Telus Gave Your Location Data to the Feds. Now what?
Our privacy laws failed to protect us. Find out why more than 10,000 people are demanding new privacy rights from Justin Trudeau.
Over the course of the last year, the federal government has tracked the location of 33 million mobile devices. Considering the size of Canada, that’s nearly everyone who owns a cellular device, even devices only capable of emergency calls.
The location data is being used by the Public Health Agency of Canada to monitor population movements in response to the pandemic. The federal government says that the data that they’ve received — and are requesting more of — is aggregated and de-identified.
There’s still so much unknown and we need answers about the sharing of this kind of data and the risk of inadequately de-identified data.
Anyone with a mobile device in Canada may have been tracked. From what we know so far, the primary source of the location data the government is using is Telus – one of the ‘Big Three’ telecommunications companies in Canada. Telus is primarily active in British Columbia and Alberta, so how did the company come to possess data from 33 million mobile devices?
In Canada, telecommunications providers share infrastructure, like cellular towers and Internet cables; Telus could have had access to location data related to people with whom they don’t have a direct business relationship. Just because you might not have a contract with Telus, that doesn’t necessarily mean that your location data wasn’t shared with the federal government.
Why is this a problem?
There are a few reasons why this is so concerning.
The first has to do with consent. People are angry that they didn’t know their location was being shared with the federal government. They might not be mad about how the data is being used, but more upset by the fact that they didn’t know about it.
The second reason is the sensitive nature of location data. This kind of information usually indicates where we live and work, who our friends and family are, what kind of activities we engage in, and forms a picture of intimate and private aspects of lives, like our health, finances, politics, and sexuality. Because of this complete picture, it’s very easy to discern who a person is based on this type of information.
And the last reason is because there are no consequences for this kind of privacy violation. Even if Telus or the federal government is found to have violated Canada’s privacy laws, there will be no meaningful repercussions that lead them to respect the privacy rights of people in Canada in the future.
Consent: People didn’t know this was happening
Under Canada’s commercial privacy laws, companies are required to ask for permission before collecting information about us. Telus may have, buried somewhere within its lengthy contract documents, a statement about collecting location data. They probably also list some specific uses for that kind of information. But did you, for example, understand that your location data could be used this way and consent to this kind of use?
There’s an argument to be made that Telus, by sharing this location data for this specific purpose, did not have the consent of their customers – as they wouldn’t have understood the implications of this kind of use. In that case, something called meaningful consent would likely not have been achieved, and a privacy violation may have occurred.
It’s also worth noting that this information — from 33 million mobile devices — seems to impact many more people than Telus would likely have a direct business relationship with, who have actually signed contracts with the company. So an important question is: How can Telus achieve meaningful consent to collect and share the location data of people it has no direct business relationship with?
Another reason that this didn’t come to light is because the contract between Telus and the Public Health Agency of Canada didn’t go through a competitive procurement process. Usually, when a contract is awarded to a private company from the government, it is open to public bids. To prevent corruption, the procurement process and contract details are public knowledge. In this case, the contract was given directly to Telus outside of the normal transparency process.
Risk of re-identification: Location data is incredibly sensitive
While the federal government requested that the location data be in an aggregate and de-identified form, this kind of information is susceptible to re-identification. Meaning, there’s a real risk that the location data could be used to identify specific people if misused.
Aggregate data means that information concerning a large number of individuals — in this case 33 million mobile devices — is combined into one great, big data set. De-identification involves removing the most obvious personal information that might be contained in that data set which would make it immediately possible to identify someone: for example someone’s name, birthdate, address, or social security number.
But location data from our mobile devices reveals so much about us that, even with these personal identifiers removed, it’s still possible to identify a specific person. For example, if your phone travels with you from your home, to your place of work, to where you visit your family and friends, to all of your medical and financial appointments, to where you might go to worship — it forms an extremely complete and intimate picture of your life, and one easy to attach to you in a data set if just a few of these regular trips are known to the would-be analyst.
Given the extremely sensitive nature of location data, and the lack of transparency around the use of it by the federal government in this case, people are rightfully upset. Even more troubling, however, is the complete lack of accountability from federal government bodies, like the Public Health Agency of Canada, in using this kind of information.
Accountability void: There are no consequences for this kind of secrecy
Unfortunately, Canada’s weak privacy laws don’t require the federal government to report honestly on these kinds of arrangements or provide meaningful penalties if our rights are not respected through them. They are under no obligation to inform or consult with an independent third party, like the Office of the Privacy Commissioner of Canada before entering into a sole source contract to get location data from a company like Telus.
Even if someone submitted a privacy complaint to the Privacy Commissioner, and the Commissioner investigated and found that a violation of Canada’s privacy laws occurred in the sharing of personal information between Telus and the federal government, there would be no significant repercussions for either Telus or the Public Health Agency of Canada. We desperately need a privacy protection system that holds government agencies accountable for both casual and intentional breaches of our right to privacy .
Canada is rapidly falling behind on privacy. In theEuropean Union and in California, there are more obligations for organizations that collect, use, and share our personal information. Under European law, permission for use and disclosure of personal information are limited to certain conditions, and should an organization wish to use information outside of the agreed upon context, they’re required to obtain consent again.
There’s no reason we couldn’t enjoy the same protections here in Canada. With similar privacy laws, if a Telus customer agreed that the company could collect their location data and share it with the federal government for the purpose of “expanding and improving telecommunications connectivity in Canada,” this would not include consent for sharing information in response to a public health emergency, like the pandemic. Telus would be required to ask its customers if they’re willing to give permission to share their location data for this purpose. People in Canada deserve this level of protection just as much as in other parts of the world. We need to demand more comprehensive privacy protection from our federal government NOW.
What can you do about it?
More than 10,000 members of the OpenMedia community are already calling for new privacy laws in Canada that include enhanced powers for the Office of the Privacy Commissioner of Canada.
These include the ability to impose financial penalties against private companies like Telus if they violate Canada’s privacy laws, and independent oversight of the handling of our sensitive personal information, like our location data, by federal government departments and agencies. If realized, these kinds of protections would prevent the non-transparency, unaccountable sharing of sensitive information like location data between private companies, like Telus, and the federal government.