Last week my cell phone rang, and the caller ID said it was my young son’s afterschool program. I don’t get calls from afterschool, so immediately I thought that my son was sick or hurt.
But when I picked up, it was just a robocall, specifically the Chinese consulate scam, spoofing the phone number belonging to the afterschool program.
(The Chinese consulate scam is a robocall targeting US phone numbers, where a recorded message in Mandarin says that the recipient must send money to either pick up a package at the consulate or fix some kind of paperwork problem. Last year the FTC noted that the Chinese consulate robocalls appeared to be targeting people with Chinese last names.)
My last name wouldn’t be mistaken as Chinese–BUT my son’s afterschool program serves mostly Chinese families and is located in an area of Chicago that has a significant Chinese population.
Could this robocall have been targeted to me based on my location? Was it a coincidence that my cellphone was in a neighborhood that, statistically, is more likely to reach a Mandarin speaker, and that the spoofed number was in the same neighborhood?
The Reply All team at Gimlet Media suggests it was no coincidence, and the idea that scammers have access to my real-time location data is frankly scary.
Until recently, major cell phone companies like AT&T, T-Mobile and Sprint had been selling your real-time location data to location aggregators. These companies in turn sell that data to other companies, which sell the data again, and so on.
The wireless companies would tell the data buyers that they could only use the location data collected if they had the consumer’s express consent, such as when a AAA member requests roadside assistance. But sometimes when the data gets resold several times, it ends up in a kind of black market accessed by parties such as used car salesmen, bounty hunters, and of course, scammers.
As a result of a few recent major articles about misuse of location data, 15 senators sent a letter to the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) in January demanding an investigation, noting that stalkers and domestic abusers as well as fraudsters could access location information. Several carriers, including AT&T and T-Mobile, then announced they will stop selling location data.
But scammers will not be stopped so easily. Apps that you download onto your smartphone can be mining all sorts of information.
There’s nothing wrong with authorizing an app to see your location to get directions or help you find a parking space, but the details of what information the apps collect and where that data goes may be hidden in hard-to-access privacy policies, written so vaguely that the user may not understand exactly what they are agreeing to.
Certain apps, often free apps, could be mining your phone for information such as your wifi network, your IP address, the serial number of your router, other apps that you have on your phone, your phone’s International Mobile Equipment Identifier (IMEI, a number that cell phones use to connect to cell phone towers)–and, of course, your phone number.
Even if an app doesn’t sneakily access your phone number–iPhones don’t allow that—it can persuade you to voluntarily provide your number in order to text you a code you must enter to use the app.
Then that information gets sold.
For example, The New York Times found that sports app theScore asked users to share their location data so it could “recommend local teams and players that are relevant to you.” The app then provided the users’ precise coordinates to no fewer than 16 advertising and location companies.
It’s clear that cellphone users’ personal information is being distributed and used in ways that they would never knowingly agree to, and it puts their security at risk.
“When stalkers, spies, and predators know when a woman is alone, or when a home is empty, or where a White House official stops after work, the possibilities for abuse are endless,” Senator Ron Wyden of Oregon told Motherboard.
Last month a bipartisan group of senators introduced legislation to fight spoofing, so be prepared to take action in the coming weeks.