Sprint Web Phones Leak Users' Phone Numbers
Anonymous Coward writes: "Tasty Bits From the Technology Front says that Sprint PCS phones leak your phone number when browsing the Web. The unique ID number each phone has to help assure privacy is ... your phone number." (And TBTF is a good read anyhow.)
Stop posting duplicate stories. :P
There's a much longer article on this here.
-------------------
-------------------
This is my SIG. There are many like it, but this one is mine.
Ahh just think now someone could ring you up and offer you genuine university degrees, oh wait that already happens
...though for a second I thought /. got redesigned...
Looks like it's a good thing that I don't have a cell phone.
This is nothing new. I have a Sprint PCS Phone (Samsung 3500, great phone!) and I wrote a little perl script which checks my IMAP mail. While doing that I found lots of resources at phone.com. They have example perl scripts included in their development tools which show you everything your phone gives away.
(If there is interest in the IMAP mail checking script for HDML phones, let me know.)
Scuse me? Why do so many people think that a cell phone is a good medium from which to browse the web? I think wireless is _awesome_ for things like monitoring and notification, but, really, most of those phones have like 10x20 screens.. I don't really think that's "browsing" size.. Sure, you can get some stock quotes or something..
:P
Does anyone else wonder if the over-hyping of everything internet related will die down any time soon, and just become another information medium?
Does anyone else PRAY for it every day?
--
blue
i browse at -1 because they're funnier than you are.
An international Uber-corporation violating its privacy policy - DEAR GOD! we must contain these types of problems before they spread, and other companies get the same ideas!!!
LMAO!
-FluX
-------------------------
Your Ad Here!
-------------------------
"It is seldom that liberty of any kind is lost all at once." -David Hume
My experience with Sprint PCS and the 'Wireless Web':
It costs a lot (at least when I used it) about 35 cents a minute, with a minute minimum. I would logon, schlep through the crappy four line text menus only to get to a 'this feature coming soon' message. 35 cents down the drain.
It is almost unusable. Do you want to order a book from Amazon after going 19 levels deep in a text menu, typing your credit card number and address on a numeric keypad? gimme a break.
The features you would want just aren't there. How about a user customizable 'home page'. Quick shortcuts to stock quotes, weather, news briefs, sports scores - nope, have to navigate the menu system to get anywhere. Usability testing - anyone, anyone?
Sprint PCS service just sucks period. At least in Chicago. My phone dropped nearly half the calls I made, and failed to ring on incoming calls more times than I care to count.
Just avoid Sprint period. My terrible experience with them just makes me laugh at the irony of their TV ads. 'Crystal Clear'? Can't they be sued for outright lies?
-josh
On the other hand, the damn thing doesn't work half the time, giving all kinds of arcane errors.
Sure, I once spent $3.50 browsing through amazon, but it would have taken me about $5.00 just to enter my address and credit card number. thanks but no thanks Sprint.
Want to work at Transmeta? Hedgefund.net? Priceline?
Can your IM do this?
And the only one that counts is "Microsoft". Yeah, it's probably a coincidence, but it does seem odd that this would happen just when MS is gearing up their new web-phone strategy. Their Sprint holdings will lose some value, but not much, and to MS the effect on consumer thinking will be worth a billion or so dollars more. In the coming weeks, you can expect to see a lot more "freak malfunctions" in the telecom industry, all tending to convince people that the old tech doesn't work.
If you ask me, it's a bit disgusting: Peoples' security is being compromised, just for the sake of helping somebody's marketing strategy. Oh, well, that's capitalism! Anything goes, as long as it makes a buck.
Imagine if someone tries to hack your server using one of these accounts. You could give him/her a call, and congratulate them on trying...
JB
Feed The Need[goatse.cx]
And analog works in more places than digital. And when reception is bad, analog might cut in and out but still be understandable. Poor reception on digital breaks up into an unintelligible buzzing rasping noise, that often does not recover, unlike with analog. And what's with the tinyness of new phones? I see people constantly shifting microsized cell phones from ear to mouth to ear to mouth to ear to... There is such a thing as too small. I love my old Mot flip phone. Always works. When the company switched to these LGI pieces of crap, we had to swap 'em out 3 times cause some of them kept quietly going into 'roam mode' after which no calls could be made or received, until you rebooted the phone. Yeesh. It's just like a PC.
i can crash it just by reading /. ! or cnn ! or microsoft.com ! or opening up IE ! and this is supposed to be new ?
Who would have thought that cell phones also contributed to the revealing of personal info on the net? Web browsers allow cookies. They give out referrer fields, etc. Cell phones don't have the memory space for cookies. They aren't advanced enough for referrer fields and they don't run Windows. But giving out your PHONE NUMBER to anyone??? That's even worse, IMHO. Of course, you can't actually surf the web, yet. But in a few years, cell phones will go the way of the Palm Pilot, with color screens, and proper browsers. THEN anyone with a web page need only go through the server logs and get phone numbers to sell to telemarketers. Or maybe telemarketers might set up pages with popular content people might access from their phones...
This
Have you ever heard of Ameritech (I'm sure other telcos offer similar offers) Privacy Manager? If you don't have Caller ID info sent, it'll make you record your voice (like when calling collect), and it'll ask if you'd like to accept the call from the person.
My paranoid conspiracy theory: Sprint purposely is doing this so that they can offer similar services on their cell phones.
I have a StarTAC dual band Sprint PCS phone with the web browser. It's totally useless. The whole service is designed to take as long as possible to use, and at 95 cents a minute, it's very costly. And you only have about 4 different sites that work anyway. I suspect most users, like me, played with it once, saw their first bill, and never used it again. I don't see much of a privacy threat from something that people never use.
AT&T declined to say whether it automatically gives out customers' phone numbers to the Web sites they browse. Spokesman Ken Woo would only say that ``it's not an issue'' because the company hasn't received any complaints.
This is a small part of this article, which went up Tuesday March 7, 2000. It's not an issue because they haven't received any complaints.
Hmmm...Maybe the reason for this could be that the telephone owners don't know that it's going on!! I doubt the phone flashes a little message that says, "I'm about to send your phone number to this web site. Do you wish to continue?". Also, this is relatively new news to most people.
1. If you can find someone else's unique ID (easy because they used the phone number), you can get them in trouble by impersonating them to websites.
2. Websites can track you without cookies - and this includes tracking across websites.
No, Sprint needs to set up a proxy that gives a number unique to each website by which Sprint can track abusers.
--
The shareholder is always right.
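The per-site identifier proposed in the comment above, sketched as an added example (not code from the thread, Sprint or Phone.com): the gateway sends each site an HMAC of the phone number and the destination host under a carrier-held key, instead of the number itself. The key, the phone numbers and all function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample values: a made-up gateway key and fictional 555 numbers.
GATEWAY_KEY = b"constructed-demo-key-not-a-real-secret"
SUBSCRIBERS = ["3125550143", "3125550188", "7735550102"]


def site_scope(url_or_host: str) -> str:
    """Reduce a URL or host[:port] to a lowercase hostname, the scope of one ID."""
    parts = urlsplit(url_or_host if "//" in url_or_host else "//" + url_or_host)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url_or_host!r}")
    return parts.hostname.rstrip(".")


def site_subscriber_id(key: bytes, phone: str, url_or_host: str) -> str:
    """Opaque ID the gateway would send to one site in place of the phone number.

    Stable per (subscriber, site), so the site can still store preferences,
    but different at every site, so logs cannot be joined across sites, and
    not computable from the phone number without the carrier's key.
    """
    digits = "".join(ch for ch in phone if ch.isdigit())
    msg = digits.encode() + b"\x00" + site_scope(url_or_host).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def resolve_abuse_report(key, reported_id, url_or_host, subscribers):
    """Carrier-side lookup: map an ID reported by a site back to a subscriber.

    Only the key holder can do this; it recomputes each subscriber's ID for
    the reporting site and compares in constant time.
    """
    for phone in subscribers:
        candidate = site_subscriber_id(key, phone, url_or_host)
        if hmac.compare_digest(candidate, reported_id):
            return phone
    return None


if __name__ == "__main__":
    phone = SUBSCRIBERS[0]
    for site in ("http://shop.example.com/cart", "news.example.net"):
        print(site, site_subscriber_id(GATEWAY_KEY, phone, site))
    reported = site_subscriber_id(GATEWAY_KEY, phone, "shop.example.com")
    print("abuse report resolves to",
          resolve_abuse_report(GATEWAY_KEY, reported, "shop.example.com", SUBSCRIBERS))
```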
This has been known since the inception of the browser. You can actually find lots of personal info about a user aside from the phone number. Especially when WAP becomes fully accepted.
In a nutshell:
They said that they have an agreement with websites that they won't use the phone number for telemarketing. I don't remember getting asked, do you?
Really? Then why are you posting anonymously? Methinks that your statement might have more weight if you had logged in, sirrah!
...is if it turned out they were transmitting both halves of the MIN/ESN pair, and thereby providing instant cloneability for anyone with access to the server logs.
OTOH, I'm sure that will happen at some point soon anyway.
spawn_of_yog_sothoth
dood....just stop using netscape.
I have and use Sprint PCS. And the phone I use is the Denso Touchpoint, the phone used to launch these services in the US. I am extremely satisfied with the voice service. I rarely have a problem with signal getting through, and it's a dual-band phone, which means I can switch to analog if digital doesn't get through. Above all, I have been most impressed with the quality of calls. Back to the topic, I did manage to rack up more than $20 in the first month playing around with the web.
The service can be extremely useful and useless at the same time. All depends on how you want to use the service because of the weakness of the software used to browse. I found it was awesome for 3 main uses. First is stock and news information. It was easy enough to use the phone to get this information from CNN and Yahoo!. Second, I found that the Mapquest can be useful. Although it can be cumbersome to use, it could serve a purpose to get direction from zip code to zip code or from address to address. But what impressed me the most was Yahoo!'s personalized services. You can check your email from the phone and even get access to a web scheduler or something like that (didn't bother exploring it).
Overall, the service is cool, until you consider the alternatives. It's a pain in the ass to even log in considering you have to punch the buttons 16 times for an 8 letter login. I've also seen those RIM two-way pagers in action, and got damn can it do so much more so much faster. As much as people are screaming about the need for better screens and speed, until there is a way to input with something other than a keypad these things will remain only toys.
The difference between a cell phone that can surf the web and one that doesn't is probably a $0.50 computer chip. If there's any difference at all. Sure it might not be the BEST idea. Sure there are probably better solutions down the road. But what's the problem if the carriers want to give you MORE capability with your existing hardware? Isn't that classic geek?
I complained to SprintPCS in February about this problem. If you'd like to hear about my saga and also run a script to test your phone for this privacy problem, see http://snafu.fooworld.org/~fubob/hdmlprivacy.html.
Isn't putting the phrase "Unique ID number" next to "privacy" a contradiction?
Sprint seems to have a skewed idea of privacy...
Anonymity is privacy!
-An Anonymous CowHerd.
If you were worried about Big Brother coming and putting a silenced bullet in your back, don't you think one of the last things you would consider is talking on a damn cell phone?
Frankly, I don't give a crap what the gov't knows about me. Hell, if a team of spooks is working round the clock just to track everything I do, that's almost flattering. In any case, my life isn't interesting or dangerous enough to warrant investigation.
Don't get all giddy yet. I have some concerns. Wireless carriers have a direct monetary incentive to compel you to use on-line services so they can get their 90 cents a minute. On-line services have an interest in having whatever personal information they can get through your patronage. I'm also sure there are several government agencies, commercial entities, etc, that would love to know where you are, where you're going, and who you're going to meet. The possibilities range from the most innocent (showing you a banner ad for someplace you're going to pass near, remember the Ericsson Banner Ad article a couple days ago?) to the most egregious (i.e., everything Big Brother wants to know, you give without even thinking about it). If I've thought about it, you can bet that smarter people with power and influence have thought about it too.
You're probably thinking to yourself how far fetched this is. Is it that far-fetched? If a phone is giving up your phone number to every web site it visits, all someone needs to do is connect that phone number to whoever the owner is. The comment I'm replying to mentioned that Yahoo has a personal scheduler service on-line and accessible from web-browsing phones. If you're asking a site for directions from Point A to Point B, chances are, you're either at Point A, or will soon be at Point B. What better way to keep tabs on people's activities than to have their phone number associated with personal information you deposit in centralized computer systems? As it is now, you can already be somewhat tracked down by carrying your cell phone when it's turned on.
I see two possibilities: A) Phones will become simply wireless phones that double as a decent portable web terminal with better displays and input options, or B) Phones will become a combination of a wireless phone and a powerful PDA as well as a great solution for mobile web browsing.
Of course, solution A offers more profit and more power than option B. So naturally, which option do you think we'll get offered?
--
Intelligence is definitely a recessive trait.
I'm the person that runs the Uplink servers for AT&T. (Uplink = Phone.com phone gateway software)
AT&T is doing it right. We don't use phone numbers for subscriber IDs.
Though I do tend to use phone numbers for my test phones.
Phones never talk to any web site directly, they use a proxy agent.
The IP that is logged shows the agent IP, not the cell phone.
A lot of posts bashing Sprint. Just some quick information about Sprint vs. AT&T Wireless.
Sprint uses on their own network and charges per kilobyte of SMS traffic.
AT&T has roaming agreements with other CDPD carriers. (Larger coverage area)
AT&T also has an unlimited usage plan.
As for the phones being usable. They are not over hyped.
You can view html web sites, but hdml and wap/wml/wml+ sites are native to the phone. (No translation needed.)
Some of the interesting things you can use them for, Email, Info services (news, stocks, sports scores, phone book, fax, games), customized apps (Server status, ping, traceroute, circuit testing...), e-commerce (flowers, food, movie tickets), and on and on..
One of the hottest usages are for dispatch customers. Check your next delivery, pickup, work order, etc...
At work we can access our Exchange server to read our email and view our calendars. (This is priceless in a large company.)
Most configuration for phones is done with a personalized web site. You use your personal computer's web browser to set up your Email, Bookmarks, Calendar (sync to your exchange, notes, schedule+, etc.)
Hookup a special cable to your internet phone and make your laptop wireless.
If you just want the one piece wireless solution, get a sierra wireless air card (pc card).
You need to think of the internet phone as a PDA. Extend your office, have quick access to your information. The biggest mistake I see people do is try to replace their laptop.
IMHO,
-Brook Harty
(All comments are my own and not the opinion of AT&T Wireless.)
PS. What's the largest IPO ever? AT&T Wireless.
Did I make any sense? Is anything I said in the realm of possibility? Or am I just going completely Oliver Stoner?
--
Intelligence is definitely a recessive trait.
First of all, this is like saying "SHOCKING!!! Oh my god, your computer gives away your IP address."
Your phone number is like your IP address people! Welcome to reality. You call me, I use callerID and nail you, or I refuse to return your packets.
On the wireless web, the phone number "airlink address" is your phone number.
Its also nice not to have to enter a username/password on your phone, but to have a website identify you via your phone, and store your preferences.
I hate this stOOOPID "shocking" privacy expose's. Some idiot learns how to print HTTP headers and thinks he's a friggin genius who discovered the New World.
Why suggest proprietary software when instead we could tout free software? gv/gs (what have you) has read any/all pdf's i've fed it. You can even get an addon to read encrypted pdfs.
Personally I have a gripe with adobe for "expanding" postscript and then forcing people to pay (for everything but the reader that is). Adobe, You make so many great software packages, but Acrobat sucks. It is just glorified postscript (which i don't have a problem with), but 1. It is not terribly stable here at work or at home [if it works for one of you out there, please no flames... It doesn't concern me if it works on your hardware, unless you are planning on giving said hardware to me (Which would be greatly appreciated...)] 2. Reminds me of windows (Again, if you disagree, piss off) and 3. it is ugly, especially when compared to ghostview.
I'll kill everything, and everyone in sight
When resources and connectivity are what you pay for, and not airtime (like flat rate fees for normal phones), what you can get is a mixed voice activated PDA/cell/thingy
You speak into the phone, it transmits to a processing center, does the appropriate action, and sends you back data.
Of course, this does nothing for privacy, but is loads faster when trying to, say, browse a map, or find a restaurant, etc.
Why put any processing power into a cell phone when it is already a wireless device?
-AS
*Pikachu*
This was reported by HackerNewsNetwork.com a few days ago. Apparently (according to hackernewsnetwork.com) Sprint intends to change their policy. Check out the article.
If you're looking for a way to communicate with clients, family and friends while on the go, I think you'll have better "crystal clear digital clarity" if you put your message on a wadded up spit ball and did a 'drive-by straw-spit' on their house.
On a lighter side, I really had to laugh at the headline and its use of the word "Leak": Sprint Web Phones Leak Users' Phone Numbers
As if to imply: "those pesky little phone numbers wouldn't leak out onto every server log on the net if it wasn't for that hole on the bottom of the router." Perhaps if we tried asking the little dutch boy to come along and put his finger in the leak, we could prevent this leaking travesty from befalling innocent Sprint and its happy users.
It's a malicious attempt to make money from the tracking data on a connection that the user pays for at the expense of privacy, and it's wrong.
_________________________
Furthermore, does WAP protocol enable giving out unique identifiers, or has this been surpassed at the wireless service provider level?? As much as I know, WAP services are always for a fee, so the WAP service provider has to be able to track customers' usage. This is probably most relevant in a situation, where a third party WAP service provider provides its services directly to customers' phones.
Anyway, I'm guessing here. Does anyone know these issues? -mjpk
The privacy thing is a bit worrisome, and Sprint should consider identifying a phone to the net using something other than its number. It's just too easy to abuse.
However, that's just common sense and isn't the reason why I'm posting. What strikes me is that a lot of the posts here sound like they're written by people who just don't get it. Web phones are in their infancy - think back to the web in 1992, when every browser was incompatible with all the others and each new release broke pages which worked fine before. That's the way it is with web phones now.
This is new technology, and still has a lot of rough edges as site designers learn how to work within the limitations of the devices. The content designers are going to get better, and the phones themselves are going to improve. The keyboards are always going to be small, as are the displays (although the resolution will improve). Complaining that a phone keypad isn't good for entering lots of text. Well, duh! We'll just have to find a better way, like speech recognition or maybe setting up shortcuts using a full size keyboard and loading them into the phone.
The pricing model sucks right now, but remember the web at 2400bps with time metered usage. We didn't give up on it just because it wasn't perfect. In fact we loved it and the competition soon brought prices down. That's what's going to happen with web phones, and right now is the most fascinating part, seeing all the possibilities and being able to influence how it all turns out.
I guess I'm just surprised to see people on Slashdot slagging off these devices just because they're new, unfamiliar and still a bit clunky. To those people, all I can suggest is that they stick with their nice comfortable rotary dial phone and leave all this new fangled stuff to us nerds who like that sort of thing.
(No, I don't work for Sprint, but I do work with web phones, so maybe I'm biased.)
I didn't think you were biased at all. I thought what you said was very -insightful-, and me without moderator points.. *sigh*
Sigs are awesome huh?
If the phone cannot handle cookies, then the server would have to do something to remember your last page hit. Who wants to surf the net on such a little and underpowered device? Connection bandwidth is low and the browser is like lynx on acid. I would rather tote along a pda or laptop.
Romanes eunt domus? People called Romanes, they go the 'ouse? It says Romans go home. No it doesn't. What's Latin fo
And here was me expecting to get flamed into a pair of smoking boots. Nice to know there are other neophiles out there.
From what I understand, they fixed this problem last week. I saw it on ZDTV...Take it with the reliability that you credit to them as a news source...
Eh...
SprintPCS web phones use the phone.com browser, which provides cookies by storing them on a gateway server.
--
Do I look like I speak for my employer?
This is a very extreme oversight don't you think? I hope someone is getting seriously fired over this.
WURD!!
But.. hahahahahahahahaha. This is nearly as funny as the .CIL flaw in Microsoft Office 2k. I swear, some designers just totally overlook the obvious.
What seems to be missing in the discussion here is how essential being able to identify the phone number of the handset is in order for "m-commerce" to work at all.
Because Sprint is a non-GSM service that, like most American cellphone companies, focuses on contract accounts, any transactions generated by m-commerce on a Sprint handset are billed either to the contract or to a credit card entered on the handset.
This will not be the model used in the future in the US nor indeed the rest of the world. The world's dominant cellphone standard is GSM, and a large portion of the world's GSM users (the quickest-growing segment) are pre-paid cards.
There is *no* way to identify these customers other than their GSM number. Any m-commerce transactions generated from such a handset will have to be billed directly to the pre-paid SIM card; that's the way it's expected to work, and the only assurance vendors will have of being paid. That means identifying customers by phone number.
...one who says: "This is old, and therefore good."
and one who says: "This is new, and therefore better."
I have found a happy middle ground - I'm a furious "early adopter", but only for things that aren't mission critical. (e.g. I never run a .0 release for real work.)
I am often surprised at the degree of xenophobia and Luddite-esque commentary on /. I think part of having perspective comes from having lived through evolutionary periods enough to see that what goes around comes around again later.
Does anyone else think after years of decentralization and PC "freedom", a web browser looks an awful lot like a 3279G block mode terminal with a server sitting in a closet somewhere that's not next to your desk?
Most of the handheld satellite telephony projects (See "RIP Iridium" elsewhere for more on one.) have provisions for squirting user location from either embedded GPS receivers or satellite triangulation up to the gateway in order to effectively accommodate country-specific access requirements or tariff structures.
We know that people want to sell location-based services. (They're already threatening to with my SprintPCS Neopoint phone, which apparently has a GPS pod one can clip onto the side.)
I can't imagine the satellite phone companies won't want to shovel this data around too.
And just wait, ALL U.S. cellphone subscribers will eventually have user location information gathered on a per-call basis, because the U.S. gov't wants it for Enhanced cellular 911 services. My take is that the carrot for deployment of 911 location services is the ability to make money by selling you door-to-door routing on your cellphone.
> What most folks don't seem to realize is that no
> new legislation or technology is required for a
> cell phone provider to get a fix on your
> location: *they already have this ability*. All
> they need to do is triangulate based on the
> relative signal strength received from two or
> more nearby towers.
Uhhm, *cough* not true *cough*.
The legislation is under a modification to the FCC
E911 regulations, requiring cellular network operators
to provide the location of a caller to the
emergency services in case of an emergency call.
The reason for this is that the percentage of
E911 calls coming in via cell phones is on the
up-and-up and since the landline telco provides
location info during E911 calls, the logic follows
that the cellular operators should too.
There are several competing technologies for
locating cellular users, and while your statement
about signal strength is true-ish, that sort of
system is not very accurate, and is too complex
to be used in the mass market, i.e. the cell ops
are not tracking you right now, but are actively
looking at technological solutions to be able to
do so.
No doubt the network ops will look for commercial
opportunities for the data they will be able to
collect, I certainly would not spend upwards of
UKP100M on a UK-sized network w/o having some
possibility of getting a return on it, and there
will probably be a can-o-worms about who gets
access to the data, and under what circumstances,
but I'm still in favour of it since it will bring
a shed load of useful location-based services.