NYT on T-Mobile, Verizon & AT&T's location tracking and location data retention

Caspar Bowden (travelling private e-mail) tharg at gmx.net
Sun Mar 27 19:19:45 BST 2011


It's Tracking Your Every Move and You May Not Even Know
Published: March 26, 2011

A favorite pastime of Internet users is to share their location: services
like Google Latitude can inform friends when you are nearby; another,
Foursquare, has turned reporting these updates into a game.

Michael Löwa for The New York Times

But as a German Green party politician, Malte Spitz, recently learned, we
are already continually being tracked whether we volunteer to be or not.
Cellphone companies do not typically divulge how much information they
collect, so Mr. Spitz went to court to find out exactly what his cellphone
company, Deutsche Telekom, knew about his whereabouts.

The results were astounding. In a six-month period - from Aug 31, 2009, to
Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and
latitude coordinates more than 35,000 times. It traced him from a train on
the way to Erlangen at the start through to that last night, when he was
home in Berlin.

Mr. Spitz has provided a rare glimpse - an unprecedented one, privacy
experts say - of what is being collected as we walk around with our phones.
Unlike many online services and Web sites that must send "cookies" to a
user's computer to try to link its traffic to a specific person, cellphone
companies simply have to sit back and hit "record."
"We are all walking around with little tags, and our tag has a phone number
associated with it, who we called and what we do with the phone," said Sarah
E. Williams, an expert on graphic information at Columbia University's
architecture school. "We don't even know we are giving up that data."

Tracking a customer's whereabouts is part and parcel of what phone companies
do for a living. Every seven seconds or so, the phone company of someone
with a working cellphone is determining the nearest tower, so as to most
efficiently route calls. And for billing reasons, they track where the call
is coming from and how long it has lasted.

"At any given instant, a cell company has to know where you are; it is
constantly registering with the tower with the strongest signal," said
Matthew Blaze, a professor of computer and information science at the
University of Pennsylvania who has testified before Congress on the issue.

Mr. Spitz's information, Mr. Blaze pointed out, was not based on those
frequent updates, but on how often Mr. Spitz checked his e-mail.

Mr. Spitz, a privacy advocate, decided to be extremely open with his
personal information. Late last month, he released all the location
information in a publicly accessible Google Document, and worked with Zeit
Online, a sister publication of a prominent German newspaper, Die Zeit, to
map those coordinates over time.

"This is really the most compelling visualization in a public forum I have
ever seen," said Mr. Blaze, adding that it "shows how strong a picture even
a fairly low-resolution location can give."

In an interview from Berlin, Mr. Spitz explained his reasons: "It was an
important point to show this is not some kind of a game. I thought about it,
if it is a good idea to publish all the data - I also could say, O.K., I
will only publish it for five, 10 days maybe. But then I said no, I really
want to publish the whole six months."
In the United States, telecommunication companies do not have to report
precisely what material they collect, said Kevin Bankston, a lawyer at the
Electronic Frontier Foundation, who specializes in privacy. He added that
based on court cases he could say that "they store more of it and it is
becoming more precise."

"Phones have become a necessary part of modern life," he said, objecting to
the idea that "you have to hand over your personal privacy to be part of the
21st century."

In the United States, there are law enforcement and safety reasons for
cellphone companies being encouraged to keep track of its customers. Both
the F.B.I. and the Drug Enforcement Administration have used cellphone
records to identify suspects and make arrests.
If the information is valuable to law enforcement, it could be lucrative for
marketers. The major American cellphone providers declined to explain what
exactly they collect and what they use it for.
Verizon, for example, declined to elaborate other than to point to its
privacy policy, which includes: "Information such as call records, service
usage, traffic data," the statement in part reads, may be used for
"marketing to you based on your use of the products and services you already
have, subject to any restrictions required by law."
AT&T, for example, works with a company, Sense Networks, that uses anonymous
location information "to better understand aggregate human activity." One
product, CitySense, makes recommendations about local nightlife to customers
who choose to participate based on their cellphone usage. (Many smartphone
apps already on the market are based on location but that's with the consent
of the user and through GPS, not the cellphone company's records.)
Because of Germany's history, courts place a greater emphasis on personal
privacy. Mr. Spitz first went to court to get his entire file in 2009 but
Deutsche Telekom objected.

For six months, he said, there was a "Ping Pong game" of lawyers' letters
back and forth until, separately, the Constitutional Court there decided
that the existing rules governing data retention, beyond those required for
billing and logistics, were illegal. Soon thereafter, the two sides reached
a settlement: "I only get the information that is related to me, and I don't
get all the information like who am I calling, who sent me a SMS and so on,"
Mr. Spitz said, referring to text messages.

Even so, 35,831 pieces of information were sent to him by Deutsche Telekom
as an encrypted file, to protect his privacy during its transmission.

Deutsche Telekom, which owns T-Mobile, Mr. Spitz's carrier, wrote in an
e-mail that it stored six months' of data, as required by the law, and that
after the court ruling it "immediately ceased" storing data.

And a year after the court ruling outlawing this kind of data retention,
there is a movement to try to get a new, more limited law passed. Mr. Spitz,
at 26 a member of the Green Party's executive board, says he released that
material to influence that debate.

"I want to show the political message that this kind of data retention is
really, really big and you can really look into the life of people for six
months and see what they are doing where they are."
While the potential for abuse is easy to imagine, in Mr. Spitz's case, there
was not much revealed.

"I really spend most of the time in my own neighborhood, which was quite
funny for me," he said. "I am not really walking that much around."

Any embarrassing details? "The data shows that I am flying sometimes," he
said, rather than taking a more fuel-efficient train. "Something not that
popular for a Green politician."

This article has been revised to reflect the following correction:

Correction: March 26, 2011

An earlier version of this article misstated Malte Spitz's partner in the
mapping project. He worked with Zeit Online, not Die Zeit. Zeit Online is a
sister publication of Die Zeit.
A version of this article appeared in print on March 26, 2011, on page A1 of
the New York edition.

More information about the ukcrypto mailing list