- LocationSmart is a location-as-a-service company that allows you to track people’s mobile phones (with their consent).
- However, the online demo at the LocationSmart site could be hacked to show the location of anyone, no consent needed.
- LocationSmart took down the demo, but the damage is done. How is this not regulated?
LocationSmart is a private service that enables people to track the locations of smartphones connected to the four biggest wireless carriers in the United States: Verizon, AT&T, T-Mobile, and Sprint. The company only provides this service when people consent to its use.
However, a reporter, via Ars Technica, recently revealed that, using the online demo software at locationsmart.com, pretty much anyone could track someone in the United States using that person’s mobile phone number – no consent required.
After the reporter published the information, LocationSmart removed the demo from its site. There are still links and buttons that say “Free Demo” littered around the pages, but the buttons simply refresh the page.
LocationSmart is what’s called a “location-as-a-service” company. One example of its use would be to give a company’s managers the ability to track the whereabouts of employees, using each employee’s phone as a geotracker. The employees would consent to this practice as part of the job.
But the demo didn't require any consent. You could use it to track almost everyone in America.
The demo formerly hosted at the LocationSmart site allowed you to test the service on yourself. You would enter your information – including your phone number – and then receive a text from the LocationSmart system. You would confirm your consent through the text, and the demo would then instantly show your current location to within 100 yards.
However, reporter Brian Krebs got creative with the system and figured out a way to determine the general whereabouts of anyone with a phone connected to one of the Big Four carriers. He did this by querying LocationSmart’s service to ping the cell tower closest to a given mobile phone number. That in itself provides a reasonable approximation of a person’s location, but the result could be off by a range of miles or more.
But Krebs simply repeated the test numerous times, which created a list of general locations for the cell number in question. He plugged those coordinates into Google Maps and was able to track the movement of the mobile device with relative accuracy.
He tried this out on a friend who he knew was walking through town to see if it would work. It did.
Krebs then asked five different associates for their consent to track them, without knowing their actual locations. Within seconds, he was able to determine the near-exact location of one of the volunteers, and the relative location of the other four.
Krebs reached out to the Big Four carriers to ask them about their association with LocationSmart. All four declined to confirm or deny association with the company, despite the fact that the company logos are all over LocationSmart’s site.
This is scary stuff, and goes to show how little regulation there is when it comes to commercial location tracking of the public.