(News / Editorial) Is location-data tracking the next big target for cyber criminals?

track location

Two reports reveal serious threat posed by having our movements constantly tracked by the mobile and Wi-Fi service industry

 

High net worth individuals, children and householders could all be at significant risk from cyber criminals targeting historic location data that has been collected by our mobile phone and Wi-Fi services providers.

Two independent reports conducted by Krowdthink, a privacy advocate and innovator in digital engagement, and Open Rights Group (ORG), the UK’s leading digital rights campaigners, have examined the contracts and practices of the mobile phone and Wi-Fi industry. Both reports highlight that consumers are unwittingly signing up to be location tracked 24/7 and that the highly sensitive data this generates is being used and sold on for commercial benefit. They conclude that consumers deserve to know and to not have their consent assumed.

The independent investigations reveal that mobile and Wi-Fi service providers are:

  • not telling customers upfront either in store at point of contract signature or online via their websites that all their movements will be tracked and historic location data will be used for marketing purposes and often sold to third parties;
  • hiding in the detail of their contracts that customers can indeed opt out of location tracking as well as the marketing and sharing of related data; and not making clear the means to opt out;
  • putting the customer communications focus on the need for location information to route calls and meet the requirements of government security legislation.

The investigations also highlight that:

  • Some public Wi-Fi service providers claim that they have to collect location data for security purposes, which is not the case as with mobile service providers;
  • anonymisation of data is opaque and questionable as a personal data protection tool;
  • unless customers know what to ask for when interrogating their mobile or Wi-Fi service providers about the location data they hold on them, they will never be any the wiser; and even when they do know, they don’t always get the information they have requested.

The reports follow a recent announcement by the Information Commissioner’s Office, the UK’s independent body set up to uphold information rights, that Wi-Fi service providers must notify device users of the potential for their data to be analysed before they begin to process their information. It also coincides with the introduction of the new EU General Data Protection Regulations this Spring. These are designed to compel organisations to be more transparent about how they collate and handle people’s personal data. Companies who fail to follow the new rules could face huge fines.

The mobile phone market industry in the UK is worth £14 billion, with 93% of adults owning a mobile phone, and 61% owning a smartphone2. Within this multi-billion pound industry, there is a fast-growing market in services and products created from the data that customers generate when we use our phones and log into public Wi-Fi. Data is used to build profiles that are used by advertisers and other undefined businesses.

Location data is collected from the cell towers of a mobile service provider when it tracks a customer to route a call to them. Such location data is becoming more and more precise with the move from 2G to 4G services, as more cell towers are needed to cope with changes in technology and density of usage. There are currently over 52,000 cell towers in the UK and in towns they can be 50m to 500m apart and in the countryside 2-5km.

The Krowdthink investigation also warns that Wi-Fi hotspots and Bluetooth beacons are potential location trackers, with many public Wi-Fi service providers specifically opting customers into location tracking by default in their privacy policies. Furthermore, it reveals that some Wi-Fi service providers, who are also mobile phone service providers, including O2 and Vodafone, use the same privacy policy for Wi-Fi as for their mobile phone customers, enabling them to track location through Wi-Fi and cell towers providing even greater fidelity of location tracking.

Krowdthink: They know where you are report

This looked into the practices of a number of mobile and Wi-Fi service providers:

O2 and Vodafone allow specific opt out of location tracking but customers remain opted in to marketing generally unless they separately express that desire with EE and 3 the customer has to make a call to opt out of marketing services, although it’s unconfirmed in writing that it also opts you out from location tracking only 3 explicitly states they do not share location data with third parties, although it is not clear if their advertising platform does so indirectly

Tesco, which is a Mobile Virtual Network Operator, a mobile service provider which runs over the infrastructure of 02, does not provide any indication that they track location through their mobile phone service, despite the fact that O2 collates location information, growing UK Wi-Fi service provider PurpleWiFi drive users to login via their social media accounts. They then explicitly require users to opt-in to have their precise movement tracked and correlated back to their social media account. PurpleWiFi also have all the user movement data since they started business 4 years ago!

Aquiva, a Wi-Fi service provider whose clients include airports, Premier Inn and Travelodge, make it difficult to opt out of location tracking by requesting information as to which Wi-Fi client the user first logged in on, which will be difficult for any individual to remember.

Open Rights Group: Cashing in on your mobile? report

ORG looked at the policies and contracts of the UK’s four main mobile providers: EE, O2, Vodafone and Three UK and analysed what information they gather, store, analyse and share. The report is also based on meetings with representatives from these companies and officials from the ICO. ORG’s supporters contacted their providers about these practices, requested copies of the data held about them and carried out mystery shopper visits to the companies’ front end shops in the high street to ask about personal data handling.

ORG’s report revealed:

Customers are not being given enough clear information about how their data is being used by their mobile providers.

Customers are not being given clear and easy ways to opt-out if they don’t want companies to use their data.

Companies could be breaking e-privacy law if they process traffic and location data without consent. The mobile phone companies that we spoke to say that they anonymise data, which means that they are not legally obliged to ask for consent to use it. But it appears that in some cases the data is not fully anonymised and should remain classed as personal information requiring consent for reuse.

Customers need to understand the risks if they are to give companies permission to use and share their data. But it is currently impossible for individuals to work out how effective anonymisation and pseudonymisation techniques are.

The law may not be fit for purpose in giving customers control over the risks associated with big data.

Companies and their clients are potentially getting value from data but it is not clear whether these benefits are being shared with mobile phone customers.

PROTECTION AGAINST BEING LOCATION TRACKED

Following the publication of the reports, Krowdthink and ORG have joined forces to launch https://optmeoutoflocation.com/ to encourage the British public to demand that mobile and Wi-Fi service providers are explicit about what they are asking their customers to opt into and provide clear choices for opting out. The campaign also offers guidance regarding minimising location tracking possibilities

Chief Editor of DroidHorizon. I own a few different devices at the minute and enjoy writing reviews and sharing what I think is cool. You can often find me playing Playstation 4 or sprawled across the couch with headphones on (maybe with a nice beer or gin & tonic in-hand)

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.