A digital rights and privacy organization has filed a complaint against software company TeleSign for gathering and selling information on millions of mobile phone users.
The organization that filed the complaint is nyob. nyob is an Austrian based digital right organization that focusses on commercial privacy issues on a European level. After the General Data Protection Regulation (GDPR) came into force on May 25, 2018, commercial privacy violations can now be enforced on a European level, which allows for much more effective procedures and strategic litigation.
The complaint targets BICS, TeleSign, and Proximus. BICS is a Belgium-based communications service that enables phone calls, roaming, and data flows between different communications networks and services all over the world (500 mobile operators in more than 200 countries). Instead of having direct agreements with each other, hundreds of mobile phone providers can connect their networks through the interconnection service of BICS.
TeleSign is a US-based company that provides Application Programming Interfaces (APIs) that deliver user verification, digital identity, and omnichannel communications, to help other brands with secure onboarding, maintain account integrity, prevent fraud, and streamline omnichannel engagement. Among its customers are Ubisoft, ByteDance (TikTok), Skype, and Salesforce.
Proximus is the Belgium based parent company of both BICS and TeleSign.
When processing phone customer data, BICS gets detailed information like the regularity of completed calls, call duration, long-term inactivity, range activity, and successful incoming traffic. And it receives these data for about half of the worldwide mobile phone users.
In 2022, Belgian newspaper Le Soir published an article about BICS sharing these data with TeleSign. Based on these data, TeleSign gave every mobile phone user a “trust score” between 0 and 300 points. This trust score helps their customers decide whether to allow users to sign up to a platform or, for example, require an SMS verification first.
According to Telesign’s website, it verifies over five billion unique phone numbers a month, representing half of the world’s mobile users, and provides critical insight into the remaining billions.
The data BICS shares includes information such as the type of technology used to make calls or texts, the frequency of activity, and the duration of calls.
nyob co-founder Max Schrems said:
“Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a ‘trust score’ about you and sells phone data to third parties like Microsoft, Salesforce or TikTok – without anyone being informed or giving consent.”
While GDPR allows for sharing data for the purposes of taking appropriate, proportionate, preventive and curative measure and in order to detect fraud and malicious use of networks and services, nyob feels that this is not the case here.
From Max Schrems:
“The responses received by BICS and TeleSign suggest that this business model is not complying with EU privacy laws. We have therefore filed a complaint with the Belgian Data Protection Authority, who is competent for Proximus, BICS and TeleSign.”
The lawsuit could end up to be very costly. The Belgian Data Protection Authority (DPA) can issue a fine up to 4% of the global turnover of Proximus, which is roughly $250 million.
EU citizens that want to know whether TeleSign has data on them, and has assigned them a score like the complainants, nyob has developed a template that you can use to send an access request to TeleSign. Companies holding data about you have the obligation under GDPR to tell you not just whether they process information about you, but also where they received the data, for which purpose they use it, and with whom they shared it.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.