oh, you know, it makes sense.
It's a New York number.
I'm in New York.
It's like, oh, no, that doesn't make sense at all.
No, that doesn't make any sense.
Like, you would think that they would be like mimicking my area code, not mimicking my location, which obviously, like, they shouldn't know.
It's also super creepy because it's like, if the robocall place, if they're.
their business model is that they call like a million people every day and you're one of those
million people and they know where you are, that means they know where everybody is. Yes.
In a way that must be very easy for them in a way that I find, assuming that's what's happening,
pretty creepy. Right. The idea that like some company that wants to steal from money from me can
figure out exactly where I am all the time, that freaks me out. Right. And so like that's what I
want to figure out. Like, am I just being crazy? Or like, is something really going on here?
Like, are they really tracking me and making calls based on my location?
Okay.
I mean, I think if they are, it's a big deal.
I do want to say, just like full disclosure, I err on the side of thinking that you might
actually be being paranoid just because it would be such an invasive thing to do on such a large
scale.
But I do think you should find out.
Also, if you're going to find out the other thing, I just like want to know.
I have questions about just like what is happening with robocalls right now.
Like, I don't understand.
It feels like there are way more than there were.
it feels like something actually changed.
If that's true, I would like to know what happened.
Like, why the damn broke.
Yeah.
You know, I've honestly been wondering the same thing,
and I would be happy to look into that.
Okay.
Awesome.
Cool.
All right, Alex and I are back.
We are.
So what did you guys find?
So we've gone out and, like, talk to a bunch of people
and, like, actually learn some things that are really surprising and exciting.
And I think it actually makes sense for Alex, for, like, for you to go first.
All right.
So just to start, I have always assumed that any robocall that I get is just going to be a scam.
Like, it's someone in their basement with a computer making phone calls, trying to steal my identity or whatever.
Like the IRS one where they call you and say you owe back taxes.
Or there's one where someone calls you and says like, hey, I'm from the fraud department at your bank.
I've detected fraud on your account.
Can you please give me the last four digits in the expiration date?
And then they'll be like, oh, hmm, it's not coming up.
Can you give me your CVV number?
And they just slowly get your credit card.
People who just like try to steal your identity, steal your credit card or whatever.
Can you just send me your actual cash in an envelope because I want to confirm that you have it?
Right.
But I looked into the specific call that you two are getting.
They're like, hi, this is an health care call.
That call is actually an altogether different thing.
And I think I actually found a recording of the call you guys are getting.
It's cut off at the top, but just imagine it's starting with,
Hi, this is Ann.
Check it out.
You can now get a great insurance plan at the price you can afford.
Yes.
We make it as a free to sign up.
With policies for Zina, Blue Cross, Etna,
United, and many more.
Press one now to get a hassle-free assessment.
Or press two to be placed on our doing that call with.
Thank you.
Hearing it makes you feel like the Mancharing candidate.
So I was surprised to learn that this call comes from an actual company that's
selling an actual product.
And who is doing it?
The company, okay.
Well, as you would imagine with a company that's making like millions of robocalls, they...
Health Care Holdings LLC.
It was Health Plan Intermediaries Holdings, which is also known as Health Insurance Innovations.
God.
Which is located in Tampa.
And here, check this out.
This is the About Us video on their website.
It is very well produced.
At HIIQ, we believe.
it starts with the individual.
We're not an insurer
and we don't take on claims risk.
Instead, we work with leading carriers
to deliver the best value options for the consumer.
It looks surprising and legitimate to me.
It looks like a commercial that would be on TV.
Like, it looks professional.
And feedback from thousands of agents.
So I was like, okay, this is great.
What does this company do?
Yeah.
And they have this funny role
in the insurance marketplace.
And like, I couldn't find many other companies like them.
So what I learned is that HII is basically like a middleman.
What they do is they talk to insurance companies.
They put together like insurance plans that people can buy.
And then they sell those.
So when they get people on the line, they say like, what are your insurance needs?
How much coverage do you need?
Do you have kids?
And those people will say yes.
And then they'll recommend a plan that the person can buy.
Yeah, that sounds like what a health care provider do or like a health insurance company rather than that.
But they let you pick from.
many different health insurance companies.
That's their promise, basically.
Okay.
So what HII does is they subcontract all these call centers, essentially, to sell them,
sell their products for them.
And the company is constantly getting complaints saying, like, they completely misrepresented
what the plan was supposed to do.
Like, I read someone saying, like, the agent told me I was getting an insurance plan.
When I actually got sick, I went to the doctor and they said, you don't have insurance.
You have a prescription discount card.
the person had been paying like $200 a month for it.
So it's like they're selling people bad insurance or like no insurance and they're trying
to make it sound like actual insurance.
I mean, if you look on their Better Business Bureau page, it's like it's an F and it's all
people saying like, they charged me after I canceled.
They promised me coverage I didn't get.
I'm a million dollars in debt because of health care coverage that they told me I would have.
Jeez.
But the thing that was super surprising to me is that this company, which seems so controversial and
would imagine would totally operate under the table and like super sketchily. Yeah.
Is making money hand over fist. They are thriving in a crazy way. There's a page on their website
that says that they were projected to make $290 million in 2018. Jesus. And they appeared on Fortune
100's fastest growing companies of the year in the first place spot. And do they just, are they,
is there a part of their business that is not this or is it pretty much all this? It's all this.
They say that they work very hard on compliance, that they don't get many complaints.
They have had a lot of class action lawsuits with people saying like, hey, you know, I didn't get the stuff I was promised.
Yeah.
I talked to an HII spokesperson and he told me that they don't use robocalls at all, that if someone got an and phone call and it was selling their product, that it was a third party call center working on its own without HII's permission, given how well documented it is that people say they receive.
un-solicited calls from HII that feels hard to believe, but that's what they say.
Huh.
Okay.
It is weirdly satisfying to know where my robocalls are coming from.
Now, there might be more than one hi, this is and.
No, just let me believe.
Let me believe.
Just let me believe.
So it's clear that HII and probably a lot of other companies are making a ton of money off
of robocalls right now.
And the question is like, why right now?
why are they making so much money at this particular moment in time?
And I looked into it, and there's actually like a pretty clear reason
where there's been a dramatic increase in robocalls.
So I talked to this woman named Margo Saunders.
She's an attorney with the National Consumer Law Center.
Where are you located?
I work out of my home on the top of a mountain in West Virginia.
Oh, my God, I'm so jealous.
Margot advocates for the interests of low-income consumers,
and she has dedicated herself to stopping
people from getting harassed by robocalls. When did robocalls first come on your radar?
So we became involved in the issue in 2014. I think as consumers, we've all been aware of robocalls
for many years before that. And we noticed that there were really no really active consumer advocates
protecting consumers before the FCC. So we stepped in to try to fill that gap. So right about that time,
The Obama FCC was trying to reduce the amount of robocalls that were being made.
And so in 2015, they wrote an order which cracked down on auto dialers.
An auto dialer is like the robo that is calling in a robocall.
Right.
And what these robocallers did so they weren't technically using an auto dialer was they hired a bunch of people whose sole job was to manually click buttons to make calls.
Whoa.
Just to avoid being, them saying.
So it would be just rooms full of people who are.
actually like it would be like a whole call center.
It would be like a whole call center of people who were going to be making, who
were going to be receiving calls.
And then one person whose job it was to take the mouse and press click, click, click, click, click, click, click, click, click, click.
So then calls would go as fast as they could go.
But when you picked up the phone.
You'd still get a robot.
You'd still get a robot.
It was just a human had dialed to connect you to a robot.
Right.
Because the problem was not the robot.
It's the auto dialer.
Right.
That's wild.
And so for a while, it seemed like this was actually having like a positive effect.
Like the number of calls went down.
but the FCC's order didn't last very long.
In March of 2018, the D.C. Circuit Court issued an opinion that undermined the 2015 order of the FCC that significantly protected consumers.
Okay, so this is actually kind of bonkers.
But the thing that the court was looking at in this case was one sentence defining what an autodiler is.
What was the sentence?
The sentence described an auto dialer as, quote, equipment which has the capacity to store or produce telephone numbers to be called using a random or sequential number generator.
That seems like actually, that seems like a fine definition.
So what they took issue with was the word capacity.
They were like, well, you could very easily write an app for a phone that could auto dial.
So that technically has the capacity to become an auto dialer.
So anybody feels really like annoying.
Like that I feel, you know what I mean?
Like, it just feels like very pedantic.
It feels like someone looking for a reason to strike something down.
Yeah, right.
So the court overturned the FCC's entire auto-dialer order.
So that decision sent the issue back to a perceived consumer unfriendly FCC.
And the industry said, it looks like, wow, now we can make all the robocalls.
want. So now the robocallers are like out in force. And I talked to this guy, Alex Colici. He's the
CEO of this company called U-mail, which makes an app that can block robocall, sort of like the one that
you use, PJ. And he said that at this point, it could not be easier to become a robocaller.
You can set up and become a robo caller and annoy a small city in about five minutes. You upload a list of
numbers, hit a button, and now you've just annoyed San Francisco. So Alex has been walking.
as his users block more and more incoming robocalls.
Like, he says that basically since March of last year,
the number of incoming robocalls has skyrocketed.
If you look at 2018, robocalls went up about 80%
from the beginning of the year to the end of the year.
So there were 48 billion robocalls in 2018,
so it feels like you're getting a lot more because you are.
So it's what it feels like.
Yeah, it's totally, totally what it feels like.
After the break, are robocallers tracking your every move?
Hi, guys.
Hey.
Hey.
So I've been trying to figure out just like, if I'm totally paranoid.
Which is what I believe.
You've made that very clear.
Yes.
Or if there is like a possibility that these scammers really are like tracking me and making calls based off of my location.
Okay.
So I've looked into it.
And I think that I have an idea of what might be.
going on here. Okay. Okay. Um, so the first just like small thing was that I was talking to Alex
Klaichi with Alex Goldman. Uh-huh. And I just like mentioned it to him like the thing that had been
happening to me. And he was immediately like, oh, the same thing I think has been happening to me.
He also, when he travels around, gets robo calls that look like they're coming from wherever he is.
Yeah. Like he was like I was in D.C. recently and I landed and like within a couple days, like all the
the robocalls were from D.C. And then I flew somewhere else and the same thing happened.
which just felt like, it just felt like a nice little piece of like, okay, maybe you're not crazy.
Somebody else is having this.
Yes.
But the place where like I really started to feel like I was like gaining steam that I was shedding my paranoia was like I talked to a guy who explained to me like really, really like how my location data could have possibly like gotten out into the real world.
Hello, can you hear me.
Joseph, how are you? Yes, I can hear you.
I'm good. How are you?
I'm good. I'm good.
So that's Joseph Cox. We've had him on the show.
a bunch of times. He's a tech and cybersecurity reporter from Motherboard. And a few weeks ago,
he published this story about how, like, big cell phone carriers, like AT&T and T-Mobile and Sprint,
have been selling our location data. And that information has been making its way down to,
like, bounty hunters. That's wild. So recently Joseph tried this experiment. He had met this
bounty hunter who said that if Joseph gave him like a couple hundred bucks, he could track Joseph's
location. So Joseph gives him the money and the phone number of a person in New York who's willing
to be like a guinea pig for this test. And a few minutes after the payment goes through, he's sitting at
his desk. Waiting anxiously, probably drinking too much coffee. I get a message from the source.
If I recall correctly, it didn't even include any text. It was just the screenshot of the Google Maps
interface showing where that phone was located in Queens, New York. I then asked the person whose
phone we were tracking with consent, is that accurate? And they confirmed pretty quickly,
yeah, that's where I was. And so Joseph explained to me how it was that this bounty hunter was able
to track the location of this person's cell phone. And the first thing he told me was just that
like all these telecoms, they were actually selling real time location data. Not like,
PJ was here one time six months ago and now he's here now.
Which would also be horrifying.
But like real time location data like pinging your phone, where's your phone now?
Where's your phone now?
Where's your phone now?
And Joseph, explain to me like how that information got from these like big telecoms
down to this bounty hunter.
Originally the data comes from the telecommunication companies, T-Mobile, Sprint, AT&T.
They then sell that for a profit to so-called location aggregating.
These are sort of middlemen companies whose main purpose is just to sell that data onto other people.
Below that you have companies like the one we looked at called Microbuilt, which provides it to used car, salesmen, landlords and bounty hunters.
So like a wide array of industries underneath them then have access to this data.
Then you have the bounty hunter companies or whoever it may be.
And that's where the quote unquote legitimate trade end,
ends and the black market begins.
Nobody would agree to this.
Like, nobody, nobody would say that if AT&T had called, like, me,
and been like, hey, would you be cool with if we told people where you were all the time?
Nobody would be okay with that.
Well, it's funny, like, that's supposed to be the rule.
So they've actually changed their policy since October.
But back when I was getting the robocalls, the way it was supposed to work,
like, what these big telecoms said was that, like,
you are only allowed to use this data if you have the express,
of the consumer, like of the person with a cell phone number.
I would never give it to anybody.
And so they give it to these location aggregators, like these middlemen companies.
And the idea was always supposed to be like, only use this if you get the person with the
cell phone number's consent.
So like, for example, if you're a AAA customer, you give AAA consent.
And then like if your car breaks down on the side of the road, they can find you.
It's also, the other reason it's so bad is because you can already, within your phone,
you can say that you want to allow a specific app to have access to your legal here.
some of the time or all the time.
And like, it's pretty transparent.
Like, you get a permission.
And if you start to feel like, wait, why did I let Shazam know where I was?
You can delete the app or you can change the permission.
The idea that would happen, the phone company would do it.
And they do it through your phone number.
It's like, it's so much less, like, just the place where you would give or not give consent has just been like, yeah.
It feels like, it feels awful.
And at this point, like, it seemed pretty clear.
that my location data could definitely be out there.
But the thing I still wasn't sure of or didn't really understand was whether or not a robocaller
could get their hands on it.
Sure.
In every example that I had, like in Joseph's story, like this is a bail bondsman, like a person
who's highly motivated to like track somebody down.
Right.
It seems like a lot of work to get location information just to fool someone into picking up
a robocall.
Right.
Like it didn't quite describe the thing that was happening to me.
Like I still wondered if it was like someone was going after like thousands.
like casting like a very wide net.
Like getting a massive trove of location information.
Basically.
And then Joseph connected me with this other guy.
This guy who just like,
just felt like if he had access to this information,
it seems completely possible that a robocall would.
Who's this?
So I didn't realize this before, like,
I started reporting on the story.
But there's people whose entire job is just, like,
owning a big 1-800 number.
So, like, 1-800 lawyers or 1-800-cliars.
or 1-800 contacts.
And the guy I talked to who works in this business, his name is Bruno Tabby.
Real name?
Bruno Tabby is real name.
Good name.
Hello.
Hey, Bruno, it's Damiano.
How you doing?
Good.
How are you?
So, Bruno, at some point, like a decade ago, was very smart and realized that these
numbers were going to be worth a lot of money.
So he went out and bought some, like, very catchy 1-800 numbers.
Got it.
We have national clients, 1-800 mechanic, 1-800 comfort, 1-800 drywall,
California closets is a customer of ours.
So most of our clients, a good core of our clients, are small businesses.
They do advertising in local markets, and they want access to a phone number that's really
memorable.
So it's about memorability, just very kind of like foundational marketing stuff.
So this is his website.
Like these are all his clients?
Is everything he's got?
Oh, these are the companies that work with him.
And so what his business is, is like, say, like, one of his clients is, like, someone who treats varicose veins.
Like, I'm making this up, like, the varicose vein institute of Poughkeepsie.
Okay.
So, say, you own the vein institute of Poughkeepsie, you would love a piece of the 1-800-veracose toll-free number.
Yeah.
Because if someone's calling 1-800 varicose, that's like someone you have on the hook.
Yeah.
And what would be even better is if, like, that person who wants to get their varicose from veins removed lives in Poughkeepsie.
Right.
But you probably, like, like, the Vane Institute of Poughkeepsie probably can't afford in the first place to own 1,800 varicose.
Because it's really expensive.
Probably Bruno's not going to even sell it to you at this point.
Should they rent it from him?
So, yeah, he, like, licenses it to them.
So what Bruno does is he's like, he's got this pie, which is 1,800 varicose.
And he just, like, splits it up.
Like, he has all of these varicose.
Euracos clinics all over the country who pay him for a piece.
That's wild.
Yeah, it's totally wild.
And, like, the only way for Bruno's business model to work is if you can get the location
information for all of the people calling into, like, 1,800 varicose.
And so this is how Bruno explained to me.
Like, this is how he set up his system.
You call 1,800 varicose.
Bruno gets your number, and he sends it to one of these location companies, and he says,
where is Domiano calling from?
And he gets back information
that's not as specific
as what Joseph Cox got
for his bounty hunter.
He actually just gets like a zip code.
So Bruno gets my zip code
and he says,
oh, this guy calling from the 707 number,
he's actually in Brooklyn.
Let's send him to like
the Brooklyn Veracose Institute.
So even if your area code
was California for your cell phone,
if you were in Brooklyn,
he'd be able to route you to the right place.
He would route me to the right place.
And to Bruno, like,
that's pretty much how he imagined
this technology being used.
The original intent for this was like a franchise has, you know, 1,500 locations.
They were on a route callers to their nearest, you know, Jimmy Johns or nearest, you know, Napa Auto Parts store or whatever.
So, like, that's where that technology came in.
What we don't know, what we didn't realize was like the idea that like a bail bondsman or a bounty hunter was using this.
Like, if you would have asked me if that was an approved use case, I would say, no way, that's
crazy. They would never allow
that. And
lo and behold, you know, they were
managing who was using
the data. What happened
recently is that because
of Joseph Cox's story
about the bounty hunter and how that
bounty hunter was able to access this like real time
location data and actually also because
of like a New York Times story that
came out last year. That sort of was about a
similar example of like misuse of this data.
The telecoms
they came out and said, we're not
going to let anyone access this day anymore. By March, we're going to just cut everyone off.
Seems better. Yeah. And I've actually been in touch with some of these location services
companies. The companies that they were buying it from the phone companies and giving it to other
people. Yes. Yes. And like, according to them, like, robocallers have not gotten access
to location data. According to them, they're doing a good job and everything's fine and everyone
and stop freaking out.
Yeah, basically.
Basically, they say, like, they are getting consent from people, like, they're supposed to,
and that there's, like, a very rigorous process for companies who do want to get access
to this location data to get access to it.
Okay.
But after, like, reporting on all this and talking to a bunch of people, like, that does not
match up with the stories that I've heard.
Like, people are definitely getting tracked without their consent.
And, like, Joseph told me that, like, one of the ways that the bounty hunter companies were
getting access to this data was by posing as other companies.
It just doesn't, it, like, it doesn't even have to go that wrong for it to just feel like
why should this exist in first place?
Well, it just feels like in general, like this area is people weren't paying attention
and it feels a little bit like the Wild West.
Yeah.
And like, we don't quite know, like, we still just don't quite have a good understanding
of like everyone who got this data and what's going on here.
So I think that like a totally like plausible theory for how these,
robocallers might have gotten their hands on my Damiano Marquetti's location data, is that
somewhere like down in Boca Raton, there's a call center that's using some service like Bruno
had access to where they can just hang a server and be like, where's Domiano now?
Yeah.
Where is Domiano now?
And they're just doing it to lots of people at the same time.
Yeah.
That's wild.
God, I really thought that my sense of, like, cynicism and paranoia was calibrated correctly,
and it's not.
Yeah. I feel like oddly comforted.
Just because you're learning that you yourself are not paranoid.
There's the only reason you feel good about this.
Yes.
Hey, guys.
It's Pia.
Hi, Fia.
Well, okay, so I'm sorry to butt in, but I've been helping Damiano with some of this story.
Yeah.
And Damiano, I think your theory is fine.
Uh-huh.
But I actually have a different theory that I've been looking into.
I like that Damiano was just ambiently infected everyone with his mystery.
Oh my gosh.
I'm very interested in this.
And so I've been looking into this different theory that I find fascinating.
Okay.
So my theory is that it has something to do with the apps on Damiano's phone.
Interesting.
As we all know, apps are collecting a lot of information about us all the time.
Yes.
I do that.
And so the other day, I asked Damiano if I could see his phone.
Sometimes Fia is collecting information
We are sitting in the small office
And Fia grabbed my phone
And then looked at me
And realized that she needed my fingerprint
To get into my phone
And then was upset and had to ask my permission
To use my phone
That's true
So Damiano has wonderful apps on his phone
What do you mean wonderful apps?
Oh my God, this is gonna really suck
he has i just you learn a lot about a person from what apps they have yes
this is a very vulnerable moment okay i don't like it is very vulnerable
so domiano has apps like seller tracker what's that seller tracker
sellers don't move why do they need to be tracked like wine cellar what is it wait what is
cellar tracker basement finder was too expensive it's like a wine researching app it's okay to
drink wine.
And delectable
scan and rate wine.
Oh my God,
you're a wine.
It's not.
I hate this.
Tannen detector.
Nobody will be surprised
that he has
Italian translator
offline.
That's fine.
Avancore workout.
That's not bad.
You look great.
Yeah.
Just drinking wine,
doing sit-ups.
God, I didn't actually think
in Italian.
I didn't.
Hey, can you pass me that red?
I need to do a wall sit real quick.
If you said to me like, oh, someone's going to look at all the apps you downloaded, I wouldn't, doesn't feel that scary?
Oh, I would know it was scary.
And then this category of apps that, like, I don't personally relate to, and maybe you guys do more.
Games like war bits.
War bits?
Steam punk defense.
All right, wait, wait, wait, let me stop.
Steampunk defense?
I mean, it would just say.
Is this just like an app that we're wearing like weird goggles and top hat?
I will fully.
It gives you reasons why.
That's okay.
I can fully admit,
I feel like,
it's okay to have junkie games.
Yeah,
I download lots of,
like,
just very terrible games.
That's fine.
I have a game on my phone
called Jump Car,
and it's just like a car
where when you press the screen,
it jumps up to the next level.
Matt has that.
Jump car?
I think so.
That sounds like a thing
that, like,
you would put over a baby's bed
so they could sleep.
Like, it sounds like a mobile.
It kind of is.
Mobile?
Mobile.
Yeah, that too.
Can I just say,
like,
I love playing video games
on my phone to the point
where, like, one of them that I was really obsessed with,
like, my nine and 11-year-old cousins
showed me over, like, some break
when I was home.
And I left for six months and was, like, obsessed with it
and, like, watching YouTube tutorials on it
and came back, like, six months later and was like,
hey, guys, you want to play?
And I was, like, super good at it.
And they didn't care.
They were, like, weird.
We moved on from this.
Oh.
So what does this have to do with?
Okay.
Okay.
So I took all 95 apps that Domiano has downloaded at some point to his phone.
None of these sound like paid apps either.
they're all the free ones. I don't think I've ever paid for that. And I sent them to this guy
named Joel Reardon. Right now another person has them. And he's an assistant professor at the
University of Calgary. And he's done a bunch of research on cell phones and apps. So what he basically
said from the jump, and like maybe you already know this, but is that like apps can be collecting
information like your Wi-Fi network.
I didn't know that.
The serial number of your router.
Like your location information, your IP address.
Which IP address would already be enough, actually.
There's just like all these little weird details that they can be collecting all the
time.
And then, and like what other apps you've downloaded.
So like Joel said they're just like giving the whole picture of who Domiano is.
Like if it's just the case that you have.
have five apps installed, then it's not going to be very interesting. But if someone's actually
using their phone and they have, in this case, like nearly 50 apps or so or 100 apps, like that's
a very unique fingerprint of a person. And it tells a lot of like, you know, basically valuable
information to marketers who want to micro-target advertising. And you're saying it's going to
multiple advertising companies. Exactly. Yeah. The way these apps can make money, even though they're
like, ostensibly free, is that they get fractions of fractions of sense for each user who
uses the app and uploads information to some company or serves an ad on behalf of these
companies.
And there's no real restriction in how many ad libraries or analytics libraries some app includes.
You just keep including them.
You can include more, and then you'll get more fraction.
of sense. So your free, free apps are actually paying for themselves by selling your information
to all of these marketing companies. And my theory is that a robocaller bought that information
from one of these marketing companies, or that maybe they wrote a little bit of code and is just
paying an app directly to collect that information for them. Oh, my God. So I sent him the 95
apps, as I mentioned.
Oh, Lord.
So I took a list of the list you sent, and then just did some searching on our
dataset to see if any of them were sending the phone number of the device and sufficient
information to obtain location.
Mm-hmm.
And I did find one.
Oh, no.
Do you want to tell us about Mobile Legends Bang Bang?
That's the one my cousins play.
Really?
Mobile Legends Bang Bang.
That's the one.
It sounds like a fake video game.
It does.
It sounds like something that would be in like a network television show.
A network television drama.
Somebody's like, I think, I don't know what you're up to.
I don't know where you're spending on your time.
It's like, oh, this is a video game.
It's a mobile, mobile legends bang bang.
Oh my God.
I need to warn my 9 and 11 year old cousins.
They're probably getting, their phones are ringing off the hook.
So what, like, what struck him as like particularly dicey about mobile legends bang bang?
Okay, so mobile legends, colon bang bang.
Wait, millions of people play that game.
Millions of people get robocalls.
As I was being defensive, I realized how to it was.
It's cool that you do this.
I think everyone agrees it's good.
So Joel specifically focuses on Android phones, but he says,
if you had an Android and you've downloaded that game,
what jumped out to him is it is a game that sends your phone number.
In our study, that equivalent app on Android sent location info.
and IP information, internet, the internet address of the phone.
And generally, you can, with the internet address, you can figure out what city they're in and
certainly what state they're in.
The real scandal is sending the phone number, like, why is it sending the phone number out
to some company?
What purpose do they need it for?
And in the case of this game, they were sending not only the phone number, but the IMEI and
the IMSI of the phone.
The IMEI is the international mobile equipment identifier.
It's a number that cell phones use to connect to cell phone towers, and it really serves no other purpose.
That's crazy.
I have not thought of a legitimate reason why this should be collected.
So this game is sending out that information to these advertising companies.
Actually, so in this case, I don't know where, who gets this information.
They don't have a name like an advertising company.
So this game is sending the location information and the phone number and the phone number to some place.
To some random place on the internet that doesn't have a name.
That doesn't have a name.
So Damiano downloaded a very suspicious game.
I would say so.
So after that call with Joel, he actually figured out where.
mobile legend bang bang is sending information and it's six different places but that mysterious
one the random place on the internet as Joel calls it that's actually something called the young
joy game but we have no idea what that is so the idea is that either it's sending it's possible
that this app or another app on domi on his phone is sending his information to the robocallers
or sending them to some broker that then sells them to the robocallers right another possibility is
that there's a vulnerability in any of this.
And so a robocaller is just like getting that code without paying or...
You're a real mobile legend.
God.
So the thing is that if you had an Android, that would be true.
Now, on an iPhone, you're not actually...
They aren't allowed to collect your phone number.
But he said the thing is that if any of the apps that you ever downloaded have prompted
you to put in a phone number, like say they were like, we'll text you a code that you
have to enter, then you would have willfully handed up.
over your phone number and they could send that to whoever then.
So the question is, Damiano, have you ever given your phone number to any app that you've
ever used?
Definitely.
I mean, definitely.
Like, oh, yeah, you want to send me a little code?
Also, I'm not worried about my phone number.
Like, I would rather put my phone number than my email address for like a shitty game.
Do you know what I mean?
Yeah, I would do the same thing.
Like if someone was like, can I have your email with someone?
You're going to spam me.
Oh, phone number.
What are you going to do with that?
Follow me around everywhere and try to sell me bad insurance.
Just to be clear, I don't know for sure that that is what happened.
It's my theory.
And I reached out to mobile legends.
They did not respond to me.
So that's my best guess.
Wow.
That's a lot.
Thank you, Fia.
I'm sorry for razzing you.
I still feel gross and paranoid about the world.
I feel a little bit like I've just been snitching on myself.
Are you going to change your behavior?
Are you going to get rid of, what's it called?
No.
Mobile Legends Bang Bang.
Reply All is hosted by PJ Vote and me, Alex Goldman.
We're produced by Shreuthi Pinnaman, Fianna Marni,
Damiano Marquetti, Anna Foley, and Jessica Young.
Our show's edited by Tim Howard.
We're mixed by Rick Kwan.
Fact-checking by Michelle Harris.
Our intern is Christina Ayale de Josa.
Our theme song is by The Mysterious Breakmaster Cylinder,
and our ad music is by Build Buildings.
Special thanks this week to the Aurelius Value blog, Patrick Traynor, Robert Shaw, Joseph Cox, James Brown, and the California Department of Insurance.
If you want to hear more about Joseph Cox's story about the bounty hunter, Joseph has his own podcast called Cyber, where they did a follow-up episode with more of his reporting.
Go check it out.
Matt Lieber is those free samples of fudge you get on the boardwalk by the beach.
You can listen to the show on Spotify, iTunes, or wherever you get your podcasts.
Thanks for listening.
We'll see you in two weeks.
Thank you.