A German politician named Malte Spitz sued his mobile provider (Deutsche Telekom) for access to all the information they were storing on him. When they released the information to him he published six months of calls, texts and Internet usage on an interactive map. German law has since improved its privacy.
Meanwhile, other countries, including the United States, still track users via mobile phones as well as wireless accessories (e.g. BlueToad). Here is an example of what it looked like on Spitz’s map:
Deutsche Welle just posted an interesting interview with him.
Yes, it was quite shocking to see 35,000 pieces of information about my past six months. And it was also so detailed that there was some information where I was at some events that I didn’t even remember. So seeing the interactive visualization, I remembered: ‘Oh yeah, this was the day I was here and there, and so on.’
It was quite shocking because I thought it would be maybe 5,000 pieces of information. But 35,000 pieces of information, when you break it down, that means each day, there are 200 pieces of information. So if you have five to seven hours of sleeping time, so you have like, between the morning and evening, you have maybe 150 pieces of information – every five to 10 minutes my mobile operator knows where I am.
Of course your mobile operator knows where you are, or rather, where your phone is.
How else could it forward any calls to your phone?
The cellular network works that way. When you move about, base stations hand over your handset between themselves. If they didn’t do that, you would be quite annoyed, because your call would be dropped every time you went out of range. How often a handset reports to the base station is dictated by the GSM standards. And yes, it does result in a rather stunning number of communications. A side effect of this is that the handset is easy to locate based on which base stations it can see. (Google Maps and other services make use of this.)
Another question is how long service providers need to retain location information. Criminal investigations are easier if you can slap a court order on a service provider to give a list of every movement of IMEI xxxxxxxxxx between dates y and z – which, I presume, is the original reasoning behind the data retention directive. Then again, it’s a burden on the provider to retain this information (storage costs money) and keep it secret (secure storage costs more money) and destroy the information once no longer required (secure processing of data costs even more money).
Then there’s billing data that has to be retained for some length of time anyway, if only for fiscal reasons and for customer service. Some service providers provide call logs to be browsed in a self-service interface.
Thanks for your comment. Yes, I agree a phone needs to be in contact with the provider when it wants service. However, while there is some room to argue the “network works that way” this is only a subset of the larger issue of mobile devices being tracked and their information stored.
There are a couple edge case (pun not intended) that I have been watching for the past couple years.
First, movement of bluetooth devices not in contact with any provider directly are still tracked and accessible to law enforcement — it’s called Blue Toad.
Second, data on the movement of cellular devices may be accessible via weak controls in an API-based service (e.g. your example of Google Maps)
The questions I see thus depend only sometimes on how the network works
1) can users use mobile devices anonymously (e.g. you mentioned IMEI rather than name, DOB, etc.)
2) can users opt-out of location information storage or access via API both on the provider systems and also locally on the mobile device (e.g. iPhoneTracker shows that Apple is collecting location history locally on their mobile devices)
3) can users be notified of collection (or otherwise opt-in) with the right to conveniently review the information (e.g. parents tracking their children)
The troubling privacy issues come up even when there is no relationship between the device and a particular provider.