I'm definitely not a lawyer, but I'm starting to believe there is an argument that despite the fact that mobile phones and devices facilitate the generation of location data, that does not necessarily mean that the device manufacture 'owns' that data and can transact with it as they please.

This may all be moot because most of us agree to Privacy Policy contacts, but maybe a mind shift in treating data you generate as a type of property that is covered by property law is required to change behavior.

I never understood the whole concept of “bounty hunters” in the US it’s not the Wild West anymore.

The problem here is that “fugitive recovery” doesn’t need to meet any of the standards normal law enforcement does and unless they kill someone or injure bystanders there likely won’t be an investigation into their conduct and even if there is one the result is often that at worse that could happen is then loosing their license. Criminal investigations against fugitive recovery agents are pretty darn rare and there is no internal affairs or any body that really investigates their conduct on a regular basis.

I’m pretty sure that a large amount of these people violate much more than the privacy of their targets on a regular basis.

They didn't get that memo. The mentality and folklore is that it still is. Laws, politics, government, privacy, policing, social mores, business and especially foreign policy all seem to retain the idea they are a frontier society blessed with Manifest Destiny. Their way, however flawed, is the only way etc etc.

https://en.wikipedia.org/wiki/Letter_of_marque

https://news.ycombinator.com/item?id=18862432

My point is, this is not about effectiveness, but about legality. A constitutional democracy needs to stay constitutional and legal in its ways of delivering justice, otherwise it's not a constitutional democracy anymore but an anarchy.

Giving private individuals the right to legally kidnap people, as well as massive privacy violations like stated in the OP's article — without any oversight — at least to me looks like a massive violation of the Fourth Amendment.

As for the privacy aspect, well online privacy is observably a fiction and it always has been. Only naifs and fools believe otherwise in the face of overwhelming evidence. Sure there ought to be privacy online in some idealistic sense, but there isn’t in reality so act accordingly.

I somehow doubt that's what they make the money on because they make money on bail skippers usually a percentage of the set bail.

In any case if you need someone to appear in court there is something we call a police force which should be used.

We have contract law for a reason any contract can be made illegal regardless if someone has went into it of their own volition or not.

By this definition we can also legalize slavery or indentured servitude, not to mention that I wouldn't call a situation were the choice is either debt or prison having freedom.

Then you'd have to give up being able to afford bail; without bounty hunters, bondsman would have no recourse when you didn't show up to court and thus not much incentive to loan you bail money. You're not being legally kidnapped, you agreed to those terms when you borrowed the bond money for bail.

Most other countries have figured out how to serve justice without a system that discriminates against the poor.

Too many people can’t afford the down payment or can offer a collateral to get a bail financed those who can end up being indebted to them you are advocating for the legalization of loan sharks.

https://www.politifact.com/california/statements/2018/oct/09...

> "Only Duterte’s Philippines and Trump’s United States of America have money bail."

https://www.cbc.ca/news/canada/british-columbia/huawei-meng-...

If the bond costs 10% then you can’t pay bail if it’s set to 10 million or even a million or even lower for most people, if it’s capped at say $100 something that even some US states do then it’s not as much of a problem.

If you look at the US bondsman industry it’s focused on the states not with the highest average bail set but those with the highest prices on bail bonds.

It’s a multi billion dollar industry which effectively taxes the poor.

Make bounties illegal and it fill fall, once it falls the entire bail system in the US will have to be rethought as there isn’t a way to lock so many people up, more judges will release them until trial without setting a bail which they can already legally do and do so for minor offenses.

Also, Oregon doesn't just outlaw bounty hunters as part of our own process, we outlaw them altogether. Bounty hunting is classified as kidnapping.

While there are many things Oregon could do better, there are a whole bunch of things, like this, which I think we are absolutely right on.

In a country where judges are elected a multi billion dollar has a lot of power in determining how bail is set by the courts.

If you think that judges that get donations from bondsmen don’t take that into account when setting bail you are very naive.

This is the exact same problem as private prisons the justice system should not be monetized for profit.

A perfect, no-frills example of the typical dynamic between bail bondsmen and government.

How strange that I received the maximum possible bail amount for a crime that I didn't even commit. Surely there couldn't have been an incentive for the son of the guy who makes the laws to illegally prosecute and fine a minor whose only way to finish graduating high school is to pay the damn fine, so that the guy who makes the laws could collect that fine... That would just be corrupt.

https://www.cps.gov.uk/legal-guidance/bail

The whole concept of bail shouldn’t have a place in a modern society.

California did this last year. People still get released pending trial, they just aren't required to pay a private party for the privilege.

Because of this, black market re-sellers can operate with relative impunity. Most data brokers have a TOS that prohibits the re-selling of their data, but there isn't any copyright protection.

For example, if a company has location data, the only way for them to be held liable is for a particular company to prove they obtained that data directly from them. Once the data has reached a minimum of two parties, everyone now has plausible deniability. If this data was under copyright, the original copyright owner would always have a claim and it would be each parties responsibility to prove they had a right to hold and distribute it.

The lack of a copyright style concept of original owner allows data to flow freely even if that transfer is violating a specific TOS.

It doesn't need (and shouldn't be) "copyrighted".

It's enough that the law classifies it as private info, and protects it from any third party without an immediate consent.

With that said, I am certainly not a lawyer and was never directly involved. Which particular laws are you referring to?

Edit: I should mention I am aware of laws preventing the collection of certain types of data. But unaware of laws about possession of that data.

As a European, I wasn't saying that you have laws that classify it as "private info".

I'm saying that you _should_ have (or get) some such laws.

Including laws about the "possession of that data" -- GDPR for example covers both collection and possession, and which cases either brushes against the law.

That doesn't do diddly for us US citizens living in the US. Our data policy is "we will sell your data, too bad so sad".

Judging by the sentiment on HN when GDPR was coming into effect, if something like it came up for a vote in the US, a lot of HN users and other tech people would vote against it.

There was no shortage of angry geeks posting articles about their service turning away EU users rather than complying with GDPR.

Europeans aren't inherently better: if Facebook and Google were companies founded in Germany or France who knows if GDPR would exist.

The Data Protection Directive, which the GDPR merely extends and updates, is older than Google and almost as old as the web itself, and was an attempt to unify even older national laws regarding personal data. It's not a reaction to having "lost" the privacy-eroding race.

Unfortunately, many areas that would have been "safe" years ago, like games and standalone applications, are moving in the direction of violating privacy by phoning home and sending "telemetry" data, but there's still a lot of areas that are good.

We don't sell our data. We don't trade it. And we adhere to a fedramp medium (in spirit), even though the social media site wasn't checked for that.

Users have control over their profile, and we admins cant even read it (unless we read raw DB, and we dont). And deletion requests entail in zeroing out all user's data. The next day, zeroed data is then purged completely.

Seriously, companies can do this right. And I work for one that absolutely does this right.

Also I resent being told that anyone who works in tech gets their salary from eroding peoples privacy. I can guarantee you that hasn’t been the case for any of the jobs I’ve had in my career.

Further, and I want to make it clear that I don't mean this as a value statement, but is a printing company what most of us really think of a the "tech" industry? and by extension does that really make you the subject of what you are replying to?

The money they have to acquire companies raises the valuation of all startups.

I’m surprised most people don’t realize this.

Your own inherent weakness in morality doesn't implicitly infer that this is the inherent truth for everyone else in the tech or marketing industry. (Perhaps, moreso for tech than marketing but I digress.)

Not everyone in either industry is inherently on the "I'm just in it for the money" bandwagon.

That plus there are good historical reasons for our strong privacy laws.

Excluding the U.K. and Ireland (tax haven) the difference between the EU and U.S. is greater, but (eyeballing) only on the order of 30-50%--e.g. ~4% vs ~6%.

What's more surprising is how small the share of GDP is the digital economy in the U.S.

That said, "digital economy" may be a poor proxy for understanding the impact of privacy regulations. It's a superset of tech industries, including much more than those parts which broker private information and to that extent would overestimate the impact. OTOH, I presume "digital economy" excludes large parts of non-tech industries (i.e. traditional sales and marketing companies, TV and newspaper ads, etc) and thus underestimates the potential impact.

a) the longest comment I’ve ever read all the way through on HN

b) an interesting anecdote

but c) most likely a coincidence.

I agree that the likelihood of such a thing happening is miniscule. However, I’ve had all sorts of strange postage-system-related issues in my time (granted, I’m in the US, which has likely a much worse system) and it doesn’t seem that far out to me that such a letter would have been mishandled by what is likely an automated system.

Maybe if you buy a SIM card and send it to someone else, you can get more conclusive evidence about whether prepaid SIMs are genuinely slowed in transit or if you were just very unlucky. One occurrence does not a trial make.

b) Yes I also think it's very interesting. Initially before coming to these suspicions, I was pissed off about having to dissapoint my sister next time I see her, and the money that was lost buying the SIM card etc, ... but the longer I thought about it and noticed all the inconsistencies in what had happened, it's actually a nice puzzle/gift to receive! Turns out the journey really is the reward after all

c) I have also thought about possible mistakes, but really there is little that can go wrong with a strain gauge! And even if the strain gauge somehow broke, there would have been a long run of letters suddenly appearing for redirection, surely this would be noticed and the letters reweighted... And even if it is incorrectly marked with "insufficient postage" both the sorting which is supposed to redirect it to the return address, as the eventual post man who did not ring failed to see the return address! And with D+1, a delay of ~20 days is totally unheard of (counting up till Nov 7th when the strike was anounced)...

in my response to a sibling of your comment I describe we can simply dissolve a fresh prepaid SIM card to detect the presence of a possible RFID loop antenna

This is trivial to verify or falsify, just buy some acetone in the hardware store:

https://learn.adafruit.com/rfid-iphone/dissolve-the-card

I already bought the acetone, but I did not yet dissolve the SIM card, I want to do this in front of my sister, so she understands why I attach importance to finding out the origin of the unused expired SIM card she sent.

The card is supposedly expired anyway (well to be honest the validity date is printed on a sticker on the outside of the plastic foil package, so in theory it may be a still valid card with a fake early expiration date to encourage my sister to hurry with giving it away...).

I did not yet dissolve the card, but I feel pretty certain there is an RFID coil inside, and that is how they detected and stalled the letter without opening it. Stalled to determine if it is OK or not to allow the card to be sent on or not. "insufficient postage" to increase the possibility of the recipient deciding not to want the letter.

If you can't wait a couple of weeks to hear back from me if there is an RFID tag inside, you can try buying a prepaid SIM card and dissolving in acetone yourself. If you or someone tries this before february, I would like to know the result.

The whole story got me thinking that the human analysts that process and interpret red flags can easily build a repertoire of tricks to arrange for a red flag concerning a person to go off.

If my sister provides me with a name (perhaps even an address) of whoever gave her the card, I could consider tagging the person back (by sending the SIM card to him).

However I think it is unwise:

1) the person who gave it to her would not necessarily be the analyst, it may be an informant (perhaps a criminal turned informant, in which case I am effectively tagging myself into association with a criminal!)

2) if the person who gave it to her was the analyst, and I addressed the letter to Mr [name] "The Tagging Spook" [surname], and possibly arrange for the letter to have insufficient postage, while hilarious that my case file would then contain a red flag associating me with the analyst called out as a spook, it's unclear how he would react. Any future analyst could notice the burnt name of a colleague. He might need to self-report his bypassing of the automated system raising supposedly spontaneous red flags... Also, I estimate it would not be wise of me to go and poke the hornets nest. So I think I will stay with just observing and learning...

https://patents.google.com/patent/US7784693B2

Neat read, and Godspeed.

Not sure whether your theories on there actually being an infrastructure for doing these sorts of things is correct, but even a 5 minute google search seems to suggest it is well within technical capabilities to do so.

Might do some more searching for ISO's and other Engineering standards related to them. Telephony is highly dependent on uniform technical standard adherence, so it's out there somewhere. I doubt that the RFID is in the plastic containg the card, it's probably in the card itself.

The unusual coincidences should be pretty easy to replicate with a P.O. Box, and could be consistent with holding times for information propagation or authorization.

Definitely seems like something to mess with if you are bored!

You'll be amazed the things you can find out when you start to peel back the layers, but don't be disappointed if it's just a coincidence.

The infrastructure would just be an (perhaps surveillance grade) RFID reader and a small office or locker where the suspect letters end up at each post sorting facility, so a security officer or perhaps just the branch manager can store these until the surveillance state replies what to do with the letter.

I also believe it is probable the standards are visible somewhere, just like I remember the bulk of the surveillance state in Europe was/is visible pre-snowden in very high detail through the ETSI (european technology and standards institute) standards.

> I doubt that the RFID is in the plastic containg the card, it's probably in the card itself.

I may have used the incorrect word with "contain", so first the SIM card and the PIN and PUK card are one and the same card, before breaking out the SIM card. I mereley suspect the larger PIN/PUK card to contain the RFID coil, because the perforated C-shape around the SIM has the open part of the C directed at the closest edge. Of course it is possible that the RFID coil is in the smaller piece of SIM card itself, but I don't think so because: the contact pads would provide shielding to the coil, and to have the same total area as a 4 turns in a Credit Card size, the coil would need many more loops. As a designer I would prefer putting the RFID loop in the larger card.

So I did not mean to say that the coil is in the plastic wrap or anything, in case that was how you understood me.

It may seem weird that (if I am right) the surveillance state designed the SIM cards so the connection with the RFID coil breaks, why not design it monolithically such that you can also track used SIM cards in the mail? I simply predict that there is demand for clean SIM cards on the market, and unopened prepaid packages are considered clean, but then the coil is not broken yet... so used SIM card's may turn out safer (if the previous usage was clean)...

I agree the holding times would be roughly reproducible, but I don't want to cram my file full of red flags...

Yeah, spying involves lots of deceit, and as everyone (hopefully) rememmbers from kindergarten, the web of lies only grows (and the observable inconsistencies grow with them)

If it hadn't been stalled, I would probably have ended up calling some friends from university time, probably only spent 2/3's of the call credit before it expires, then simply went on with my life. It's their reckless tradecraft that betrayed them. I have no problem talking openly about what I suspect, I am pretty sure plenty of actual criminals have noticed this before me, but they probably don't talk about it in public fora...

Odds are, you could get a generic reader to get a chirp out of an RFID even without the PIN/PUK card that wouldn't be present in any other package.

IF I were an evil surveillance state taking an interest in mail borne SIM cards in ANY state (I mean think about this, if you could automate it, figuring out the networks of people who often send SIM's to each other in and of itself is a useful data point) I'd exploit using a small machine that can be innocuously placed on the sorting line to get that chirp.

Biggest problem I imagine would be possible tipping off through damage caused to EMF/RF sensitive packages, but I've not really looked up the math or engineering involved enough to make an educated guess.

Like I said. Interesting problem, and I seriously hope you're not right. That's levels of cyberpunk dystopia that just shouldn't be possible in anything remotely resembling a healthy society.

People break the law all the time, and if you're high enough up the food chain Eric Holder will leave you be.

What gets me is that the writing on wall appears to be that this data did not come from an app on the phone but from the phone company themselves, data collection that is required by the government.

"A couple of blocks from where the target was" implies to me that it was locating the nearest tower. Lat/Long coordinates of the phone within 300 meters is required by the FCC to be received by the telephone companies for Phase II of Enhanced 911. They might be snapping the lat/long to the tower, and then calling that de-identified enough to sell.

If a bounty hunter can get your snapped lat/long on demand because of E911 requirements, you better believe a TLA can as well--and probably unsnapped.

https://www.lawfareblog.com/summary-supreme-court-rules-carp...

Meaning: Thanks to e911, a seemingly perfectly acceptable requirement, we now carry around devices that can be used to locate us. Warrant or not. Because "Let's require everyone to carry around a transponder" doesn't work whereas "We are just trying to protect you!" does.

Why don't I own the copyrights to my location data, and why doesn't the carrier need to license it from me in order to sell on to these bounty hunters?

If you filmed yourself walking around like an airplane you would own the clip. Blog about it and you own the article. But the space you occupied at 10:35AM last Thursday is a singular indisputable fact with not an ounce of creativity. In fact more to the point even what they have is actually facts about their own equipment like which tower you were close to at that time which its hard to imagine you owning.

There are laws designed keep people from collecting and misusing your data in countries not run by morons. There is no reasonable way you are going to acquire this same privacy and protection by trying to misuse copyright creatively. I'm sure actual lawyers are likely to regard interesting legal theories the same way engineers regard interesting theories on how to make engines run forever for free via magnets.

For those unfamiliar with Strava art: https://www.cyclingweekly.com/news/latest-news/five-best-str...

Meaning small amounts properly contained (i.e. in a smoke detector) is fine and if you need to collect and especially concentrate larger amounts you should need to go through a whole lot of useful hoops to weed away less serious companies.

maybe in the western world. in a lot of other places the whole “privacy” thing is fuzzy.

They (mobile carriers) already do charge me money... What's your point?

I know many people don't get enough value out of services like Facebook, but I do. There is a price I'd pay to Facebook to use their services to not have my data sold.

AT&T/Verizon/T-Mobile --> Zumigo --> Microbilt --> Bail bond company --> Bounty Hunter --> Motherboard

> Zumigo is a pioneer of mobile services providing _deeper insights_ into consumer behavior to help secure transactions, devices and identities.

https://www.crunchbase.com/organization/zumigo

> Intel Capital

> Aligned Partners

I would be very surprised if it wasn't full of abuse stories.

London's self-proclaimed "Thief-Taker General" is a good example. A gang leader who made money through both committing and "solving" crime.

https://en.wikipedia.org/wiki/Jonathan_Wild

Human rights is a recent development, that does make them a bad idea? Or justify violations :)

The concept of a professional trained police force is well proven by now, I see no reason to question it :)

https://www.youtube.com/watch?v=UxcOf9nwwKE

"You're telling me there's a poorly trained, quasi-legal police force that operates with few, if any government controls? ... It's about time."

US companies need to understand this, or risk losing trading abilities with citizens and organisations in EU member states.

https://www.compliancejunction.com/does-gdpr-apply-to-eu-cit...

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

Thanks for the correction.

That pretty much sums up how much carriers care about this. But it is nice to see Senator Ron Wyden is still doing good work, almost restores my faith in politics.

Selling real time location data to wholesalers in the bail bonds industry? Who would think there would be abuse?

Only license actions and criminal penalties will stop this kind of abuse.

And...is that bad? The availability of bonds factors in to the level at which bail in a money bail system is set to give reasonable assurance of compliance, so the main effect of available bail bonds is to make purchasing a bond instead of paying cash necessary by driving up money bail prices.

> Maybe there are better systems for ensuring compliance with orders to appesr in court than that of Bail

Certainly there are better ideas than money bail structured to support a commercial bond industry.

> but as long as the concept of Bail exists, private Bail Bonds will have to be a necessary part of the system

No, because bail systems outside of the US and the Phillipines (as well as D.C. and California in the US) are not money bail systems.

It sounds good on paper but how does it account for a citizen of "good" character per the algorithm being charged with a major felony or violent crime? If they are innocent, there is a meaningful likelihood they are denied release, thus ruining their life. If they are guilty, there is a meaningful likelihood they aren't reputable enough to ignore the chance to cut off their ankle bracelet and go underground.

Are there any systems that allow for something akin to "bail" (as in a way to be releaswd from custody while awaiting trial while also holding the individual accountable to return) that rely on things asids from cash or trust in an "algorithm"? I'm currently doing some reading on the subject so don't jump down my throat, I'm just skeptical of any other system's ability to balance availability with accountability for those with few to no assets.

There are myriad ways to ensure compliance, nearly all of which would be better than enabling a privatized, unaccountable para-police force.

It’s worth the $1/month expense to have a number to hand out to people I don’t want to be available to.

And, in a way, it keeps me available when I’m overseas and don’t have my usual SIM card installed.

I use VoIP.ms

I wonder if the fact that services like this won't work on VoIP numbers is a reason why. Regardless of the motivation, it's annoying because I don't give out my real mobile number to hardly anyone for this--and spam call/text avoidance--reason.

If Venmo were a brick and mortar business, they could just ask you to come by a local office so they can verify your ID in person. But they don't have a local office; so the reasonable and profitable solution is to preemptively ban you.

Ie: some firm is renting VoIP numbers for a month for $1, creating accounts on 100 services and then moving to the next VoIP number.

Perhaps the VoIP firms support this whenever they get a block of « virgin » numbers before putting them in their regular pool of numbers for rent.

Thanks

I use a SIP desk phone, have calls forwarded to my mobile, and also get voicemail recordings in mail.

(Going back to the original article -- I can't say if this actually protects you from such tracking. Maybe stalkers could find your actual mobile number by some other means, or for all I know customer-identifying parameters could be used without even knowing the phone number.)

No software or server running on my end. It’s all on theirs.

I originally set it up when my phone provider wanted to charge me several dollars per month for a less useful voicemail system, so I set up such a thing by telling my provider to forward unanswered calls to that other DID.

I wonder why that is. Maybe outdated databases?

e.g. if my "real" email account is through Yahoo, but I tell the public about my GMail address which autoforwards to Yahoo, it wouldn't be straightforward (though it would be obviously possible) for Yahoo to deal with a request stated as "Please give me info about the email account, danspublicemailaddress@gmail.com".

Especially messaging providers identify users based on phone numbers, but also a lot of websites started requiring a phone number verification. Those virtual phone numbers are often rejected. This can cause situations in which you have different phone numbers on 2 services.

#2 They'd be helping their rivals with such data

#3 Sharing might kill the golden goose (bad press etc)

...

1. https://twitter.com/sephr/status/1082711937257893888

https://krebsonsecurity.com/2018/05/tracking-firm-locationsm...

How can one avoid this kind of aggregated location tracking?

If you have tons of money, satphone is always an option.

VoIP and then VPN/tunnel/whatever (or just opportunistic wifi use) to connect and pull down messages is the only reasonable way.

Its reasonable that a hospital would know a good deal about me. They'll know current diagnoses, previous diagnoses, medications, probably some generalized family medical history, extensive identification numbers, etc. Its important for them to be able to have this data for them to do their job of healing me. However, its unreasonable for them to then just sell this data on the open market. That's why we passed HIPAA/HITECH.

Write your representatives, explain the problem, and ask them to fix it.

Unless you meant eliminating all forms of bail involving money. I actually have no idea how that works here in the Netherlands.

Interestingly, I find your viewpoint to be just as absurd. Why shouldn't data about me belong to me? Why can't I tell people not to collect data about me when they are providing me with an unrelated service?

  - my mobile phone
  - my landline phone
  - all credit cards and bank accounts
  - all hosted email solutions
  - all other hosted ways of communication (social media, messaging apps)
  - all ways of transport unless I own the devices (and even some cars you could own have telemetry these days...)

I see little benefit in developing an alternative system of payment to the dollar, some form of intellectual nudity, implications of which I don't fully understand. The dollar is fine, charge me and leave me alone.

Probably now AT&T execs are looking at increasing prices on such data. This is very valuable to be sold so cheap.

  - Call history, including metadata and potentially also contents;
  - Text messages, same as with calls: metadata and potentially the contents;
  - Location history;
  - Data connection activity, again: metadata and potentially the contents;
  - IMEIs of the devices I used.

I submitted a GDPR request to my GSM provider a few days ago, but I'm not fluent in legalese, so may not reach as far as someone fluent in it. Still awaiting initial response.

Background story: Malte Spitz, a Green Party member, sued to get all data collected and retained (according to a law which has been overturned since) by his carrier. Die ZEIT/OpenDataCity cross-referenced the data with publicly available information from his Twitter and party website and compiled it all into one visualization.

Unfortunately, they seem to have stopped paying for the Google Maps integration, but you should still be able to follow along just fine.

[1]: https://www.zeit.de/datenschutz/malte-spitz-data-retention

Also, EU readers: why not ask your own provider today?

Apart from location I'm still concerned about actual data transferred via those networks (calls, text and data).

Yes. The Netherlands, carrier is called Youfone.

They have very, very little data on me: they claim not to be able to see which cell tower I'm even connected to (which would be tracking info), which makes me wonder how they even provide their service. They say it's all outsourced to third parties, one of which is the network operator, KPN, and they cannot list those parties for commercial reasons. I doubt that's legal (I'd assume you can't just stuff everything into subsidiaries and go "sorry can't tell, business secrets": either you have to get it from the subsidiaries, or you tell me who they are and whom to talk to), but the Authoriteit Persoonsgegevens (local authority) seems to have their hands full, as do I, so I did not bother pursuing it.

The info I did get was: everything I provided (name, DOB, bank account), everything you would commonly expect (call logs (though that is not as common in Germany, it is everywhere else afaik), the invoices based on those call logs, data usage per month, etc.), and I think one or two uninteresting pieces of information (probably SIM card number and such). They also provided storage time limits for the data.

I feel like they did not have the process in place yet before my request, as a dude quite high up in the orga replied to my support ticket and they exceeded their response deadline. After two months they gave me a professional-looking PDF with the data, so I think they quickly set that up because GDPR was fairly new (few months after May 2018). They're also cheap, I'm sure the mails back and forth (not to mention the investment in that "data to pdf" system) cost them much more than my 8,50/month subscription would warrant. I kind of want to cut them some slack for working on it rather than bother those who try. Maybe I'll pursue it again later. Or maybe someone else can ask better questions based on my experience.

In any case - I agree with you that this seems like a shitty legal pseudo-loophole. At the very least the company you sign mobile contract with needs to share your phone number with those infra subsidies. But then according to GDPR: "15. 1. The data subject shall have the right to (...) access to the personal data and the following information: (...) (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed". Following this rule one should be able to reach the bottom of the data processing chain.

> or categories of recipient to whom the personal data have been or will be disclosed

They provided that by saying it's for network operators.

Could probably send the GDPR-request to Huawei and Ericsson as well.

Just keeping track of phones permissions in the network 100 times/second is an insane amount of data, but there could be leaks/compromised systems somewhere in the User -> Apps -> Phone -> Network -> Provider chain.

Ericsson provides operations service for a number of telecom operators. This means, the operators own the equipment and make the decisions, while Ericsson does the maintenance, supervision and troubleshooting of the network. This is usually done on contracts of three to ten years, after which time the operator may choose to renew or to contract with one of our competitors.

I could certainly be wrong, but my impression is that in this scenario Ericsson is not the data custodian according to the GDPR. It would be interesting to know what the outcome is, if anyone were to make a GDPR request to my employer.

Also, more specifically about the Right to Access, Recital 63 says: "Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data". (emphasis mine)

I planned to document it and share with wider audience in case I find something out of the ordinary. For example, if they kept my location history for longer than is necessary to just route my data through their network, or if they had the contents of my texts, or DNS requests history.

Not sure how to pressure into the Google-style solution, but I think knowing would be a fist step.

I am a/an [OPERATOR] subscriber, identification data: (...)

I would like to get a complete list of personal data that [OPERATOR] stores about me:

  - The history of telephone calls, metadata (when and where [to which number] I called or when and who [what number] called me) as well as the data itself (the content of the calls themselves);
  - The history of text messages, as in the case of calls - metadata and the data itself;
  - History of data transfer (Internet), as above - metadata and the data exchanged itself;
  - Connection history - when my phone was connected to the [OPERATOR]'s network, when in [OPERATOR'S COUNTRY] or when via roaming;
  - Location history - where my phone was located, e.g. which base stations it was connected to or from which country it was connecting or any other information allowing to determine my location more accurately than "Planet Earth";
  - History of used devices - IMEI numbers as well as other data collected about my device / devices;
  - Any additional information collected about me.

The right to access your data is Article 15 of GDPR. Section 1 lays out what they have to provide you. Part (b) of that is "the categories of personal data concerned." I'm no lawyer, but I take that to mean that they have to provide you with the complete list of processing they do.

If I were making this request, I would scrap the entire bullet-point list you wrote and say that I'm invoking my Article 15 rights to be informed of the categories of personal data that [OPERATOR] processes about me.

Relevant law text: https://gdpr-info.eu/art-15-gdpr/

Thanks, makes sense. I wanted to make it clear I'm not happy with a response "Yeah sir, you live here and here, and your device model is X. That's your personal information.". But I'll keep pressing them, as I seriously do not entertain the idea that someone may store all the data that can be inferred from my activity in a mobile network.

edit: I mention this downstream, but it's worth correcting myself. The article prominently features a company named Zumigo, which provides mobile device location data in India as well as North America. So adding "in the U.S." to the (already altered) post title is not needed, especially since it could obfuscate the fact that these location companies do operate internationally.

[0] https://zumigo.com/zumigo-introduces-breakthrough-mobile-loc...

And not just the mobile companies, but the middlemen who provide this location data. Zumigo [0], one of the companies mentioned, has an office based in India and counts Indian banks among its clients for its "first-of-its-kind global location and identity platform".

[0] https://zumigo.com/zumigo-introduces-breakthrough-mobile-loc...

I was unaware of bounty hunters being aserious profession in any particular EU country. Then again, i don't know any EU country where an accused can bail themselves out of jail till the court case.

Germany (1), UK (See Assange) I’d assume that most European Countries have a similar system. However, it’s comparatively rare that bail is set in Germany. If I follow the US bail reform debait correctly I get the impression that jail before trial (Untersuchungshaft) is comparatively rare in Germany and requires specific reasons (2) while it’s comparatively normal in the US.

Both might be contributing reasons why the bail system is not commercialized as in the US. Generally, the European Systems frown upon private law enforcement much more, that might be another reason for the nonexistence of bounty hunters.

(1) §116 StPO https://www.gesetze-im-internet.de/stpo/__116.html

(2) mostly Fluchtgefahr (Danger the accused may flee and leave the country, Verdunklungsgefahr (The accused might hide evidence, the danger of repeating the offense on violent offenses) §112 StPO https://www.gesetze-im-internet.de/stpo/__112.html

While some other countries have cash deposits as part of bail, the US and the Phillipines appear to be the only countries with widespread commercial bail bonds system.