Hackers could steal users’ location data, finding out ‘where you are, how you got there and where you are going’, say campaigners

British mobile phone users are one data breach away from having the routines of their daily lives revealed to criminals, privacy campaigners have said.

Mobile phone networks and wireless hotspot operators are collecting detailed information on customers’ movements that reveal intimate details of their lives, two separate investigations into mobile data retention have found.

Many people unwittingly sign up to be location-tracked 24/7, unaware that the highly sensitive data this generates is being used and sold on for profit. Campaigners say that if this information were stolen by hackers, criminals could use it to target children as they leave school or homes after occupants have gone out.

It is so detailed that it can reveal customers’ gender, sexual orientation, religion and many other personal details that could present serious risks of blackmail.

“Effectively consumers are opting in to being location tracked by default,” said Geoff Revill, the founder of Krowdthink, the privacy campaign group behind one of the investigations published on Monday.

“The fact of the matter is your mobile service provider knows – without you knowing – where you are, how you got there and can figure out where you are going.”

Such precise location data would be like “gold dust” for criminals if it found its way on to the black market, said Pete Woodward, the founder of information security experts Securious.

“The information that mobile and Wi-Fi service providers hold on location tracking is an evolving and high-risk area of cybercrime that needs urgent attention by the industry,” Woodward said. “Otherwise we will face the frightening prospect that such highly sensitive data could get into the hands of the likes of kidnappers and paedophiles.”

Krowdthink’s research found that 93% of UK citizens had opted in to location tracking, giving mobile phone and wireless operators unlimited access to their whereabouts 24 hours a day.

This data, the report says, “brings the cloud into the crowd” by connecting web users’ digital lives with their physical lives, making it one of the most intrusive forms of tracking.

Yet Krowdthink’s research, and research conducted simultaneously but independently by the Open Rights Group (ORG), found that customers were not being given clear enough information about how the data is used, or opportunities to opt out of collection.

Wireless hotspots have been singled out as potential location trackers. Photograph: Jose Luis Pelaez Inc/Blend Images/Corbis

Mystery shopping trips carried out by both groups found that mobile and wireless service providers are not telling customers upfront that all their movements will be tracked and used for marketing, and often sold on to third parties.

All the mobile phone companies contacted by the ORG said they anonymise data, which means they are not legally obliged to ask for consent to use it. But the group, which campaigns for digital rights, raised questions about the efficacy of anonymising such personal information.

Often all it takes is the cross-referencing of one set of anonymised data with another set of data, such as the electoral roll, to reveal the identities of the people tracked. Jim Killock, the ORG’s executive director, said: “Mobile service providers need to collect and keep data so that they can bill us for our services.

“But just because they collect this data does not mean that they have an automatic right to process that data for other purposes without our consent. If they don’t, they are removing our right to control this data and the risks associated with their using it.”

Britain’s mobile phone industry is worth £14bn, with 93% of adults owning a mobile phone and 61% owning a smartphone. Data collected from these phones, including usage, web browsing and location histories, is used to build profiles that are used by advertisers and other undefined businesses.

Location data is collected from the cell towers of a mobile service provider when it tracks a customer to route a call to them. There are now 52,000 cell towers in Britain. In some areas they are as close as 50 metres apart.

Wireless hotspots are also potential location trackers, with many public providers opting customers into tracking by default in their terms and conditions. In many cases these hotspots will log registered customers’ location as they pass through, even if they do not sign in.

Krowdthink’s investigation found that some providers, including O2 and Vodafone, use the same privacy policy for wireless as for their mobile phone customers. The combination of the two networks enables them to track location with even greater fidelity.

However, customers do have a legal right to opt out of location tracking for marketing purposes and, with the forthcoming European General Data Protection Regulation, will soon be able to demand that their location data is deleted.

Krowdthink and the ORG warn mobile users to turn off wireless internet when they are out to avoid disclosing their identities as they pass through hotspots. They also warn people to be aware that they could be providing information on their location when sharing digital photos and video images and downloading mobile apps.

Killock added: “Mobile phone companies should improve the transparency of their operations by making their privacy policies clearer, giving customers information about what exact data they are collecting, how long they will keep it for, how each particular type of data will be used, who it will be shared with and the risks associated with this.

“They should also make contracts available before the point of sale and marketing and location tracking opt-outs simpler.”

• The headline on this article was changed on 4 April 2016 to better reflect the story.