#135 Robocall: Bang Bang
January 31, 2019
How to listen:
Subscribe (it’s free!) in your favorite podcast app.
This week, Alex investigates the rise of one of the most hated businesses: Robocalls. And Damiano tries to figure out if a robocaller is tracking his every move.
PJ VOGT: From Gimlet, this is Reply All. I’m PJ Vogt.
ALEX GOLDMAN: And I’m Alex Goldman.
DAMIANO MARCHETTI: Um, Hi PJ, hi Alex.
PJ: Hey, Damiano.
ALEX: Producer Damiano Marchetti, hello!
PJ: What are you here for? What’ve you got?
DAMIANO: So you guys know that I, like, I sort of talk about robocalls a lot.
PJ: (quietly) Oh my god. Yes, you talk about robocalls a lot.
DAMIANO: And, um, my–
PJ: Why do you find robocalls fascinating?
DAMIANO: Um, I feel like it's one of the things where I've just got to like watch a scam develop and change over time. And like, there was, there's just been so many different versions of them. Like–
PJ: You feel like you're a robocall epidemiologist.
DAMIANO: Yeah, and it's just fun to be like, what are they up to this week?
DAMIANO: And like, normally like my curiosity takes me as far as like I pick up the phone get to listen what’s new in the world of robocallers then I hang up. But then like, a couple months ago, this thing happened that made me want to find out a like so much more? It actually just felt like for the first time kinda scary.
DAMIANO: Well, alright, so just like, wait, first of all, like, do you guys get robocalls?
DAMIANO: Both of you do?
PJ: I get, I didn't use to. Like, I used to occasionally get them. And I don't know what I did wrong, but I get a lot of them now. All the time.
DAMIANO: Yes, me too.
PJ: Like, like everybody's been complaining for the past like couple years about like, oh we're getting all these calls, like we've done stories about these calls (sighs). Up until six months ago, when people talked to me about it, I was like, “Okay, this really easy, just download–there's like a bunch of apps that you can get for your phone, I use one called 'Hiya,' and it's almost like the way your email has a spam filter, this kinda puts the equivalent of a spam filter on your phone.”
PJ: And I was like very–I don't know, people think that I have answers to tech questions. I almost never do and I felt very cocky about like actually being like, "Oh, there’s a new fix." And then like for me... maybe three months ago, it just, it was like the dam broke and like, "Oh, my God! I'm getting so many." Like every morning, every night. And they don't just call once, like they'll just call over and over and over again until I actually go to my phone and block the number. Like if I don't it'll be like 30 in a row. It's like harassing and aggressive and weird. And always like whatever number starts calling keeps calling.
DAMIANO: Yes. And they're always calling from like these phone numbers that are completely fake. Like, you can't call them back and get someone on the line. It's either like a dead line or it's like somebody else's phone number and like this thing they are doing it’s called call spoofing.
ALEX: Yeah. There are a lot of programs that allow people who are making robocalls to make it look like they're dialing from whatever number they want.
PJ: So the way I get them, it’s always the same one, it's this one that's like, um, it's some weird Medicaid-based scam.
DAMIANO: Yes, that’s the one I get too. And it’s always like, “Hi, this is Anne. Do you have insurance for you and your whole family?” Or something like that.
DAMIANO: But, what happened in like October was that I went home to California, and I noticed that all of the phone numbers that were calling me, like all the robocalls–not like the Anne one a different call–were suddenly like California numbers?
PJ: Like the area code was California?
DAMIANO: Yeah, which was weird because I looked back at my phone history and I realized that like before I had gone to California, they were always New York numbers.
ALEX: They know where you are!
DAMIANO: I mean, I don't- uh—my first thought was like you're like–
PJ: It must be a coincidence–
DAMIANO: It’s- it’s–
PJ: Like probably it's all sorts of numbers and you just didn't notice it, but you noticed it when it's where you are.
DAMIANO: Yeah, but- it–but then I realized that like my number, like my- my–area code is 707, which is a Bay Area number.
DAMIANO: And so, all of the time that I've been getting calls in New York, robocalls in New York, been being like, "Oh, you know, it makes sense, it's a New York number, I'm in New York." It's like, "Oh no! That doesn't make sense at all!"
PJ: No! That doesn't make any sense.
DAMIANO: Like you would think that they would be like mimicking my area code not mimicking my location, which obviously like they shouldn’t know.
PJ: It's also super creepy because it's like if the robocall place, if their business model is that they call like a million people everyday–
DAMIANO: Mhm, mhm–
PJ: And you're one of those million people, and they know where you are.
PJ: That means they know where everybody is.
PJ: In a way that must be very easy for them, in a way that I find, assuming that's what's happening, pretty creepy.
DAMIANO: Right, like, the idea that like some company that wants to steal from–money from me can figure out exactly where I am all the time, that freaks me out.
DAMIANO: And so like that’s what I want to figure out. Like am I just being crazy, or like is something really going on here? Like, are they really tracking me and making calls based on my location?
PJ: OK. I mean I think if they are it’s a big deal. I do want to say just like full disclosure I err on the side of thinking that you might actually be being paranoid. Just because it would be such an invasive thing to do on such a large scale. But I do think you should find out.
Also, if you’re going to find out, the other thing, I just like want to know, I have questions about just like what is happening with robocalls right now. Like I don’t understand, it feels like there are way more than there were. It feels like something actually changed. If that’s true I would like to know what happened. Like why the dam broke.
ALEX: You know I’ve honestly been wondering the same thing and I would be happy to look into that.
PJ: Okay, awesome.
DAMIANO: Alright. Alex and I are back.
ALEX: We are.
PJ: So what’d you guys find?
DAMIANO: So, we've gone out and like talked to a bunch of people and like actually learned some things that are really surprising and exciting. And um I think it actually makes sense for Alex- for like–for you to go first.
ALEX: Alright. So, just to start I’ve always assumed that any robocall that I get is just going to be a scam. Like, it’s someone in their basement with a computer making phone calls trying to steal my identity or whatever. Like the IRS one where they call you and say you owe back taxes, or there’s one where someone calls you and says like "Hey I'm from the fraud department at your bank. I've detected fraud on your account. Can you please give me the last four digits and the expiration date?" And then they'll like, be like, "Oh, hm, that's not coming up. Can you give me your CVV number?"
PJ: And they just slowly get your credit card number–
ALEX: Slowly get your credit card number.
PJ: So shady–
ALEX: People who just try to steal your identity, steal your credit card or whatever.
PJ: Like can you just send me your actual cash in an envelope because I want to confirm that you have it?
PJ: Like can you just send me your actual cash in an envelope because I want to confirm that you have it?
ALEX: (laughs) Right. But I looked into the specific call that you two are getting. The like, “hi this is Anne,” healthcare call, that call is actually an altogether different thing. And I think I actually found a recording of the call you guys are getting. It’s cut off at the top, but just imagine it starts with “Hi! This is Anne!” Check it out.
PHONE CALL: You can now get a great insurance plans at the price you can afford. We make it hassle free to sign up with the policies from Signa, Blue Cross, Aetna, United, and many more. Press one now to get hassle a free assessment or press two to be placed on our do not call list. Thank you and as always be happy and blessed.
PJ: (whispers) Yes!
DAMIANO: Oh God, yeah this definitely the one I get.
PJ: Oh that voice makes my skin freeze. Yeah. Will you please stop the recording? I- I’m–hearing it makes me feel like the Manchurian candidate.
ALEX: So I was surprised to learn that this call comes from an actual company that's selling an actual product.
PJ: And who is doing it?
ALEX: The company, ok, well, as you would imagine with a company that’s making like tons–millions of robocalls, um, they–
PJ: Healthcare Holdings LLC.
ALEX: (laughs) It was Health Plan Intermediaries Holdings, which is also known as Health Insurance Innovations?
PJ: Got it.
ALEX: Um which is uh located in Tampa. And here, check this out. This is the "about us" video on their website. It is very well produced.
VIDEO: At HIIQ we believe it starts with the individual. We’re not an insurer (PJ: Uh huh.) and we don’t take on claims risk. Instead, we work with leading carriers to deliver the best value options for the consumer.
DAMIANO: It looks surprisingly legitimate to me. It looks like a commercial that would be on TV, like, it looks professional.
VIDEO: And feedback from thousands of agents.
ALEX: So I was like, OK this is great. What does this company do?
ALEX: And they have this funny role in the insurance marketplace and like I couldn’t find other–many other companies like them. So what I learned is that HII is basically like a middle man.
What they do is they talk to insurance companies, they put together like insurance plans that people can buy. Um, and then they sell those. So when they get people on the line, they say like, “What are your insurance needs? How much coverage do you need? Do you have kids?” And those people will say, “Yes.” And then they’ll recommend a plan that the person can buy.
PJ: Yeah that sounds like what a health care provider would do. (ALEX laughs) Or like a health insurance company, rather than them.
ALEX: But they let you pick from many different health insurance companies. That’s, that’s their promise basically.
ALEX: So what HII does is, they subcontract all these call centers essentially to sell them–sell their products for them. And the company's constantly getting complaints saying like, they completely misrepresented what the plan was supposed to do.
Like, I read someone saying like, “The agent told me I was getting an insurance plan, when I actually got sick I went to the doctor and they said, ‘You don’t have insurance. You have a prescription discount card.’” And the person had been paying like $200 dollars a month for it.
PJ: So, it’s like they’re selling people bad insurance or like no insurance and they’re trying to make it sound like actual insurance.
ALEX: I mean, if you look on their Better Businesses Bureau page, it’s a, it’s an F. And it’s all people saying like,“They charged me after I canceled. They promised me coverage I didn’t get. I’m a million dollars in debt because of healthcare coverage that they told me I would have.”
ALEX: But the thing that was super surprising to me is that this company, which seems so controversial and would–I would imagine would totally operate under, under the table and like super sketchily.
ALEX: Is making money hand over fist. They are thriving in a crazy way. There’s a page on their website that says that they were projected to make 290 million dollars in 2018.
Alex: And, they appeared on Fortune 100’s “Fastest Growing Companies of the Year” in the first place spot.
PJ: And do they just- are they–is there a part of their business that is not this? Or is it pretty much all this?
ALEX: It’s all this. They say they work very hard on compliance. That they don’t get many complaints. They had, um they had had like a lot of class action lawsuits with people saying like, “Hey! You know, I didn’t get the stuff I was promised.”
ALEX: I talked to an HII spokesperson and he told me that they don’t use robocalls at all that if someone got an Anne phone call and it was their product that it was a third-party call center working on its own without HII’s permission.
Given how well documented it is that people say the received unsolicited calls from HII that feels hard to believe, but that’s what they say.
PJ: Huh okay. It is weirdly satisfying to know where my robocalls are coming from.
ALEX: Now, there might be more than one “Hi this is Anne…”
PJ: No. Just let me believe.
ALEX: This is the guise–
PJ: Let me believe! Just let me believe.
ALEX: So, it’s clear that HII and probably a lot of other companies are making a ton of money off of robocalls right now. And the question is like, why right now? Why are they making so much money at this particular moment in time? And I looked into it and there’s actually like a pretty clear reason why there’s been a dramatic increase in robocalls.
ALEX: So I talked to this woman named Margot Saunders, she’s an attorney with the National Consumer Law Center.
ALEX: Where are you located?
MARGOT SAUNDERS: I work out of my home on the top of a mountain in West Virginia.
ALEX: Oh my God. I'm so jealous.
ALEX: Margot advocates for the interests of low-income consumers and she has dedicated herself to stopping people from getting harassed by robocalls.
ALEX: When did robocalls first come on your radar?
MARGOT: So we became involved in the issue in 2014. I think as consumers we've all been aware of robocalls for many years before that. And we noticed that there were really no consumer–really active consumer advocates protecting consumers before the FCC. So we stepped in to try to fill that gap.
ALEX: So right about that time the Obama FCC was trying to reduce the amount of robocalls that were being made. And so in 2015, they wrote an order, which cracked down on autodialers.
PJ: An autodialer is like the robo that is calling in a robocall.
ALEX: Right. And what the robocallers did so they weren’t technically using an autodialer was they hired a bunch of people whose job, sole job, was to manually click buttons to make calls.
ALEX: Just to avoid being- them saying–
PJ: So would it be just rooms full of people who are actually, like–
ALEX: It would be like a whole call center–
PJ: Human calls not robocalls–
ALEX: It would be like a whole call center of people who were going to be making- who–who were going to be receiving calls and then one person whose job it was to take the mouse and press click, click, click, click, click, click, click, so the calls would go as fast as they could go.
PJ: But when you picked up the phone to–
ALEX: You'd still get a robot.
PJ: You'd still get a robot. It was just that a human had dialed to connect you to a robot.
PJ: Because the problem is not the robo, it's the autodialer.
PJ: That's wild.
ALEX: And so, for a while, it seemed like this was actually having like a positive effect. Like, the number of calls went down. But, the FCC's order didn't last very long.
MARGOT: In March of 2018, the D.C. Circuit Court issued an opinion that undermined the 2015 order of the FCC that significantly protected consumers.
ALEX: Okay, so this is actually kinda bonkers. But the thing that the court was looking at in this case was one sentence defining what an autodialer is.
PJ: What was the sentence?
ALEX: The sentence described an autodialer as, quote, “equipment which has the capacity to store or produce telephone numbers to be called using a random or sequential number generator.”
PJ: That seems like actually- I was–that seems like a fine definition.
ALEX: So what they took issue with was the word “capacity.” They were like, “Well you could very easily write an app for a phone that could autodial, so that technically has the capacity to become an autodialer.” So anybody–
PJ: That feels really like annoying.
PJ: Like that feels–you know what I mean? Like, it just feels like very pedantic.
DAMIANO: It feels like someone looking for a reason to strike something down.
ALEX: Right. So the court overturned the FCC’s entire autodialler order.
MARGOT: So that decision sent the issue back to a perceived consumer unfriendly FCC and the industry said, it looks like, "Wow! Now we can make all the robocalls we want."
ALEX: So now the robocallers are like out in force. And I talked to this guy, Alex Quilici, he’s the CEO of this company called YouMail, which makes an app that can block robocalls, sort of like the one you use, PJ. And he said that at this point, it could not be easier to become a robocaller.
ALEX QUILICI: You can set up and become a, a robocaller and annoy a small city in about five minutes.
ALEX GOLDMAN: Woah!
ALEX QUILICI: You upload a list of numbers, hit a button and now you’ve just annoyed San Francisco.
ALEX: So Alex has been watching as his users block more and more incoming robocalls. Like, he says that basically since March of last year the number of incoming robocalls has skyrocketed.
ALEX QUILICI: If you look at 2018, robocalls went up about 80% from the beginning of the year to the end of the year. So (ALEX: Wow.) there were 48 billion robocalls in 2018. So it, it feels like you're getting a lot more because you are.
PJ: So it's what it feels like.
ALEX: Yeah. It's totally, totally what it feels like.
ALEX: After the break. Are robocallers tracking your every move?
DAMIANO: Hi guys.
DAMIANO: So I’ve been trying to figure out just like if I’m totally paranoid or–
PJ: Which is what I believe.
DAMIANO: (laughs) You’ve made that very clear.
DAMIANO: Or if there is like a, a possibility that these scammers really are like tracking me and making calls based off of my location.
DAMIANO: So I’ve looked into it and I think that I have an idea of what might be going on here.
DAMIANO: So the first like small thing is I was talking to Alex Quilici with Alex Goldman and I just mentioned it to him the thing that had been happening to me and he was immediately like, “oh, the same thing I think has been happening to me.”
PJ: He also when he travels around gets robocalls that look like they are coming from wherever he is?
DAMIANO: Yeah, like he was like, “I was in DC recently and I landed and like within a couple days like all the robocalls were from D.C. and then I flew somewhere else and the same thing happened.”
DAMIANO: Which felt like- it just felt like a nice little piece of like, maybe you are not crazy.
PJ: Somebody else is having this.
DAMIANO: Yes. But the place where I really started feel like I was gaining steam, like I was shedding my paranoia was like I talked to a guy who explained to me really really like how my location data could have possibly like gotten out into the real world.
JOSEPH COX: Hello, can you hear me?
DAMIANO: Joseph, how’re you doing? Yes, I can hear you.
JOSEPH: I’m good. How’re you?
DAMIANO: I’m good, I’m good.
DAMIANO: So that’s Joseph Cox, we’ve had him on the show a bunch of times, he’s a tech and cybersecurity reporter for Motherboard. And, a few weeks ago, he published this story about how, like, big cell phone carriers, like AT&T and T-Mobile and Sprint, have been selling our location data and that information has been making its way down to like bounty hunters.
ALEX: That’s wild.
DAMIANO: So recently, Joseph tried this experiment. He met this bounty hunter, who said that if Joseph gave him like a couple hundred bucks, he could track Joseph’s location.
So Joseph gives him the money and the phone number of a person in New York who was willing to be like a guinea pig for this test.
And a few minutes after the payment goes through, he’s sitting at his desk.
JOSEPH: Waiting anxiously, probably drinking too much coffee. I get a message from the source, if I recall correctly it didn't even include any text.
DAMIANO: Uh huh.
JOSEPH: It was just the screenshot of the Google Maps interface showing where that phone was located in Queens, New York–
DAMIANO: Holy crap–
JOSEPH: I then asked the person whose phone we were tracking with consent, "Is that accurate?" And they confirmed pretty quickly, "Yeah, that's where I was." (laughs)
DAMIANO: And so Joseph explained to me like how it was this bounty hunter was able to track down this person’s phone. And the first he told me that all these telecoms they were actually selling real-time location data. Not like, PJ was here one time six months ago and now he's here now like–
PJ: Which would also be horrifying.
DAMIANO: But like real time location data, like pinging your phone, like where's your phone now, where's your phone now, where's your phone now–
PJ: That is nuts.
DAMIANO: And Joseph, he explained to me like how that information got from these like big telecoms down to this bounty hunter.
JOSEPH: Originally the data comes from the telecommunication companies (DAMIANO: Mhm.), T-Mobile, Sprint, AT&T.
JOSEPH: They then sell that for a profit to so-called, location aggregators. These are sort of middleman companies whose main purpose is just to sell that data onto other people. Below that, you have companies like the one we looked at called MicroBilt, which provides it to used car salesmen, landlords, and bounty hunters.
So like a wide array of industries underneath them then have access to this data. Then you have the bounty hunter companies or whoever it may be. And that's where the quote unquote "legitimate trade" ends and the blackmarket begins.
PJ: Nobody would agree to this. Like, nobody, nobody would say to–if AT&T called had, like, me and been like, "Hey, would you be cool with if we told people where you were all the time?" Nobody would be okay with that.
DAMIANO: Well, it's funny like, that's supposed to be the rule. So they’ve actually changed their policy since October, but back when I was I getting the robocalls the way it was supposed to work like what these big telcoms said was that like you are only allowed to use this data if you have the expressed consent of the consumer, like of the person with the cell phone number.
PJ: I would never give it to anybody.
DAMIANO: And so they gave it to these location aggregators, like these middlemen companies, and the idea was always supposed to be like, "Only use this if you get the person with the cell phone number's consent.” So like, for example, if you’re a AAA member, you’ve given AAA permission to find you like if your car breaks down on the side of the road they can find you.
PJ: It's also–the other reason it's so bad is because you can already, within your phone, you can say that you want to allow a specific app to have access to your location, some of the time or all the time.
And like it's pretty transparent, like you get a, a permission (DAMIANO: Mhm.) and if you start to feel like, “Wait, why did I let Shazam know where I was?” You can delete the app or you can change the permission. The idea that it would happen, the phone company would do it and they would do it through your phone number, it's like, it's so much less, like, just the place where you would give or not give consent has just be like *ffp* [makes mouth sound].
DAMIANO: Yeah it feels like, it feels awful. Um, and at this point, like it seemed pretty clear that my location data could definitely be out there. But the thing I still wasn’t sure of or didn’t really understand was whether a robocaller could get their hands on it? Right?
DAMIANO: In every example that I had, like in Joseph's story, like, this is a bail bondsman, like, a person who's highly motivated to like track somebody down.
ALEX: Right, it seems like a lot of work to get location information just to fool someone into picking up a robocall.
DAMIANO: Right. Like, it didn't quite describe the thing that was happening to me.
Like I still wondered if it was like, if there was like a scenario where like someone was going after like thousands, like, was like casting like a very wide net. Like–
ALEX: Like getting a massive trove of location information.
DAMIANO: Basically. And then Joseph connected me to this other guy. This guy who just like- it just felt like if he had access to this information .it seems completely possible that a robocaller would.
PJ: Who's this?
DAMIANO: So I didn’t realize this before like I started reporting on this story but there’s people whose entire job is just like owning a big 1-800 number, so like 1-800-LAWYERS or 1-800-CONTACTS. And the guy I talked to who works in this business, his name Bruno Tabbi
PJ: Real name?
DAMIANO: Bruno Tabbi’s his real name.
PJ: Good name.
DAMIANO: Good name.
BRUNO TABBI: Hello?
DAMIANO: Hey, Bruno! It's Damiano.
DAMIANO: How you doing?
BRUNO: Good, how are you?
DAMIANO: So Bruno at some point like a decade ago was very smart and realized that these numbers were going to be worth a lot of money, so he went out and bought some like very catchy 1-800 numbers.
PJ: Got it.
BRUNO: We have national clients, 1-800-MECHANIC, 1-800-COMFORT, 1-800-DRYWALL, you know, uh, California Closets is a customer of ours. So most of our clients, a good quarter of our clients, are small businesses. They do advertising in local markets and they want access to a phone number that’s really memorable. So, it's about memorability just very kind of like foundational marketing stuff.
DAMIANO: So, this is his website. Um, like these are all his clients.
PJ: This is everything he's got? Oh, these are the companies that work with him.
DAMIANO: And so, what his business is, is like, say like one of his clients is like someone who that treats varicose veins like and I’m making this up a varicose Vein Institute of Poughkeepsie.
DAMIANO: Say, you own the Vein Institute of Poughkeepsie. You would love a piece of the 1-800-VARICOSE toll-free–like toll-free number.
DAMIANO: Because if someone's calling 1-800-VARICOSE, that's like, that’s like someone you have on the hook.
DAMIANO: And what would be even better is if like, that person who wants to get their varicose veins removed lives in Poughkeepsie.
DAMIANO: But like you probably, like the Vein Institute of Poughkeepsie probably can't afford, in the first place, to own 1-800-VARICOSE because it's really expensive, probably Bruno's not going even sell it to you at this point.
ALEX: So, they rent it from them?
DAMIANO: So, yeah he like licenses it them. So, what Bruno does is, he like, he's got this pie, which is 1-800-VARICOSE, and he just like splits it up. Like, he has all of these varicose clinics all over the country who pay him for a piece.
PJ: That's wild!
DAMIANO: Yeah. It’s totally wild. And like the only way for Bruno’s business model to work is if he can get the location information for all the people calling into like 1-800-VARICOSE.
And so this is how Bruno explained it to me. Like, this is how he set up his system: you call 1-800-VARICOSE, Bruno gets your number and he sends it to one of these location companies and he says “Where is Damiano calling from?” And he gets back information that’s not as specific as what Joseph Cox got for his bounty hunter. He actually just gets like a zip code. So, Bruno gets my zip code and he says “Oh! This guy calling from the 707 number, he’s actually in Brooklyn. Let’s send him to like the Brooklyn Varicose Institute.”
PJ: So, even if, even if you're area code was California for your cellphone if you were in Brooklyn, he'd be able to route you to the right place.
DAMIANO: He would route me to the right place.
DAMIANO: And to Bruno, like, that’s pretty much how he imagined this technology being used.
BRUNO: The original intent for this was like a franchise has, you know, 1,500 locations. They want to route callers to their nearest, you know, Jimmy John's or nearest, you know, Napa Auto Parts Store or whatever. So, like, that's where that technology came in. What we don't know, what we didn't realize was like, the idea that like uh- uh—a bail bondsman or a bounty hunter was using this thing- like, uh- if you would have asked me if that was an approved use case. I would say, "No way! That's crazy. They, they, they would never allow that!" And, um, low and behold you know they were–they weren't managing who was using the data.
DAMIANO: What happened recently is that because of Joseph Cox’s story about the bounty hunter and how the bounty hunter was able to get access this like real-time location data and actually also because of like a New York Times story that came out last year that sort of was about a similar example of like misuse of this data.
The telecoms they came out and said, we’re not going to let anyone access this data anymore. By March, we’re just going to cut everyone off.
PJ: That seems better.
DAMIANO: Yeah, and um, I’ve actually been in touch with some of these like location services companies.
PJ: The companies that they- were buying it from the phone companies and giving it to other people.
DAMIANO: Yes, yes. And according to them robocallers have not gotten an access to location data.
PJ: According to them they are doing a good job and everything is fine and everyone should stop freaking out.
DAMIANO: Yeah, basically. Basically they are say like they’re getting consent from people like they are supposed to and there’s a very rigorous process for companies who do want to get access to location data, to get access to it.
DAMIANO: But. After like reporting on all this and talking to a bunch of people like that does not match up with the stories that I have heard. Like, people are definitely getting tracked without their consent. And like Joseph told me that like one of the ways that bounty hunter companies were getting access to this data was by posing as other companies.
PJ: It just- it just–it just doesn’t even have to go that wrong to feel like why should this exist in the first place.
DAMIANO: Well it just feels like in general like this area is- people weren’t paying attention and it just feels a little bit like the wild west.
DAMIANO: And we still just don’t quite have a good understanding of like everyone who got this data and what’s going on here.
So I think that like a totally like plausible theory for how these robocallers might have gotten their hands on like my, Damiano Marchetti’s, location data is that like somewhere like down in Boca Raton there’s a call center that’s using some service like Bruno had access to where they can just ping a server and be like, "Where's Damiano now?”
DAMIANO: Where's Damiano now?
PJ: And they are just doing it to lots of people at the same time.
PJ: That's wild. God, I really thought that my sense of like cynicism and paranoia was calibrated correctly and it's not.
DAMIANO: Yeah. I feel like, oddly comforted.
PJ: Just because you're learning (DAMIANO: laughs) that you yourself are not paranoid. That's the only reason you feel good about this.
PHIA BENNIN: Hey, guys.
PJ: Phia Bennin.
DAMIANO and PJ: Hi, Phia.
PHIA: Um, well okay so, I’m sorry to butt in, but I’ve been helping Damiano with some of this story.
PHIA: And Damiano, I think your theory is fine.
PHIA: But I actually have a different theory that I’ve been looking into. That like–
PJ: I like that Damiano is just ambiently infected everyone with his mystery.
PHIA: Oh my gosh. I'm very interested in this. And, um, and so I've been looking into this different theory that I–I find fascinating.
PHIA: So my theory is that it has something to do with the apps on Damiano's phone.
PHIA: As we all know apps are collecting a lot of information about us all the time.
DAMIANO: Yes, I do know that.
PHIA: And so, the other day I asked Damiano if I could see his phone.
PJ: Sometimes–sometimes Phia is collecting information on us all the time (laughing).
DAMIANO: We’re sitting in the small office and Phia grabbed my phone–
DAMIANO: And then looked at me and realized that she needed my fingerprint to get into my phone (ALL: laughs) and then was upset and had to ask my permission to use my phone.
PHIA: That- that's true. So, Damiano has wonderful apps on his phone.
PJ: What do you mean wonderful apps?
DAMIANO: Oh my God, this is gonna really suck.
PHIA: (laughs) He has- I just–you learn a lot about a person from what apps they have.
DAMIANO: (grumble) I don’t like this–
PJ: God, this is a very vulnerable moment.
DAMIANO: I don't like this–
PJ: I feel for you–
PHIA: OK, it is very vulnerable. So Damiano has apps like Cellar Tracker?
ALEX: What is that?
PJ: What's Cellar Tracker?
DAMIANO: (mumbles) This is so horrible.
ALEX: Cellars' don't move. Why do they need to be tracked?
PJ: Like wine cellar? What is it? What is Cellar Tracker? Basement Finder was too expensive?
DAMIANO: It's like a wine researching app.
PJ: It's okay to drink wine.
PHIA: And Delectable Scan and Rate Wine.
DAMIANO: Oh my God.
PJ: Oh my God, you're a wine snob! (laughs)
DAMIANO: Aggghhhhhhhhhh! I hate this!
PJ: Tannin detector (laughs).
PHIA: Nobody will be surprised that he has Italian translator offline.
PJ: That's fine.
ALEX: Mhm. OK.
PHIA: Um, Ab and Core Workout.
ALEX: That's not bad.
PJ: You look great.
PHIA: (laughs) Um, and then–
PJ: Just drinking wine, doing sit-ups.
DAMIANO: God, I didn’t, I didn’t actually think–
PJ: Saying things in Italian.
DAMIANO: I didn't pick–
ALEX: Hey, could you pass me that red. I need to do a wall sit real quick.
DAMIANO: If you said to me like, “oh, someone's gonna look at all the apps you downloaded.” I wouldn't–it doesn't feel that scary.
PJ: Oh, I would know it was scary.
PHIA: Um, and then this category of apps that like I don't personally relate to and maybe you guys do more. Games like–
DAMIANO: Oh god.
PHIA: Steampunk Defense.
DAMIANO: All right. Wait, wait, wait, let me stop her.
PJ: Steampunk Defense?
DAMIANO: Let me, let me just say–
PJ: Is this just like an app that when you’re wearing like–
DAMIANO: I fully admit–
PJ: Weird goggles and a top hat–
DAMIANO: Wait! I will fully–
PJ: It gives you reasons why that's okay?
DAMIANO: I can fully admit. I feel like–
PJ: It's okay to have junky games.
DAMIANO: I feel like this is–yeah, I download lots of like just very terrible games.
PJ: That's fine.
ALEX: I have a game on my phone called my phone called Jump Car and it's just like a car where when you press the screen it jumps up to the next level.
PHIA: Matt has that.
ALEX: Jump car?
PHIA: I think so–
PJ: That sounds like a thing that like you would put over a baby's bed so they could sleep. Like it's like sounds like a mobile.
ALEX: It kind of is.
PJ: Yeah that too.
DAMIANO: Can I just say like I love playing video games on my phone to the point where like one of them that I was really obsessed with like my 9- and 11-year-old cousins showed me over like some break when I was home. And I left for six months and was like obsessed with it and like watching YouTube tutorials on it. And came back like six months later and was like, "Hey guys, you want to play?" And I was like a super good at it. (PJ laughs) And they were–
PJ: They didn't care.
DAMIANO: They were like–
ALEX: We moved on from this.
PJ: So what does this have to do with–
PHIA: Okay. Okay. So I took all 95 apps that (PJ laughs) Damiano has downloaded at some point to his phone.
PJ: None of these sound like paid apps either. It's sounds like they're all free ones.
DAMIANO: They’re all free. I don't think I've ever paid for an app.
PHIA: And I sent them to this guy named Joel Reardon.
DAMIANO: Oh great, now another person has them.
PHIA: (laughs) Yes, and he's an assistant professor at the University of Calgary and he’s done a bunch of research on cell phones and apps.
PHIA: So, um, what he basically said from the jump and like maybe you already know this but is that like apps can be collecting information, like um, your Wi-Fi network?
PJ: I didn't know that.
PHIA: The serial number of your router? Uh, like your location information, your IP address.
PJ: Which IP address would already be enough actually.
PHIA: There's just like all these little weird details it–that they can be collecting all the time. Um, and then, and like what other apps you've downloaded. So, like, Joel said, they’re just like giving the whole picture of who Damiano is.
JOEL REARDON: Like if it's just the case that you have five apps installed, then it's not going to be very interesting. But if someone's actually using their phone and, and they have, in this case like nearly 50 apps or so or a hundred apps, like that's a very unique fingerprint of a person. And it tells a lot of like, you know, basically valuable information to marketers who want to micro-target advertising.
PHIA: And you're saying it's going to multiple advertising companies?
JOEL: Exactly. Yeah, the way these apps can make money even though they're like ostensibly free–
JOEL: Is that they get fractions of fractions of cents for each user who uses the app and uploads information to some company or, or serves an ads on behalf of these companies. And there's no real restriction in how many add libraries or analytics libraries some app includes. You just keep including them. You can include more and then you'll get more fractions of cents.
PHIA: So your free- free apps are actually paying for themselves by selling them to all of these marketing companies. My theory is that a robocaller bought that information from one of these marketing companies.
PHIA: Or that maybe they wrote a little bit of code and is just paying an app directly to collect that information for them.
ALEX: Oh my God.
PHIA: So, I sent him the 95 apps as I mentioned.
DAMIANO: Oh, Lord.
JOEL: So I took a list of these–the list you sent and then just did some searching on our data set to see if any of them were sending the phone number of the device and sufficient information to obtain location.
JOEL: And I did find one.
DAMIANO: Oh, no!
PHIA: Um, do you want to tell us about Mobile Legends: Bang Bang?
DAMIANO: That's the one my cousins played!
ALEX: Mobile Legends: Bang Bang!
DAMIANO: That's the one!
PJ: It sounds like a fake video game.
ALEX: It does. It sounds like something that would be in a–in like a network television show. Or network television drama–
PJ: Yeah, or somebody was like, somebody was like, I think I- I- I think–like I don't know what you're up to. I don't know where you're spending all your time. "Oh, the video game? It's a Mobile, Mobile Legends: Bang Bang.
DAMIANO: Oh my God. I need to warn my 9- and 11-year-old cousins.
ALEX: They're probably getting, their phones are ringing off the hook.
PJ: So, what uh, like- what—so what struck him as particularly dicey about Mobile Legends: Bang Bang?
PHIA: Okay, so Mobile Legends: Bang Bang.
DAMIANO: Oh my god, wait, millions of people play that game. That’s–
PJ: Millions of people get robocalls.
DAMIANO: I, okay, as I was being defensive I realized how it dorky it was.
PJ: It's cool that you do this. (DAMIANO: But like–) I think everyone agrees it's good.
PHIA: Um, so, Joel specifically focuses on Android phones, but he says if you had an Android and you've downloaded that game, what–what jumped out to him is it is a game that sends your phone number.
JOEL: In our study the equivalent app on Android sent location information and IP information, internet, the internet address of the phone.
JOEL: And generally you can, with the internet address, you can figure out what city they're in and certainly what state they're in.
JOEL: The real scandal is sending the phone number, right? Like why is it sending the phone number out to some company? What purpose do they need it for?
And in the case of this, this game, they were sending not only the phone number but the IMEI and the IMSI of the phone. The IMEI is the International Mobile Equipment Identifier. It's a number that cell phones use to connect to cell phone towers and it really serves no other purpose.
PHIA: That's crazy.
JOEL: There’s- I- I–I have not thought of a legitimate reason why this should be collected.
PHIA: So, so this game is sending out that information to these advertising companies.
JOEL: Um, actually, so in this case, I don't know where, who gets this information. They don't have a, a name like an advertising company.
PHIA: So this game is sending the location information–
JOEL: And the phone number.
PHIA: And the phone number to some place–
JOEL: To some random place on the internet that doesn't have a name
PHIA: That doesn't have a name.
PHIA: So Damiano downloaded a very suspicious game.
JOEL: I would, I would say so.
PHIA: So after the call with Joel actually found out where Mobile Legends: Bang Bang sending information and it’s six different places. Um, but that mysterious one, the random place on the Internet as Joel calls it, that’s actually something called “Young Joy Game.” But we have no idea what that is.
PJ: So the idea is that either it's sending, it's possible, that this app or another app on Damiano's phone is sending his information to the robocallers or sending them to some broker (PHIA: Mhm.) that then sell them to the robocallers.
PHIA: Right. Another possibility is that there's a vulnerability in any of this and so a robocaller is just like getting that code (PJ: Right.) without paying or–
ALEX: You're a real Mobile Legend.
PHIA: God (laughing). So the thing is that if you had an Android that would be true. Now, on an iPhone, you're not actually, they aren't allowed to collect your phone number. But he said, the thing is, that if any of the apps that you ever downloaded have prompted you to put in a phone number, like say they were like, "We'll text you a code that you have to enter."
PHIA: Then you would have willfully handed over your phone number and they could send that to whoever then.
PHIA: So the question is, Damiano, have you ever given your phone number to any app that you've ever used?
DAMIANO: Definitely. I mean definitely.
ALEX: For sure he has.
PJ: Like, oh yeah, you want me to send you a little code?
DAMIANO: No. Also, I'm not worried about my phone number. Like I- I would–I would rather put my phone number than my email address for like a shitty game. Do you know what I mean?
PJ: Yeah, I would do the same thing.
DAMIANO: Like if someone was like, “Can I have your email address?” I’m like, “You're gonna spam me. Oh, phone number. What are you gonna do with that?”
PJ: Follow me around everywhere and try to sell me bad insurance.
PHIA: Just to be clear, I don’t know for sure that that’s what happened. I reached out to Mobile Legends and never heard back. So that’s my best guess.
DAMIANO: Wow, that’s a lot. Thank you, Phia.
PHIA: I'm sorry for razzing you.
PJ: I still feel gross and paranoid about the world.
DAMIANO: I feel a little bit like I've just been snitching on myself.
PJ: Are you going to change your behavior? Are you going to get rid of, what’s it called?
ALEX: Mobile Legends: Bang Bang.
Reply All is hosted by PJ Vogt and me, Alex Goldman. We’re produced by Sruthi Pinnamaneni, Phia Bennin, Damiano Marchetti, Anna Foley, and Jessica Yung. Our show’s edited by Tim Howard. We’re mixed by Rick Kwan. Fact-checking by Michelle Harris. Our intern is Christina Ayele Djossa. Our theme song is by the mysterious Breakmaster Cylinder. Our ad music is by Build Buildings.
Special thanks to Aurelius Value Blog, Patrick Traynor, Robert Xiao, Joseph Cox, James Brown, and the California Department of insurance.
If you want to hear more about Joseph Cox’s story about the bounty hunter, Joseph has his own podcast called Cyber where they did a follow up episode with more of his reporting. Go check it out.
Matt Lieber is this guy the free samples of fudge you get on the boardwalk by the beach.
You can listen to the show on Spotify, iTunes, or wherever you get your podcasts. Thanks for listening. See you in two weeks.
Latest from Reply All
Latest Gimlet Episodes