Is Rogers Selling your Location Data?
There’s a rule of thumb about clickbait headlines that says if the headline is asking a question, the answer is no. Except in this case, the answer is yes. Yes, Rogers is definitely selling your location data. They are selling your location data even if you are not a Rogers customer; the fact that they run Canada’s largest cellphone network, and one of Canada’s largest ISPs gives them access to pretty much anyone’s location, regardless of whether or not you do business with them.
Who are they selling it to? We already know that Rogers (and every other Canadian telecom) will give your location to law enforcement. Michael Geist reported that
three [Canadian] telecom providers alone disclosed information from 785,000 customer accounts in 2011. Moreover, virtually all providers sought compensation for complying with the requests.
It’s not clear how many of those requests include location data, but I wouldn’t bet against the answer being “most of them”. We already know that Rogers is selling your location to law enforcement.
But that’s not what I’m talking about. Law enforcement’s ability to track your location is a scandal in its own right, but these days, it’s old news. At least law enforcement has the (dubious) justification that it helps them catch “bad guys”. But Rogers isn’t just selling to law enforcement. In fact, they are selling your location data to me.
Now, just to be clear, I have not actually purchased any location data. But I could if I wanted to. The data is definitely for sale, and it’s not for any lack of effort on Rogers’ part that I haven’t made a purchase.
I run a small business. That means I’m on more spam lists than I care to admit, and I receive calls on an almost weekly basis promising to put my website in the top 10 results on Google. Most of these are obvious scams, but recently I received a call from a more professional-sounding organization called Rogers Outrank. For some reason, I agreed to a half-hour sales call to talk about what Rogers could do to promote my business.
I won’t bore you with the details of the sales pitch. Suffice to say that they made the usual promises to put me on the front page of Google’s search results (something Google might be interested in, since their advertising partners are not supposed to guarantee natural search results), and they provided extensive tools to generate sales calls from those results.
One of those tools caught my attention. You can see why in this screenshot from their sales presentation:
This is a map of inbound calls for the campaign. The red pin is supposed to be the location of my business. The blue pins represent people who have called the number associated with the sales campaign. You can drill down and get more detailed information about each caller, including address.
Where does this information come from? My friendly Rogers salesperson had the answer:
So the map is really cool because it lets you see where your leads are going to be calling you from, so if they use a landline, or from a desktop computer, they track the IP address to let us know where that person is calling from, and if it’s a mobile, it’s tracking GPS.
The salesperson assured me I would get this information regardless of who their service provider was:
Same idea, whether they are with Bell, Telus, Koodo — whatever other providers they are — we make sure that when anyone with any sort of brand is looking for your service, our goal is just make sure they are finding you, regardless of whether they are a Rogers client or not.
Let me say this loud and clear: This is creepy. Rogers is selling me the location data of anyone who calls my number, specifically so I can make decisions about how to sell them my services. As a salesperson, that’s really useful, but it’s not an option I should have. As a citizen and a private individual, I don’t want my whereabouts to be available to someone who is selling me something. I don’t want that information to be available to anyone, and Rogers shouldn’t be selling it — especially when I have no business relationship with them.
Now, a few provisos:
- It’s a salesperson, so the technical explanation of where the information comes from may not be accurate. For mobile information in particular, I think it’s more likely that the location data comes from tracking SIM cards via cell tower triangulation than directly accessing the cell phone’s GPS.
- Likewise, the salesperson doesn’t say outright that I can get addresses for people who don’t use Rogers … he simply implies that “their goal” is to provide me with useful information. But, the map is pretty telling, and I made a point of asking how reliable the information on the map was. He was pretty clear that I could expect to get reliable location data for all my incoming calls.
- They aren’t selling location data as a separate product. Technically, Rogers is selling a marketing service, which includes location data as part of the service. I can’t buy the location data separately.
- Locations are for inbound calls only. That means I can’t just ask Rogers to track a given phone number; I only get locations for people who I have somehow convinced to call me. But, Rogers’ product is marketing. Their service is specifically designed to convince people to call me.
So, is this legal? I have no idea; I’m not a lawyer. I’d love to hear someone like Michael Geist chime in. My guess: Probably, it’s technically, arguably legal. Rogers has plenty of cash to spend on lawyers. The fact that they are only selling data from incoming calls probably comes with some sort of implied consent. I have no idea how they would get around the fact that non-customers’ data is being sold (and thus, there can be no contractually-waived rights), but lawyers are smart. I’m sure they’d figure something out.
Is it ethical? Hell no. Selling my location, without my knowledge and consent is wrong. I pay my phone company because communicating by phone is a useful, almost essential service. I understand that that privilege entails letting my phone company know where I am, and, by extension, any other phone company whose customers I talk to. I understand that it’s not really possible to build a phone system if you don’t know the location of the phones you are calling. I entrust the companies that run the phone system with my location because it is impossible to build the system without that information.
Selling my location to external parties — making my location public knowledge — is a violation of that trust. Rogers is taking advantage of me. They are taking advantage of you, and everyone else who uses the Canadian phone system. My location does not need to be public knowledge for the phone system to function. It is being made public purely because it is profitable for Rogers to do so.
I wish I could say I knew what to do about this. It’s easy to say “don’t use a phone”, but it’s hardly a practical solution. It’s possible a lawsuit could help stop this particular practice, but that only solves this specific issue; it doesn’t solve the structural issue of abusing private data for profit. It’s possible an industry regulator — the privacy commissioner? — might be able to do something if I complain loudly and often enough.
Honestly, I think the most effective tool is probably public shaming, which is why I wrote this blog post. My hope is that other people — you — will read this, and agree Rogers is doing wrong. And I hope that you will share this post with other people, so those people know what Rogers is doing. Rogers is selling our location data. Their public image should reflect the reality of what they are doing.