27k unique visitors in the last 3 days

Why Is ChatGPT Giving HLR Data about Your Phone to Anyone Who Asks for It?

OpenAI has made it easy for anyone to get HLR data for free without questioning if they have a legitimate need for it.

For this article, I want to focus on two words that the global communications industry does not like to talk about: legitimate interest. And I want to make this article personal, relating it to the concerns that we all have as human beings. I want to do this in case follow-on articles get drawn into any potential dissembling or obfuscation by OpenAI, a USD300bn business founded by Sam Altman (pictured), a billionaire who spends a lot of time telling world leaders about how to write laws that will determine the future of data and automation.

Having a legitimate interest matters. There are many violations of privacy by people who have no legitimate reason to access personal data. Regular readers know about the growing concern surrounding access to data maintained by comms providers. Despite a lot of circumstantial evidence to the contrary, people keep pretending that no laws have ever been broken when businesses look up data from Home Location Registers (HLRs), those familiar old databases that every mobile operator needs. There are legitimate reasons to interrogate HLR data. But not every reason to interrogate this data will be legitimate. Here are a few motives that would not be legitimate.

  • A criminal wants to know your location so they can steal from your home when you are away, or to pinpoint where to send your murderers, as was the case with the assassination of Mexican journalist Fredid Román Román.
  • A criminal wants to know which telco is providing the service for your mobile number so they can contact your telco and persuade them to perform an unauthorized SIM swap.
  • A criminal wants to perform a spearphishing attack on you, and they first seek confirmation that they have a number for you which is capable of receiving the SMS message they will use to instigate the attack.

So the questions I want to ask every reader are as follows.

  • How do you feel about anyone in the world being able to use ChatGPT to query the HLR data for your phone number? Or for your child’s phone number?
  • How do you feel about this data being supplied to anybody free of charge?
  • How do you feel about this data being supplied without anybody questioning if the recipient of the data has a legitimate interest?

Studies indicate approximately 5% of human beings exhibit sociopathic traits. I sometimes wonder if that ratio is higher for the people I meet in the communications industry. My experience certainly fits with the empirical observation that psychopathy is more common amongst people at the top of businesses. We all have phones but when I have spoken to decision-makers in this industry they have often behaved as if the bad things that this industry enables could not possibly happen to them as individuals, or to anyone they care about. That is why I feel the need to make this article about your phone, your safety, and the safety of your child, if you have one. Ignore the amount your employer pays you for your part in exploiting this data. Put aside the legalistic shenanigans of amoral lawyers whose job is to win on behalf of their clients, even if it means society loses as a whole. I want you to think about how you feel about a series of businesses interacting with each other so that data stored in the HLRs of every mobile operator can be taken by another business, who then supplies it to OpenAI, so they can provide a free and simple interface that will supply that data to anybody anywhere. Is this a sensible way to run a planet? Is this a wise choice by our species?

To prove the point that any idiot can query HLR data about any phone, I logged on to ChatGPT and used it to obtain HLR data. It cost me nothing. It was quick and easy to do. And to be clear, I have no legitimate reason to obtain any of that data, except to prove it can be done. OpenAI created a custom ‘Telecom GPT’ interface for their large language model (LLM) that literally advertises the fact that it can perform HLR queries when you first access it. The interface does this by displaying an example phone number to query, as shown in the following screenshot.

And these are the results when you follow the prompt to execute this particular HLR lookup.

I could share examples of other numbers I queried but you now know the essential format of the output: country; national phone number format; international format; current telco; original telco; network type; ported status; roaming status.

The good news — as far as there is any — is that none of my queries yielded information about the roaming status. I used several gambits to trick the LLM into showing me any phone number where the roaming status had been determined. Every attempt failed, despite the LLM initially providing me with a list of those networks which…

…commonly return roaming status (roaming.status) as “roaming” or “not_roaming” in HLR responses

So the service is not leaking as much personal data as it initially suggests, although a more persistent cybersecurity researcher might spend longer challenging the LLM in order to prove me wrong.

Nevertheless, this is still a violation of the law. The data I obtained through these queries meets the definition of personal data per Europe’s General Data Protection Regulation (GDPR). Crucially, I had no legitimate interest that justifies my obtaining it. Nobody has a legitimate interest in supplying that data to me. Because I was interrogating an LLM, I could ask it how to interpret GDPR and the legality of what had just happened. These screenshots show how it responded, beginning with the question about whether the data is personal.

Next comes the matter of when it would be legal to supply HLR data.

So, we now have straightforward evidence that the law was broken because I was able to get data from HLRs without having a legitimate interest. The next step was to challenge the LLM about whether OpenAI was breaking the law by providing this data to me. The lawyers at OpenAI evidently anticipated this question and had trained their LLM accordingly.

That is an interesting dodge. Although I was interacting with a product developed and operated by OpenAI, there was no admission of responsibility as either a data controller or a data processor per the way those terms are defined in data protection law. The easiest way to shoot down that pretense would be to show that OpenAI had gained access to the data by entering into a contractual relationship. And the simplest way to do that would be to confirm that OpenAI is paying for the queries, because I certainly had not paid for them. The LLM was again able to dodge some of my follow-up questions by saying it did not know if OpenAI was paying for the data because that would require it to be trained with confidential contract information.

Instead of taking responsibility, OpenAI wanted me to focus on the company they obtained the data from, TelecomsXChange (TCXC). But I have no desire to tackle TCXC because bad actors typically win by hiding in the murk created by intermediaries. OpenAI would like to divert me to TCXC, then TCXC would send me on other diversions, and the goal of the exercise morphs from addressing a real public danger to finding ways to waste the time of anyone who asks uncomfortable questions about obvious illegality. The comms sector has a track record of failing to deal with ongoing risks by shifting responsibility so furiously that nobody is ever held accountable. The LLM even painted a ‘simplified’ picture to illustrate how responsibility for the flow of this HLR data is diffused in practice.

So instead of accepting the invitation to go on a wild goose chase, I continued to focus on OpenAI’s responsibility. The nexus of this responsibility was neatly summarized by the LLM.

And those key points really are key, as demonstrated by the next admission.

The LLM did then offer other suggestions for why OpenAI may not be breaking the law, beginning with the possibility that the law is not being broken if all the seeming HLR data it supplied was actually made-up bullshit. I doubt that will prove to be OpenAI’s ultimate defense, not least because I checked some phone numbers that I know about, and the lookups returned the correct information. That left the LLM with only one other way of excusing OpenAI, as captured in its summary conclusion.

The LLM then helpfully explained how I could seek to complain to various parties about the apparent wrongdoing. I chose to remain focused on OpenAI. Everybody should be held responsible for protecting ordinary people from harm, and that means OpenAI does not deserve a free pass when they so obviously seek to profit from the exploitation of data. So I acted on the LLM’s advice, and had it draft a letter of complaint to OpenAI’s Data Protection Officer (DPO). I read the initial draft then asked for it to be amended so that if the DPO argues that the legal reasoning in the letter is a load of bullshit then that means the output of ChatGPT is also a load of bullshit. You can see the complaint letter produced by the LLM at the bottom of this article.

The complaint has now been sent, and the DPO of OpenAI has one month to respond. I am not optimistic about obtaining an appropriate response. Most DPOs are weak. The USA is ruled by corporations that disrespect its meager privacy laws. Sam Altman is a man who openly says European consumer protection laws are treated as an ‘in joke’ within his company. Let us see if these particular issues, which are intimately connected to European privacy law, are taken seriously by the human employees of OpenAI, or if they will also resort to legalistic excuses for increasing the risk to you, me and everyone in the world. If OpenAI will not voluntarily end this abuse, then it is time for European data protection agencies to start prosecuting data controllers and data processors who exploit HLR data while pretending not to be data controllers nor data processors.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email