How Rogers, Telus and Bell sell access to your location data to third-party companies

A jointventure between Canada's three largest telecom companies has been selling the real-time location of its subscribers to third parties as long as they have your consent, the company says.

EnStream, a joint venture between Rogers, Telusand Bell, isn't new. It was originally formed in 2005 to develop ways for subscribers to make purchases with a mobile phone. Now, it's in the business of providing "identity verification and authentication services," helping third-party companies such as banks and insurance companies confirm you are who you say you are and where you are.

It makes money, in part, by charging companies a fee to provide a user's location.

To explain how that works in practice,EnStreamused the example of a person calling forroadside assistance, and that service asking for the person'sconsent to locate them. This is done without installing any apps or using the phone's GPS, but simply by measuring its distance from nearby cell towers.

• Meet the group that measures censorship and internet shutdowns around the world
• Sidewalk Labs says itwill respect your privacy but proof is in the details

But the practice of sharing location data has come under scrutiny in recent days, after the New York Times published a reportdetailing how access to such data can be abused. The paper found that a former U.S. sheriff misused a similar service stateside to track the cellphones of a judge and other law enforcement officers without a warrant.

I think this speaks to a really fundamental difficulty in individuals knowing the information that's being generated about them and then disseminated- Christopher Parsons, research associate, University of Toronto's Citizen Lab

In Canada, EnStream executives believe that the bar they've setfor accessing sensitive subscriber data such as location is higher. "Unlike the U.S., we have taken a more strict approach," said Robert Blumenthal, the company's chief identity officer, in an email.

Blumenthaldeclined to name any specific clients, citing non-disclosure agreements.

The companysays users have to explicitly opt-in each time beforeEnStreamwill share their location.

However,EnStream's ability to do so relies on having a relationship with the wireless providers in the first place. It's not clear whether subscribers can opt-out of this relationship, preventingEnStreamfrom making access to that subscriber basepart of itsbusiness model.

On this point, Bell and Rogers declined to comment.Telusdid not respond to questions.

What does consent look like?

In the U.S. case, a Missouri sheriff is alleged to have tracked the location of cellphones using a service called Securus, which also sells communications services to prisons. The New York Times reported that Securus obtained the location data froma marketing company called 3Cinteractive, which in turn acquired it from yet another company called LocationSmart, which buys access from the major U.S. wireless carriers.

LocationSmart is also an EnStream partner. ZDNet reported this week that LocationSmartsells access to the location data of the major Canadian wireless carriers as well.

Like LocationSmart, EnStream executives say that "informed explicit consent" is required before anyone can access a person's location "either just prior to providing location or when a client registers for a service."

Consent, saidBlumenthal, "is not buried on page 57 of an application's service terms, but rather brought out in the 'primary'consent clause that people see" language that EnStream has to approve.

"This is true for our Canadian customers, as well as parties from outside Canada like LocationSmart," he said.

ForChristopher Parsons, a research associate at the University of Toronto's Citizen Lab who studies the privacy of telecommunications data, the key is how that consent process is actually implemented in practice namely,how well users understand what is being collected and why, and whether users understand they have the ability to withdraw their consent at any time.

"We know the existing model of consent doesn't work very well," Parsons said.

Unclear how to prevent sharing with EnStream

In a letter toAT&T earlier this week in connection with the Securus revelation, U.S. Senator Ron Wyden criticized the telecom giantfor not having more control over access to its users' private data, which was sold to a string of third parties beyond AT&T's direct control.

But in Canada, said Parsons, "the positive thing with the carriers being involved in it is they are a relatively well-regulated segment of the economy." He said that groups such as the CRTC or the country's privacy commissioner could step in if evidence of wrongdoing was found here.

Because it is a joint venture between the country's carriers, EnStream said it can see what information passes between the mobile networks and third parties, "and it is monitored for unauthorized access," wrote Blumenthal andChief Operating Officer Almis Ledas in a separateemail. "The location data is not stored or maintained beyond the immediate confirmation."

• To censor the internet, 10 countries use Canadian filtering technology, researchers say
• You can control what you share on Facebook but not what Facebook collects

EnStream also said that it has to approve each company's use of location data,and that regular audits are a contractual requirement. But Senator Wydenwas critical of such contracts and their pledges against misuse, calling them "the legal equivalent of a pinky promise."

While EnStream said that it won't share any location data unless a person opts in, what's not clearis how the major Canadian carriers obtain the consent of users allowingEnStreamto sell that access in the first place. The company said that "some subscribers are, at their request, excluded from any services that allow other parties to access any information, including location data," but neither Telus, Rogersor Bell would answer questions about how users could do this themselves.

Nor is it clear how users can see who they'veconsented to share their location data with in the past.

"I think this speaks to a really fundamental difficulty in individuals knowing the information that's being generated about them and then disseminated," said Parsons. "Consent can be really well done, and users still not quite understand it."