Select Page
Give Up Phone Number. Give Up Privacy.

Give Up Phone Number. Give Up Privacy.

I Shared My Phone Number. I Learned I Shouldn’t Have.

NYTImes Personal tech columnist asked security researchers what they could find out about him from just his cellphone number. Quite a lot, it turns out.


By

For most of our lives, we have been conditioned to share a piece of personal information without a moment’s hesitation: our phone number.

We punch in our digits at the grocery store to get a member discount or at the pharmacy to pick up medication. When we sign up to use apps and websites, they often ask for our phone number to verify our identity.

This column will encourage a new exercise. Before you hand over your number, ask yourself: Is it worth the risk?

This question is crucial now that our primary phone numbers have shifted from landlines to mobile devices, our most intimate tools, which often live with us around the clock. Our mobile phone numbers have become permanently attached to us because we rarely change them, porting them from job to job and place to place.

At the same time, the string of digits has increasingly become connected to apps and online services that are hooked into our personal lives. And it can lead to information from our offline worlds, including where we live and more.

In fact, your phone number may have now become an even stronger identifier than your full name. I recently found this out firsthand when I asked Fyde, a mobile security firm in Palo Alto, Calif., to use my digits to demonstrate the potential risks of sharing a phone number.

Emre Tezisci, a security researcher at Fyde with a background in telecommunications, took on the task with gusto. He and I had never met or talked. He quickly plugged my cellphone number into a public records directory. Soon, he had a full dossier on me — including my name and birth date, my address, the property taxes I pay and the names of members of my family.

From there, it could have easily gotten worse. Mr. Tezisci could have used that information to try to answer security questions to break into my online accounts. Or he could have targeted my family and me with sophisticated phishing attacks. He and the other researchers at Fyde opted not to do so, since such attacks are illegal.

“If you want to give out your number, you are taking additional risk that you might not be aware of,” said Sinan Eren, chief executive of Fyde. “Because of collisions in names due to the massive number of people online today, a phone number is a stronger identifier.”

There is no simple solution to this. In some situations, giving your digits to institutions like your bank provides an extra layer of security. But in most cases, the potential dangers and annoyances of handing out your number outweigh the benefits, as you will read below.

It took only an hour for my cellphone number to expose my life.

All that Mr. Tezisci, the researcher, had to do was plug my number into White Pages Premium, an online database that charges $5 a month for access to public records. He then did a thorough web search and followed a data trail — linking my name and address to information in other online background-checking tools and public records — to track down more details.

In an hour, this is what came up:

  • My current home address, its square footage, the cost of the property and the taxes I pay on it.

  • My past addresses from the last decade.

  • The full names of my mother, father, sister and aunt.

  • My past phone numbers, including the landline for my parents’ home.

  • Information about a property I previously owned, including its square footage and the mortgage taken out on it.

  • My lack of a criminal record.

While Fyde declined to hack into my accounts using the obtained information and my number, the company warned that there was plenty an attacker could do:

  • A hacker could try to reset my password for an online account by answering security questions like “What is your mother’s maiden name?” or “Which of the previous addresses did you live at?”

  • An attacker could use the personal information linked to my phone number to trick a customer service representative for my phone carrier into porting my number onto a new SIM card, thus hijacking my digits — a practice called SIM swapping.

  • A hijacker with control of my phone number could then break into my accounts if I had mechanisms in place to receive a security code in a text message when logging in to an online account.

  • A scammer could also use my hijacked phone number to trick members of my family into sharing their passwords or sending money.

  • A scammer could also target my phone number with phishing texts and robocalls.

  • An intruder could use knowledge of my phone number to call my voice mail inbox and try to crack the personal identification number to listen to my messages.

Marketers could also take advantage:

  • An ad tech agency could add my number to a detailed profile about me, linked to other information about my identity and web-browsing activities.

  • If I signed up for an internet service with my phone number, a brand that bought my digits from an ad firm could upload them into an ad tech tool to correlate the number with my online profile and serve targeted ads.

  • A shady marketing agency could add my number to a database to blast me with spam calls and text-messaged promotions.

There are some situations when sharing your phone number is reasonable.

When you enter your user name and password to get into your online banking account, the bank may call or text you with a temporary code that you must enter before you can log in. This is a security mechanism known as two-factor verification. In this situation, your phone number is a useful extra factor to prove you are who you say you are.

“A phone number is a better identifier than just your name, but sometimes you want that,” said Simon Thorpe, director of product for Twilio, a communications company that works with phone carriers on combating robocalls.

But which companies should you trust with your phone number? Here’s where things get tricky.

Plenty of tech companies let you use your phone number to protect your accounts from unauthorized access. But even some legitimate brands like Facebook have been scrutinized for improper use of phone numbers.

Last year, a study by the tech blog Gizmodo found that after a Facebook user set up two-step verification with his phone number, advertisers that uploaded his digits into Facebook’s database could match them to his Facebook profile and serve targeted ads. Separately, some people complained this year that the social network allowed them to look up a person’s Facebook profile just by typing a phone number into its search bar.

The company has removed the ability to find people’s profiles by entering their phone number, said Rochelle Nadhiri, a Facebook spokeswoman. She added that when a user set up two-step verification with a phone number, the company would not use the information to serve targeted ads.

But when large companies like Facebook abuse your digits, whom do you trust?

Unfortunately, there is no neat solution. It all involves work.

That includes first asking yourself whether the benefits of giving out your phone number outweigh the potential risks.

You might also want to set up a second phone number to cloak your personal digits altogether. You could share this second phone number with people and brands you don’t entirely trust. Apps like Google Voice and Burner let you create a different number that you can use for calls and texts.

As for two-factor authentication, most tech companies offer other verification options. They include apps that generate temporary security codes or a physical security key that can be plugged in. Generally, those are safer to use than a phone number.

Here’s a bonus piece of advice. If you have business cards with your personal number printed on them, shred them and order new ones with just your office line.

Eventually, I spoke to Mr. Tezisci about his experience tracking me. He said he was surprised by how easily a person could be targeted with a single set of numbers.

“I only spent an hour, and I was able to see all your addresses and all phone numbers,” he told me. “I think that’s scary, isn’t it? And I selected the legal options. If I were a scammer, I would have gone for your relatives.”


Brian X. Chen is the lead consumer technology writer. He reviews products and writes Tech Fix, a column about solving tech-related problems.

Why Aren’t We Being Protected?

Why Aren’t We Being Protected?

An excellent and important read to understand where we are as a country on this subject, and where we could/should be. Big as California is, they can’t get everything right.

In the big picture, successes and failures combined, California tries harder than most, if not all, of the other states in this country, to make their general population’s health and welfare a priority.
The rest of the country could follow that model to the benefit of us all. It needn’t take so long for Federal officials to figure things out.


Legislators should seize the moment to pass meaningful protections for the digital age.

Via NYTimes, The Editorial Board



In the past year, Congress has been happy to drag tech C.E.O.s into hearings and question them about how they vacuum up and exploit personal information about their users. But so far those hearings haven’t amounted to much more than talk. Lawmakers have yet to do their job and rewrite the law to ensure that such abuses don’t continue.

Americans have been far too vulnerable for far too long when they venture online. Companies are free today to monitor Americans’ behavior and collect information about them from across the web and the real world to do everything from sell them cars to influence their votes to set their life insurance rates — all usually without users’ knowledge of the collection and manipulation taking place behind the scenes. It’s taken more than a decade of shocking revelations — of data breachesClose X and other privacy abuses — to get to this moment, when there finally seems to be enough momentum to pass a federal law.

Congress is considering several pieces of legislation that would strengthen Americans’ privacy rights, and alongside them, a few bills that would make it easier for tech companies to strip away what few privacy rights we now enjoy.

[If you use technology, someone is using your information. We’ll tell you how — and what you can do about it. Sign up for our limited-run newsletter.]

American lawmakers are late to the party. Europe has already set what amounts to a global privacy standard with its General Data Protection Regulation, which went into effect in 2018. G.D.P.R. establishes several privacy rights that do not exist in the United States — including a requirement for companies to inform users about their data practices and receive explicit permission before collecting any personal information. Although Americans cannot legally avail themselves of specific rights under G.D.P.R., the fact that the biggest global tech companies are complying everywhere with the new European rules means that the technocrats in Brussels are doing more for Americans’ digital privacy rights than their own Congress.

The toughest privacy law in the United States today, is the California Consumer Privacy Act, which is set to go into effect on Jan. 1, 2020. Just like G.D.P.R., it requires companies to take adequate security measures to protect data and also offers consumers the right to request access to the data that has been collected about them. Under the California law, consumers not only have a right to know whether their data is being sold or handed off to third parties, they also have a right to block that sale. And the opt-out can’t be a false choice — Facebook and Google would not be able to refuse service just because a user didn’t want their data sold.

While the California Legislature is still working out the precise details of the law and its implementation, other states — including New York — are hard at work on their own privacy legislation. The prospect of a patchwork of state-level rules explains why tech companies are suddenly eager for Washington to step in to set a national standard.

If a weak federal privacy law pre-empts state law, it would roll back the protections that Californians are supposed to get — and it would make it impossible for other states to set the bar even higher. That’s exactly what’s going on with privacy bills introduced by Senator Marco Rubio (the American Data Dissemination Act) and Senator Marsha Blackburn (the Balancing the Rights of Web Surfers Equally and Responsibly Act). Both offer weak privacy protections bundled with federal pre-emption. If passed, they would gut the California law. In the House, Representative Suzan DelBene’s Information Transparency and Personal Data Control Act also pre-empts state law, while offering a respectable amount of privacy protection, like a requirement for companies to secure opt-in consent before collecting user data. Still, even that bill lacks some rights that the California law provides.

The Senate bills that take privacy seriously do not contain pre-emption clauses. Senator Catherine Cortez Masto’s DATA Privacy Act, for instance, bears similarities to the California law and to the G.D.P.R., as does Senator Ed Markey’s significantly more ambitious Privacy Bill of Rights Act. Although Ms. Cortez Masto’s bill does not create a private right of actionClose X — that is, the ability for consumers to sue tech companies for privacy violations — Mr. Markey’s does, and invalidates arbitration clauses that could otherwise shield companies from individual lawsuits. Consumer lawsuits are a hot-button issue — in the California law, the private right of action exists only in a limited form thanks in part to corporate lobbying. Most interestingly, Mr. Markey’s bill requires the creation of a public list of data brokersClose X in the United States — third party companies who buy and sell your data.

Not all bills on the table take an omnibus approach. Some appear to be highly specific swipes at Facebook. For example, a social media privacy bill introduced by Senators Amy Klobuchar and John Kennedy does not add very much to consumer privacy, but each of its provisions — like one that forbids a change to a product that “overrides the privacy preferences of a user” — seems to be a reference to something Facebook has done in the past. Senators Mark Warner and Deb Fischer have introduced a bill circumscribing experimentation on users without their consent. It might seem shocking that any company would do such a thing, but, in fact, Facebook tinkered with its News Feed in 2014 to test whether it could alter its users’ emotions. (The bill also bars designing sites targeted at children under the age of 13 “with the purpose or substantial effect of cultivating compulsive usage, including video auto-play functions initiated without the consent of a user” — a provision aimed at YouTube and its effect on children.)

Where the Warner/Fischer bill looks to alleviate the harmful effects of data collection on consumers, Senator Josh Hawley’s Do Not Track Act seeks to stop the problem much closer to the source, by creating a Do Not Track system administered by the Federal Trade CommissionClose X. Commercial websites would be required by law not to harvest unnecessary data from consumers who have Do Not Track turned on.

A similar idea appeared in a more comprehensive draft bill circulated last year by Senator Ron Wyden, but Mr. Wyden has yet to introduce that bill this session. Instead, like Mr. Warner, he seems to have turned his attention to downstream effects — for the time being, at least. This year, he is sponsoring a bill for algorithmic accountability, requiring the largest tech companies to test their artificial intelligenceClose X systems for biases, such as racial discrimination, and to fix those biases that are found.

A grand bargain privacy bill is said to be in the works, with a handful of lawmakers from both parties haggling privately over the details. Forward-thinking legislation — and the public hearings that would inform its passage — are urgently needed. Americans deserve a robust discussion of what privacy rights they are entitled to and strong privacy laws to protect them.

Congress’s earliest attempts to regulate computing in the 1980s and 1990s were embarrassing. The Congressional Record shows that the Computer Fraud and Abuse Act of 1984, for instance, was prompted by a fantastical Hollywood film about a boy hacker. The Communications Decency Act of 1996 — many sections of which were deemed unconstitutional by the Supreme Court in the following year — had its origins in a moral panic about internet pornography touched off by questionable research. All this lent support to the received wisdom that the tech industry is best left to its own devices without the interference of a clueless legislature. More recent attempts, like the abortive Stop Online Piracy Act, an overbroad piece of copyright enforcement legislation that was killed in 2012 after furious backlash from internet users, have not instilled much confidence in Capitol Hill’s understanding of technology. But encouragingly, many of the privacy bills introduced this session show a sophisticated understanding of the market for personal information, the nation’s woefully inadequate cybersecurity and the many dangers posed by a sector of the economy that has proved itself incapable of self-regulation. Legislators have stepped up their game.

A single bill is of course not the end of government’s responsibilities to its citizens. Any regulation must evolve alongside technology to safeguard fundamental freedoms. But a strong law would be a welcome start. The California privacy law will go into effect in less than seven months. Congress should seize the moment and the public momentum to enshrine digital privacy rights into federal law.

Google May Help Law Enforcement, But It Still Invades Privacy

Google May Help Law Enforcement, But It Still Invades Privacy

The headquarters of Google in Manhattan. Credit: John Taggart for The New York Times


Investigators have been tapping into the tech giant’s enormous cache of location information in an effort to solve crimes. Here’s what this database is and what it does.


Law enforcement officials across the country have been seeking information from a Google database called Sensorvault — a trove of detailed location records involving at least hundreds of millions of devices worldwide, The New York Times found.

Though the new technique can identify suspects near crimes, it runs the risk of sweeping up innocent bystanders, highlighting the impact that companies’ mass collection of data can have on people’s lives.

The Sensorvault database is connected to a Google service called Location History. The feature, begun in 2009, involves Android and Apple devices.

Location History is not on by default. Google prompts users to enable it when they are setting up certain services — traffic alerts in Google Maps, for example, or group images tied to location in Google Photos.

If you have Location History turned on, Google will collect your data as long as you are signed in to your account and have location-enabled Google apps on your phone. The company can collect the data even when you are not using your apps, if your phone settings allow that.

Google says it uses the data to target ads and measure how effective they are — checking, for instance, when people go into an advertiser’s store. The company also uses the information in an aggregated, anonymized form to figure out when stores are busy and to provide traffic estimates. And those who enable Location History can see a timeline of their activities and get recommendations based on where they have been. Google says it does not sell or share the data with advertisers or other companies.

Yes. Google can also gather location information when you conduct searches or use Google apps that have location enabled. If you are signed in, this data is associated with your account.

The Associated Press reported last year that this data, called Web & App Activity, is collected even if you do not have Location History turned on. It is kept in a different database from Sensorvault, Google says.

To see some of the information in your Location History, you can look at your timeline. This map of your travels does not include all of your Sensorvault data, however.

Raw location data from mobile devices can be messy and sometimes incorrect. But computers can make good guesses about your likely path, and about which locations are most important. This is what you see on your timeline. To review all of your Location History, you can download your data from Google. To do that, go to Takeout.Google.com and select Location History. You can follow a similar procedure to download your Web & App Activity on that page.

Your Location History data will appear in computer code. If you can’t read code, you can select the “JSON” format and put the file into a text editor to see what it looks like.

Yes. The process varies depending on whether you are on a phone or computer. In its Help Center, Google provides instructions on disabling or deleting Location History and Web & App Activity.

For years, police detectives have given Google warrants seeking location data tied to specific users’ accounts.

But the new warrants, often called “geofence” requests, instead specify an area near a crime. Google looks in Sensorvault for any devices that were there at the right time and provides that information to the police.

Google first labels the devices with anonymous ID numbers, and detectives look at locations and movement patterns to see if any appear relevant to the crime. Once they narrow the field to a few devices, Google reveals information such as names and email addresses.

Jennifer Valentino-DeVries is a reporter on the investigative team, specializing in technology coverage. Before joining The Times, she worked at The Wall Street Journal and helped to launch the Knight First Amendment Institute at Columbia University. @jenvalentino

A version of this article appears in print on , on Page A19 of the New York edition with the headline: Google’s Sensorvault: Here’s How It Works. Order Reprints | Today’s Paper | Subscribe