Did you get a Valentine’s Day text message on November 7? If so, you can blame a company called Syniverse, which provides text-messaging services to major mobile carriers.
Syniverse helps deliver text messages via its intercarrier messaging service and boasts that it is “Connected to more than 300 operators” and processes 600 billion messages per month.
Syniverse says it delivers 99.8% of messages within one second. But a server failure caused many messages—exactly 168,149, according to The Washington Post—to be delivered nearly nine months late. (Update: Syniverse later acknowledged that the actual number of late messages was higher, but isn’t saying exactly how many there were. See the update later in this article for more.)
“The texts appeared to be sent or received from cellphones with different operating systems and a wide range of carriers, including Sprint, T-Mobile, AT&T, and Verizon,” the Post noted yesterday.
The incident highlights how mobile carriers aren’t the only companies handling your text messages. As the Post story says:
Jon Callas, a senior technology fellow with the American Civil Liberties Union, said text messaging technology is “an incredible mess of software,” in which multiple intermediary parties stand between users and carriers. That structure has the potential to create a number of privacy and security issues when a third-party vendor encounters glitches or has its data compromised.
Server failed, was reactivated 9 months later
Syniverse acknowledged its screwup in a statement posted on its website yesterday. In short, a Syniverse server failed on February 14, 2019, causing messages that were in the queue to go undelivered. For some reason, Syniverse didn’t reactivate the server right away or even for many months afterward. The server was reactivated just yesterday, causing those 168,149 months-old messages to be sent.
Syniverse also explained how its system is supposed to work, at least when a server doesn’t go dormant for nine months:
Messages that cannot be delivered immediately are temporarily stored between 24 to 72 hours depending upon each mobile operator’s configuration. During this time, multiple delivery attempts are made. If the message remains undeliverable after the specified time, the message is automatically deleted by Syniverse.
For all messages, the content of the message is deleted, and only the metadata for the message is stored for 45 days. Messaging metadata includes the operator and device identification information. We retain the metadata for billing and reporting purposes only.
Obviously, Syniverse’s statement that messages are stored only for 24 to 72 hours didn’t hold true in this case, in which the inactive server held messages for nearly nine months before delivering them.
Syniverse’s statement explained that “On Feb. 14, 2019 a server failed, and messages were in queue at the time. When the server was reactivated on Nov. 7, 2019 messages in the queue were released.”
That’s all Syniverse said in the statement on its website. We asked the company several questions about what caused the server failure, why the server wasn’t reactivated until nine months later, and about what security measures were in place to protect messages on the server. We also asked for a breakdown of how many messages were sent on each carrier. We’ll update this article if we get a response.
According to the Post, Syniverse said that regular maintenance is what caused the previously unsent messages to be delivered yesterday. Apparently, that regular maintenance wasn’t done on the server at any time between mid-February and yesterday.
“While the issue has been resolved, we are in the process of reviewing our internal procedures to ensure this does not happen again, and actively working with our customers’ teams to answer any questions they have,” Syniverse told the Post.
Update at 4:11pm EST: Syniverse deleted its original statement and posted a new one, which says that the number of text messages sent nine months late was actually more than the 168,149 originally reported by the company. But Syniverse isn’t saying how big the actual number is. Syniverse explained:
Earlier we released preliminary data that was based on information available at the time. As we’ve pursued additional analysis and review, we have determined that the initial number of person-to-person (P2P) messages released is higher than initially reported. We are continuing to work with customers to understand and communicate the scope of the incident and apologize for this inaccuracy. To reiterate, this matter is resolved. No additional old P2P text messages have been or are being sent as a result of this incident.
Texts cause confusion and anguish
The re-sent texts caused confusion for many people, and anguish for some recipients who received messages from or about people who had died between February 14 and this month.
“[O]ne person said they received a message from an ex-boyfriend who had died; another received messages from a best friend who is now dead,” The Verge reported yesterday. The Verge also quoted a California woman named Barbara Coll, who “said she received an old message from her sister saying that their mom was upbeat and doing well. She knew the message must have been sent before their mother died in June, but she said it was still shocking to receive.”
“I haven’t stopped thinking about that message since I got it,” she said.
https://arstechnica.com/?p=1599059