LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers


[H]F Junkie
Apr 25, 2001
According to KrebsonSecurity, LocationSmart has been leaking real-time location data for mobile carrier customers on their web site to anyone that wanted to get it because of a bug. Apparently, this data was free for the taking without any form of authentication required. LocationSmart claims that they don't release this type of information without consent and have removed the offending service from the site. However, the simple fact of the matter is due to their failure to properly protect the data they put many people in jeopardy of stalking or worse. The major carriers need to screen their third party customers better.

But these assurances may ring hollow to anyone with a cell phone who’s concerned about having their physical location revealed at any time. The component of LocationSmart’s Web site that can be abused to look up mobile location data at will is an insecure “application programming interface” or API — an interactive feature designed to display data in response to specific queries by Web site visitors.
Why would you be using their services to begin with? I am not actually sure what benefits it provides.
Whats more troubling is that they had this data in the first place. Why does the carrier send them this data?

IMO this should only be available to law enforcement and only with a warrant.
Whats more troubling is that they had this data in the first place. Why does the carrier send them this data?

IMO this should only be available to law enforcement and only with a warrant.
$$$$$ money talks
Since any data is always a target for misuse, the only way to guarantee security is to never collect the data in the first place.

We needs laws for this shit ASAP.

I've had it with companies large and small making a mockery of privacy.

I propose rules like these:

1.) No organization shall collect, store, monetize or use user data without the explicit consent of the user, and when the users consent is given it must be for a specific purpose, and only for this specific purpose, no blanket permissions.

2.) Data may only be used for the exact purpose which it was collected or shared, even if posted publicly. This includes any and all data harvesting or mining.

3.) It must be made illegal to withhold or alter services if a user decides not to provide consent.

4.) If you offer a service for free that collects data on its users, you must also offer said service for free to those who elect not to consent to shared data. Same if you offer a paid service, this service must be offered at the same price regardless of whether users opt in or not.

5.) All data sharing options must default to decline sharing.

6.) Some services require user data in order to function. In this case the data may be collected, but may not be used for any other purpose than directly providing the service unless the user explicitly opts in, as in #1

7.) You may ask your users to support you, by voluntarily agreeing to share their data, but if they decline you may not spam them with requests. If they decline, you must wait one year before asking again.

8.) All previous user data collected, not in compliance with the above must be permanently erased.

9.) Context based advertising based entirely on what is currently on screen, and does not store any user data is not prohibited by these rules.

10.) The rules above apply to all organizations operating on U.S. soil or with any presence in the U.S. regardless of the nationality of the users, AND to organizations operating anywhere in the word with users located in the U.S.

11.) Minimum fines of $1,000 per database record per day to be assessed for any non-compliance

12.) If the offending organization cannot be fined (due to bankruptcy or location outside of jurisdiction) any subsidiary or parent organization inside U.S. jurisdiction will be assessed in their place.

13.) Exemption: Credit agencies are exempted from these regulations, however, credit agency data may only be used to check credit history in support of a loan application, and then only after an end user has requested a line of credit. The data may not be shared or used for marketing purposes. The credit agency data may not be monetized in any other way except by charging a fee to a financial institution looking to assess the risk of a loan provided to a person.

14.) Exemption: Background checks. Similarly Background checks are exempted from these rules, but may only be used to establish the civil infraction and criminal backgrounds of any person, and only by prospective employers (private persons or companies) Background check data may not be monetized in any other way except a fee to the requesting company or person.

I do not care what this does to the economy, shareholders or the job market. It needs to happen and it needs to happen immediately! This bullshit has been going on WAY too long.
Last edited:
Wait, someone is surprised that these personalized tracking devices are spying on you and reporting in near real time where you are, what you are doing, who you are near, how much you just spent, etc. and that the information collected is being made available to many others? Say it isn't so!

Keep in mind the irony that the personalized tracking devices have GPS capability by government mandate so 911 systems could find you in a emergency, yet it is those same 911 systems that have the MOST problems figuring out where you are when you call. Good luck being found if you are bleeding out somewhere but if you are in the condom section in a drug store, Google knows exactly where you are.