Suppose a company hired to focus on monitoring calls from inmates (and only inmates) is selling the location data of regular citizens to law enforcement as well. Doesn't this company seem like the last place you'd trust your personal or business security?
First Published 18th May 2018
When is data collection an overreach?
4 min read | Reflare Research Team
Last week the New York Times reported that a company ostensibly monitoring calls from inmates was selling location data of regular citizens to US law enforcement. This week, Securus - the company in question - was hacked due to what appears to be bad security practices.
In this briefing, we will take a look at how Securus apparently operated and why they presented such a weak target.
How was data acquired?
Securus has allegedly made contracts with mobile carriers to receive location data for marketing purposes. Such location data usually contains a list of devices that are active in a specific region so that advertisements can be delivered to them.
While this practice is not illegal under US law and many companies use data acquired this way to deliver targeted ads or coupons to customers, the practice is not well known among consumers, and provisions for allowing it are usually contained in the fine print of mobile service contracts. Securus acquired this advertising data on a large scale and then used it to build a database of many if not all mobile phones operating on US networks.
This data in turn was then sold to law enforcement agencies which used it to track the location of individual phones.
How is this possible?
At first glance, it seems odd that a service meant to deliver ads to users in a specific location could be abused to track individuals. However, the pattern is very common in information security. Let’s assume for the sake of an easy explanation that there are 100,000 cellphone towers in the United States. The advertising systems were designed with the idea that companies may ask for all users close to one or two of these towers.
In these cases, only the presence of a user at a specific time can be deducted. While the tactic is dubious and may not sit well with some consumers, it falls far short of complete tracking capabilities.
However, now imagine if a company were to request (and pay for) advertising datasets from all 100,000 cellphone towers. Since any given phone must be connected to a tower to have reception at any given time, the company buying the data can now correlate the data and track devices as they move between towers. Since the location of each tower is known, this allows phones and their owners to be tracked.
For advertisers, such tracking would be prohibitively expensive. But by finding a new market for the processed product (law enforcement agencies), Securus appears to have been able to make the economics work and profit in the process.
Why is this issue getting so much attention?
While any tracking of citizens is going to draw criticism, the large amounts of media coverage the incident receives is likely due to the sub-par legal mechanisms used by Securus. While the company only sells its data to law enforcement, it claims that it is not required to verify the legality of tracking requests. In official statements made to the New York Times, the company stated that “it required customers to upload a legal document, such as a warrant or affidavit, and certify that the activity was authorized”.
While warrants are grounds for tracking users, affidavits by themselves are not. From a legal perspective, this amounts to a private company providing data on private citizens to law enforcement potentially without a court warrant or judicial oversight.
Why was the company so easily hacked?
Less than a week after Securus became the focus of the Time’s expose, it was hacked by an unknown individual or group. Data gathered in the hack was provided to the IT news website Motherboard. The datasets contain records of customer accounts belonging to law enforcement and weakly hashed passwords. Motherboard claims that they have confirmed the dataset to be authentic.
While the methods of the hack are unknown, the quick timing and weak protection of the data indicate that Securus’ information security safeguards and policy were sub-par. While it may appear strange that a company dealing in high-tech surveillance would have weak information security, it makes sense if you consider that the company’s core business was not security but data analysis. In addition, the data analysis required to deduct trackable movement patterns from cell phone tower data is not very complicated.
Summary
There are two main takeaways from this briefing:
Data that is relatively harmless if only a small subset is available may become critical if the whole dataset is acquired. This is true for large-scale applications such as phone location data as well as for small-scale applications such as PC memory access times.
Just because a company deals in a high-tech and high-security product doesn’t mean that the company itself is technical or secure. Especially in cases where data sets are assembled to create a more critical product, the company doing the assembly is often more of a sales than an IT firm.