T-Mobile next month will start a new program that gives customers’ web-browsing and device-usage data to advertisers unless customers opt out of the data sharing.
“[S]tarting April 26, 2021, T‑Mobile will begin a new program that uses some data we have about you, including information we learn from your web and device usage data (like the apps installed on your device) and interactions with our products and services for our own and 3rd party advertising, unless you tell us not to,” T-Mobile said in a privacy notice. “When we share this information with third parties, it is not tied to your name or information that directly identifies you.”
For directions on how to opt out of the expanded data sharing, see the first section of the T-Mobile privacy notice. There’s also an opt-out link here.
T-Mobile, which completed its purchase of Sprint in April 2020, said that the new advertising “program changes the way Sprint offered choices for sharing in the past, as this data was previously used only if you indicated that it was OK with you first.”
It’s not clear exactly how big a change this is for non-Sprint customers of T-Mobile. An August 2020 version of the privacy policy said that T-Mobile collects “websites and URLs visited” but did not list smartphone customers’ web-browsing data in the list of information shared with third parties. However, that August 2020 version said that T-Mobile sold “device identifiers and Internet and electronic network activity to facilitate certain advertising activities commonly deployed by online and technology companies.” A similar disclosure was in T-Mobile’s privacy policy before the Sprint acquisition as well.
T-Mobile says in another webpage describing its advertising and analytics program that it collects “addresses of websites visited; types of websites visited, like sports sites, music sites, etc.; applications, content, and features used—including how much time you spent using them, and information from servers that host these apps, content, and features.”
Advertising IDs used instead of customer names
In order to anonymize data before it’s sold to third parties, T-Mobile said that it ties the information “to your mobile advertising identifier or another unique identifier” instead of the customer’s name. But you’ll have to take T-Mobile’s word on just how anonymous the anonymized data actually is. “[P]rivacy groups say those IDs can be linked back to people by comparing different data sets,” The Wall Street Journal noted in an article on the T-Mobile changes today.
“It’s hard to say with a straight face, ‘We’re not going to share your name with it,'” Electronic Frontier Foundation lawyer Aaron Mackey told the Journal. “This type of data is very personal and revealing, and it’s trivial to link that de-identified info back to you.”
Before the merger with T-Mobile, “Sprint had previously shared similar data only from customers who opted into its third-party ad program,” the Journal wrote. “We’ve heard many say they prefer more relevant ads so we’re defaulting to this [opt-out] setting,” a T-Mobile spokesperson told the Journal.
We asked T-Mobile several questions about the data-sharing changes and for details on how exactly it ensures that data can’t be linked to individual customers, and we’ll update this article if we get a response.
Update at 9:37 pm ET: In response to our question about what data is being shared, a T-Mobile spokesperson told us, “We only share Advertising IDs, which are pooled to create audience segments based on customer interests, like sports or entertainment. We do not share underlying customer broadband or device usage data with third parties.”
However, T-Mobile’s privacy policy indicates that each “Advertising ID” is tied to one device. T-Mobile didn’t provide much of an explanation on how it makes sure each Advertising ID cannot be tied to an individual customer, saying only that “we do not utilize information for advertising that directly identifies customers, like name, address, email or precise location information.”
T-Mobile did not answer our question about whether it was already giving third-party companies access to the web and device usage data of its non-Sprint customers. As mentioned earlier in this article, T-Mobile’s privacy notice seems to indicate that the new data-sharing program is a bigger change for Sprint customers than for T-Mobile customers, but the notice is vague enough that it’s possible the change is about the same for both sets of customers.
AT&T and Verizon data-sharing doesn’t go as far
The Journal article said that T-Mobile is being more aggressive in sharing individual customers’ Internet usage data with advertisers than AT&T and Verizon:
AT&T automatically enrolls wireless subscribers in a basic ad program that pools them into groups based on inferred interests, such as sports or buying a car. An enhanced version of the program shares more-detailed personal information with partners from customers who opt into it.
Verizon likewise pools subscriber data before sharing inferences about them with advertisers, with a more-detailed sharing program called Verizon Selects for users who enroll. Its separate Verizon Media division shares data gathered through its Yahoo and AOL brands.
AT&T says on this webpage that it doesn’t “share information about your individual web browsing or TV viewing” in its “relevant advertising” system but offers an “enhanced relevant advertising” system that shares additional information only with customers’ “prior explicit consent.”
Verizon says on a relevant mobile advertising FAQ that “Information Verizon Wireless has about web activity from your mobile device is not used in the program.” The program does use “mobile and online web browsing information” collected by Verizon’s Yahoo and AOL subsidiaries, but this apparently wouldn’t cover browsing to non-Verizon websites. Customers can opt out of this targeted advertising program.
In 2016, Verizon agreed to pay a $1.35 million fine and give users more control over “supercookies” that identify customers in order to deliver targeted ads. Verizon’s previous use of the supercookies without properly notifying users violated an FCC rule that required Internet providers to disclose accurate information about network management practices to consumers.
Carriers sold location data without consent
T-Mobile and the other major carriers were previously caught selling their customers’ real-time location data to third-party data brokers without customer consent, violating a law banning sales of phone-location data. The Federal Communications Commission in February 2020 proposed a fine of $91 million for T-Mobile, the biggest for any of the major carriers, but T-Mobile said it would fight the penalty.
The Obama-era FCC tried to require home-Internet and mobile broadband providers to get consumers’ opt-in consent before using, sharing, or selling web-browsing and app-usage histories, but a Republican-controlled Congress and then-President Trump killed the rule in 2017 before it took effect.
https://arstechnica.com/?p=1748388