Friday, May 18, 2018

Here’s how Bell, Rogers and Telus profit from mobile subscriber data

In its roughly 12 years of operation, EnStream, an identity and device authentication company jointly owned by Bell, Telus and Rogers, has mainly flown under the radar.

On its website, the company promotes a handful of selected articles mentioning it, mostly from business and industry publications.

The articles report the facts: EnStream was founded over a decade ago to facilitate mobile payments. About a year and a half ago, it pivoted to provide identity and device authentication services to third-party customers using wireless network subscriber data.

However, a recent privacy breach story that broke in the U.S. has brought a new wave of media attention to the company, with the main focus being data privacy concerns for telecom subscribers.

What is EnStream?

EnStream uses subscriber information from Bell, Rogers, Telus, Fido, Koodo, Virgin and Lucky Mobile to provide third-party companies with a variety of identity and location-related services.

On its website, EnStream notes several use cases — for instance, using mobile subscriber information, including name, address, mobile number and date of birth, to verify the identity of a customer.

EnStream can also provide a service that determines whether a particular mobile number is valid and in-service, offering an alternative to SMS one-time codes.

Then there are the location service applications, which track locations based on network connections, thus doing away with the need for a preloaded software solution.

These services include roadside assistance locating, geo-restricted service verification (i.e. for lottery tickets that require the customer to be in-province) and transportation tracking, which might be used for parties like independent truckers.

These, of course, are use cases provided by EnStream, and the company refrains from revealing any specific examples of customer use.

EnStream does, however, list partners that sell its services, including one that recently drew some less-than-positive attention: LocationSmart.

LocationSmart privacy breach

A recent New York Times report revealed that a former police sheriff used a service called Securus to track people’s locations through their mobile phones without court orders.

Securus received its data from a company called 3Cinteractive, which in turn got its data from LocationSmart, a location aggregator that buys access to data from a variety of parties including major American carriers and EnStream.

U.S. Senator Ron Wyden wrote a letter to the Federal Communications Commission (FCC) on the subject, stating that Securus confirmed it did not “conduct any review of surveillance requests,” and that wireless carriers must take affirmative steps to verify law enforcement requests.

It has been subsequently revealed by ZDNet that a bug in LocationSmart’s website allowed anyone to track someone’s location without their permission — especially troubling because the site had a “try-before-you-buy” page that let potential customers test the accuracy of its data.

Could the same thing happen here?

Robert Blumenthal, chief identity officer at EnStream, told MobileSyrup the same thing couldn’t happen in Canada.

“We wouldn’t allow that type of application,” he said.

“For every partner that we have, for every customer of theirs, we approve those use cases in advance and for every transaction we make sure they are complying.”

Blumenthal said EnStream does not manually review every transaction that comes in from its partners’ customers. He did state, however, that EnStream reviews each application manually when a new customer is onboarded, with audits that take place “periodically.”

“We have been criticized by some of the partners we have outside Canada for being a little too strict,” said Blumenthal, adding that EnStream has completed reviews with the Office of the Privacy Commissioner (OPC) regarding which services it delivers and how it delivers those services.

Customer confidentiality in the internet age

Still, general counsel at the Public Interest Advocacy Center (PIAC), John Lawford, took issue with the very premise of EnStream’s business.

He brought up the Canadian Radio-television and Telecommunications Commission’s (CRTC) confidential customer information rules.

The rules were created to ensure that without explicit customer permission, telecoms could not share any confidential customer information. At the time, the particular concern was call logs.

“The CRTC has always protected that to an extreme level,” said Lawford. “The trouble is, this thing called the internet came along with a lot of metadata that’s similar to call records.”

Lawford noted that the CRTC has yet to update its definition of what confidential customer information means in the internet era.

He said he believes this issue will come to a head at some point with EnStream at its centre.

“I can tell you I haven’t signed anything or been alerted by Bell or Rogers that they’re going to give my information to third parties,” said Lawford.

Questions surrounding permission

However, EnStream’s Blumenthal told MobileSyrup that’s not how his company’s services work.

EnStream’s clients — for instance, a company that provides roadside assistance — must ask for permission from their customers to see their mobile location, as is the case with many mobile apps.

He stated via email that “by default everyone is opted out of any mobile location service. They need to explicitly opt-in for a particular application in order for the service to be delivered to a third party with their consent. No location or other personal information is ever released without end-user prior consent.”

Still, EnStream’s business model is based on access to the national telecoms’ subscriber base, and there’s no clear answer yet as to whether telecom subscribers can opt out entirely of being part of the subscriber base to which EnStream sells access.

In an email to MobileSyrup, a spokesperson for the Office of the Privacy Commissioner of Canada said concerns around EnStream are “not something we have examined to date.”

The email further stated that the watchdog noted the mention of Canadian carriers in the recent ZDNet article on LocationSmart.

“It does raise questions and we plan to follow up,” said the spokesperson, adding that they have no further details to share at this time.

Lawford said he thinks more complaints regarding EnStream will be lodged with the privacy commissioner.

“There’s no transparency here,” said Lawford. “There will be complaints to the privacy commissioner, and there will be CRTC action to at least clarify what’s going on.”

The post Here’s how Bell, Rogers and Telus profit from mobile subscriber data appeared first on MobileSyrup.



from MobileSyrup https://ift.tt/2rT9zVr
