MOBILE PHONE: LOCATION DATA

INFORMATION HELD BY THE COMPANIES ON CUSTOMERS

This is a tale of trying to get ‘Location Data’ from communication companies on the use of a mobile phone.

To explain my interest a little further.

I have been at demonstrations, when I’ve seen people, I know to be involved in the organisation of the event, use their mobile phone. Shortly after, I’ve seen a police ‘snatch squad’ charge in and arrest the person concerned. Having been nearby, I’ve not seen these people throw rocks or abuse that otherwise might well have caused them to be targeted. I could, of course, nave no idea if other ‘intelligence’ was being used…..

From the articles I’ve sited here, companies, giving evidence in court, sometimes only guarantee a user location to quite a large area [35Km in Cellnet o2’s case!]

Thus, they could not ‘triangulate’ an individual in a crowd. HOWEVER, I’ve seen people ‘lifted’ under these conditions a few times now.

I had thus conducted the following experiment, to get copies of my own ‘location data’, by a ‘Subject Access Request” under the Data Protection Act.

To see if I might make some estimate of these increasing capabilities.

Just been working and sharing information with Steven Mathieson, a freelance reporter and contributor on communication issues in the Guardian.

Over the last few months he had produced articles to do with the ability of mobile phone companies to supply ‘location data’ on the use of a mobile phone [cellphone to the US readers here] .

The pieces that first attracted my attention were:

The net’s eyes are watching: The new anti-terrorism bill may force internet firms to spy on us.

S A Mathieson reports

Thursday November 15, 2001

The Guardian

http://www.guardian.co.uk/online/story/0,3605,593343,00.html

You can ring, but you can’t hide: Our mobile phones track every move we make, but we’re entitled to see their logs. S A Mathieson went on a lengthy search for his

Thursday November 29, 2001

The Guardian

http://www.guardian.co.uk/online/story/0,3605,608434,00.html

In sight of the law: The police and local authorities are using technology to keep a close watch on our every move.

SA Mathieson looks behind the scenes


Thursday March 1, 2001

The Guardian

http://www.guardian.co.uk/online/story/0,3605,444313,00.html

Caught in the Wap: 3G may be strangled at birth if networks don’t put security first

SA Mathieson

Guardian

Thursday March 28, 2002

http://www.guardian.co.uk/Archive/Article/0,4273,4383023,00.html

Track your every move: Big-name companies monitor all your purchases – and you have a right to see the results.

S A Mathieson reports

Thursday May 16, 2002

The Guardian

http://www.guardian.co.uk/online/story/0,3605,715871,00.html

Steven Mathieson Brief biography

After graduating from King’s College at Cambridge University, Steven spent a year travelling in North America, Australasia and south-east Asia. On returning, he joined Corporate Finance, a specialist financial title owned by Euromoney Publications.

He joined the newsdesk staff of Computing in November 1997, and reported on issues including government policy, ecommerce, the IT job market and corporate software. He also wrote occasional features and viewpoint columns, and chose which Dilbert cartoon the paper printed.

He left in February 2000 to pursue a freelance career. His clients now include the Guardian, Health Service Journal and Computing. He lives in Bath.

http://www.samathieson.com

Chronology

This is the chronology of my ‘Subject Data Access Request, to get Information & location data derived from the use of a mobile phone. I think, by showing you this lot, I demonstrate that they don’t want to tell me …….!

 17th Dec 01 Letter to Cellnet of initial enquiry.

 20th Dec 01 Cellnet reply saying not entitled to data.

 28th Jan 02 Formal request to Cellnet.

 22nd Feb 02 Letter to Information Commission regarding no response from Cellnet.

 01st Mar 02 Information Commission replies saying I’ve not waited required 40 days.

 11th Mar 02 Re-apply to Information Commission for assistance and investigation.

 12th Mar 02 Information Commission replies – commencing the process.

 03rd Apr 02 Information Commission response saying Cellnet had not received my application.

 09th May 02 Letter to Information Commission as Cellnet has still not replied, as per Commissioner letter of 3rd April.

 6 June 02 Letter to Cellnet: Subject Access Request [applic. On forms] re: ‘Location Data’ held by Cellnet

 21 June 02 Cellnet / o2 finally reply with an extensive document [ 40 pages long ] , but with the location data, concealed within their own coding. Translation of which might be ‘commercially sensitive’ they say, Where I came in on the 17th December 2001

TO BT CELLNET

17th December 2001.

Information: “location data” derived from the use of a mobile phone.

Dear Sir,

Have read an article in Guardian [29 Nov 01] from the Online section, in which information on the use of a mobile phone is discussed.

The purpose of the article was to discuss the use and databasing of “location data” derived from the use of a mobile phone.

I have an interest in these matters and for a first enquiry then, would ask you what information can be released and what procedure I should follow to apply for it.

I note that there are many privacy implications here and additionally wondered if there was any guidance that Cellnet followed in dealing with such matters. Is this publicly available?

Thanking you for any assistance.

>>>>

FROM BT CELLNET

20th December 2001

Dear Mr Lodge

Thank you for your letter dated 17th December 2001.

I have been in contact with our legal department who deals with Data Protection enquiries. They have advised me that details pertaining to the transmission of calls and their corresponding transmitter locations are not considered personal details, to which you are entitled to access under the Data Protection Act.

Such information is considered commercially sensitive as it directly refers to our operational processes. Details such as call duration, date and time of call, dialled digits, cost of call and whether the call was made within the UK or whilst roaming, can be accessed upon a written request to our Data Controller. Details on how we route a call through our network is information the belongs the BT Cellnet and to be disclosed requires a court order.

Yours etc ……

Erika Lowe

BT Cellnet Complaint Resolution

++++

Slightly amazing job title to reply, I hadn’t complained, I only asked!!

>>>>

TO BT CELLNET

Monday, 28 January 2002

Information: “location data” derived from the use of a mobile phone.

Dear Sir,

Thank you for your letter dated 20 Dec 2001.

You will know from your records that I was enquiring about the provision of ‘location data’. My interests here, was sparked on reading a Guardian article, dated: 29 Nov 01 from the Online section.

Please will you forgive my confusion, but your reply, does seem to be at significant variance to the conclusions of this article. [printout enclosed] .

“I understand that I have a statutory right under the Data Protection Act 1998, section 7 (1), to issue a Subject Access Request, obliging you to disclose in full all data your organisation holds on me. Please treat this letter as a Subject Access Request for all my personal data.

It is my understanding that this personal information includes location data concerning which base station my phone is registered with during a given time period. I am particularly concerned with seeing this information.

If you do not believe you are obliged to disclose my personal data under the terms of the Act, I would be grateful if you can provide me with an explanation.”

>>>>

Compliance Officer

Information Commissioner

Dear Sir / Madam.

On reading a Guardian article, dated: 29 Nov 01 from the Online section, titled: ” You can ring, but you can’t hide ”

http://www.guardian.co.uk/Archive/Article/0,4273,4309424,00.html

The article deals with the collection of “Location Data” by mobile phone companies.

Reading the piece, I discovered that the author had successfully applied for this information under the Data Protection Act.

However, on trying this myself, it generated this correspondence. You will note in the exchange that I have ask for and been refused this information on the grounds, quote:

” Such information is considered commercially sensitive as it directly refers to our operational processes “

However, this is at variance with the experience of the author of this piece.

I thus contacted them again, and pointed out:

“I understand that I have a statutory right under the Data Protection Act 1998, section 7 (1), to issue a Subject Access Request, obliging you to disclose in full all data your organisation holds on me. Please treat this letter as a Subject Access Request for all my personal data.”

I believe that I am entitled to this information and think that BT Cellnet is prevaricating. I have received no further replies from them.

In view of all this, are you able to advise me what I can do next. I still wish to pursue the matter.

>>>>

04 March 2002

Hello Steven

Gosh, what a long and tortuous route..!

You may remember that I’d written to Cellnet regarding ‘location data’, associated with mobile phone usage. You already have a copy of the correspondence I’ve had with them.

I had first written to Cellnet on Monday, 17 December 2001 and received a ‘fob-off’!!

As you had suggested, I wrote again on Monday, 28 January 2002, including a paragraph making clear that this was a ‘subject access request’. Still nothing happened,

So I e-mailed the story so far to the Information Commissioners Office. Have just received a reply from them this morning, pointing out that they can’t help till after 40 days of non-compliance with request. It appears that this is counted from the last letter, rather than the original request.

So on my calculations; I have to go round again if I’ve not heard back by Monday 11th March, beginning of next week. You may also like to know that I’ve not heard from MI5 either! [that is, since returning my proof of identity] . Their 40 days expire on the 7th March. The information Commissioner doesn’t know about my other request, so might end up getting back to them with a ‘job lot’.

So there you have it. Diligence seems to be required.

>>>>

My formal request, made under the Data Protection Act

Please supply all ‘location-specific’ data generated my mobile phone, including but not exclusively cell ID data. I Believe that the personal information you would hold on me, as a customer, includes location data concerning which base station my phone is registered with during a given time period.

>>>>

15 March 2002

RE: Location Data / mobile phone use.

Hello Steven

Thanks for your e-mail yesterday, confirming that you’ve received the last wedge of paper I’d sent you.

After dealing with the various time limits they were operating, I have now received a preliminary response from the Information Commissioner.

I see this is going to be really uphill!

You’ll note that they say they were aware of the issues you’d raised in your articles, but my case is different! I don’t see how or why, but will send you the next instalment as and when.

You say you have another piece that will be appearing in Guardian Online. Would appreciate a reminder.

>>>>

Compliance Officer

Information Commissioner

09 May 2002

I had a number of communications with your office, over the last couple of months, regarding my difficulty in getting information from Cellnet. You may see from the record, that I’d written to them requesting ‘location data’ regarding the use of a mobile phone. They had not replied, and I was thus seeking your advice and help.

It appears that on your enquiries, Cellnet had stated that they did not receive my request in the first place. This was strange, since I had written to the same address a little earlier, with my initial enquiry and received an unfavourable reply. Then, the ‘follow-up’ letter I’d written to them was the formal request for information and they say they had not received this.

Anyway, according to your letter of 3rd April: they were then

“going to contact me with regards to fulfilling your request”.

Unfortunately, as of today, no further response has been received.

What do you think I should do next?

· Give up!

· Ask for further advice and help from yourselves

· Go round again, sending the same letter to Cellnet as I had on 17th December 2001

I am of course, grateful for any assistance, as I do feel a little ignored.

>>>>

From: Information Commissioner

15 May 2002

Dear Mr Lodge

We have contacted BT Cellnet, they have informed me that there was a breakdown of communications on their part, and that they have now contacted you regarding your subject access request and the action that is to be taken

I trust this is an accurate reflection of the situation

Yours etc ….

>>>>

TO Data Controller

Cellnet O2 Ltd

Leeds

06 June 2002

Spoke to you a couple of weeks ago on the telephone, regarding my difficulties in getting information.

I had first applied back in January. I received an unsatisfactory reply, and, after taking some advice, sent the enclosed letter. I waited a respectful time and having not heard from your organisation, contacted the Data Commissioner for further help. I think that it was in response to this, that you first contacted me.

Because of the delay in first hearing from you, you had offered to waive the £10.00 fee. Thank you very much for this.

>>>>

FROM BT Cellnet – Finally reply with ‘some’ information

21 June 2002

Received 40 pages of information in column of meaningless code

Telephone conversation will Cellnet / o2 Data Controller saying that they will not ‘translate’ these codes since they represent ‘commercially sensitive’ data.

This is were I came in 20th December 2001.

>>>>

24 June 2002

Hello Steven

Gosh! Well having started this project / application, back in December, I now have a reply from Cellnet [now o2] .

Because of the adventure to now, the data person at o2 rang me to say it was all customer services fault in the first place. Anyway, since I’d been messed about, they were waiving the £10.00 fee.

Am sending you photocopy of what was supplied. There are the covering parts, but the full submission was 40 pages I think. So have copied the first couple and the last page, to give you an idea of the ‘form’.

Well, I understand the first 5 columns ok. The last three columns are about location. However, I don’t understand any of that…….. Is it intelligible to you?

I read somewhere in the Data Registrars advice, that data, on subject access request, should be intelligible ( but am unsure now.).

So, if this is useful to you, then use it, [aside from the phone numbers etc of course]

All quite contemporary eh?

With the next stage of the RIPA and Blunketts latest wheezes. Although, postponed, again, it seems to come round again, on 6 monthly cycles now……

===================================

This is an ongoing Project ………….. !

It will result in a series of articles in the Guardian, Starting in August 2002

Alan,

Thanks for your ongoing help. The site I mentioned is http://www.sitefinder.radio.gov.uk/.

By the way, this is roughly how I’ll be describing your experiences (bear in mind I’ve had to compress things a bit). Anything inaccurate as far as you can see? Let me know what you think.

Thanks,

Steven Mathieson

(Note – this follows a description of my nine-month odyssey to get my data, hence the start.)

Mr Lodge’s enquiries were similarly tortuous. He wrote to BT Cellnet (as O2 was then called) on 17 December, and was turned down flat. He tried again on 28 January, and heard nothing. He complained the Information Commissioner’s office, which said he had not given Cellnet the full 40 days. He wrote again after 40 days had elapsed. The office wrote back, saying Cellnet had not received his letter of 28 January. One hopes the mobile networks don’t lose similar communications from police investigating murders.

On 21 June, six months after his first request, O2 sent Mr Lodge a document providing ‘Cell Site Analysis’. This provides three columns of encoded location data for outbound calls made from 6 October 2000 to 19 June 2002 – more than 20 months’ worth. But as with Orange, O2 refused to decode the information, pleading ‘commercially sensitive information’.

Suplimentary links:

Radiocommunications Agency http://www.radio.gov.uk/

Radio Communications Agency: Mobile Phone Base Station Database http://www.sitefinder.radio.gov.uk/


Your Boss May Know Where You Are – Wired 31 May 2002

http://www.wired.com/news/wireless/0,1382,52852,00.htm


This entry was posted in .. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *