back to article Brits' phone tracking, web history touted to cops: The TRUTH

Pollster Ipsos MORI is under fire for touting data on millions of EE customers - from their whereabouts to their browser history - to anyone with a chequebook, including London's Metropolitan Police. The Met shelved the deal when the Sunday Times learned of the mass info flogging. But private companies have been buying the …

COMMENTS

This topic is closed for new posts.
  1. Jack Project

    The surprising thing about this for me is that I was actually surprised they would do this.

    1. Yet Another Anonymous coward Silver badge

      The surprising thing is that anybody would be surprised that they would do this

    2. Anonymous Coward
      Anonymous Coward

      The surprising thing for me is when people were criticising Google and Apple about location tracking, where, when they didn't ever really do it, but when the telephone companies have always unashaedly collected, catalogued (indexed) and stored every conceivable bit of information about your location data, telephone calls and text messages. I have personally met individuals (at tech finance conventions) who claim they can do background checks on anyone and obtain any of this data for any individual. ANYONE AND EVERYONE. People don't understand this is standard practice for rich investors before they make an investment. The tech community have shown a questionable sense of priority in their outrage over privacy matters.

    3. LarsG
      Meh

      If

      They want to use my data I have no problem, so long as they pay me £100 each time for the privilege.

      1. Crisp

        Re: If

        It's not your data though is it? It's theirs. But I get your point. They are making money indirectly from you paying for a service. Rather than make you pay through the nose for the service, they could be using this money to lower your bill.

        Maybe you'll see a lower bill in future as EE now has alternate revenue streams.

        (Yeah, I had trouble keeping a straight face when I was typing that)

  2. Magister

    Personal Information

    >>The suggestion that we sell the personal information of our customers to third parties is misleading to say the least.<<

    There is an issue here about what constitutes "personal information". Most people would agree that things such as bank details, etc are personal details that should be carefully protected. But when we go about our daily lives, there seems to be an assumption that where we go is not "personal information" and is therefore the property of any organisation that choose to collect and collate such data.

    However, there is an argument that such information should be more carefully protected. For example, I attend a particular hospital once a month; and the analysis might well suggest that I'm going to the VD clinic. (The place I go to is next door; but doesn't show on the map) If a business such as an insurance firm were to take that info and then use it to suggest that I am a high risk, then that most people would accept that to be a clear violation of my personal information.

    Of course if I found out that this was happening, I could then legally sue for reparations; but the onus would be on me to uncover the data breach, prove that they were at fault in court and then show that I had suffered as a result of that. Not always possible or easy.

  3. thesykes

    Simple solution

    Pop down the local supermarket, pick up a sim pack for anything between free and a fiver, get a paygo voucher and top up.

    No registration with any carrier, just an anonymous phone.

    1. Chris Miller

      Re: Simple solution

      But if you can access the records of a specific phone, it isn't difficult (in most cases) to work out where the owner lives and where they work. Not very anonymous now, is it?

      1. Anonymous Coward
        Anonymous Coward

        Re: Simple solution

        "it isn't difficult (in most cases) to work out where the owner lives and where they work."

        true... although all they could tell is that someone with a mobile phone lived somewhere nearby. I could stand in the middle of just about every street in every town and city and point at a handful of houses and be quite confident that someone in one of those houses had a mobile phone. Likewise for every office block, factory or shop.

        They may tell someone is there, but, not who.

        1. Anonymous Coward
          Anonymous Coward

          Re: Simple solution

          " I could stand in the middle of just about every street in every town and city and point at a handful of houses and be quite confident that someone in one of those houses had a mobile phone"

          But how many of those people you are pointing at work in exactly the same area, and also visited Tesco at 8:14, where you were seen paying by credit card and on CCTV and later vistied the Shell petrol station where you also paid by credit card and were caught on CCTV.

          May not be as easy as saying "where was Joe Bloggs at 15:25 on Tuesday" but if you are a suspect then they know who you are anyway.

      2. Mr Spigot

        Re: Simple solution

        But you can't access a specific phone from the data being sold, that's the point.

        It's still pretty anonymous, since the data is aggregated. You might be able to find out how many phones at the Google office go to Southgate at night, but not the address to which each individual phone went. As the article says the data is in blocks of 50, you could presumably work out that at least 50 Google employees live in Southgate. It's a bit of a leap from that to suggest they aren't paying income tax, but I think it's assumed. And why live in Southgate? You'd need a good reason.

    2. An0n C0w4rd

      Re: Simple solution

      You forgot to mention that you should pay by cash.

      Also, don't use a phone with GPS as there is allegedly a way for the operator to send a query to the phone to get its GPS co-ordinates (if GPS is enabled)

      Or just give up and realise that your right to privacy is a myth.

      1. Anonymous Coward
        Anonymous Coward

        Re: Simple solution

        Privacy is a myth, although I have found a better method.

        Sign up to O2, the signal is so bad around here, they'd never be able to trace me even if they wanted to.

    3. jonathanb Silver badge

      Re: Simple solution

      If that anonymous SIM stays overnight at a particular place, spends its working hours at another place, visits particular shops and so on, it can be correlated with other information to figure out who you are.

      1. Anonymous Coward
        Anonymous Coward

        Re: Simple solution

        Go live in the countryside, there will only be one mast with which they will struggle at best to triangulate the signal.

        Althrough you would have to take the battery out if you don't live there and plan on coming back to civilization.

        Posted as AC for obvious reasons.

    4. Anonymous Coward
      Anonymous Coward

      Re: Simple solution

      A few visits to your home, work and one or two places with CCTV would strip most of your anonymity, with the call, text and browsing data polishing off the rest. Unless you're prepared to use multiple phones and switch them on and off according to location, and similarly slice up your call list and avoid checking email, something's going to point to you eventually.

      It never ceases to amaze me how few activities it actually takes to define you as quite unique to an observer.

      1. Anonymous Coward
        Anonymous Coward

        Re: Simple solution

        I'm not sure if you're replying to me or the guy above me, but you do realise I was speaking from a point that by paying for your phone using CASH and only using PAYG they still wouldn't have it easy with my habits, I typically remove cell batteries on a regular basis and rotate my phone usages. If they only see myVPN.com as a website used via a PAYG phone in the sticks, good luck making any head tail (or foot even) sense of that!

  4. LesPaulCustom

    Long spoons required

    The Sunday Times alleges that MORI were offering individuals' data - presumably from their own sources linked to the EE stuff. Between 80 and 95% of individuals can be identified from anonymised blocks in any case so it's all a disengenuous. Simple answer is never sign up for any marketing material ever again and don't take part in any market research. They must have thought they had something to selll.... smells like a duck to me!

  5. Lxbr

    Need details

    It's well know that anonymized (or pseudonymized) data can be de-anonymized if enough data points can be correlated with existing known data. So we really need details of what data EE sold to MORI - how was the data anonymized, how was it grouped together in these blocks?

    1. Vimes

      Re: Need details

      http://www.bigbrotherwatch.org.uk/home/2013/05/everything-everywhere-ipsosmori-and-the-mystery-of-27m-peoples-data.html

  6. Ian 62

    Its not very anonymous is it..

    This 'anonymous' record is at this address from 6pm till 7am every week day.

    This 'anonymous' record is at this address on the banks of the Thames.

    This 'anonymous' record met this 'anonymous' record at the offices for the News of the World

    On sundays this anonymous record travels from this address to the address of Madam Whiplash between 5pm and 11pm.

    1. Justice
      Trollface

      Re: Its not very anonymous is it..

      HOW DO YOU KNOW WHAT I WAS DOING?!?

      My career as an MP is over.

      :(

      1. wowfood
        Trollface

        Re: Its not very anonymous is it..

        Not yet it isn't, you can still fight this out in court. Just remember to put the lawyers down on expenses.

        1. hplasm
          Happy

          Re: Its not very anonymous is it..My career as an MP is over.

          No it isn't- it's going pretty much as people expect!

        2. streaky
          Black Helicopters

          Re: Its not very anonymous is it..

          Don't bother with civil court. By "legal" people mean under the DP act, but under section 1 of RIPA they have committed a criminal offence punishable by time in prison. As an EE customer, I'm a victim of this crime and will make this known to the police when I've collected enough evidence.

          1. Anonymous Coward
            Anonymous Coward

            Re: Its not very anonymous is it..

            As an EE customer, I'm a victim of this crime and will make this known to the police when I've collected enough evidence

            And even then, don't be surprised to get the response, "It's not in the public interest to prosecute or bring charges" We've heard it before with Phorm.

            Now where's my vomit bucket.

            1. streaky
              Terminator

              Re: Its not very anonymous is it..

              "We've heard it before with Phorm"

              That's what the IPCC is supposed to be for. With Phorm the person concerned didn't push it far enough, got some wishy-washy response about data protection act. Completely missed the boat.

              I wasn't a victim of that crime so I wasn't in a position to do anything about it.

    2. Conrad Longmore

      Re: Its not very anonymous is it..

      AOL did something similar a few years ago, and it was demonstrated that a large number of users could be identified by this so-called anonymous data..

      https://en.wikipedia.org/wiki/AOL_search_data_leak

    3. CmdrX3

      Re: Its not very anonymous is it..

      ...and very good.."Ouch!! thank you Miss".. Madam Whiplash is too. She even.. "Ouch!!! Thank you Miss" ...has a rather excellent... "Ouch!!! Thank you Miss" ...wifi connection at her location.

  7. dephormation.org.uk
    Big Brother

    This is all entirely legal ?

    No its not.

    Not without consent of both parties to the communications, per The Regulation of Investigatory Powers (Monetary Penalty Notices and Consents for Interceptions) Regulations 2011... which (in the light of the Phorm affair) supposedly made it unambiguously illegal to intercept and disclose the content of communications without explicit consent from BOTH parties.

    It it *not* legal.

    See www.legislation.gov.uk/uksi/2011/1340/made

    1. wowfood

      Re: This is all entirely legal ?

      it's probably hidden in the fine print that the contract folks don't give you time to read.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is all entirely legal ?

        A contract does not, and cannot, trump law.

        1. Anonymous Coward
          Anonymous Coward

          Re: This is all entirely legal ?

          "A contract does not, and cannot, trump law."

          Unless said contract specifically says that in agreeing to it you also agree to letting the vendor sell on your details. The law only says they have to ask your permission and you have to agree to it, not that it's illegal to sell it per se.

          1. streaky
            Coffee/keyboard

            Re: This is all entirely legal ?

            Sorry I replied to somebody else pointing out that under RIPA a criminal offence has apparently been committed. There's no contract terms that get them out of this. You can't write contract terms that absolve you things like this - RIPA exceptions are on a per-communication basis, they don't work with whole-scale data mining of communications over a public network. It's illegal, nothing more to it.

            Put it this way, the police need a warrant, and so do MI5, think of a reason some random company wouldn't given that the government could just farm this crap out to ISPs.

            Put it another way. If they recorded all your phone calls, and had some small print that said "we may record all your phone calls" - do you think it would be legal? RIPA treats phone calls the same as internet traffic, emails, snail mail etc.

            1. Peter Fairbrother 1

              Re: This is all entirely legal ?

              I agree, a contract would not trump RIPA - but no offense under RIPA has been committed. Here is section 2, subsection 5 of RIPA:

              "References in this Act to the interception of a communication in the course of its transmission by means of a postal service or telecommunication system do not include references to—

              (a) any conduct that takes place in relation only to so much of the communication as consists in any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted; "

              If the data you are giving out is "traffic data" (as defined elsewhere in RIPA, see my next post) then giving it out is not interception, and therefore is not an offense under RIPA.

              1. streaky
                Facepalm

                Re: This is all entirely legal ?

                The only traffic data relevent to the communication system is IP addresses, and there's no requirement to *store* it for the purposes of transmitting it. A postal worker can read the name/address off the front of a letter. They don't open the letter to see where it needs to go then record that information for all customers and try to flog it to the Met.

                You do see the difference right? A system needs to see telephone numbers to route calls, it doesn't need to know who you're specifically calling at the other end, and what about.

                Not for nothing but this stuff is all copy/pasted from the telecommunications act, the same intent applies. Criminal complaint update: looking for more proof this happened and a police force that isn't the Met near London.

    2. Ben Tasker

      Re: This is all entirely legal ?

      supposedly made it unambiguously illegal to intercept and disclose the content of communications without explicit consent from BOTH parties.

      But the communication isn't being intercepted and the content not disclosed, so that area of RIPA doesn't really apply.

      Doesn't mean it's not wrong of course, but I think you're going to struggle to apply anti-interception regulations to location tracking. You could argue that getting the phone's finer location is a communication between you and the Telco and their disclosure is therefore in breach, but I suspect it's shaky ground. As for cell based location, not a chance in hell of making that stick if you ask me.

      1. dephormation.org.uk

        Re: This is all entirely legal ?

        This is not just location data (which in itself if bad enough)...

        The information includes; "gender, age, postcode, --> websites visited <---, time of day text is sent [and] location of customer when call is made”.

    3. John Smith 19 Gold badge
      Unhappy

      Re: This is all entirely legal ?

      " which (in the light of the Phorm affair) supposedly made it unambiguously illegal to intercept and disclose the content of communications without explicit consent from BOTH parties."

      Perhaps so but this is not "communications content" but "communications data".

      This is the stuff the snoopers chart is designed to hand over (for free, en mass and identified) to HMG.

      What we have here is more like the FBI putting one of those GPS trackers on a car owned by an alleged organized crime figure without a warrant. The judge (IIRC) decided actually your location is nobodies business but your own.

      But it's still pretty dispicable.

    4. Peter Fairbrother 1

      Re: This is all entirely legal ?

      Sorry. but it isn't illegal under RIPA .

      The data for sale is classified under RIPA as "traffic data", and you can do anything you like with that without it being classified as interception (see RIPA s2.(5)) - consequently the order you mention does not apply, as no interception (as defined in RIPA - which is not even close to the everyday definition) has taken place. :(

      It might be covered under the Data Protection Act, which only covers anonymised or aggregated data if the anonymisation or aggregation is not reversible - and many people think it is almost impossible to do that irreversibly.

      However, even then it is not a criminal offense under the DPA.

      Heck, it isn't even a criminal offense under the DPA to sell sensitive personal data. It's just a "breach of duty", and the civil penalties are paltry.

      1. Vimes

        Re: This is all entirely legal ? @Peter Fairbrother

        If they intercept a URL like http://www.somesite.com/indes.php?userid=1221&name=JohnDoe&age=28 are you honestly going to suggest that PII has not been intercepted and shared here? This is part of the problem - there is no clear line between traffic data and the content of the communication. Trying to separate the two in terms of web usage is literally impossible. URLs must be considered part of the content of the communication because of the details they often contain.

  8. Camilla Smythe

    I Did NOT sign up to FaceBook!!!1!!!

    Why is their shit being imposed on me???1???

  9. John Smith 19 Gold badge
    WTF?

    WTF is this "line rental" b**locks?

    Seriously.

    What line?

    I'm wondering if there is in bulk buying cell phone "lines" adding a small charge with the specific goal of not supplying any further information. IOW all billing details to all lines end up at the offices of (for example) "JS Enterprises." As to whose really using them, no need to ask, no need to know.

  10. tekgun

    With the extra cash they make from this my contract should be a bit cheaper next year then? nah thought not.

  11. Anonymous Coward
    Anonymous Coward

    Meta-data

    In comms, the meta-data is always as valuable, if not more valuable, than the actual comms data (voice whatever) itself.

    Tracking naughty paddies in NI 20+ years ago c/o their new fangled mobiles. No need to get into the conversation itself, just see where the phones go, where they cluster & when. And absolutely, it can be tracked back to individuals.

  12. nsld

    EE and Data Protection

    Given they store client records in plain text and export them to India protecting data is not exactly the highest priority for Nothing NoWhere.

  13. Fihart

    Damn !

    When I was with Orange the offshore call centre had signed me up under a phonetic version of my name and garbled my address. When switching to T Mobile (other arm of EE) I cleared this up so, presumably, the details passed onto Ipsos unethically by EE are now accurate.

    Cue junk mail avalanche.

  14. This post has been deleted by its author

  15. Sferix

    Police Hunt Zombies - Official

    Did no one else note this snippet:

    'And police officers can, by law, request access to these databases to track suspects and the recently deceased.'

    So, the recently deceased are on the move amongst us. When was this discovered? I think we should be told!

    1. Fihart

      @sferix Re: Police Hunt Zombies - Official

      To be fair to the cops, for someone dead in the street with no ID, but with a cellphone -- the records would help identify the body so relatives could be contacted.

  16. Zmodem

    most people just use ebay and watch porn during lunch

  17. Anonymous Coward
    Anonymous Coward

    Ignoble intent

    Among this and the thousand other data pimping exercises we're subjected to, I think quite the most depressing is the purpose. None of this energy or genius is going into curing cancer, improving crop yields, exploring the planets, improving education or even building a better mousetrap. Apart from allowing plod to add two and two to get seven, the sole miserable use for this is to try to sell us things we don't want at prices we don't like in ways that we find deeply irritating and often invasive in themselves. To ice the cake, we get to provide all of the input whether we like it or not, but get none of the benefit except for vague, wafty handwaving in the direction of cheaper, better blah, blah, blah. What was that Thatcher/Blairite crap about choice?

    I couldn't give a toss how legal it is; it is immoral, plain and simple, and anyone who thinks otherwise is frankly delusional.

  18. Anonymous Coward
    Anonymous Coward

    Well that caused me to re-read my mobile contract, and there is nothing in there that allows them to sell my data... I wonder what EE's contracts are like...

    1. Graham Cobb Silver badge

      Check out ORG blog

      Unfortunately there is also nothing in there which says they can't. And they would claim that if it is "anonymised" then it isn't personal data any more. And where can we (or the data protection authorities) check up on how well it is "anonymised"?

      That is why the latest Open Rights Group blog calls for: "Ask for users’ permission before offering their anonymised data. Make this legally required in data protection, helpfully being debated right now."

      1. Anonymous Coward
        Anonymous Coward

        Re: data protection authorities

        If they can't demand sight of how well it's anonymised, it's hard to see what they're for, other than as a fig leaf to cover an embarrassing lack of oversight.

  19. Anonymous Coward
    Anonymous Coward

    My phone contract is up for renewal. Guess where I won't be going.

    Although, just because EE have been found out, it doesn't mean Vodafone, O2 and 3 don't do it too.

    How anonymised is this data? If they can get a location and an activity, surely they will know you were surfing iffy websites in the sanctity of your own bathroom

This topic is closed for new posts.

Other stories you might like