Wireless providers are aggressively collecting and reselling your usage data. And a lot of what they do remains secret.
November 8, 2012  |

Photo Credit: Shutterstock.com/Lasse Kristensen

  CIVIL LIBERTIES

Have you ever lost your mobile phone and been able to find it through your wireless company’s GPS tracking service? Or have you signed up for a family locator program to check on where your kids are through their phones? If so, you’ve voluntarily entered the world of telco tracking. Unfortunately, these are but the most innocent tracking programs that wireless companies like AT&T and Verizon are engaged in.

Every seven seconds or so, one’s wireless company tracks your position vis-à-vis the nearest cell tower, determining not only your location but how long your call lasts. What a phone company does with this data, let alone with all the other information it gathers, remains the company’s secret.

Earlier this year, Rep. Ed Markey (D-MA) revealed that, in 2011, state and local law enforcement agencies had received approximately 1.3 million records from the nation’s wireless carriers. A wireless customer’s personal information provided to law enforcement entities is fairly comprehensive. It includes geo-locational or GPS data, 911 call responses, text message content, billing records, wiretaps, “ping” location and what are known as cell tower “dumps” (i.e., a carrier provides all the phones numbers of cell users that connect with a discrete tower during a discrete period of time).

Equally insidious, these same wireless providers are aggressively collecting and reselling your usage data. The most widely used method is through a special GPS geo-location program offered by Carrier IQ known as CIQ.

Are You Being Tracked?

On October 10, Sen. Jay Rockefeller (D-WV) sent inquires to nine of the nation’s leading data brokers asking about their business practices. These companies aggregate and sell consumer information and include Acxiom, Datalogix, Epsilon, Experian, Rapleaf and Spokeo.

The senator should ask the same questions to the nation’s leading wireless providers.

* * *

“Data is the new oil,” declared Bill Diggins, a Verizon Wireless exec in charge of the telco’s latest data aggregation program, Precision Marketing Insights (PMI). Verizon, along with Sprint, introduced its initial device tracking service in 2007.

But PMI goes further.  According to Diggins: “We’re able to analyze what people are viewing on their handsets.” He offered the following example: “If you’re at an MLB game, we can tell if you’re viewing ESPN, we can tell if you’re viewing MLB, we can tell what social networking sites you’re activating, if you’re sending out mobile usage content that’s user-generated on video.”

Other wireless executives share Diggins’ enthusiasm for data collection. Sprint company spokesperson Stephanie Vinge Walsh champions the power of the telecos: “We think it’s a benefit to receive ads targeting your interests rather than ads which may not be relevant.”

Verizon’s PMI program allows it to collect user data from devices running on either an Android or an Apple OS (operating system).  According to Verizon, the data collected includes what products and services a consumer is using (e.g., device type, calling features and usage patterns), what apps are on the device and GPS location. In addition, it collects a host of demographic and psychographic information “such as gender, age range, sports fan, frequent diner, or pet owner.”

Further, the company acknowledges that all the collected information can be combined into “aggregated and marketing reports.” In turn, these reports can be sold to third-party entities like data aggregators and direct marketing firms. However, it insists: “We may combine this information in a manner that does not personally identify you.” Some reports indicated that Verizon provides a customer’s home address to third parties.

Diggins identified the company’s long-term goal as insinuating itself into a customer’s mobile wallet. “So we’re able to identify what that customer likes not by filling out forms but by actually analyzing what they do on a day to day basis and serve them with products we know they like because we’ve seen they’ve downloaded and purchased products like that.”

Pulling the curtain further aside, Diggins reveals the underlying rationale of Verizon’s data collection effort: “We’re doing this on a one-to-one basis even though we’re marketing on an aggregate anonymous because we’re able to just view everything they [users] do.”

Not to be undone, AT&T actively collects user data. It introduced its FamilyMap program to track the location of any cell phone on AT&T’s network in 2009. On its AdWorks site, AT&T promotes its capabilities to “reach customized audience segments based on anonymous and aggregate demographics.”

AT&T insists it doesn’t sell personal data to third parties. Rather, it offers “[third parties] products and services, packages, discounts and promotions from the AT&T companies, such as High Speed DSL Internet access, wireless service and U-verse TV services, which may be different from the types of services you already purchase.”

AT&T provides “location information” to Sense Networks, a company analyzing mobile location data for advertising. One of its products, CitySense, highlights local nightspots to customers based on cellphone usage.

“Because cell phones have become so ubiquitous,” notes Ramón Cáceres, a researcher at AT&T’s labs in Florham Park, NJ, “mining the data they generate can really revolutionize the study of human behavior.”

He described how, last year, AT&T undertook a study of the travel habits of wireless subscribers in the New York and Los Angeles regions. The company sifted through millions of call detail records (CDRs) from hundreds of thousands of customers in 891 separate zip codes areas.  It analyzed the origin and destination numbers, the type and duration of call and the location of the cell tower nearest to where the call was made.

A full report of AT&T’s research findings was not released. However, what was disclosed is illuminating as to how data collectors analyze customer behavior. It found that, on average, people living in Manhattan travel 2.5 miles most days, compared to five miles in Los Angeles. “But,” according to Cáceres, “we also found that when you look at the longest trips people make, people that live in New York go significantly further, 69 miles on a weekday compared to 29 in Los Angeles.”

The other two leading wireless providers, Sprint and T-Mobile, are also commercializing subscriber data. A T-Mobile spokesperson said it “collects information about the Web sites that customers visit and their location” and that it “may use that information in an anonymous, aggregate form to improve our services.”  T-Mobile employs the Carrier IQ program for GPS tracking. It does not provide information as to the third-party customers it provides user data.

Sprint provides customer data to third parties. Going further than either AT&T or Verizon, it lets advertisers target customized messages to a subscriber’s wireless phone. However, it insists that it does not provide third parties with customer’s site visit information or location data; it ended its relation with Carrier IQ last year.

One of the most intriguing areas in which wireless companies are working with third parties involves auto insurance. This may explain why AT&T conducted such extensive research into subscribers’ mobility habits. Sprint recently established the Integrated Insurance Solutions unit offering “usage-based insurance” data.

Sprint is working with Allstate’s unit, Esurance, on a pilot program in Arizona and Texas. It offers insurance companies a turnkey tracking solution, including the on-board car tracking device, the wireless connectivity to capture, send and record the data, and the program to evaluate the driver’s performance.

One of the major providers of such insurance is Progressive through its “Snapshot” program. Working with Sprint, it identifies the car’s Vehicle Identification Number (VIN), tracks the driver’s speed, time of day, location and braking patterns via a diagnostic device plugged into the car. Perhaps more insidious, it also records when the device is connected and disconnected from the vehicle.  Snapshot does not include GPS tracking technology, nor identify the vehicle’s location, nor whether the driver broke the speed limit.

According to a recent article in Reuters, “more than 30 North American insurers are looking at some sort of usage-based program.”

* * *

Tracking and personal privacy are growing concerns among Americans, yet a very grey area in the courts, Congress and the Obama administration. A recent study by UC Berkeley School of Law found Americans overwhelmingly believe data stored on their mobile phones is private. Nearly three out of five (59%) of respondents 18 to 65-plus said their phones were “at least as private” as their home computers and 19 percent believed their phones were more private than their home computers. 

The U.S. federal courts seem confused over cyber privacy. In January, the Supreme Court ruled in U.S. v. Jones that the police could not hide a tracking device in a suspect’s car without a valid warrant. More recently, the U.S. Court of Appeals for the Sixth Circuit (Cincinnati, OH) ruled the conviction of an alleged drug dealer should stand because there is no constitutional right to cellphone privacy; a custom “did not have a reasonable expectation of privacy in the data given off by his voluntarily procured pay-as-you-go cellphone.”

The Obama Justice Department has repeatedly come out in opposition to a customer’s privacy rights using a wireless services. As it noted in a case in February, “… a customer has no privacy interest in cell-site records, which are business records created and stored by a cell phone provider in its ordinary course of business.” It insists that Fourth Amendment prohibitions against “unreasonable” searches and seizures do not apply to a mobile device.

Both the progressive Electronic Frontier Foundation and the conservative Competitive Enterprise Institute have raised concerns about telco tracking. Both insist that the aggregation and sale of customer data by wireless companies might violate federal electronic privacy laws. Three statutes are sited: the Electronic Communications Privacy Act of 1986 (ECPA), the Communications Act of 1934 and the Cable TV Privacy Act of 1984. In particular, the cable law requires “prior written or electronic consent of the subscriber” before any personally identifiable information can be collected.

When Congress settles down in the wake of the 2012 election, the efforts of Sen. Rockefeller, Rep. Markey and others will likely focus a spotlight on cyber privacy like never before.

In the meantime, what can a wireless user do? Each of the major wireless providers offers customers various means to limit tracking.  Be advised that “opt out” procedures are not easy to find and challenging to implement. The following are good sites to start:

For more information on opt-out options and privacy rights regarding wireless devices, check out these resources.