A joint venture between Canada's three largest telecom companies has been selling the real-time location of its subscribers to third parties — as long as they have your consent, the company says.

EnStream, a joint venture between Rogers, Telus and Bell, isn't new. It was originally formed in 2005 to develop ways for subscribers to make purchases with a mobile phone. Now, it's in the business of providing "identity verification and authentication services," helping third-party companies such as banks and insurance companies confirm you are who you say you are — and where you are.

It makes money, in part, by charging companies a fee to provide a user's location.

To explain how that works in practice, EnStream used the example of a person calling for roadside assistance, and that service asking for the person's consent to locate them. This is done without installing any apps or using the phone's GPS, but simply by measuring its distance from nearby cell towers.

But the practice of sharing location data has come under scrutiny in recent days, after the New York Times published a report detailing how access to such data can be abused. The paper found that a former U.S. sheriff misused a similar service stateside to track the cellphones of a judge and other law enforcement officers without a warrant.

I think this speaks to a really fundamental difficulty in individuals knowing the information that's being generated about them and then disseminated - Christopher Parsons, research associate, University of Toronto's Citizen Lab

In Canada, EnStream executives believe that the bar they've set for accessing sensitive subscriber data such as location is higher. "Unlike the U.S., we have taken a more strict approach," said Robert Blumenthal, the company's chief identity officer, in an email.

Blumenthal declined to name any specific clients, citing non-disclosure agreements.

The company says users have to explicitly opt-in each time before EnStream will share their location.

However, EnStream's ability to do so relies on having a relationship with the wireless providers in the first place. It's not clear whether subscribers can opt-out of this relationship, preventing EnStream from making access to that subscriber base part of its business model.

On this point, Bell and Rogers declined to comment. Telus did not respond to questions.

What does consent look like?

In the U.S. case, a Missouri sheriff is alleged to have tracked the location of cellphones using a service called Securus, which also sells communications services to prisons. The New York Times reported that Securus obtained the location data from a marketing company called 3Cinteractive, which in turn acquired it from yet another company called LocationSmart, which buys access from the major U.S. wireless carriers.

EnStream can determine person's physical location without installing any apps or using the phone's GPS, but simply by measuring its distance from nearby cell towers. (Jacy Schindel/CBC)

LocationSmart is also an EnStream partner. ZDNet reported this week that LocationSmart sells access to the location data of the major Canadian wireless carriers as well.

Like LocationSmart, EnStream executives say that "informed explicit consent" is required before anyone can access a person's location — "either just prior to providing location or when a client registers for a service."

Consent, said Blumenthal, "is not buried on page 57 of an application's service terms, but rather brought out in the 'primary' consent clause that people see" — language that EnStream has to approve.

"This is true for our Canadian customers, as well as parties from outside Canada like LocationSmart," he said.

For Christopher Parsons, a research associate at the University of Toronto's Citizen Lab who studies the privacy of telecommunications data, the key is how that consent process is actually implemented in practice — namely, how well users understand what is being collected and why, and whether users understand they have the ability to withdraw their consent at any time.

"We know the existing model of consent doesn't work very well," Parsons said.

Unclear how to prevent sharing with EnStream

In a letter to AT&T earlier this week in connection with the Securus revelation, U.S. Senator Ron Wyden criticized the telecom giant for not having more control over access to its users' private data, which was sold to a string of third parties beyond AT&T's direct control.

Because EnStream is a joint venture between the country's carriers, the company said it can see what information passes between the mobile networks and third parties, 'and it is monitored for unauthorized access.' (The Associated Press)

But in Canada, said Parsons, "the positive thing with the carriers being involved in it is they are a relatively well-regulated segment of the economy." He said that groups such as the CRTC or the country's privacy commissioner could step in if evidence of wrongdoing was found here.

Because it is a joint venture between the country's carriers, EnStream said it can see what information passes between the mobile networks and third parties, "and it is monitored for unauthorized access," wrote Blumenthal and Chief Operating Officer Almis Ledas in a separate email. "The location data is not stored or maintained beyond the immediate confirmation."

EnStream also said that it has to approve each company's use of location data, and that regular audits are a contractual requirement. But Senator Wyden was critical of such contracts and their pledges against misuse, calling them "the legal equivalent of a pinky promise."

While EnStream said that it won't share any location data unless a person opts in, what's not clear is how the major Canadian carriers obtain the consent of users allowing EnStream to sell that access in the first place. The company said that "some subscribers are, at their request, excluded from any services that allow other parties to access any information, including location data," but neither Telus, Rogers or Bell would answer questions about how users could do this themselves.

Nor is it clear how users can see who they've consented to share their location data with in the past.

"I think this speaks to a really fundamental difficulty in individuals knowing the information that's being generated about them and then disseminated," said Parsons. "Consent can be really well done, and users still not quite understand it."