JRB - Fotolia

UK campaign launched against location data security risks

UK consumers are unwittingly signing up to be location tracked and this data is being used and sold on for commercial benefit, warns privacy campaign

Privacy technology firm Krowdthink and the Open Rights Group (ORG) have launched a campaign to minimise the security risks of mobile and Wi-Fi geolocation data.

The move is in response to two reports that reveal the serious threat posed by the tracking people’s movements carried out by the mobile and Wi-Fi service industry.

Individuals could all be at significant risk from cyber criminals targeting historic location data, the campaigners warn.

Geoff Revill, Krowdthink founder, said consumers are opting in to being location-tracked by default. “According to research, 93% of UK citizens have opted into this service so far,” he said.

“Consequently, mobile phone and Wi-Fi service providers have contractually unlimited access to powerful data which is commercially extremely valuable – and also a threat if cyber criminals get their hands on it.”

The Opt me out of Location campaign is aimed at encouraging UK citizens to demand that service providers are explicit about what they are asking their customers to opt into and provide clear choices for opting out.

The campaign is also aimed at raising awareness of legal rights to opt out of location data being used for marketing purposes under current and future data protection laws, and offering guidance on how to minimise location tracking.

Assumed consent

Two independent reports conducted by the campaign sponsors, Krowdthink and ORG, examined the contracts and practices of the mobile phone and Wi-Fi industry.

Both reports show that consumers are unwittingly signing up to be location tracked constantly. It also shows that the highly sensitive data this generates is being used and sold on for commercial benefit.

The reports conclude that UK consumers deserve to know and to not have their consent assumed.

The independent investigations reveal that mobile and Wi-Fi service providers are not telling customers upfront in store at point of contract signature. Providers also fail to tell customers online via their websites that all their movements will be tracked and historic location data will be used for marketing purposes and often sold to third parties.

Suppliers hide in the detail of their contracts that customers can indeed opt out of location tracking, as well as the marketing and sharing of related data.

Read more about location data

  • Geolocation apps pair consumer preferences and location to provide real insight about customer preferences, but these apps pose data integration and privacy challenges galore.
  • Carriers sit on a goldmine of user data that could launch context-aware services, but they must review regulatory and compliance issues carefully.
  • New technologies may point the way to improved data collection, but organisations need to shore up data management and security practices first.

According to the reports, suppliers are putting the customer communications focus on the need for location information to route calls and meet the requirements of government security legislation.

The investigations also highlight that some public Wi-Fi service providers claim that they have to collect location data for security purposes, which is not the case as with mobile service providers.

The campaign sponsors believe that, unless they know what to ask for, customers will be kept in the dark about the location data that service providers hold on them.

Tracking location

The mobile phone market in the UK is worth £14bn, with 93% of adults owning a mobile phone and 61% owning a smartphone.

“In this multi-billion pound industry, there is a fast-growing market in services and products created from the data that customers generate when we use our phones and log in to public Wi-Fi. Data is used to build profiles that are used by advertisers and other undefined businesses,” the campaign sponsors said in a statement.

Location data is collected from the cell towers of a mobile service provider when it tracks a customer to route a call to them. Such location data is becoming more and more precise with the move from 2G to 4G services and increasing density of cell towers – currently estimated at 52,000 across the UK, according to the Krowdthink report.

The report also warns that Wi-Fi hotspots and Bluetooth beacons are potential location trackers, with many public Wi-Fi service providers specifically opting customers into location tracking by default in their privacy policies.

The report reveals that some Wi-Fi service providers that are also mobile phone service providers, such as O2 and Vodafone, use the same privacy policy for Wi-Fi as for their mobile phone customers. This enables the providers to track location through Wi-Fi and cell towers, providing even greater fidelity of location tracking.

Anonymous data

The ORG report looks at the policies and contracts of EE, O2, Vodafone and Three UK and analysed what information they gather, store, analyse and share.

The report reveals that customers are not being given enough clear information about how their data is being used by their mobile providers. Customers are also not being given clear and easy ways to opt-out if they do not want companies to use their data.

According to the report, the mobile phone companies say they anonymise data, which means that they are not legally obliged to ask for consent to use it. But it appears that, in some cases, the data is not fully anonymised and should remain classed as personal information requiring consent for reuse.

“Customers need to understand the risks if they are to give companies permission to use and share their data. But it is currently impossible for individuals to work out how effective anonymisation and pseudonymisation techniques are,” the report said.

Control over personal data

Jim Killock, executive director at Open Rights Group, said most people have no idea that mobile phone companies are making money from their personal information.

“Companies are permitted to collect and keep data for business purposes such as billing, but that doesn’t mean they have an automatic right to process that data for other purposes without asking for our consent.

“We have a right to decide how our personal data is used. Companies need to make their privacy policies clearer and give us clear information about exactly what they are collecting, how long they will keep it for, how they will use it and, importantly, who they will share it with.

“Trust needs to be at the heart of companies’ relationships with their customers. It’s time for them to come clean about what they are doing,” he said.

Security risks of location data

The campaign sponsors said there is a real risk that, if the data security of a mobile or Wi-Fi service provider is breached, location data is likely to be posted for sale on the dark web.  

The campaign said users of mobile and Wi-Fi services need to be aware that they could be providing information on their location when sharing digital photos and video images and downloading mobile apps.

The campaign advises users of mobile phones and other Wi-Fi enabled devices to turn off Wi-Fi when away from home to avoid disclosing location data. It also advises users to opt out of location tracking and/or marketing services from mobile service providers.

Read more on Privacy and data protection