Privacy officials in Canada plan to look into reports over the past week that Canadian telecom companies share location data on subscribers with third-parties, a practice that, in at least one case, appears to have allowed similar data on Americans to be accessed by police without a warrant.
Bell, Rogers and Telus were named in an article on ZDNet.com, a technology website owned by a subsidiary of CBS Corp., as among the North American telecom companies selling real-time location data on subscribers to a company called LocationSmart.
READ MORE: US cell carriers are selling access to your real-time phone location data
LocationSmart bills itself as a service that “locates 15 billion devices anywhere in the world, for any location need.”
Those needs can include letting clients who buy access to its data target consumers based on their location, check the locations of workers such as truck drivers, and locate any connected device and allow store locator services to track consumers without having to provide their postal codes.
However, it can also be used for more questionable tasks.
READ MORE: Service Meant to Monitor Inmates’ Calls Could Track You, Too
A prison technology company called Securus is now under fire after the New York Times alleged on May 10 it had shared location data obtained via LocationSmart with a sheriff’s office in Missouri that then used it to track people’s phones — without a warrant.
The sheriff was charged with unlawful surveillance.
WATCH BELOW: Cambridge Analytica scandal explained
Global News reached out to the office of Privacy Commissioner Daniel Therrien asking for his reaction to the reports.
A spokesperson responded there were few details to share right now, but that the office would be looking into the matter.
“We are aware of the news articles you’ve pointed to. This is not something we have examined to date,” wrote Valerie Lawton in an email.
“We have noted the mention of Canadian carriers in the recent ZDNet article on LocationSmart. It does raise questions and we plan to follow up. I don’t have further details to share with you at this time.”
WATCH BELOW: U.S. Justice Department reported to be actively investigating Cambridge Analytica
Telus did not respond to a request for comment but spokespersons for Bell and Rogers said the location data in question is not directly shared by them.
Instead, it is done by a joint venture owned by all three telecom companies called Enstream.
One of its partners is LocationSmart.
Enstream is described on its website as providing identity verification services for third-party applications.
READ MORE: Canada has ‘fallen behind’ in powers to do battle over privacy with tech giants: UK official
It operates as a sort of hub of information held by the Canadian telecom companies and others can buy access to the data to do things like verify mobile subscriber identity, allow a roadside assistance company to locate a caller, or verify credit card information used in mobile payment systems.
Once the data has been used by the partner companies, it is destroyed to prevent further use.
Robert Blumenthal, spokesperson for Enstream, said the company only shares data like location when it verifies an individual has given explicit permission to one of its approved partners and that it conducts security reviews before entering into partnership agreements to make sure those companies can follow their rules to protect the data.
That permission is not ongoing, he said, and does not last beyond the specific purpose consented to by the client “on a one-time basis.”
For example, he said, when an individual calls roadside assistance they may be asked whether the dispatcher can use their location to send help.
If the caller agrees, that assistance provider can then make the request to Enstream to get and use that specific data.
“It’s not like everyone’s information is out there and you have to figure out a way to shut it off — in fact, it’s the opposite,” he said.
“By default, it’s off and the services are only made available when you explicitly consent through a service that you are looking to legitimately provide value to you, whether it’s roadside assistance or package tracking, applying for a credit card or any of those kinds of things.”
WATCH BELOW: Who is responsible for user privacy on social media?
Picture the situation this way: rather than there being only one locked door into a house, there are a number of smaller windows that can only be opened from the inside by the owner.
The companies accessing location data are going in through the windows: open only for a short time by the owner for a specific reason.
The main entry into the house remains locked: no one without permission can just walk in and start sniffing around.
That’s because privacy rules in Canada and the U.S. are different.
In the U.S., there is nothing to prevent telecom companies from sharing the data they hold with other companies.
In Canada, private sector companies require “meaningful consent” to collect, use and disclose personal information, except in cases where police have a warrant.
Because of that, Blumenthal said Enstream reviews each request from its partners to access the information it holds on Canadians.
“They give us a lot of grief for making it more strict than it is in the U.S.,” he said.
“Some of these partners like LocationSmart, they say, ‘Why does it have to be so hard?’ Because things are different here.”
Enstream has launched a security review of its relationship with LocationSmart in light of the reports.