Verizon catches flak for bragging about value of spying on customers

Credit: Twicepix via Flickr

Compared to free public wireless networks at coffee shops, airports, and other public places, the encrypted, proprietary, heavily secured cellular networks carriers offer to companies look like Fort Knox.

In a coffee shop, all it takes for a hacker to eavesdrop on "private" network connections is a WiFi device and a piece of freeware that takes the work out of snatching, storing and analyzing packets of data from other latte sippers.

Logging in to a cell network requires hardware- and software-based authentication, a device that can speak politely to a specific carrier's network, and powers of hackery great enough to overcome security that prevents end-user devices from talking to each other or anything else that isn't a carrier-owned switch or router, military-grade encryption, and password-cracking apps and the time to make it all work.

If it were easy to log in to a carrier's network without permission, no one would pay a fortune for the privilege of being able to use the network without interference.

But what happens when it's the carrier, not a hacker, who's doing the eavesdropping?

Stories broke yesterday about a business unit called Precision Market Insights, which runs the monitoring program under which Verizon Wireless collects data on the activity of its 94 million customers.

In addition to monitoring each end user device to establish location, authenticate it, and send advertisements its way, Verizon records every URL a customer visits using a Verizon Wireless device, every app, every download, every location, every change in configuration, text, phone call, upload or download.

Verizon Wireless combs and cleans that data, combines it with information on customer shopping habits, age, gender and other demographic data purchased from third-party data brokers, and packages the results for sale as a source of high-volume, real-time data on how customers behave.

The result is a massive invasion of customers' privacy and possibly a new violation of federal wiretap laws for every customer whose Internet activity is monitored, according to Electronic Frontier Foundation staff attorney Hanni Fakhoury.

Verizon announced its plan to collect user data a year ago, and is apparently pleased enough with it that it sent the head of PMI's U.S. operation to a PricewaterhouseCoopers event to show it off.

"We're able to view just everything that they do," according to a May presentation from Bill Diggins, U.S. chief for the Precision Market Insights program.

"We're able to identify what that customer likes not by filling out a form, but by analyzing what they do on a day-to-day basis. We're able to serve them products that we know they like because we've seen that they've gone through and downloaded products like it," Diggins said in the video.

Verizon Wireless removes personal names from the data, but packages the rest in a series of preconfigured subscription services aimed at media companies, retailers, owners of arenas and other public venues and other vertical market segments.

It is not clear whether the Verizon program violates either privacy or wiretap laws, but it does undermine the assumption of reliability that should exist between enterprises and the network providers trying to deliver secure network services in what is already a challenging environment, according to Forrester analyst Chenxi Wang.

Random monitoring gives carriers a valuable, constantly renewed product to sell, but delivers no benefit to either the end user or his or her employer, so the data collection is impossible to justify as a business transaction, according to a CSO story quoting Christopher Soghoian, principal technologist with the ACLU Project on Speech, Privacy and Technology.

Collected data also puts the company at risk by making it theoretically possible for rival companies to buy or steal data that is not anonymized, allowing them to track the activity of individual users.

Law enforcement agencies can also subpoena un-anonymized records, which are far more complete than the lists of phone calls or downloads of aging, cloud-based emails they are able to access under the Patriot Act and other legislation authorizing digital eavesdropping, Soghoian said.

Verizon urges business customers to use virtual private networks, encryption, virtualization clients on smartphones, and other means to isolate, encrypt or protect data flowing across its networks.

Employees enrolled in BYOD programs, however, go mobile on their own dime. Employers can minimize security exposure by encrypting handsets or installing VPNs. Employers can't negotiate security requirements that would put every employee under the protection of a Verizon-maintained virtual network, ban the carrier from monitoring employees, or even ask Verizon to notify them that an employee is being monitored.
