US mobile phone companies appear to be selling their customers' private data – including their full name, phone number, contract details, home zip code and current location to third parties – all in the name of security.

Security researcher Philip Neustrom found and linked to demo sites run by two mobile authentication companies – Danal and Payfone – that showed both companies have access to a surprising amount of personal information, including real-time location data, about millions of people.

Both companies claim to have the consent of users but that was news to many – including other security researchers – who tested the demo sites and were amazed to find their private details appear on screen. Both sites have since been taken down, and a presentation that Danal gave to AT&T on its system has also been removed.

Dan Kaminsky, best known for a finding a critical flaw in the DNS, tweeted: "Huh. Confirmed that worked. Also had my address from around 15 years ago." But SwiftOnSecurity perhaps best summed up the response for many: "what the fuuuuuuuuuuuuuuuuuuuuuuuuuck."

The companies appear to be using AT&T's Mobile Identity API, which was announced in 2013 as a way to "help businesses make mobile transactions safer and easier". The service is intended to provide additional security for doing secure things like online banking through their phones: the idea being that it provides a double check by allowing them to cross-reference login details with mobile contract and location data.

Since many online banking apps only require a single password (as opposed to, say, two-factor authentication), the double check can be a valuable way to ensure hackers aren't accessing people's bank accounts.

Consent

Danal and Payfone are obliged to receive the consent of users before they allow companies to use their service – but the demos have put a huge question mark on whether that is the case.

Do cops need a warrant to stalk you using your cellphone records? US Supremes to mull it over READ MORE

Payfone insists that there is a "very rigorous framework of security and data privacy consent". But the fact that the information was readily available through an online demo had led many to speculate just how rigorous that framework really is.

The demos used your phone's IP address and only allow you to look up data on your own account. You can't, for example, type in someone else's name and gain access to their personal information. But if you are a customer of Danal or Payfone, you can access that data by simply stating that you have the user's consent. It is unclear how rigorous that check is or if companies simply default to stating consent has been given.

It's also not clear how anyone can check whether a third party feels they have given their consent to have their personal data accessed, or how they can opt out or decline to provide consent in future.

It's also not clear whether other mobile companies have a similar arrangement – supplying all their users' details to third parties that pay them, and then pushing off consent requirements to the companies below them. With a clear financial incentive to provide data on as many people as possible, confidence is not high that anyone in the chain is imposing strict requirements.

Regulation?

There is precedent that such an arrangement will fall foul of regulators. Back in 2016, Verizon was fined $1.35m for its use of "supercookies" that injected unique identifiers into every data request made by phone users and let the company track its users. That enabled the company to build a comprehensive profile of its customers which was then used to attract advertisers. Even if users opted out of Verizon's ad-tracking program, they were still tracked by the supercookies.

Verizon had started using the supercookies in 2012, were investigated by the Federal Communications Commission (FCC) in 2014, and the agreement was reached in 2016. But the fine was considered very small by privacy campaigners and the level of concern was such that some lawmakers promised to introduce new legislation outlawing it.

In addition to the fine, Verizon was told (PDF) by the FCC to inform all its customers that the supercookie existed and give them a simple option to have the tracker removed. It was also told it would have to actively seek permission from its millions of users before it could share the data it has amassed with third parties.

Rules that would have made it illegal for mobile and cables companies to introduce such schemes – both the use of supercookies and the third-party API data sharing that Danal and Payfone seem to be using – were due to come into effect earlier this year but were shot down at the last minute by FCC chair Ajit Pai, and then later pulled out by Republican Congressmen using an arcane law.

The use of location data is also especially sensitive at the moment with the courts debating what rules exist around such data and what legal standards have to be reached to grant access to it. ®