A customer in Germany is suing mobile operator Vodafone because it allegedly stores connection data without having any legal obligation to do so, the plaintiff’s lawyer said Monday. Lawsuits against other telecom operators will follow soon, he said.
The lawyer, Meinhard Starostik, in May sent a cease-and-desist letter on behalf of his client to Vodafone in which he said that the allegedly illegally stored traffic data was unnecessary for the billing process and should be deleted without delay. Starostik is a lawyer working with the Working Group on Data Retention, a privacy and digital rights organization.
Vodafone stores data such as the unique number that identifies a mobile phone (IMEI number), the unique identifier that is stored on SIM cards (IMSI number) and data from the cell tower at which the mobile phone call is initiated, which reveals the physical location where the phone contacted the network, according to the cease and desist letter. The IMEI is stored for 80 days, the IMSI for 30 days and the connection data of incoming and outgoing calls is stored for 92 days, wrote Starostik.
However, Vodafone is only allowed to store data used for billing purposes, and the operator does not need the data that it stores, said Starostik.
In 2008, Germany adopted an E.U. directive requiring telephone companies and ISPs to store information including data about email, phone calls and text messages for law enforcement purposes. However, the implementation of the measure was annulled in 2010 by the German Constitutional Court amid privacy concerns, noted Rena Tangens, spokeswoman for the Working Group on Data Retention. This is why people are fighting the telecom operators, she added.
In a response, which was also posted online by Starostik, Vodafone said it saw no reason to accept the cease-and-desist request of the client, because the data are indeed needed for billing purposes. The cell tower information is needed for location-based billing, and was in this case used to calculate the home tariff, Vodafone writes. The IMEI is needed to settle device-related services and could be used to check whether certain device-specific services can be provided at all, Vodafone added.
In addition, the IMEI is used to identify the subscriber and is associated with the caller ID, said Vodafone. Data about incoming calls will only be saved if they have billing relevance, which is the case when it concerns roaming calls, Vodafone added.
“My client doesn’t have a home tariff anymore and therefore does not have a need for location based services,” Starostik said in a statement posted to his website. “That is why I filed a complaint with the district court of Dû³¥¬¤orf,” he said, adding that lawsuits from other customers against other telecom service providers will follow soon.
Starostik’s client is one of “many” that responded to a call from the Working Group on Data Retention issued last September seeking users who want to complain about the storage of their data by telecom providers, he said.
The storing of traffic data is a privacy issue that makes everyone a suspect, Tangens said. “It is pathetic to argue that the data is needed to battle terrorists,” she said, adding that the storage of traffic data at a central place could be very convenient for law enforcement agencies or well-connected private detectives to track someone down or figure out who he has been calling and where he has been.
The ability to track a person’s whereabouts with mobile traffic data was demonstrated by the German politician Malte Spitz, who collaborated in 2011 with the German newspaper Die Zeit to incorporate six months of telecom data in an interactive map. Whoever hits the play button on the infographic can track Spitz’s whereabouts almost by the minute within the time span of half a year.
This really shows the potential of stored telecom data, Tangens said. She added that the Working Group is also trying to undo the European Data Retention Directive itself, which the German parliament in April 2011 said might itself be unconstitutional. The Data Detention Directive requires European communications service providers to retain data for up to two years. The directive applies to data about phone calls and e-mail or text messages, but not their contents.
In May, European authorities took Germany to court for failing to implement the E.U. Data Retention Directive.
“We want to kick away the Data Retention Directive in Europe,” said Tangens, adding that they were planning action in Brussels in September to raise awareness about the issue, and if necessary, start a citizens initiative to place the issue on the European Commission’s agenda.
Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to firstname.lastname@example.org