Big four UK mobile phone companies are selling sensitive data with no customer opt-out, warns privacy campaigner

IP Bill means mobile companies will increasingly monetise personal data to cover costs, predicts Geoff Revill

The big four UK mobile phone companies are selling potentially sensitive data to third parties without seeking the explicit consent of their customers, and are failing to provide any obvious way of opting out.

That's the contention of social entrepreneur and privacy campaigner Geoff Revill, who has studied the sign-up contracts and privacy policies of the four main UK mobile service providers: EE, Vodafone, O2 and Three.

"How many people here know that when they sign up for a mobile contract they are also authorising the mobile company to sell their data, including location data, to third parties?" he asked during the Privacy Advantage Summit in London earlier this month.

Only a smattering of hands went up, a surprise given that the audience consisted largely of entrepreneurs seeking ways to turn privacy awareness to their advantage.

"And how many have ever tried opting out?" he asked. Even fewer hands were raised.

Telecoms providers need to know the whereabouts of phones so they can provide a service, of course, but according to the principles of privacy by design, soon to be embedded in EU data protection law, the data they collect should be limited to that needed to support this connectivity. Other data concerning browsing habits and use of apps, which might be used for marketing or sold on, should not be collected without user consent.

"Every day in the UK we are under mass surveillance by mobile companies with our every move tracked and annotated by commercial entities for their financial gain," Revill said.

"Worse, the vast majority of us are unaware that we opted into this tracking, and turning off location on our phones makes no difference at all."

Location data is particularly sensitive as it provides a record of where you've been and who else was there at the same time, Revill explained, giving the hypothetical example of a person who first visits their GP more frequently, then attends a hospital and then a specialist cancer clinic.

"In countries where the healthcare you recieve depends on having the right insurance cover, this information in the hands of an insurer could mean that this person doesn't receive treatment for cancer," he explained.

Even if the data is anonymised before being sold on to third parties for purposes of analytics, in the age of big data, de-anonymising records to re-identify an individual from their phone, location and browsing records can be trivial.

The policies of all four of the UK's main providers appear to allow for the collection of location data, with most probably collecting browsing and search history too, although this is hard to ascertain. Certainly all of them make it very difficult for the customer to opt out of this collection, either at the time of sign-up or subsequently.

Revill fears that since the IP Bill is likely to require them to retain browsing data, mobile firms will increasingly link browsing and location data and sell it to third parties to offset the cost of storage, because such linkage will make the data more valuable. He has started an online campaign for mobile providers to allow users to explicitly opt out of this collection.

"Trust in a business is about confidence that our value exchanges are fair and equitable," he said.

"When a business takes and sells such insightful data as our movement history, and compounds their activity by making opaque that they do so and how to opt out of such an exchange, then we have to ask ourselves if we can trust businesses operating such unethical business practices," he concluded.