Episode 97: On eve of GDPR frightening lack of data privacy, security in US

In this episode, #97, we talk with Robert Xiao, the Carnegie Mellon researcher who investigated Location Smart, a free web application that allowed anyone to track the location of a mobile phone using just the phone’s number. Also: we welcome University of Washington researcher Kate Starbird back into the SL studio to talk about her latest research, examining the web of bloggers, news web sites, conspiracy theorists and government actors targeting human rights workers in Syria.

Data security in the US is so bad, it is scaring the researchers

The end times are upon us. This Friday, May 25th marks the go-live date for the European Union’s General Data Privacy Rule or GDPR. Like a train slowly moving down the track, GDPR’s arrival has been anticipated for months – if not years. (Check out our prior GDPR reporting here.) Still, only a minority of firms say they are prepared to meet the regulation’s stringent requirements to protect the data of EU citizens.

That’s especially true in the US, where de-regulatory fervor and the lack of a comprehensive, national data privacy law have left consumers and the public at the mercy of ham-fisted data brokers. For proof of that, look no further than the latest data privacy dust-up, this one linked to the actions of Location Smart, a third-party location tracking firm.


In stories last week by Krebs on Security, ZDNet, the New York Times and others, it was revealed that telecommunications firms, working with third-party data brokers and mobile phone tracking services like Location Smart, make the location of millions of US mobile phones (and thus their owners) available to anyone with the ability to pay for the service. In fact, in the case of Location Smart, that capability was available to anyone, regardless of their ability to pay, thanks to a vulnerable web-based application intended to demonstrate Location Smart’s abilities for would-be customers.

The work of Syrian Civil Defense workers (aka “White Helmets”) has been the target of online disinformation campaigns that portray them as terrorists and “crisis actors.” Russia-backed news outlets figure prominently in the campaign according to researchers.

Behind it all is a culture of data security and data privacy that has grown so lax that even the security researcher who discovered the Location Smart flaw said he found the whole situation scary and unnerving. In our first segment, we speak with that researcher, Robert Xiao, a graduate student at Carnegie Mellon, about his work analyzing the Location Smart web application and the bigger issues facing US consumers.

False narratives haunt both heroes and victims

Another week, another deadly school shooting in the United States. This time, death and destruction were visited on the unsuspecting students at Santa Fe High School in Texas. But even as news anchors, parents and students tried to process their shock and horror over the carnage, a quieter campaign was afoot online to deny the essential truth of the shooting.

In the hours after the teen-aged shooter was apprehended, unidentified actors sprang into action on Twitter and Facebook, twisting the facts of the event to serve larger narratives and even questioning whether the shooting itself was real. Terrified witnesses to the shooting who spoke to the media were assailed as frauds and “crisis actors.” The young man alleged to have carried out the attack was portrayed as a supporter of former Democratic candidate Hillary Clinton.


Figuring out how such online rumor mills operate is the specialty of Kate Starbird of the University of Washington. Starbird’s expertise is crisis informatics: how online communities respond to real-world crises such as shootings, war and natural disasters. For our second segment, I invited Kate back to the SL studios to talk about the online rumors linked to the Santa Fe shooting and her latest research on information sharing between disparate groups targeting so-called White Helmet human rights workers in Syria.


  1. There are videos of white helmets working with terrorists who executed a man point blank, and also the white helmets carry weapons, which is a violation of international law when they are supposed to be a medical group. GPS in phones can be exploited, but doing PR for the white helmets makes me question the judgement of the author and website.
