Private calls revealed
April 1, 2011In late February 2011, Malte Spitz, a German Green Party member of parliament and privacy advocate, in conjunction with the German newspaper, Die Zeit, published an interactive map illustrating six months of his detailed mobile phone records between August 2009 and February 2010.
In June 2009, Spitz sued Telekom to gain access to this data, which the company had been required to record under German and European law, the Data Retention Directive. A few European countries have overturned their own versions of this law, including Romania, and most notably Germany, which declared the law unconstitutional in March 2010. More recently, the Czech Constitutional Court overturned its version of the law on Thursday, March 31, 2011.
Under the terms of a settlement between Spitz and his mobile provider, Deutsche Telekom (T-Mobile), Spitz received a massive file detailing his movements anytime his phone was on, often with precision down to a few hundred meters of his actual location. That's because his mobile phone, like all mobile phones, is constantly in contact with the network infrastructure to give the best level of service. However, that information can also be used, as he has now shown, as a tracking device. The publication of this level of private data collected by a mobile phone company is unprecedented.
To learn more, Deutsche Welle spoke with Malte Spitz.
Deutsche Welle: You recently published a lot of data from your mobile provider. Can you tell me how that process got started? When and how did you try to get this data?
Malte Spitz: Yeah, it was a process that started around June 2009, and there I asked my mobile phone operator (Deutsche Telekom, aka T-Mobile) for the data it stored about me and at first I got no answer at all. And then I wrote a second letter, and I said: ‘Hey, I want to get this data, and I have the right to get this data from the German privacy law.' Then they answered me, but they only sent me this basic data: my name and address and so on. They didn't send me the data they have stored under the Data Retention Law. So I said, I still want to have this data. I asked a lawyer who I know, and he said ‘Ok, we will fight for this data and we will sue them so they have to give you this data.'
This was a process that started by suing Deutsche Telekom in August 2009, and at first it was just a ping-pong game, with the lawyers of Deutsche Telekom and my lawyer writing each other letters. It went really fast when, in March 2010, the German Constitutional Court decided that this data retention is unconstitutional and is unlawful and all this stored data had to be deleted. This was the moment where things went pretty fast. We had a settlement a few days later that I would get all the data [pertaining] to my person, but I didn't get any data like from people who I called or who called me in the past six months. This was the settlement that we agreed upon, and this was the point that we stopped suing them because they agreed upon sending me data for the past six months, which were over 35,000 points about my mobile phone usage.
What was the purpose of getting this data? What were you trying to accomplish? Were you just curious or were you trying to prove a point?
I've been fighting for privacy for a few years now. I wanted to know if this data retention is working. I wanted to check to see if all these technical specifics that they have to store is working. I wanted to have this data and I thought about back then to publish this data, because I think this kind of data retention is something that goes really deep into someone's private life. And in the end, I decided to publish all of this data.
What does this data show? Obviously it must tell you where you are because your phone needs to communicate with the towers and the telecom infrastructure. Does it tell you what time you're in a certain place? Does it tell you what web pages you're using, what applications you're using? What does it tell you?
This data tells me when I am using my phone, and this quite correctly shows me each second I'm using it. It also shows if I'm using my mobile phone for calling people, or sending an SMS or using the Internet. It doesn't show what kind of web page I may have open, or it's not showing what kind of application I may be using.
What it also shows is where I am. It really shows quite directly in what place I am. It's not on a meter [scale], but it's like on a couple of hundred meters, and in big cities like Berlin, it's between 50 to 150 meters close to the point where I am, so they can always track me down, and maybe know then where is my home and where is my workplace and so on. And this data is 35,000 lines long. Sometimes for each five minutes, there is such an information and it shows when I am traveling. This goes very deeply into my private life because this data shows when I go to sleep, when I'm doing my first calls in the morning and so on.
Was this surprising for you to see all of this data in this level of detail? Obviously it's your life - you lived it. Was it shocking that it was this detailed?
Yes, it was quite shocking to see 35,000 pieces of information about my past six months. And it was also so detailed that there was some information where I was at some events that I didn't even remember. So seeing the interactive visualization, I remembered: ‘Oh yeah, this was the day I was here and there, and so on.'
It was quite shocking because I thought it would be maybe 5,000 pieces of information. But 35,000 pieces of information, when you break it down, that means each day, there are 200 pieces of information. So if you have five to seven hours of sleeping time, so you have like, between the morning and evening, you have maybe 150 pieces of information - every five to 10 minutes my mobile operator knows where I am.
Now you said that this settlement came about, roughly a year ago, right after the German Constitutional Court, which found that the Data Retention Directive - which Germany was required to administrate, because it came from the European Union - was unconstitutional. I'm wondering does that mean that Telekom is no longer collecting this type of data about you, and presumably from all the rest of its customers?
It's been a year now that telephone companies don't have to collect this kind of data, but still now phone companies record other kinds of data like the date and the minute I am using their services. But still they don't collect these specific information like where I am and so on. So they are collecting less data, but still they are collecting information.
In other words, since March 2010, this type of data that you have, for the previous period, doesn't exist?
No. But it does still exist in most of the other European Union countries. And we still have the debate in Germany and the German government about redefining this Data Retention Directive and starting this all over again. This was part of the point to publish this information - I wanted to show how much detailed information you can get about a person when you collect this type of [data]. And this information is stored for anybody. So anybody who is using [his or her] mobile phone or who is using mobile Internet access has had their data stored in the same way that data was stored for me.
Interview: Cyrus Farivar
Editor: Susan Houlton