Two reports by privacy campaigners into mobile and Wi-Fi services' location tracking activities have revealed practices of questionable legality and security.
The studies found that “at best, companies are fulfilling the minimal legal requirements, and at worst could be breaking the law and breaching our right to privacy.”
The collection and exploitation of traffic and location data is detailed in two reports which are published today. The Open Rights Group (ORG) has provided a 44-page inquiry titled “Cashing in on your mobile?” (PDF), which reports on “how phone companies are exploiting their customers' data.”
This is accompanied by a 32-page investigation “into the contracts, policies and practices of mobile and Wi-Fi service providers in relation to location tracking” by privacy campaigners Krowdthink, titled “They know where you are” (PDF).
Pairing up, the advocacy groups have launched Opt Me Out Of Location “to encourage the British public to demand that mobile and Wi-Fi service providers are explicit about what they are asking their customers to opt into and provide clear choices for opting out.”
The groups claim that “high net worth individuals, children and householders could all be at significant risk from cyber criminals targeting historic location data that has been collected by our mobile phone and Wi-Fi services providers.”
UK service providers
The investigations, which were carried out independently from each other, allege that consumers are “unwittingly signing up to be location tracked 24/7” and are unaware that “the highly sensitive data this generates is being used and sold on for commercial benefit.” There is, they suggest, a clear incentive for companies to stand by this opt-out model, as analysing customers' data provides an additional source of revenue on top of subscriptions.
Krowdthink reported on the practices of specific mobile and Wi-Fi service providers, noting that of the Big Four mobile providers, only Three explicitly states that it does not share location data with third parties, “although it is not clear if their advertising platform does so indirectly.”
O2 and Vodafone both allow customers to opt out of location tracking, but customers remain opted in to marketing communications unless they expressly ask to be opted out of those too. EE and Three require a call to opt out of marketing services, “although it's unconfirmed in writing that it also opts you out from location services.”
The ORG looked through the Big Four's policies and contracts, and met with representatives from those companies, before finding that customers were not “given enough clear information” about the use of their data, and that the opt-out mechanisms were unclear and difficult.
Krowdthink cited provider Purple WiFi as “interesting” as it “drive[s] users to login via their social media accounts. They then explicitly opt-in users by default to have their precise movements tracked and correlated back to their social media account, they even have real-time access tools as seen above.”
US service provider Verizon was fined $1.35m for injecting its subscribers' HTTP requests with a “unique identifier token header” which identified them for marketing purposes.
While it is not alleged that providers in the UK are engaging in similar mischief, the ORG noted that behavioural data “collected by apps, web browsing, monitoring and mobile companies via mobile commerce platforms” is entered “into a very complex global ecosystem of marketing platforms that try to match potential consumers with the sellers of products.”
The ORG included a diagram “kindly made publicly available by Luma Partners” which “gives an excellent overview of the complexity of the mobile advertising industry.”
Diagram made public by Luma Partners © 2016.
The collection of customer data is defended on service and business intelligence grounds; however, its transmission to third parties and marketers is consistently challenged. Retail outlets are regular customers for the analytics that mobile companies run on their subscriber data.
The ORG reported that companies approach the legal justification for analytics differently. Notable was O2, which did not offer any means to opt out of its analytics platform, but instead suggested that as its customers' data was anonymised there was no legal requirement to provide a mechanism for doing so.
“For most types of low dimensional data, anonymisation is in fact quite a good security tool,” reported Krowdthink, but “location data is high dimension data and is thus much harder to anonymise,” it continued:
[The] problem with anonymisation is that the better the anonymisation, the better our privacy protection, but the worse the data set becomes as an informational source.
The ORG report said: “A person’s location trace over a long period of time is completely unique and very hard to properly anonymise. The risks of re-identification of location data are potentially higher than for other forms of data.”
The digital pressure group stated that “industry claims that consent is not required because data is anonymised are hard to justify for location data”, citing a 2013 paper from MIT showing that “four cell points in a mobile trace are enough to uniquely identify 95 per cent of the individuals in a sample of 1.5 million people”.
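The re-identification risk described above can be measured on a data set before it is released. The following is an added example, not code from either report or from the MIT paper: it computes the share of p-point samples that match exactly one pseudonymous trace (a measure often called unicity) on constructed synthetic traces, before and after coarsening cells and hours. All function names, parameters and the sample data are assumptions made for illustration.

```python
import random

# Constructed sample data: pseudonymised traces as sets of (cell_id, hour) points.
# No names or phone numbers are present, only an opaque user key.
def synth_traces(n_users=300, n_cells=40, n_hours=24 * 7, points_per_user=60, seed=1):
    rng = random.Random(seed)
    traces = {}
    for uid in range(n_users):
        # Each user keeps returning to a small set of "home" cells.
        home = rng.sample(range(n_cells), 4)
        traces[f"u{uid}"] = {
            (rng.choice(home), rng.randrange(n_hours)) for _ in range(points_per_user)
        }
    return traces

def candidates(traces, known_points):
    """Pseudonyms whose trace contains every known (cell, hour) point."""
    known = set(known_points)
    return [uid for uid, trace in traces.items() if known <= trace]

def unicity(traces, p, trials_per_user=5, seed=2):
    """Fraction of draws of p points from a trace that match exactly one pseudonym."""
    rng = random.Random(seed)
    unique = total = 0
    for uid, trace in traces.items():
        if len(trace) < p:
            continue  # trace too short to draw p distinct points
        for _ in range(trials_per_user):
            sample = rng.sample(sorted(trace), p)
            unique += candidates(traces, sample) == [uid]
            total += 1
    return unique / total if total else 0.0

def coarsen(traces, cell_group=4, hour_group=6):
    """Generalise space and time, a common anonymisation step for analytics."""
    return {uid: {(c // cell_group, h // hour_group) for c, h in t}
            for uid, t in traces.items()}

if __name__ == "__main__":
    raw = synth_traces()
    for label, data in (("raw", raw), ("coarsened", coarsen(raw))):
        print(label, [round(unicity(data, p), 2) for p in (1, 2, 3, 4)])
```

Running it prints unicity for one to four known points on the raw and the coarsened traces, which shows the trade-off Krowdthink describes: coarsening lowers unicity only by discarding the spatial and temporal detail that makes the data useful.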
Spooks and snooping
Krowdthink reported that Wi-Fi providers did not understand that there is no legal duty for them to collect information on their users' browsing habits, even though one such provider “sits on a Home Office committee for RIPA conformance alongside the likes of MI5.”
The privacy campaigners said:
RIPA [the Regulation of Investigatory Powers Act 2000] has never explicitly required public Wi-Fi vendors to maintain location tracking information. RIPA has only ever related to telecommunications providers as per the EU Directive – a Wi-Fi provider is not a telecommunications provider, they are a gateway to a telecommunications provider.
RIPA is wholly focused on cell site triangulation data and call metadata. There was an attempt in 2014/15 under DRIP to bring Wi-Fi tracking in, but it was explicitly struck out in 2015 as DRIP was struck down. One obvious reason is this – if anyone with a hotspot opened it up for public access they’d suddenly become subject to RIPA and be required to maintain this data and deliver it to the security authorities. As every mobile phone can be used in this way it would make every citizen potentially liable.
Krowdthink pondered why the COO of one public Wi-Fi provider was adamant that this data retention – which has been “explicitly struck down” – was a legal requirement. It suggested that “to a public Wi-Fi provider, a RIPA requirement may help them feel justified in also collecting revenue from the collated data as they have to take the cost burden of collection.”
Three refused to comment. EE had not responded to our request for a comment by the time this story was published, while Purple WiFi had not supplied a comment by the time of publication.
Jo Blazey, Vodafone UK's privacy counsel said: “Vodafone UK does not use location data for marketing purposes without customers’ opt-in consent.”
“We have been looking at how mobile location data can be used to help organisations such as local councils improve infrastructure or public services, for example,” she continued. “This is not about individuals, it is about overall patterns and the data is anonymised and aggregated. We do not provide any third party with any information that would enable them to identify any individual by name or mobile number, access any personal information or contact an individual, unless required to do so by law.”
An O2 spokesperson said: “As a telecommunications provider, our service requires us to know the location of our customers in order to enable connectivity to our network. This is not to be confused with ‘tracking’ the movements of our customers. We do not sell individual customers' location data to third parties. We provide each customer with a contract summary sheet listing of key terms of their contract, set out in a prominent, clear and intelligible manner. We are the only network operator that references how we use a customer’s information in the summary sheet – we recognise it's one of the most important provisions of the agreement.”
Responding to the suggestion that telcos made it “less than obvious how to opt out of location tracking and associated commercial marketing data usage”, the O2 spokesperson continued: “The legal and regulatory framework within which we operate guides our activity,” adding: “In addition to the controls available to customers for particular campaigns and apps, our terms and conditions and website state that customers can dial 1300 from their mobile to manage their preference for location-based services.” ®