Mapping the Data Broker Economy (Blog 3): Telus
In order to shine a light on the data broker economy, we’ve filed personal information requests to take back our data, and are exploring the privacy risks of data brokers.
This is the third post in our Mapping the Data Broker Economy blog series. To go back to the first post, click here.
Telus is western Canada’s leading telecommunications monopoly. Like the Pelmorex Corporation, we recently came to learn that they’ve been involved in the sale of their customers’ location data to third parties, including the federal government of Canada. Unlike the Pelmorex Corporation, they had given access to their customers’ data to the federal government at no cost or on a cost recovery basis through their Data for Good program. But Telus has another program, called Insights, that sells access to this very same data to mysterious and anonymous third parties. (If the program for socially beneficial purposes is “for Good” can we consider this one “for Bad”?)
Telus holds firm to the line that the location data that they make available for socially beneficial purposes and sells for profit can’t be used to identify any particular individual as the data is in a de-identified and aggregate form (13). But as mentioned in our previous blog, many studies have concluded that location and mobility data alone are enough to identify a person within a large dataset; that they can’t be sufficiently anonymized to prevent individual people from being identified. And this doesn't mean that one person, or one group of people, couldn’t be discriminated against based on how these data sets are used.
The inferences drawn from these datasets could be used to discriminate against people in a range of ways that are constitutionally protected – like through race, age, income, ability, sexuality, and religion. So just because one person can’t be readily re-identified, it doesn’t mean that one person can’t be individually hurt.
Telus’s Data for Good and Insights programs could be used to provide information to third parties about people who are accessing healthcare services related to pregnancies. Worse yet, Telus, by collecting, storing, and making this kind of information available, could be subject to legal requests from United States law enforcement agencies that force the disclosure of this kind of information in a form that might not be fully de-identified or aggregated, and could be used to prosecute individuals seeking pregnancy related healthcare services in Canada.
Let’s sum it up. Here’s a short list of some of the things wrong with Telus selling access to their customers’ location data:
We don’t know enough about how this data is sorted and used, what kind of inferences can be drawn from it, and how these inferences might be hurting people through discriminatory practices;
The collection, storage, and facilitated use of this data makes it easier for law enforcement to demand access;
A reasonable person might not expect that the service provider of their cellular device would derive an additional revenue stream from exploiting this kind of data;
This kind of novel exploitation of data resources is a perverse and negative consequence of the for profit business model, and showcases how the pursuit of profits runs contrary to the provision of an essential public service.
Surveillance capitalism as an essential service
And that brings us to a very big question: Should a company offering an essential service be allowed to exploit our data in this way?
Telus makes plenty of money as a telecommunications company. It assumed this dominant position through the privatization of a natural local monopoly, and has aggressively reduced competition for its services through mergers and acquisitions, which has been shown to increase prices for consumers.
A company like Telus that offers an essential service to people by providing access to cellular networks and the Internet with few natural competitors arguably shouldn’t be permitted to generate novel revenue through processes that might also be harmful to these customers, and society more broadly.
So is this surveillance just a product of capitalism that we have to accept? By design, Telus is obligated to make money for its shareholders, and Telus is not obligated to offer a service that’s respectful of their customers’ fundamental human rights, like their right to privacy. But is that sufficient to abrogate their responsibilities to their customers entirely, especially in light of the public image that the company carefully curates?
Privacy “greenwashing”: Social good as justification for social harm
Telus strives to be a leader when it comes to privacy protections for their customers. This is seemingly antithetical to the alternative revenue stream of its Insight program, which by design exploits the location data of its customers.
During the parliamentary investigation into the federal government’s secretive use of mobility data, Telus representatives defended their use of mobility data through the claim of creating a social benefit through its Data for Good program – without readily addressing the harms of the Insights program. However, the two programs appear to be one in the same.
Telus makes it impossible for customers to opt-out of their Insights program without also leaving their Data for Good program. The only opt-out is nested within the Data for Good page. Meaning, it’s impossible for people in Canada to allow Telus to use their data for only socially beneficial purposes and not for pure commercial exploitation.
In this way, Telus appears to be using their Data for Good program to legitimize – to do the privacy equivalent of “greenwashing” – the exploitative practices they’ve created through their Insights program. In fact, the privacy protections that exist for the Data for Good program, as described by Telus representatives, don’t exist for their Insight program, according to Telus’s own public statements and marketing materials.
According to Telus, the Data for Good program is only offered to government and academic partners in “a supervised and guided way” (1:15) and explicitly does not offer access in real time “because that increases the risk of reidentifiability [sic] to something. It would no longer be considered de-identified.” This is not the case when it comes to Telus’s Insight program, which sells access data about “the vast majority of the Canadian population” to organizations, including governments, and appears to grant access in real time – or at the very least in “near'' real time.
This means that Telus takes greater precautions when offering the use of its customers’ data to government and academic partners for socially beneficial purposes than it does when exploiting that very same data for profit by selling it to unnamed third parties.
That last point should tell you what you need to know about whether or not we should trust a for profit company that provides an essential service with sensitive data assets like our location information. If the status quo remains, more regulation is badly needed in order to protect our privacy interests because, as technology enables companies like Telus to produce more data about us, more ways of using the data for good, and for bad, will emerge.
Accountability and regulatory uncertainty
Which brings us to another big question: Who should regulate this kind of activity, like Telus’s alternative revenue stream? Generally, the activities of telecommunications companies in Canada are regulated by Canada Radio-television and Telecommunications Commission, but Telus’s Insights program would perhaps be better suited for scrutiny by the Office of the Privacy Commissioner of Canada, with input from the Competition Bureau.
It’s worthwhile to observe that a lack of competition in the Canadian telecommunications sector hasn’t been addressed or rectified by either the CRTC or the Competition Bureau, which doesn’t provide much faith that either of these regulators would be adequately suited to address the concerns raised by business practices that are harmful to the fundamental rights of customers and society. As well, regulating the use of the location data collected by telecommunications companies in the United States is proving to be difficult and complicated for regulators.
That’s a lot of information without even beginning to address my interactions with Telus representatives as I attempted to take back my data. Let’s get to that.
Taking back my data from Telus: "We hear you, we see you, your concerns don't matter to us at all."
Telus makes a lot of money and cares about their reputation. On the positive side, my interactions with them indicate that they’re invested in being seen as having good customer service and being respectful of their customers’ privacy. Unlike my interactions with the Pelmorex Corporation’s “Privacy Officer”, Telus offered me actual humans to communicate with.
A few days after I submitted my request for personal information, I received an email from a person at Telus Privacy. They requested an account number from me, and I clarified that I was not looking for information associated with a specific account, but with a person: Me. From there, they asked me to set up a time to speak on the phone with them to confirm my identity and clarify my request. (They even cited the investigation from the Office of the Privacy Commissioner of Canada that created precedent for confirming identities before disclosing personal information. Extra points!)
The following week, I spoke on the phone with a different person from Telus Privacy. We confirmed what services I received from Telus, and I provided some information in order to prove that I am who I claim to be. They assured me that Telus would be back in touch soon with more information related to my requests. On the phone and through email, I emphasized that I would be interested in receiving a list of all the possible organizations that my location data could have been shared with through Telus’s Insights program.
On July 25th, 2022, exactly thirty calendar days after I submitted my request, they left me a voicemail, and sent me an email, informing that Telus required a thirty day extension in order to facilitate my request.
On August 2nd, 2022, I received an email from yet another person at Telus’s Data and Trust office. Like the Pelmorex Corporation, they stated that Telus does not sell any personal information to third parties through its Data for Good or Insights programs: “All data used and shared by TELUS Insights is de-identified, aggregated and extrapolated to market share. TELUS Insights does not use information about specific customers, but rather creates models using bulk, aggregated information from wireless sites about how traffic moves. It’s simply a way to understand movement patterns and areas where people congregate.”
Telus, like the Pelmorex Corporation, is unwilling to tell me the names of the third-parties they sell their customer data to: “As per PIPEDA Part 1, Section 2(1) “personal information” means information about an identifiable individual. Data For Good does not contain personal information, so the request regarding where TELUS sells or shares personal information is not applicable.” Telus is relying upon Canada’s outdated privacy laws that don’t consider de-identified information to be personal information, thereby giving individuals no recourse to understand or control how their information is being used.
And just like with the Pelmorex Corporation, I’ve filed a complaint with the OPC related to their refusal to provide me with my data related to the Insights and Data for Good programs, and for refusing to provide me with a list of all the possible third-parties that my data may have been shared with.
The Canadian government has proposed Bill C-27, new privacy laws that would challenge the practices of Telus and the Pelmorex Corporation by including de-identified personal information within the scope of Canada’s privacy laws. While Bill C-27 is far from perfect, it would create new requirements for data brokers like Telus and the Pelmorex Corporation, and give people in Canada greater control over their own data.
In the meantime, I’ll await word from the Office of the Privacy Commissioner of Canada as to whether or not people in Canada have a right to know the names of the third-parties that have purchased their de-identified personal data, including their sensitive location data. If people in Canada do have this right, we’ll be granted the ability to exercise some measure of control over our own data through the ability to map the data broker economy, and learn more about how our data travels between this shadowy network of companies.
What can you do? Canada’s proposed new privacy laws need significant amendments. Send a message to your MP right now asking for greater privacy protections! And, if you haven’t done so already, you can also sign the petition to #StoptheHarvest of your personal information.