Last week, American telecom companies Verizon, AT&T and Sprint Corp announced that they would no longer sell data on the location of user devices to brokers.
Below the cut, we explain why the telecom operators made this decision.
/ photo Bertram Nudelbach CC
Problem with geolocation data
A data broker is an organization that collects and sells information about users of various services. Brokers analyze search and online purchase histories, as well as information provided in social media profiles (marital status, education, interests, etc.). Their clients are often companies that run targeted advertising campaigns. For example, Facebook has used the services of brokers.
Brokers also collect data on the geolocation of users; they buy this information from cellular operators. Device location data is used by anti-fraud systems and by companies that provide emergency roadside assistance, for example after a vehicle breakdown or an accident.
However, at the end of June, it became known that a number of US telecommunications providers would stop selling location data for their customers' devices. The decision came after Senator Ronald Lee Wyden announced that some brokers had transferred the data to third parties, who used it to “track” phones without the consent of users.
It also became known that one of the brokers that collaborated with Verizon had passed geodata to organizations that used it to spy on people.
Therefore, Verizon announced that it would stop selling geodata to data brokers. Shortly after Verizon, the providers AT&T, Sprint Corp, and T-Mobile also changed their policies regarding customer location data.
/ photo Book Catalog CC
Security issues
Another reason for refusing to sell this geolocation data was that many of the “brokerage” sites are poorly protected. If one of them is compromised, the attackers will be able to establish the location of any phone in the United States.
Security specialist and researcher Alex Haynes analyzed US data broker sites for vulnerabilities and found that half scored below an A on the SSL Labs test. On a number of sites he also found SQL injection vulnerabilities.
There have also been cases when information transmitted to brokers fell into the hands of third parties without the knowledge of the providers. In 2011, attackers "hacked" the marketing company Epsilon, and the email addresses of millions of people (from the company's marketing list) were leaked online. As a result, the owners of these e-mail addresses were attacked by spammers and became victims of targeted phishing.
And in 2015, attackers stole the personal information of 15 million users from the data broker Experian, including their names, addresses, Social Security numbers and passport data.
Regulation of data brokers in the United States
In light of recent events, and since brokers work with the personal data of users, some lawmakers in the United States have turned their attention to regulating this area.
For example, in May of this year, the state of Vermont passed the H.764 law, according to which all data brokers operating in the state of Vermont or collecting information about its residents must register annually with local governments, comply with all security measures prescribed by law, and report data leaks to law enforcement agencies (which was not necessary before).
The authorities of other states are also taking measures to tighten the requirements for processing personal data (PD). For example, from September this year, companies operating in Colorado will have to notify customers and state authorities of data “leaks” within 30 days, and California residents may gain additional rights regarding PD if a new initiative “passes the test”.
Among these rights: the right of the PD owner to receive the information a company has collected about them; the right to demand that companies not sell or provide PD to third parties for commercial purposes.
From this we can conclude that the government and US providers are gradually becoming aware of the danger posed by leaks of personal data, and are therefore trying to protect the population from potential threats through more stringent legislative regulation.