Saturday, March 26, 2011

It’s Tracking Your Every Move and You May Not Even Know

via Noam Cohen at the New York Times,

A favorite pastime of Internet users is to share their location: services like Google Latitude can inform friends when you are nearby; another, Foursquare, has turned reporting these updates into a game.

But as a German Green party politician, Malte Spitz, recently learned, we are already continually being tracked whether we volunteer to be or not. Cellphone companies do not typically divulge how much information they collect, so Mr. Spitz went to court to find out exactly what his cellphone company, Deutsche Telekom, knew about his whereabouts.

The results were astounding. In a six-month period — from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times. It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.

Mr. Spitz has provided a rare glimpse — an unprecedented one, privacy experts say — of what is being collected as we walk around with our phones. Unlike many online services and Web sites that must send “cookies” to a user’s computer to try to link its traffic to a specific person, cellphone companies simply have to sit back and hit “record.”

“We are all walking around with little tags, and our tag has a phone number associated with it, who we called and what we do with the phone,” said Sarah E. Williams, an expert on graphic information at Columbia University’s architecture school. “We don’t even know we are giving up that data.”

Tracking a customer’s whereabouts is part and parcel of what phone companies do for a living. Every seven seconds or so, the phone company of someone with a working cellphone is determining the nearest tower, so as to most efficiently route calls. And for billing reasons, they track where the call is coming from and how long it has lasted.

“At any given instant, a cell company has to know where you are; it is constantly registering with the tower with the strongest signal,” said Matthew Blaze, a professor of computer and information science at the University of Pennsylvania who has testified before Congress on the issue.

Mr. Spitz’s information, Mr. Blaze pointed out, was not based on those frequent updates, but on how often Mr. Spitz checked his e-mail.

Mr. Spitz, a privacy advocate, decided to be extremely open with his personal information. Late last month, he released all the location information in a publicly accessible Google Document, and worked with a prominent German newspaper, Die Zeit, to map those coordinates over time.

“This is really the most compelling visualization in a public forum I have ever seen,” said Mr. Blaze, adding that it “shows how strong a picture even a fairly low-resolution location can give.”

In an interview from Berlin, Mr. Spitz explained his reasons: “It was an important point to show this is not some kind of a game. I thought about it, if it is a good idea to publish all the data — I also could say, O.K., I will only publish it for five, 10 days maybe. But then I said no, I really want to publish the whole six months.”

In the United States, telecommunication companies do not have to report precisely what material they collect, said Kevin Bankston, a lawyer at the Electronic Frontier Foundation, who specializes in privacy. He added that based on court cases he could say that “they store more of it and it is becoming more precise.”

“Phones have become a necessary part of modern life,” he said, objecting to the idea that “you have to hand over your personal privacy to be part of the 21st century.”

In the United States, there are law enforcement and safety reasons for cellphone companies being encouraged to keep track of its customers. Both the F.B.I. and the Drug Enforcement Administration have used cellphone records to identify suspects and make arrests.

If the information is valuable to law enforcement, it could be lucrative for marketers. The major American cellphone providers declined to explain what exactly they collect and what they use it for.

Verizon, for example, declined to elaborate other than to point to its privacy policy, which includes: “Information such as call records, service usage, traffic data,” the statement in part reads, may be used for “marketing to you based on your use of the products and services you already have, subject to any restrictions required by law.”

AT&T, for example, works with a company, Sense Networks, that uses anonymous location information “to better understand aggregate human activity.” One product, CitySense, makes recommendations about local nightlife to customers who choose to participate based on their cellphone usage. (Many smartphone apps already on the market are based on location but that’s with the consent of the user and through GPS, not the cellphone company’s records.)

Because of Germany’s history, courts place a greater emphasis on personal privacy. Mr. Spitz first went to court to get his entire file in 2009 but Deutsche Telekom objected.

For six months, he said, there was a “Ping Pong game” of lawyers’ letters back and forth until, separately, the Constitutional Court there decided that the existing rules governing data retention, beyond those required for billing and logistics, were illegal. Soon thereafter, the two sides reached a settlement: “I only get the information that is related to me, and I don’t get all the information like who am I calling, who sent me a SMS and so on,” Mr. Spitz said, referring to text messages.

Even so, 35,831 pieces of information were sent to him by Deutsche Telekom as an encrypted file, to protect his privacy during its transmission.

Deutsche Telekom, which owns T-Mobile, Mr. Spitz’s carrier, wrote in an e-mail that it stored six months’ of data, as required by the law, and that after the court ruling it “immediately ceased” storing data.

And a year after the court ruling outlawing this kind of data retention, there is a movement to try to get a new, more limited law passed. Mr. Spitz, at 26 a member of the Green Party’s executive board, says he released that material to influence that debate.

“I want to show the political message that this kind of data retention is really, really big and you can really look into the life of people for six months and see what they are doing where they are.”

While the potential for abuse is easy to imagine, in Mr. Spitz’s case, there was not much revealed.

“I really spend most of the time in my own neighborhood, which was quite funny for me,” he said. “I am not really walking that much around.”

Any embarrassing details? “The data shows that I am flying sometimes,” he said, rather than taking a more fuel-efficient train. “Something not that popular for a Green politician.”

17 comments:

Katie said...

This post makes me want to throw my cell phone in the Potomac. I find it incredibly disturbing that my cell phone carrier has the ability to track my every move simply because I am carrying it around, not just making a phone call. I never thought about how a cell phone knows that it is receiving a new call/text. I feel like I'm carrying a big neon sign over the top of my head saying "I am here" to the government, and to any criminals that want to know where any particular person is.
As much as I can see this being helpful to law enforcement, I still believe that this is an invasion of privacy, especially since the companies don't have to report all of the information that they obtain.
I also believe that more people should be aware of what is happening every time they are near a cell phone with their names attached to the bill. It would be a little better if everyone weren't so oblivious to the fact that they are constantly being tracked.

Katharina said...

I agree with Katie. It’s really chilling to realize how much information is being collected as we walk around with our phones. Most people do not know, or simply forget, how easy it is for cell phone companies and law enforcement agencies to track and record our every move. Cell phone users, similar to computer users, tend to assume that their data is safe and kept private by their service providers.
It’s extremely alarming that “major American cellphone providers declined to explain what exactly they collect and what they use it (their user data) for.” I think cell phone users need to become more educated on how their cell phones work and thus, how simple (even inevitable) it is for cell phone companies to create a detailed portfolio of them. Also, cell phone companies need to better inform their users on who can access personal data and how long this data is stored. If cell phone companies were clearer about their data collection process and only stored data for a limited time, this would help users determine how much private information they want to share via their phone. Another worrying point raised in this article is that AT&T is already working with third parties like Sense Networks. Even though users today still need to give consent to share their data with third parties, it is scary to think about how easy this tracking could be done by companies and criminals without our awareness and consent. Malte Spitz deserves a lot of respect for his courageous actions. Hopefully, similar acts/demonstrations will be seen in the United States.

Diana said...

Technology has come a far way and it is incredible how it is enhanced into our cell phones. To find that we are walking around like little tags, and our tag has a phone number associated with it, is very disturbing and outrageous. I also feel it is a good thing that cell phone companies can track our whereabouts for safely reasons but our privacy is still invaded. Cell phones is necessary because it is a easy form of communications and apart of our modern day life. I just do not like the fact that in order for me to be apart of this modern day life/21st century we have to hand over our privacy (Not Cool). Now, reading this it cannot really bother me anymore because I know I will never have privacy when it comes to using my cell phones or computer. The way this society is composed with so much government rules enforcing to redeem all our information, I feel I have not reason to complain because our information will be stolen whether we like it or not.

Noemi Beltran said...

I definitely agree with Katie and Katharina regarding the ways in which our privacy is invaded through cell phone data collection. I do think cell phone companies should clearly state their ability to collect information and the different ways they may use the information collected. With that being said, I do not think this will deter people from using a company's services since we are so dependent on technology.

Mr.Spitz is a perfect example of some of the themes we have discussed in class regarding the way our information is used to develop a picture of who we are. At the end of the article he mentions an embarrassing fact revealed by his data and this clearly represents a way we may transform our habits once we know we are monitored.
I think nowadays we are forced to renegotiate our views on privacy and this is not necessarily for the best since we 'give in' to the system by changing our lifestyle/information released but this process is inevitable unless the majority of users actually know how their privacy is invaded.

Margot Annie Dalet said...

While I agree with both Katie and Katharina, I must also assert that when it comes down to it....collecting this information does make sense. Although, I agree with the fact that this information is quite chilling. To know that a company knows exactly where I am at all times is a little creepy, especially after learning about the hacking potential of malicious third parties. It worries me that at any point in time, a third party could some how gain access to information as to my whereabouts. Yeah, that's scary. Also, it is a little suspect that many major American cell companies wont release exactly what information they are collecting. However, when reading this article I am reminded about the discussion we had in class earlier this semester, about the woman who had gotten into an accident and was found on the side of the road after her cell phone was allowed to be tracked. Obviously, this is an example of the benefits of this constant tracking. Maybe I'm just not as much of a privacy stickler as others, but the fact that Verizon knows when I am in class, when I am on the metro, and when I am downtown doesn't really bother me too much. If, in extreme situations, this collection of information could possibly benefit me, I am thankful. Meanwhile, as Mr. Spitz joked about, I don't believe any embarrassing information would be collected. I don't really leave the neighborhood much, and when I do, it is not for malicious purposes. It may be a cop-out to pull the "I don't have anything to hide" card, but while I am still young and innocent and really don't have anything to hide, I am not terrible shaken by this report.
However, I think it is important to comment on the benefits of Mr. Spitz' involvement in this lawsuit. I think it is very, very important for cell phone users around the world to just be aware of what kind of personal information is being collected by cell phone companies. We need to be aware of what our privacy rights are, and what exactly we are sacrificing by involving ourselves in the 21 century technological world.

Dominic said...

Pinging places and location based services are scary because they are tracking our every move and we do know it! We just don't care! It's going to be interesting to watch this problem unfold as cellular technology begins to mirror that of computer technology. What scares me is not the dissemination of our cellular records, but rather access to our phones via apps.

I think smartphone technology will only compound this problem. My worry is that we will begin to see bogus apps with the ability to ping our locations without our knowledge, or disguised as a data push of another sort. I wouldn't put it past a fake RSS reader to additionally send our information along to a service that keeps a record. The RSS reader doesn't even have to be fake, do these app services similarly keep logs of where? when? ip (if on wifi)?

This is only the beginning.

pjk52 said...

I was reading this article and it reminded me a lot of what we discussed in class about privacy.

http://www.bloomberg.com/news/2011-04-21/apple-iphone-tracking-is-probably-engineering-mistake-researchers-say.html

I thought it was really interesting when it talked about the difference between permission and control, where the iPhone had been tracking the whereabouts of its users without their permission. This concept paralleled extremely well with our class-room discussion on the definition of privacy and the evolution of the term.

I think that Apple should erase that engineering mistake, because if a hacker ever had the ability to gain access to that information, it would be worth a lot of money. Where we go can tell someone a lot about our patterns, interests, likes, habits, and friends - which can leave us incredibly vulnerable to criminals.

Catherine Henry said...

I agree with everyone that the ability cell phone providers have to track our every movement is unsettling. But I think that in many cases the benefits outweigh the costs. You'd be glad that your provider knows where you are if you were in an accident, lost, kidnapped, etc. I'm also glad that the provider is able to use my location to give me the best possible signal. And I can't argue with anything that helps track down criminals. If the providers are benevolent and trustworthy, it's almost like a comforting safety net (although how benevolent they are with your information is questionable). That being said, I think that there definitely need to be some regulations put in place. For example, I think that location information should be erased after a certain amount of time has passed--there is no need for it to be permanent like the information in other databases. I also think that customers should be aware of exactly what is being recorded and who the information could go to. I'm not opposed to providers sharing information with the government if there is a really good reason (for example a criminal or kidnapped person's location), but the customers have to agree to this possibility. Like most issues on the internet, consumers just don't know enough about what information is collected, who is recording it, and who they are sharing it with.

Elizabeth B said...

While I am not completely against cell phone companies obtaining this knowledge, I think that the cell phone companies should explain why they are keeping the data. I also think that there should be laws passed that limit when this data can be used and how long it can be kept for. However, I do not agree with the above comments that tracking people through their cell phones is such a bad thing. I think that being able to know exactly where someone is at any given time can be very useful for law enforcement. These records can make the difference in a case as to whether a murderer or rapist is caught and therefore, I think they are very important. I remember one of the readings that we did this semester talked about a woman who was in a car crash and found in a ditch because of the signal her cell phone was giving out. She could have been found much sooner and helped much sooner if these records had been easier to obtain. From this, we know that these records are not easily obtained and that there are billions of them everyday. I think that this should comfort people because cell phone companies are most likely not interested in your every day-to-day actions. These records should only be used when they are for the good of society as a whole. I do realize that this is a very optimistic viewpoint and that there is no doubt that many people would want to abuse this privilege. However, I would like to have faith in society that the majority of this information would be used for good and not for evil. This may be naïve but I can dream, can’t I?

Kirsten said...

Mr. Cohen’s article draws attention to the limits of individual privacy and to the potential for information gathered by telecom companies on individuals using their service to be abused. He describes a German politician who researched the extent to which Deutsche Telekom was keeping track of his whereabouts in the course of a six-month period, and the findings are definitely surprising, but hardly limited to Germany. So much for tracking the whereabouts of endangered species—now we’ve all been tagged!

Maria said...

I would agree with some of the earliest posters (i.e., Katie and Katharina). Quite frankly, I believe the costs and problems with the aggregation of this kind of tracking data outweigh the benefits (outlined by later posters, i.e., Catherine). Because we live in a democracy, we often forget that this kind of tracking data is particularly harmful and disconcerting for individuals living in countries where any government opposition is squashed. Those who speak out against such oppressive governments are captured, jailed, and often tortured and killed. Imagine if such governments coerced internet and cell phone providers to turn over individuals records to track down "dissidents," who were merely speaking out against government atrocities. I don't think this scenario is too difficult to imagine, especially because of the control that countries, such as China and Iran, now have over the internet.

Further, even in a democracy, I take issue with providers being able to track consumer's locations and, worse yet, to aggregate this information over time. Recall that aggregation of data was one of Solove's primary concerns. Why should private companies or the government know the exact locations I frequent and how often I frequent them? The iPhone tracking, that another student referenced earlier, apparently is particularly accurate in tracing location, exact location. In one article I read, an iPhone user got the information from his company and the records clearly indicated his favorite restaurants and the coffee place where he goes everyday. Even if we don't think that companies' collection of such information is a breach of privacy, surely, the tracking devices, once more people actually know about them, will create a condition of surveillance --- a privacy harm we discussed. The tracking devices, if nothing else, create a condition of surveillance.

Interestingly, a number of bipartisan privacy bills, including the Mccain-Kerry and Stearns-Matheson bills, have recently been introduced and are creating a lot of discussion about this kind of tracking. These bills would require companies to tell their consumers when their data is being collected and attempt to ensure companies keep that information safe from hackers. The bills seem to have the same goal---to protect consumers' information and privacy. However, the bills do have some differences. These differences include, for example, differences in what constitutes "personally identifiable information" (PII) and what agencies are excluded from obeying disclosure rules.

I have included a wall street journal article on the Mccain/Kerry bill. http://online.wsj.com/article/SB10001424052748703385404576258942268540486.html
Here's another articles on the Stearns-Matheson privacy bill: http://www.adlawaccess.com/2011/04/articles/privacy-and-information-securi/representatives-stearns-and-matheson-introduce-consumer-privacy-protection-act/. Keep an eye for more coverage these bills.

Maria said...

I would agree with some of the earliest posters (i.e., Katie and Katharina). Quite frankly, I believe the costs and problems with the aggregation of this kind of tracking data outweigh the benefits (outlined by later posters, i.e., Catherine). Because we live in a democracy, we often forget that this kind of tracking data is particularly harmful and disconcerting for individuals living in countries where any government opposition is squashed. Those who speak out against such oppressive governments are captured, jailed, and often tortured and killed. Imagine if such governments coerced internet and cell phone providers to turn over individuals records to track down "dissidents," who were merely speaking out against government atrocities. I don't think this scenario is too difficult to imagine, especially because of the control that countries, such as China and Iran, now have over the internet.

Further, even in a democracy, I take issue with providers being able to track consumer's locations and, worse yet, to aggregate this information over time. Recall that aggregation of data was one of Solove's primary concerns. Why should private companies or the government know the exact locations I frequent and how often I frequent them? The iPhone tracking, that another student referenced earlier, apparently is particularly accurate in tracing location, exact location. In one article I read, an iPhone user got the information from his company and the records clearly indicated his favorite restaurants and the coffee place where he goes everyday. Even if we don't think that companies' collection of such information is a breach of privacy, surely, the tracking devices, once more people actually know about them, will create a condition of surveillance --- a privacy harm we discussed. The tracking devices, if nothing else, create a condition of surveillance.

Interestingly, a number of bipartisan privacy bills, including the Mccain-Kerry and Stearns-Matheson bills, have recently been introduced and are creating a lot of discussion about this kind of tracking. These bills would require companies to tell their consumers when their data is being collected and attempt to ensure companies keep that information safe from hackers. The bills seem to have the same goal---to protect consumers' information and privacy. However, the bills do have some differences. These differences include, for example, differences in what constitutes "personally identifiable information" (PII) and what agencies are excluded from obeying disclosure rules.

I have included a wall street journal article on the Mccain/Kerry bill. http://online.wsj.com/article/SB10001424052748703385404576258942268540486.html
Here's another articles on the Stearns-Matheson privacy bill: http://www.adlawaccess.com/2011/04/articles/privacy-and-information-securi/representatives-stearns-and-matheson-introduce-consumer-privacy-protection-act/. Keep an eye for more coverage these bills.

Darion Parker said...

Honestly, while this seems to be over the top it makes sense in some ways. I remember years ago having my first phone and in playing around with it I stumbled up a feature that allowed me to opt out of being located, the only stipulation was that I could still be traced by police if needed. This is good in that it made me feel protected if i should ever have my device stolen. I understand the sentiment of my classmates however. Especially if someone else on my account were able to track me without my knowledge. It is a direct invasion of privacy but it is also something many us would wish we had should an emergency arise.

Weixian Cai said...

The idea that "you have to hand over your personal privacy to be part of the 21st century" is interesting. However, I would modify this to read "you have to hand over trust about your personal information to be part of the 21st century." It is precisely because it is necessary in many cases to hand over our personal information that safeguards exist to ensure that the information is not mis-used for nefarious purposes, and does not fall into the wrong hands. We must simply trust that these safeguards do their job in terms of keeping our information safe.

Brian said...

People pretend to be so naive about being tracked. Action movies are constantly including the cellphone tracking scene. People vaguely know that they are being tracked but dont do or say anything until its dragged into the spotlight. Very similar to this story is AT&T's secret location folder on their Iphones that stores customers locations in an unencrypted folder on the phone. Customers became outraged and now said folder is encrypted through Apple's most recent update. Cellphone companies have unknowingly become the best trackers in the world, but are only seen in that light when the mass populace becomes aware. People are too attached to their phones to stop using them. It's just considered another sacrifice in the pursuit of an easier life.

Chris Heller said...

I think this article again loops us back to our discussion about what constitutes private information.

Can a cell phone company ping your location a couple thousand times and store all of that information for useful purposes? Sure.

Should that company do it? That depends.

By signing that lengthy contract, we must be consenting to the location storing activities. (I wouldn't really know though, since I barely ever read the things.) And when you consent to that activity -- whether you know it or not -- you're stuck with the results. If (or when) this information is used for ulterior purposes (e.g. prosecuting somebody in court, etc. etc.) then the privacy concerns will be more valid.

Kelly said...

I think this is another case where collecting the information isn't necessarily harmful (probably useful in some cases involving law enforcement), but rather it's the sharing of information that might invade privacy. The article says that at least in Germany obtaining data from Deutsche Telekom was difficult. However, the article also mentions that in the US "telecommunication companies do not have to report precisely what material they collect." I find this more disturbing than the actual collection of information, and I think users should at least be notified of this in some kind of small print that they may or may not read.