For EU folks: anyone tried a GDPR request to their phone provider to figure out what do they collect and what do they store? I'm thinking any of the following are within the realm of possibilities:
- Call history, including metadata and potentially also contents;
- Text messages, same as with calls: metadata and potentially the contents;
- Location history;
- Data connection activity, again: metadata and potentially the contents;
- IMEIs of the devices I used.
I submitted a GDPR request to my GSM provider a few days ago, but I'm not fluent in legalese, so may not reach as far as someone fluent in it. Still awaiting initial response.
For a sneak peek of the kind of data you can expect, take a look here [1] (German newspaper, but in English).
Background story:
Malte Spitz, a Green Party member, sued to get all data collected and retained (according to a law which has been overturned since) by his carrier. Die ZEIT/OpenDataCity cross-referenced the data with publicly available information from his Twitter and party website and compiled it all into one visualization.
Unfortunately, they seem to have stopped paying for the Google Maps integration, but you should still be able to follow along just fine.
This is interesting, if that's indeed the case then I'll publish my findings and encourage people to 1) file similar requests, 2) file requests for data deletion and ceasing of further collection. Hopefully eventually we'll get an option to opt out via the web, like on http://myactivity.google.com/
Also, EU readers: why not ask your own provider today?
Apart from location I'm still concerned about actual data transferred via those networks (calls, text and data).
> anyone tried a GDPR request to their phone provider to figure out what do they collect and what do they store?
Yes. The Netherlands, carrier is called Youfone.
They have very, very little data on me: they claim not to be able to see which cell tower I'm even connected to (which would be tracking info), which makes me wonder how they even provide their service. They say it's all outsourced to third parties, one of which is the network operator, KPN, and they cannot list those parties for commercial reasons. I doubt that's legal (I'd assume you can't just stuff everything into subsidiaries and go "sorry can't tell, business secrets": either you have to get it from the subsidiaries, or you tell me who they are and whom to talk to), but the Autoriteit Persoonsgegevens (local authority) seems to have their hands full, as do I, so I did not bother pursuing it.
The info I did get was: everything I provided (name, DOB, bank account), everything you would commonly expect (call logs (though that is not as common in Germany, it is everywhere else afaik), the invoices based on those call logs, data usage per month, etc.), and I think one or two uninteresting pieces of information (probably SIM card number and such). They also provided storage time limits for the data.
I feel like they did not have the process in place yet before my request, as a dude quite high up in the orga replied to my support ticket and they exceeded their response deadline. After two months they gave me a professional-looking PDF with the data, so I think they quickly set that up because GDPR was fairly new (few months after May 2018). They're also cheap, I'm sure the mails back and forth (not to mention the investment in that "data to pdf" system) cost them much more than my 8,50/month subscription would warrant. I kind of want to cut them some slack for working on it rather than bother those who try. Maybe I'll pursue it again later. Or maybe someone else can ask better questions based on my experience.
Thanks, I'll look out for that. @tapland and @jgibson also mention that mobile networks often outsource running the infra.
In any case - I agree with you that this seems like a shitty legal pseudo-loophole. At the very least the company you sign a mobile contract with needs to share your phone number with those infra subsidiaries. But then according to GDPR: "15. 1. The data subject shall have the right to (...) access to the personal data and the following information: (...) (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed". Following this rule one should be able to reach the bottom of the data processing chain.
Possibly on the network facing side of the business in the form of logs that get purged when old, but I have yet to see any IMEIs, possibility to log texts, call histories etc, but if they are sent there will be a trail in the network.
Could probably send the GDPR-request to Huawei and Ericsson as well.
Just keeping track of phones' permissions in the network 100 times/second is an insane amount of data, but there could be leaks/compromised systems somewhere in the User -> Apps -> Phone -> Network -> Provider chain.
I'm not familiar with how GSM networks operate. Why would I send a request to Huawei or Ericsson? Don't they just provide networking equipment? Or do they also provide services, part of which may be relevant for end user privacy?
My info may be a little dated, but yes, most of these companies (Huawei, Ericsson, Alcatel-Lucent, etc) also provide network services and ops to run the network.
Disclaimer: I work at Ericsson but am not directly involved in any network operations.
Ericsson provides operations service for a number of telecom operators. This means, the operators own the equipment and make the decisions, while Ericsson does the maintenance, supervision and troubleshooting of the network. This is usually done on contracts of three to ten years, after which time the operator may choose to renew or to contract with one of our competitors.
I could certainly be wrong, but my impression is that in this scenario Ericsson is not the data custodian according to the GDPR. It would be interesting to know what the outcome is, if anyone were to make a GDPR request to my employer.
Just because the user is the one asking for the data doesn't mean the rest of the GDPR stops applying. They're still required to have appropriate safeguards, which means they certainly can't email it to you (at least not in plaintext).
Also, more specifically about the Right to Access, Recital 63 says: "Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data". (emphasis mine)
I planned to document it and share with wider audience in case I find something out of the ordinary. For example, if they kept my location history for longer than is necessary to just route my data through their network, or if they had the contents of my texts, or DNS requests history.
Not sure how to pressure into the Google-style solution, but I think knowing would be a first step.
Nothing fancy, and I sent it to the contact point they have in their privacy policy. You can find it on their websites (or at least I found it; in my case it was just an email but it will possibly escalate to snail mail). As far as contents goes - here it is, translated into English:
I am a/an [OPERATOR] subscriber, identification data: (...)
I would like to get a complete list of personal data that [OPERATOR] stores about me:
- The history of telephone calls, metadata (when and where [to which number] I called or when and who [what number] called me) as well as the data itself (the content of the calls themselves);
- The history of text messages, as in the case of calls - metadata and the data itself;
- History of data transfer (Internet), as above - metadata and the data exchanged itself;
- Connection history - when my phone was connected to the [OPERATOR]'s network, when in [OPERATOR'S COUNTRY] or when via roaming;
- Location history - where my phone was located, e.g. which base stations it was connected to or from which country it was connecting or any other information allowing to determine my location more accurately than "Planet Earth";
- History of used devices - IMEI numbers as well as other data collected about my device / devices;
- Any additional information collected about me.
If any of the above mentioned types of data is not stored by [OPERATOR] please let me know.
I don't think it's your responsibility to play whack-a-mole and guess what types of data you think they might have. It's their responsibility to tell you.
The right to access your data is Article 15 of GDPR. Section 1 lays out what they have to provide you. Part (b) of that is "the categories of personal data concerned." I'm no lawyer, but I take that to mean that they have to provide you with the complete list of processing they do.
If I were making this request, I would scrap the entire bullet-point list you wrote and say that I'm invoking my Article 15 rights to be informed of the categories of personal data that [OPERATOR] processes about me.
See, one of the reasons why I'd prefer someone who speaks legalese to do this :)
Thanks, makes sense. I wanted to make it clear I'm not happy with a response "Yeah sir, you live here and here, and your device model is X. That's your personal information.". But I'll keep pressing them, as I seriously do not entertain the idea that someone may store all the data that can be inferred from my activity in a mobile network.