A Summary of Securus Troubles
Our story so far… If you haven’t been tracking this one, there are a lot of moving parts to fill you in on. Securus is front and center in a developing controversy including illegal access to your cell phone location data, selling that data to law enforcement who uses that to illegally tracking you without a warrant, and now Securus has been attacked and breached by a hacker. It turns out that all major US cell phone carriers are selling our location information. All of them. AT&T, Verizon, Sprint, T-Mobile, US Carriers, etc. Chances are, your phone is included in those even if not directly because smaller carriers piggyback off the big guys. All the Canadian carriers on in this mess as well. That’s nothing new really, but it could violate some federal laws and regulations. Especially when it’s sold to a company that aggregates location information, then sells that to other third-parties (such as the main actor in our thickening plot, Securus) that work with the government and law enforcement to sell them a new form SaaS, Surveillance as a Service which violates additional federal laws and constitutional rights since they can, and evidently have, do this to anyone, without a warrant. Combine this with a sheriff in Missouri by the name of Cory Hutcheson, who has been suspended and facing all sorts of criminal and civil lawsuits, who used the service to track campaign rivals, judges, and state troopers. All of this mess has brought the attention of Sen. Ron Wyden who is hopping mad and calling for an FCC investigation in the whole excrement festival. Let’s not stop there though, now we have news that Securus, the company that is behind all these shenanigans facilitating warrantless privacy invasion and surveillance, has been attacked and breached by a hacker who successfully pulled account and login information with weak password encryption from the servers of the company. What we have here is a good old fashion dumpster fire.
Selling Your Privacy
So the journey into the mess begins with the fact that the carriers have decided to not only sell you service but go ahead and sell you to other people. Now there is some debate on if they should even be able to do that without consent. This is generally done so apps can trigger certain things based on your location. In those cases, you do opt-in to get notifications from the app. Say for example you are inside a store and the app alerts you of a coupon or current sales. In order to do this, rather than handle all the location data themselves, the carriers have decided to give that data to third parties such as LocationSmart. I don’t recall opting into that, do you? Nevertheless, without a company like that, you wouldn’t get the convenience of location-based apps.
So what we have here is all the carriers are dumping all your data to various aggregators who collect your information to sell it to app makers to use it to make better applications to sell or give to you. Tired of being passed around? Too bad.
Who is Securus
Securus operates private telephone services for prisons and jails. Their service allows inmates to make collect and prepaid calls to people on the outside. They are already under fire for the incredibly high cost of their service, about $1.22 a minute in some reports with an additional charge of $7 for every $25 put on the prepaid card. The company is the target of a lawsuit to end what can be best described as a racket as they are named along with a Massachusetts Sheriff whose contract with Securus includes an illegal pay off. They pay off the necessary authorities to get exclusive rights to provide the service to the inmates. In turn, they charge these ridiculous fees to recover their pay off. That racket is not limited to Securus. That is standard practice in the inmate phone services market.
That’s their main service, but hey, as long as they have that connection to law enforcement (which already seems pretty crooked), why not sell them on location services to track people through their connection to LocationSmart and their tie-ins to the phone carriers? That’s exactly what they have done, and as a result, a lot of surveillance has gone on without warrants. AS it turns out, we have laws that protect your data from law enforcement getting it from a carrier without a warrant, however, the law doesn’t say they can’t get it from a third-party who gets it from the carrier.
Sheriff Cory Hutcheson is in Trouble
To be fair, he has a number of indictments, but no convictions as of yet. Innocent until proven guilty and all. We can extend him the courtesy that he allegedly did not extend to citizens. He has over two dozen charges for state and federal crimes, including robbery and identity theft. He has been using the Securus tracking service for years. At least as far back as 2014. All that Securus requires is the customer upload a document that says they have authority to look up the number, and they get instant access. Note that it is not a warrant, just a document that says they have permission. Also, note it is not reviewed since access is granted immediately.
Among his list of troubles, a filing states that he used the service in 2014 to track troopers, the sheriff (and future campaign adversary) at the time, and a judge. According to State Police, he uploaded a bogus affidavit that claimed he had a right to the data without a warrant. They allege the document is easily identifiable as a fraud and Securus accepted and granted acc
Sen. Ron Wyden Calls for FCC Investigation
Sen. Wyden has sent letters to the carriers demanding they stop sharing location information of their customers. He has further contacted the FCC demanding an investigation as this appears to violate FCC requirements of notification when customer data is accessed without permission by a third party.
This also may violate the 4th Amendment. There is currently a case being reviewed by the supreme court that asks the question of whether or not the 4th Amendment requires law enforcement to obtain a warrant to get location data.
A Wild Hacker Appears: Data Breach of Securus
As if the poo-poo parade wasn’t already enough to rile up those who are concerned with civil liberties, unlawful spying, racketeering, consumer rights, morally corrupt law enforcement, business ethics, privacy… Yesterday a hacker contacted Motherboard, with information he acquired by hacking into the servers of Securus. He provided a sample of the stolen data, including some login credentials to the site. Motherboard confirmed the accounts were valid by filling in the username field with information from that list, as well as made up account names. The made-up account names returned errors, while the names from the list asked for the password. I can’t begin to tell you how bad of a security practice that is. Anyone with a little scripting knowledge can get a list of valid accounts by trying random things in what is called account enumeration. Not good. Not only is Securus spying on everyone with a cell phone, and selling your location to the government, they show no regard for protecting that data from malicious attacks. That account enumeration thing is Security 101 stuff. It is absurd to find that on any login, let alone one that contains a wealth of Personally Identifiable Information (PII).
Will this result in some major ramifications for all parties involved, from law enforcement who have abused it, all the way down to the carries who sold out their customers? We’ll have to wait and see.
Contact Us Today
Contact us today to learn how we can help you secure your workplace and your world.