Orange recycles its geolocation service for the global pandemic

Posted on


For years, Orange has been trying to market the gold mine that is our geolocation data (the list of relay antennas to which our phones connect during the day). The pandemic appears to be a good opportunity for the company to open its market.

Flux Vision

In 2013, Orange launched its first product, Flux Vision, providing cities and tourist destinations with statistics on the “travel flows” of their visitors: number of visitors, length of stay, origin, routes travelled. The provided statistics are anonymous, but Orange produces them in a more or less legal manner.

Measuring the number of visitors on a location is as simple as counting the number of connections to a relay antenna, without processing any personal data. Alright. However, in order to evaluate the length of stay, origin or route, Orange has to process non-anonymous data that reveals the position of each visitor at different times during his or her stay. In practice, it is no longer just a question of counting the number of connections to a given antenna, but also of looking at the identifier of each visitor1During the 2016 Féria de Béziers, Orange revealed that a significant number of visitors came from Toulouse, allowing the city to better target its next advertising campaign (see testimonial). The company also tracked the position of people around the Féria at different times of the day, revealing for example that the people who usually lived there waited until the last days of the festivities to return home (see the graph illustrating this article). This information can only be produced by analysing the location data for each person. It does not matter that this data is then anonymised if, prior to such anonymisation, data have been collected, processed and categorised for a purpose unrelated to the service the operator originally provides to its subscribers..

The ePrivacy Directive and French law prohibit the processing of non-anonymous location data without one’s consent. Within Flux Vision framework, Orange never asks for this consent. For reasons that are still unclear2We can point out that this is unfortunately not an isolated case, which could explain why the CNIL tolerates Flux Vision. In Article 5 of its 2019 guidelines on the use of online trackers, the CNIL has, here again, created an exception to justify collecting data without consent. Again, this exception concerns the analysis of visitors (to websites) and authorizes the filing and retrieval of cookies on our computer or smartphone for the “production of anonymous statistics”. This exception violates both Article 5, §3 of the ePrivacy Directive and Article 82 of the 1978 Data Protection Act. These two texts are perfectly explicit: by law, no one is allowed to access your computer for something you did not explicitly ask for. Whatever the CNIL may say, no economic motive justifies infringing the inviolability of your computer equipment or your home., and without any legal basis, the CNIL tolerates that mobile operators violate the law “in the field of tourism, land use planning and road traffic”. In 2013, Orange was able to take advantage of this situation but, caught between illegality and the CNIL’s tolerance, the company has not pushed any new offer for 7 years.

A health crisis and a failing government have created a great opportunity for new strategies to bloom out and a new product to replace Flux Vision.

The opportunity of the crisis

European Commissioner Thierry Breton also saw an opportunity to help the industry that fed him: he brought together the eight main European operators (i.e. Orange, Deutsche Telekom, Vodafone…) to announce among non-medical ingeneers without any pandemic experts, their strategy to fight the pandemic by population monitoring. Enough to highlight their commercial offers.

In France, Orange CEO Stéphane Richard is all over medias with a quite clear strategy: to recycle its Flux Vision 2013 offer for the current global crisis. If Orange can already inform cities about how tourists are moving in and out, it surely can be extend to infected and confined people. And if Orange plays well in times of crisis, it will have opened up a new sustainable market. It will even have moved closer to other similar markets, which are still not very reputable, whether it be to track demonstrators, young people in poor neighbourhoods, the homeless…

A great opportunity to diversify in security.

The support of the CNIL

And what does the CNIL do? Mediapart revealed that the CNIL is pushing the government towards comparable solutions which, in practice, are mainly those of Orange.

To justify itself, the CNIL uses the spurious vocabulary of Orange, which boasts of providing “aggregated” statistics to give a feel they are complying with the law. However, in order to provide “anonymous” travel statistics, Orange first analyses personal, non-anonymous data without the consent of individuals. This is illegal.

The CNIL should have required that no Orange statistics could be based on anything other than purely technical data, unrelated to people, such as the number of connections to base stations. For example, although it is not clear how Paris city estimated the 17% drop in its population since confinement, the city could simply have compared the number of connections to its antennas between two dates, demonstrating that it is not necessary to break the law to produce figures.

Further monitoring

Unfortunately, the CNIL does not only promote Orange’s commercial offers. It also invites the government to adopt a new legislation in case that “more advanced” measures are needed – e.g. mapping every patient or confined person without their consent. However, the ePrivacy Directive prohibits any such legislation: location data can only be collected without people’s consent to fight crime (and only the most serious crimes, according to EU judges) and not to fight the spread of a virus3Under Article 15 of the ePrivacy Directive, States may require operators to process location data without one’s consent if “national security” or “public security” justify it. “National security” is defined in Article 4, §2, of the Treaty on EU as covering areas where the Union is not competent to act. Article 168 of the Treaty on the Functioning of the EU states that the EU is competent to adress diseases issues and make them fall outside the scope of “national security”. Otherwise, Thierry Breton and the Commission would not have authority to combat the coronavirus on the territory of the Member States, as is currently the case. “Public security” is described in Article 1 of Directive 2016/680 as an area “included” in the fight against criminal offences. The Court of Justice of the European Union is even stricter, specifying that “public security” only justifies surveillance of individuals related to “a serious crime” (Tele2 judgment of 21 December 2016, point 106). Fighting the virus does not consist in fighting “serious crimes” and is therefore excluded from the notion of “public security”.. Contrary to what one may read in the press, the GDPR is not in a position to authorise processing of location data. Only the ePrivacy Directive could do so but prohibits it in this case.

We would like to believe that, if the CNIL is calling on the government to violate European law, it is not just to restore the greatness of the country’s industry, but also to protect our health. Except that neither the CNIL, nor Orange, nor anyone else has been able to demonstrate the medical necessity of monitoring confined or sick people without their agreement – especially when they are undetectable in the absence of a test. While Singapore is suggesting an application based on an open protocol allowing people to voluntarily reveal their movements, why is the CNIL defending Orange’s proposal, which represents a law violation, much less respectful of our freedoms and which, for its part, has not demonstrated any efficacity against the virus?

For now, the government seems too busy with other things to respond to Orange’s call. Unlike the CNIL, we will not hesitate to attack it if it yields to the risky ambitions of crisis profiteers.

References

References
1 During the 2016 Féria de Béziers, Orange revealed that a significant number of visitors came from Toulouse, allowing the city to better target its next advertising campaign (see testimonial). The company also tracked the position of people around the Féria at different times of the day, revealing for example that the people who usually lived there waited until the last days of the festivities to return home (see the graph illustrating this article). This information can only be produced by analysing the location data for each person. It does not matter that this data is then anonymised if, prior to such anonymisation, data have been collected, processed and categorised for a purpose unrelated to the service the operator originally provides to its subscribers.
2 We can point out that this is unfortunately not an isolated case, which could explain why the CNIL tolerates Flux Vision. In Article 5 of its 2019 guidelines on the use of online trackers, the CNIL has, here again, created an exception to justify collecting data without consent. Again, this exception concerns the analysis of visitors (to websites) and authorizes the filing and retrieval of cookies on our computer or smartphone for the “production of anonymous statistics”. This exception violates both Article 5, §3 of the ePrivacy Directive and Article 82 of the 1978 Data Protection Act. These two texts are perfectly explicit: by law, no one is allowed to access your computer for something you did not explicitly ask for. Whatever the CNIL may say, no economic motive justifies infringing the inviolability of your computer equipment or your home.
3 Under Article 15 of the ePrivacy Directive, States may require operators to process location data without one’s consent if “national security” or “public security” justify it. “National security” is defined in Article 4, §2, of the Treaty on EU as covering areas where the Union is not competent to act. Article 168 of the Treaty on the Functioning of the EU states that the EU is competent to adress diseases issues and make them fall outside the scope of “national security”. Otherwise, Thierry Breton and the Commission would not have authority to combat the coronavirus on the territory of the Member States, as is currently the case. “Public security” is described in Article 1 of Directive 2016/680 as an area “included” in the fight against criminal offences. The Court of Justice of the European Union is even stricter, specifying that “public security” only justifies surveillance of individuals related to “a serious crime” (Tele2 judgment of 21 December 2016, point 106). Fighting the virus does not consist in fighting “serious crimes” and is therefore excluded from the notion of “public security”.