I just emailed this company at [email protected] (which is the address stated in their privacy policy [1]) to remove all of my information from all databases/backups and to never collect it again. Came back undelivered with a 550 error (Recipient address rejected: Access denied).
Received an almost immediate message back from payfone:
In addition to both sites correctly showing my full name, phone number, mailing address, and e-mail address, (and the Danal site showing my T-mobile phone plan info) the Payfone site shows this ominous description:
MEO does that in Portugal. With your phone you visit (probably) an ad on a website and you're automatically subscribed to some 3rd party service that charges 3€ a week from your mobile operator credit.
> I've had someone tell me they visited a shopping site once and without giving the company any information, they got an e-mail from that company a day later.
I have T-Mobile prepaid and they have all my info except my first/last name. They must have collected this info when I used my credit card for refilling.
So now I need a VPN for my cellular data connection. What happened to privacy laws? You could quickly grab highly personal identifying information by setting up an encrypted wifi network at a business with plenty of foot traffic and no open wifi networks. Then you could have a sign or placard directing passersby to visit a URL of your choosing to get the wireless password. Then you'd implement this API on your website.
This happens in several parts of Europe as well. It's part of the telcos' billing infrastructures, and many operators for example have middleboxes which allow TCP streams to be looked up against the billing system.
I have Verizon Wireless and have opted out of all of the options on their account privacy page a long time ago (at least a year), but I still show up in these tests.
A VPN. ISPs and Telcos have made it abundantly clear that without significant legal and financial pressure, they will never respect the slightest modicum of consumer privacy.
This is a race to the bottom. This industry is neck deep in perpetuating a culture of surveillance that most here benefit from, and see no problem in stalking people around. So much for techies improving the world.
Shamelessly plugging the Librem 5 [1] here, as this article demonstrates precisely why we need a privacy-focused, FOSS phone. While the carriers having access to some of this information would not be prevented on a carrier-based data plan (and I personally am not yet ready to switch to WiFi-only), using a non-proprietary Linux distro means much simpler VPN support (one year of free VPN is also one of the stretch goals!). It might also be possible to compartmentalize PII availability by using WiFi only with an external data hotspot (e.g. the ones sold by FreedomPop), perhaps in conjunction with a VPN.
Well this is scary. We should see more concentration on privacy/security at the mediocre tech companies (because engineer pay is a decent indicator of privacy standards and security strength), ISPs, health care companies and financial companies. They have very personal data and many of them actually sell the data (and apparently even unanonymized data).
pde3|8 years ago
Then one of the first things Trump and the Republicans in Congress did after the election was repeal the FCC's privacy rules :( https://www.eff.org/deeplinks/2017/03/five-ways-cybersecurit...
c_prompt|8 years ago
[1] https://danalinc.com/privacy-policy/ - "Danal is committed to ensuring that the information we obtain and use about you is accurate for its intended purpose. You can contact us at [email protected] at any time to review, update, delete or correct (for future use) your personally identifiable information maintained by Danal. We will reply to your request within thirty (30) days of submission. You can help us maintain accurate records by informing us of changes or modifications to your personal information."
Edit: For payfone: https://www.payfone.com/company/privacy-policy/ - [email protected]
c_prompt|8 years ago
"Hi [my name],
While we should explain more clearly that these services are used to protect consumers from fraud, with one's consent, you can set up what you are asking about with your phone company. We can send you the procedures to do that. I'd like to go a step further and see if we can just opt you out entirely across the board. I should also note that we do note store any current or historical personally identifiable data. Hold on for more info."
As an aside, I didn't provide [my name] with my request - of course they looked it up based on the phone number provided.
tehwebguy|8 years ago
foodstances|8 years ago
https://i.imgur.com/WkPj5Gb.png
I've had someone tell me they visited a shopping site once and without giving the company any information, they got an e-mail from that company a day later. I told them it wasn't really possible (from just the browser's perspective) and that they must have been tracked through some 3rd party cookies.
Apparently that was false and it's totally possible for a site to use one of these APIs and instantly get your full name, phone number, e-mail address, and physical address just by looking up your IP, and then track you across "switching carriers, changing phone numbers, upgrading devices, and replacing lost devices". Scary shit.
ino|8 years ago
Then you call MEO to cancel the service and then you learn they're not refunding your money and that instead of this 1€ call you could have disabled the 3rd party services through their web login.
It's incredibly hostile, and there are more dirty tricks they use.
davb|8 years ago
I had this once from a Cisco reseller in Glasgow. It looked like they'd done a reverse DNS lookup on our office IP, then a Whois on the domain and just spammed the crap out of me. They started calling a day or two later. When I told them how creepy and inappropriate it was, they actually seemed proud of the lead gen system they subscribed to.
They emailed the admin contact of the domain, which is what tipped me off.
chinathrow|8 years ago
randomfool|8 years ago
“We will not sell your personal information to anyone, for any purpose. Period.”
How is this not contrary to that?
Additionally, they define personal information as:
"Personal Information: Information that directly identifies or reasonably can be used to figure out the identity of a customer or user, such as your name, address, phone number and e-mail address. Personal Information does not include published listing information."
http://about.att.com/sites/privacy_policy
zymhan|8 years ago
> Here are just some of the ways we use it. To:
> Deliver Relevant Advertising;
> Create External Marketing & Analytics Reports;
http://about.att.com/sites/privacy_policy/full_privacy_polic...
droopybuns|8 years ago
https://cprodmasx.att.com/commonLogin/igate_wam/cmpmobile.do
shostack|8 years ago
FireBeyond|8 years ago
"We're not selling it, we license it."
jey|8 years ago
nacs|8 years ago
With T-Mobile USA, the 2nd link correctly identified my phone number.
In the 2nd link though: name, current address, email address, phone number, how long I've had the account, when it renews, who my previous carrier was, my phone hardware details and my current latitude/longitude!
This is scary that anyone can access this with just a site visit.
petilon|8 years ago
confounded|8 years ago
Well, anyone using your phone on LTE.
tehwebguy|8 years ago
If you work for AT&T, Verizon, etc you have a responsibility to stop this even by sabotage.
tootie|8 years ago
just2n|8 years ago
This seems like an unfair claim. Since you didn't provide a citation, I looked for one. I found plenty of articles insisting that Ajit Pai and through association that Trump are both out to harm privacy online, but this is typically an inference based on the fact that Ajit is blocking more regulations placed on ISPs. His reasoning has consistently been anything that makes it harder to compete (the context is in small-medium businesses, think tiny companies trying to upset Comcast or AT&T) is bad, and specifically in this case that extra regulations on ISPs that businesses (read: the entities that actually have virtually all of your data) are not required to follow is unnecessarily limiting to competition. That's really not the same as "Ajit Pai is stoked about this." I will thus consider this bullshit until someone actually asks him what he thinks about this and whether he supports it. I doubt he does, because I doubt anyone does, and because it appears it may already be illegal.
The DNS entry for this site is already gone, though I can't tell if it was an action by GoDaddy or if it was explicitly removed to hide the page. In either case, that kind of response indicates guilt to me, and unless the ISPs are explicitly informing people that this is happening, it may already be illegal. I'd expect a class action lawsuit to determine that, and legislation to make it illegal for ANY ENTITY, be it a business operating on the internet or an ISP, to do this without consent from the user, which is what we really need.
I've been very annoyed at businesses like Spokeo that operate entirely in the realm of selling information about people, and they're fueled by shit that Facebook, Google, and friends freely offer about people, and now worse what about cross-referencing what they already have (everything in this case plus things like residential history, criminal history, etc) with your entire credit history and SSN and more thanks to Equifax and even hashed passwords due to the dozens of leaks we get every year.
I don't think this belongs in the FCC's wheelhouse, this belongs in Congress, because this kind of shit is getting out of hand, and it's not just ISPs.
ethbro|8 years ago
[deleted]
droopybuns|8 years ago
CommentCard|8 years ago
Now you've got their personal info. Scary..
jpeg_hero|8 years ago
The claim is you need to be on the carrier’s mobile data network, the carrier gives you an IP address, then a website owner asks the carrier who is at that IP address and then the carrier gives the website owner the data that it has on you (your real name, the address where they send the bills, the phone number they assigned to you, etc).
gras|8 years ago
[deleted]
sslalready|8 years ago
I believe the original idea was to allow companies selling ring tones to be able to bill customers who downloaded their ring tones directly on the customers' telco bill.
From a privacy standpoint it's been a catastrophe. There are countless operators who have been caught decorating customers' outgoing HTTP traffic with their mobile number or personal details. It's just a few years since one operator was caught doing this in Denmark [1].
Again, just a few years ago, in Sweden, a company set up porn sites and pretty much blackmailed their mobile visitors into paying $$$ for porn they supposedly had agreed to download. This company was using operators' billing APIs to look up subscriber details from the IP:port numbers of connections to their porn sites [2].
In Norway, a company called MobileTech uses the same APIs to improve unreliable web tracking using cookies. By using these billing APIs they can assign a unique identifier to a particular subscriber regardless of whether this subscriber clears their cookies or shares the connection across multiple devices. Their tracking script (b.mobiletech.no iirc) is embedded on many popular Nordic sites. Their improved visitor tracking and demographic data is also sold to third party marketing companies such as Research International.
[1] https://www.version2.dk/artikel/mobilsurf-danske-teleselskab...
[2] https://www.svt.se/nyheter/lokalt/skane/fangelse-for-skaning...
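Operators decorating outgoing HTTP traffic with subscriber details, as the comment above describes, can be checked for from the subscriber's side by comparing the headers a client sent with the headers an endpoint you operate reports receiving. This is an added example, not part of the original thread; the list of header names, the sample requests and the names `X-Subscriber-Ref` and `X-Trace` are assumptions made for illustration.

```python
import re

# Header names publicly reported as carrier-inserted subscriber identifiers.
# This list is an assumption of the example, not taken from the thread.
KNOWN_ENRICHMENT_HEADERS = {
    "x-msisdn", "x-nokia-msisdn", "x-up-calling-line-id", "x-uidh", "x-acr",
}

# Headers a reverse proxy or CDN under your own control may add legitimately.
EXPECTED_PROXY_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto", "x-real-ip"}

# Loose E.164 shape: optional "+", then 8 to 15 digits.
PHONE_LIKE = re.compile(r"^\+?\d{8,15}$")


def normalize(headers):
    """Lower-case header names so the comparison is case-insensitive."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def audit_headers(sent, received):
    """Compare headers the client sent with those the server received.

    Returns a sorted list of (header_name, reason) findings.
    """
    sent_n, recv_n = normalize(sent), normalize(received)
    findings = []
    for name, value in recv_n.items():
        if name in KNOWN_ENRICHMENT_HEADERS:
            findings.append((name, "known subscriber-identifier header"))
            continue
        if name in sent_n:
            if sent_n[name] != value:
                findings.append((name, "value modified in transit"))
            continue
        if name in EXPECTED_PROXY_HEADERS:
            continue
        # Strip common phone-number punctuation before the shape check.
        digits = re.sub(r"[\s\-()]", "", value)
        if PHONE_LIKE.match(digits):
            findings.append((name, "added in transit, phone-number-like value"))
        else:
            findings.append((name, "added in transit"))
    return sorted(findings)


# Constructed sample: what a test client sent over plain HTTP ...
SENT = {"Host": "echo.example.test", "User-Agent": "audit-client/1.0", "Accept": "*/*"}
# ... and what an echo endpoint you operate reported receiving (constructed;
# X-Subscriber-Ref and X-Trace are hypothetical header names).
RECEIVED = {
    "Host": "echo.example.test",
    "User-Agent": "audit-client/1.0",
    "Accept": "*/*",
    "Via": "1.1 proxy.example.test",
    "X-MSISDN": "15555550100",
    "X-Subscriber-Ref": "+1 (555) 555-0100",
    "X-Trace": "a91f",
}

if __name__ == "__main__":
    for name, reason in audit_headers(SENT, RECEIVED):
        print(f"{name}: {reason}")
```

A middlebox can only add headers to a request it can modify, so this check applies to plain HTTP. It does not detect the IP-address lookup against the carrier that other comments in the thread describe.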
QUFB|8 years ago
jimktrains2|8 years ago
What recourse do I have?
larkeith|8 years ago
SubiculumCode|8 years ago
throw2016|8 years ago
That's why moral and ethical posturing must be met with ridicule and skepticism. When it comes to actual action most people are much more narrowly focused with a unique ability to live in dissonance and hand wave and brush away nearly anything.
Only regulation with laws and consequences works.
larkeith|8 years ago
[1] https://puri.sm/shop/librem-5/
jimktrains2|8 years ago
confounded|8 years ago
philip1209|8 years ago
libertyEQ|8 years ago
http://democf.danalinc.com/sphere/
https://dev.payfone.com/test/mobileauthentication/
EGreg|8 years ago
https://www.usatoday.com/story/tech/news/2017/04/04/isps-can...
And Trump signed it:
https://www.nbcnews.com/news/us-news/trump-signs-measure-let...
Hey Republicans in the audience, can you at least acknowledge that on this issue, the GOP may have gotten things wrong?
pxeboot|8 years ago
I tried both demos mentioned in the article. The first loaded some generic looking data. The second pulled my phone number, name and address correctly.
home_boi|8 years ago
I feel that all the talk of privacy at the big tech companies like Google, FB, etc. is unwarranted compared to the threat. They have solid security and don't actually sell data. Letting advertisers target viewers based on demographic data is different from providing anonymized data to people and they have policies that make sure that advertisers can't get too narrow with their targeting.
yardie|8 years ago
throwanem|8 years ago
https://i.imgur.com/woOZumM.jpg
ETA: The second one choked up a WordPress error. So, not sure what to make of that.