The texts can arrive at any time. Recipients are told they’ve been exposed to the coronavirus and must immediately begin a two-week period of isolation. For some, the frustration of knowing the routines of daily life must suddenly stop can be exacerbated by the fact that the details in the message are wrong. One Israeli journalist described on Twitter how her message – from the ministry of health – stated she had been exposed to a person infected with coronavirus on a Friday evening between 19:00 and 20:00. Her daughter was told she had been exposed an hour earlier. But during all that time, claims Liat Ron, they were both at home eating dinner. “We were exposed to rice,” she said.
To date, Israel has registered more than 550 deaths linked to the coronavirus. Decisions on who should receive these instructions to self-quarantine are dependent on a controversial database, known as “The Tool”, managed by Shin Bet, the country’s internal security service.
Officials have not clarified exactly how The Tool works. The database, which leverages data collected by the telecommunications operating companies (telcos), is thought to contain the call, message and location histories of all Israelis, all the time. While police need a court order to request such data, the Shin Bet has constant access. In response to concerns over the agency’s involvement in contact tracing, the Israeli government argues that data from telcos is more effective than voluntary smartphone apps or monitoring by humans. Telcos reliably track Israelis, one of the world’s most connected populations – whether they consent or not.
Extreme contact-tracing programmes are controversial. Public suspicion of the system, which Israelis complain is often inaccurate, has been directed almost entirely at the government. Although Shin Bet chief Nadav Argaman has expressed discomfort at the deployment of intelligence tools to track civilians, Israel’s telecommunications industry which provides the data has kept silent. “Their role has been as a mere conduit,” says Amir Cahane, a cyber security research fellow at the Hebrew University of Jerusalem. “I would say the role of telecommunication firms is not something that is discussed because they’re required to provide this information by law.”
Similar attitudes prevail around the world. Telcos are the main enabler of national and regional surveillance programmes designed to curb outbreaks of the coronavirus, but governments derive their authority to obtain data from legally binding regulations with the companies. According to The Correspondent’s Tracked Together database, at least 30 countries are harvesting data from telcos to track the coronavirus spread.
The absence of public accountability contrasts with the intense interrogation of Apple and Google’s intervention into contact tracing. Telcos have largely escaped such scrutiny. At least until the services from phone and internet networks are interrupted, most of us give little thought to the companies that provide the cables, pipes and satellites to carry information around the world between friends, family, colleagues and clients. Technology watchdogs are distracted by the noisier drama of “GAFA” – big tech’s powerful content and networking brands: Google, Apple, Facebook, Amazon and their peers.
The original big tech
The telecommunications industry is responsible for the infrastructure that connects us. Telcos erect the masts and lay the cables that underpin wifi, mobile phones and 4G (now 5G) coverage. They are the core of the world’s communications universe. Business, education and entertainment all rely on their services to function.
These companies were the original big tech. And although their prominence has faded since their heyday and the boom in digital infrastructure in the 1990s (and their profits squeezed by the new dominance of internet services), they are still giants in reach and scale. Vodafone Group counts more than 600 million mobile customers, operating in 24 countries while maintaining partnerships with mobile networks and broadband operators in about another 50. Orange has a presence in 27 countries, with 204 million mobile customers with another 20 million using its broadband services.
Because they control the pipes that connect our phones and computers, telcos can also see what passes through them – who you talk to, what you said, what you looked at online and even where you go. Different companies have different policies about what information they collect and how long they keep it. For example, freedom of information requests in the US revealed that Verizon would store the contents of text messages for up to five days while other US telcos did not keep that data at all. Some of this data is important to calculate costs, fees and customers’ bills. But telcos also use information about their users for commercial reasons, selling it on to other companies called aggregators who sell it again to different clients and industries.
Since the Covid-19 pandemic, the data that has become really valuable to policymakers is the location history in our devices. This is the record of the signals from cellphone towers to which a mobile phone has connected. The accuracy of this location information can vary according to the technology the telco uses and the number of cellphone towers in an area – there are generally more in urban settings than in rural ones. It’s generally thought this method can pinpoint a person with an accuracy of within about 300 metres, but some systems can be more accurate, able to pinpoint a person’s location even inside a building.
This data is also extremely revealing. “A single data point is probably not super sensitive,” says Sara Collins, a legal expert at the US non-profit Public Knowledge, which campaigns for privacy and an open internet. “But being able to track your location over time is really sensitive because you figure out where someone works, and where someone lives pretty easily. You also can figure out who they associate with and those connections can lead you to [understand] what religion a person is, their sexual orientation, their politics, all sorts of things that people may not want to share with the wider world for whatever reason.”
Israel is far from being the only country where this potentially sensitive location data is shared between national telcos and government agencies. In China, telco data was instrumental in tracing people who had been in or near Wuhan’s Hubei province. In South Korea, when a person tests positive for coronavirus, a contact-tracing investigator can ask police to request two weeks of their location history from telecommunication operators. Records of where that person went and when would then be posted online or sent as text message alerts, so others can assess whether they might be at risk and if they should get tested. Names are not published but the details can still be deeply personal, revealing visits to sexual harassment classes or short-stay “love hotels”. There have been cases where people featured in these location logs have been identified by TV reporters. Patients cannot opt out.
In European Union countries, the ePrivacy directive prohibits the use of this data to trace individuals’ location history. Instead, officials can harvest location data in aggregate: from gauging all anonymous movements it’s possible to assess how many people are following lockdown orders. Norwegian telco Telenor has shared location data with its government since January, before any cases of Covid-19 were reported in the country. Operators in Italy’s Lombardy region also complied swiftly with government requests, another early example, when the coronavirus outbreak took hold in February.
Advocates for harvesting aggregated telco data include Andy Tatem, professor at the UK’s University of Southampton, who works with telcos including Vodacom Mozambique to analyse the patterns of mobility which inform the country’s malaria strategy. “Assuming the biases are understood and accounted for as best as possible, we can get unprecedented insights into movement patterns between and within cities, between and within countries, and across multiple timescales,” Tatem told me over email. This information helps to model how the disease might spread and guide policy on how best it can be controlled.
Compliance without transparency
Leveraging telco data for what’s now become known as “coronavirus surveillance” is a new chapter in the long history of close cooperation between telcos and governments. Following the liberalisation of many state-owned telecommunications utilities in the 1990s, the relationship between governments and new entrants or privatised incumbents remained close. “I would define it as a very cosy relationship,” says Diego Naranjo, head of policy at European Digital Rights. He adds that telcos are seen, increasingly, as allies for law enforcement as more of us live more of our life online.
Details of government requests for data are largely secret, although whistleblowers provide sporadic insights.
Nick Merrill, founder of Calyx, a small internet service provider, waged a decade-long struggle to lift a gag order which barred him from telling how the FBI approached him in 2004 with a “national security letter” – but no warrant – to demand the location history of one of his clients.
Mark Klein, a technician at telecom company AT&T in 2003, stumbled across a secret room that enabled the US National Security Agency (NSA) to hoover up US Americans’ internet and phone call data. Almost a decade later, his story was confirmed by the NSA documents leaked in 2013 by Edward Snowden in which AT&T was described as “highly collaborative”.
Snowden’s revelations included reams of information about telcos’ cooperation with spy agencies in the US and UK. Between 2008 and 2010, Cable and Wireless was found to have met regularly with the UK intelligence agency GCHQ and the company was paid up to £1 million per month to monitor web traffic as it flowed through its networks.
When asked if AT&T’s relationship with government had changed since the NSA documents were leaked, the company directed The Correspondent to its latest transparency report, which details the types of government requests the company receives. Cable and Wireless Communications (formerly Cable and Wireless) did not reply to a request for comment.
Close collaborative relationships between telcos and governments are governed by a series of contractual mechanisms and legal tools. “All countries try to control [telcos] in some way,” says Edin Omanovic of Privacy International. The methods and statutory process vary country-to-country. Where telcos are not state-owned, licensing agreements dictate that companies can only operate within certain rules. Industry jobs deemed “sensitive” can be screened by security agencies.
In Europe, laws mandating telcos to store customers’ data (for years) are common – in case those details are needed by security agencies. Elsewhere, telcos’ doors are open to state agencies. Israel’s Telecommunications Law requires carriers to enable access to their facilities and databases “as necessary to perform the functions of the security forces or to exercise their powers”.
These laws provide a legal and cultural basis on which the concept of telco data for coronavirus tracking can easily be layered. Jan Rydzak, Poland-based analyst at Ranking Digital Rights, an organisation which ranks telcos according to their commitment to human rights, says the public and the media are not vigilant.
Telcos are not held to the same standard as big tech, Rydzak told me over the phone, allowing them to shrug off calls for change. “The Facebooks of the world face a lot of scrutiny from both the press and the public. Whether their transparency amounts to a PR operation or not, they’re compelled to show that they’re doing something,” he says. Even when telcos do share information about government data requests, “they don’t say quite as much about whether they’ve complied with those orders … I would speculate that in most cases, that is because they comply with most orders. If there’s nothing to compel them to be transparent about that, then they won’t do it.”
That lack of transparency in telcos’ data sharing practices extends through the pandemic, too. Rydzak says the answers are mostly missing to questions about how long telco data, harvested to create coronavirus mobility reports for governments or researchers, will be stored – in part because nobody knows when the pandemic will end.
Of the big firms, to date only Telia has released a coronavirus-themed transparency report which includes details about government requests and whether the company complied. Although further information about the potential duration of data sharing arrangements is missing, Telia’s report offers insights into how governments are clamouring for telco data. The Swedish multinational has disclosed requests, since February, from the European commission as well as governments in every country where it operates: Sweden, Finland, Norway, Lithuania, Latvia, Denmark.
From the industry’s perspective, this level of cooperation with governments reflects the nature of their international operations, each one dependent on national licences to operate. David Sullivan, programme director at the Global Network Initiative, cautions that it’s unfair to compare the practices of international telcos to other big tech networks due to differences in their business models and because they face different regulatory regimes.
“When a company has hundreds of thousands of employees, huge amounts of investment, a license to operate under a significant regulation by the government, that’s a different circumstance than if you are a social media company that is not present on the ground in a given country … [That company] can say, if you want data from us, you’re going to have to go through a US court to get it,” Sullivan explains.
No record of solidarity
Concern for civil liberties is growing. Before the pandemic, the seeds of resistance were taking root, as critics pushed telco operators to do more to protect users from government overreach – particularly in response to internet shutdown orders. Most telcos are bound by law to cooperate quietly with official requests to “turn off” the internet in response to violence, protests or during elections. Recently, however, some companies have been looking for loopholes.
In Sudan and Iraq, for example, telcos have shut down local internet services but left foreign Sim cards unblocked – effectively allowing activists to continue to communicate. Sullivan says companies could be more transparent by resisting government pressure to lie about the reason behind network shutdowns: “If the government is saying, we want you to send out a message saying that there are technical difficulties, companies can say, no, we’ll say that networks are down but we won’t say for a false reason.”
When Guinean operator Guilab was ordered to carry out repairs to their network over the same weekend as the March 2020 election, management refused. “They switched off for a short while, and then they said no, we’re not doing this,” says Alp Toker, director of NetBlocks, an organisation which tracks internet shutdowns worldwide. But Guilab’s stance was undermined by a lack of solidarity from industry peers, as the government asked French telecom company Orange and South Africa’s MTN, multinationals that are dominant across Africa, to block access to social media sites instead. Both operators complied.
In most such cases, industry defenders point to the issue of safety: there have been cases of armed guards turning up at telecom offices to demand that services are shut down during elections. More often, observes Toker, it’s local operators that are threatened: “The international ones, they just do it anyway because they don’t want to lose their business.”
Coronavirus data: the new frontier
The lack of a coordinated pushback from telcos against the growing number of internet shutdown requests foreshadows a new frontline in the global contest over data privacy. While it’s true that operators are often muzzled by regulation, a growing consensus in civil society expects them to do more – especially in terms of transparency.
The industry’s history of opaque compliance is cause for concern in the context of the pandemic, which is likely to entrench data sharing arrangements that already existed between telcos and governments. If telcos don’t push back against shutdowns which are widely condemned, it’s hard to imagine they are likely to stand up to excessive data requests which governments seek to justify in the name of public health. The industry’s central role in contact tracing and analytics means telcos can no longer hide from the scrutiny focused on Google, Facebook and Apple. It’s time to wake up to the fact it’s not only big tech that could do damage with our data.