Yeah, a friend of mine was tracked by a stalker ex-boyfriend who worked at a Telco.
It was irritatingly difficult to avoid because it seemed he could look up her SIM card by name and then get her location no matter what (new SIM, new phone).
Anyone who reports this kind of thing to the police just sounds irrational and crazy and gets ignored.
It's literally a known thing at telcos: in various roles they find people looking up folks' dox regularly. If someone registers a complaint that someone accessed their data, they'll look it up and deal with them.
I once asked someone on the security/investigations side: if you are logging what everyone is doing, can't you easily find when folks are looking up stuff unrelated to their job? Their answer: we'd have to fire over half the people here - everyone is constantly looking up people's PII - celebrities, friends, enemies, etc. It's almost considered an unofficial perk of the job. This was from one of the largest US Telco carriers circa 2010. Maybe things have changed, hopefully.
In Western Europe they would get fired and go to jail. That's why Western Europe doxx information is considered the most expensive in the world. It wasn't complicated to create that situation. They can just fire a few, drag one to court, and rely on the chilling effect.
Calling BS on that story. You don't need to fire anyone. You just rate limit access to lookups where the customer didn't initiate a support call themselves, and require supervisor approval and audit of said approvals on a regular basis. I've also worked on systems where accounts could be marked as sensitive (e.g. the celebrities) and those needed additional sign off to be accessed.
Sounds like something worth reporting as it is an offence in Australia at least. The police would certainly investigate such an allegation and charges could be laid if there was sufficient evidence and a conviction was possible.
> The police would certainly investigate such an allegation and charges could be laid if there was sufficient evidence and a conviction was possible.
I'll let you know when I finish laughing.
This is 100% false. You can serve up all the evidence on a silver platter and the police will ignore it. I know, I've tried, specifically in a stalking case. They don't care.
It's true in Australia, true in the US, true broadly in the UK and Europe. Where do you live where it's not the case? I once got mugged, had the perpetrator's ID and a video recording of them doing it, and they got a slap on the wrist.
After being stalked myself, for years, across borders, I can tell you the police doesn't care unless you can prove real, imminent danger. I have no idea how to prove that short of a written confession. A message from the stalker with a picture of them holding a knife at the door of my building, and the text I came to "visit" you but you had guests/witnesses for example didn't reach the bar of imminent danger.
The police is made of people who want to do the job but are swamped with bigger problems, and people who don't want to do any real job.
Things are very different in the US. Police do not exist to uphold the law or protect civilians from anything. There are specific rulings in our legal code that flatly state police are not obligated to protect anyone.
Police in the US exist mainly to suck up tax money and harass and murder civilians and escalate peaceful protests into riots to justify suppression and murder. They're merely an instrument of an increasingly authoritarian government.
Yeah, if you gave police here a complaint with all the evidence in the world, there is absolutely no obligation for them to investigate or take any action. And there's really no recourse.
Maybe you're being naive? Just because there are laws doesn't mean they're going to be enforced. Especially with what's going on right now with governments becoming authoritarian.
Yeah it was reported, but the telco's systems were such a load of slop there wasn’t any specific evidence recorded (logs etc), and besides nobody knew what to ask for, so it couldn’t be taken seriously.
I don’t remember the exact circumstances of how they got a confession years later, I think bragging, but he did get convicted and the Telco eventually fired him, which stopped the stalking.
I’m spitballing here but it seemed like his job was a kind of ITS/technician job in the core infrastructure, and it seemed like he didn’t need to go through normal channels to get the information he wanted, ie he could just like pcap a tower with a filter or whatever in a routine kind of way that I guess didn’t create any specific logs. If there were any relevant logs they would have had to give them to the police. And I know that at a high level Telcos are heavily regulated, so there should have been logs.
Doesn’t surprise me at all. I signed up for an internet plan with a provider once, but they never let me login to pay the bills. After they started threatening me with collections and several phone calls later it turned out they were billing someone in a completely different city. Complete shambles.
I have a comparable dispute with an old ISP from an old apartment. Their system had me as still receiving services there for many months after I cancelled and moved. Every year they send me a final warning saying it'll go to collections (the fact that it hasn't actually gone to collections more or less tells me I'm right, lol). Every year I'm grateful it's "just" an ISP and not the government because the government would've escalated the fine to a bajillion dollars and issued a bench warrant by now.
On the other hand, at least with a bench warrant you get to go to court and tell the judge "look, I cancelled this service years ago and I don't live there any more, and they confirmed the cancellation" and the judge would tell the opposing party to go cry about it.
I've seen people getting fired in BigTech for using the platform to stalk their exes. It's usually an alert that goes off when employees access internal dashboards for a certain profile, too many times.
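An added example, not part of any comment in this thread: a small audit-log review that combines the controls two commenters describe, namely a limit on lookups with no customer-initiated support call, supervisor sign-off for accounts marked sensitive, and an alert when one employee views the same profile too many times. The log fields, account IDs and thresholds are assumptions made up for the sketch.

```python
from collections import Counter

# Constructed audit rows (not real data); field names are assumptions.
# ticket = customer-initiated support call, approved_by = supervisor sign-off.
def row(emp, sub, ticket=None, approved_by=None):
    return {"employee": emp, "subscriber": sub,
            "ticket": ticket, "approved_by": approved_by}

LOOKUPS = [
    row("e101", "s-9001", ticket="T-1"),
    row("e202", "s-5000"), row("e202", "s-5000"),
    row("e202", "s-5000"), row("e202", "s-5000"),
    row("e303", "s-7777", ticket="T-9"),
    row("e404", "s-7777", ticket="T-10", approved_by="sup1"),
    row("e505", "s-7777", ticket="T-11", approved_by="e505"),
]
SENSITIVE = {"s-7777"}   # accounts marked sensitive (constructed)
MAX_UNTICKETED = 2       # assumed limit: lookups per employee with no ticket
MAX_SAME_PROFILE = 3     # assumed limit: views of one profile by one employee

def review(lookups, sensitive=SENSITIVE):
    """Return (employee, subscriber, reason) for each lookup needing review."""
    findings = []
    unticketed, per_profile = Counter(), Counter()
    for rec in lookups:
        emp, sub = rec["employee"], rec["subscriber"]
        if rec["ticket"] is None:
            unticketed[emp] += 1
            # Flag once, at the first lookup over the limit.
            if unticketed[emp] == MAX_UNTICKETED + 1:
                findings.append((emp, sub, "unticketed-rate-limit"))
        per_profile[emp, sub] += 1
        if per_profile[emp, sub] == MAX_SAME_PROFILE + 1:
            findings.append((emp, sub, "repeat-profile-access"))
        # Self-approval does not count as supervisor sign-off.
        if sub in sensitive and rec["approved_by"] in (None, emp):
            findings.append((emp, sub, "sensitive-without-approval"))
    return findings

if __name__ == "__main__":
    for finding in review(LOOKUPS):
        print(finding)
```

A check like this only sees lookups that reach the audit log, so access paths that bypass the logged tools stay invisible to it.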
Some systems, like lawful intercept, are designed to be hidden even from telco network management systems. The LI console that set up a wire tap might log activity at that particular console at that particular law-enforcement agency. But if you don't know where to look exactly, good luck.
This is why the Chinese picked lawful intercept as a hacking target for the salt typhoon exploit. It's almost impossible to know whether that exploit is continuing or when exactly it began.
SS7 access - you still have to hack the system to acquire the data yourself, and I believe it creates a log that you roamed to that country, and briefly disconnects your cellphone from the network? It's far from invisible.
Assuming he had access to a database with (lat, long, SIM) data, if she got a new phone he could just use the known (lat, long) pairs from the old SIM and lookup to get the new SIM. Then bam, you can get all of the new lat longs.
It’s impossible to avoid unless you simultaneously move to a new house / apartment when you get your new phone, and never bring the new phone to any previous low-traffic location you brought the old phone to.
If the person was deep enough into the system to have access to location data, then they'd probably be able to just directly look up customer details (likely easier).
Are you in a small company where most people wear lots of hats, or in a big company that has siloed off groups? Am guessing it's more of the big company approach that silos things off?
Built-in positioning of network traces is relatively recent in mobile network equipment and dedicated probes.
If that happened more than 5-6 years ago, it would sound even less likely. Most telcos never bothered doing the processing needed to position raw events based on timing advances. They'd simply offload that to third party companies. These solution providers aren't crazy, they don't touch data that isn't already anonymized. It's even less probable that a random employee would have access to the multiple datasets needed to piece someone's personal data together.
Well, my privacy-o-meter made me have my phone with no sim card and always airplane mode, and the sim card is in a dumb phone in my house, that I also barely turn on unless needed. Not perfect, but still far better than being tracked with telecoms.
So what you’re saying is if you were secretly a psycho and wanted to stalk your ex-girlfriend, you work at a Telco and basically have access to the tools to do it?
So putting aside the fact you’re a reasonable person, anyone who works themselves up to a similar seniority and job description in a Telco as you, could in fact do exactly what the article is saying is an issue for the victims.
Stalker terrorises woman, she reports it, nothing happens, stalker kills her. Cue hand-wringing.
It’s played out a lot of times, in a lot of places, I don’t know why everyone here is so cynical.
Even in pretty dysfunctional countries, or pro-business ones like the US, where nothing like the GDPR exists, telcos' management has a strong interest in not letting just any rank and file employee spy on subscribers.
Most breaches are not in the interests of management, but they happen anyway as management wants to save money or doesn't understand how it could happen.
> 50M+ subs operator, at least 10 employees can have both location and CRM data, I guess it's pretty typical.
This shouldn't be the case anywhere in Europe or regions with similar laws. And we have a lot less than 50M subscribers.
Anyway, there's really nothing that justifies having access to both. If you work on network quality and need enriched traces, personal data is completely useless. Most business cases don't even need stable, let alone clear IMSI. Very few people will need to look at a clear MSISDN for troubleshooting, and if you do things properly they shouldn't get blanket access to terabytes of daily telemetry.
Aggregated CRM data can be useful to more high-level business cases, nothing that can be used to identify someone personally. Our data governance office doesn't even let us correlate anonymized and GDPR compliant data that we buy from third parties when the IDs are too stable, as it'd be fairly easy to match raw network traces.
> so you do have access :)
No I don't. Sometimes people move to different teams you know, and access to datasets I had in the past is mutually exclusive with some that I do have now.
> correct for LI, not for emergency.
If people that can see E112 payloads with GNSS locations exist, then I don't know who they are, but I'm sure they can't have access to stuff relevant to the discussion here. On the network telemetry side, our job is monitoring and quality assurance. Anyway this kind of data is too sparse to be abused by a stalker.
I'm glad to hear that your random telco's governance and influence has spread around the entire world to every other telco.
FYI: from the fact it's hard (not impossible) to see the data mentioned and it's possible (not guaranteed) that the caught offender would be punished is a VERY long way to "you lie".
Theirs was anecdata, yours is anecdata but you're additionally rude.
> And obviously, a simple email to the data governance and privacy office would be taken extremely seriously.
What is this based on? I used to work for a data governance and privacy vendor that supplied data for audits. Tons and tons of customers asked us to fudge their data.
This is after the Delve scandal, where the hottest tech compliance company was completely fraudulent and numerous other hot tech companies also had completely fraudulent audits.
Ah, I remember back in the day when "trust me I work in a telco and this is just dumb" people were really really silent after the room 641a stuff got leaked.
So now the random ex-boyfriend has access to the same tools as 3 letter agencies, got it.
If you live in a country where you cannot trust law enforcement then there isn't much your telco can do. But specifically, these surveillance tools are not available to us.
You are close to a system in a way that those guardrails are clear and present; the story is from the point of view of a victim, and it is possible that they were indeed a victim. Therefore the means of the stalking is not known at all via this story, but somehow, something did occur. It is not surprising on either side, and they do not necessarily contradict each other IMHO.
I'm specifically talking about the technical aspect. Even with non-existent separation of concerns, and abysmal practices related to data governance which would be breaking the law in most of the developed world, the story sounds like bullshit. Extracting points of interest and reconstructing paths from raw network telemetry isn't trivial.
The likelihood a random employee could run a quick SQL join to stalk someone based on their name is zero.
The problem is the bar of expectation has really raised since AI, now you absolutely must have a fancy website with 3-dozen pages and SaaS-like styling.
Before, you could get away doing business with a basic 1-pager, which is about the same as what everyone else had, but these days looks lazy/incompetent.
You don’t have any more time to throw it together than you did before so… yeah I guess slop it is. Probably not going to be humans reading it past the front page anyway. If you want to engage humans, use LinkedIn or TikTok or something.
The special screwdriver isn't supplied with the product, and Apple doesn't sell spare parts. I guess "regular" isn't the right word, but it's easy and inexpensive to buy the right tools.
Surely waiting for the US to return to normal IS a viable strategy. The rest of the world won’t let this madness go on for… decades.
Even the US itself, a country full of guns, won’t let this go on for much longer before there is either civil unrest or an assassination of some kind.
What is Canada expecting to do anyway by spending money on defence. They can’t protect the Canada-US border any more than Trump could build a wall across it if he tried. And Trump is already in extreme debt, what’s he even going to do to keep a hold of Canada - put it under martial law and treat it like Minnesota until the end of time, all the while haemorrhaging money?
Sorry to be that chap, but UX is not a synonym for UI
I'm not a UX person, but have seen an increasing trend of the two terms being used interchangeably - it's actually a really interesting and nuanced field (more rooted in psychology, information architecture, and human centred design).
It's sorta like how a lotta folk assume SRE is just a neologism for "devops" and in the process miss out on the really interesting differences
There are sites where you can buy 200 different shape stencils for $100, and most logos are just those with text added.
When I found out years down the track that I paid like $1000 for a “premium experience” to be offered 6 or so stencils like this, I was pretty furious. Luckily, I picked none of them, and made the artist draw it exactly as I later described.
In some circumstances, yes (usually when the system itself acts as an integrator somehow). Aircraft controls do not strike me as a system where this is sensible (trimming an aircraft is basically an integral control process).
(d'oh, should have read the specific context: in the case mentioned, it is where the system acts as an integrator (pitch -> altitude), and so pure P control is pretty reasonable)
… how are you getting actual usable output at that scale? I have to baby my AI in 1 minute increments or it just doesn’t arrive at the correct solution at all.
Perhaps the prompts you are using could do with some love. We're pretty consistently getting great results up to and beyond the 10 minute mark in a large monorepo.
Due to prolonged stress, of which lack of control is the main contributor, e.g. you have expectations, you cannot control variables x, y, z, which leads to stress, which over a long period causes burnout.
In case it wasn’t obvious, I was being facetious. You can’t just let the AI rip without putting effort into constructing good input and verifying the output and expect anything good to happen, which is what the gp was asking.
There’s no secret into how people are getting “10x”, or at least claiming to, they’re just working more.
The big question is: does it still just write slop, or not?
Fool me once, fool me twice, fool me for the 32nd time, it’s probably still just slop.