For years, Orange has been trying to market the gold mine that is our geolocation data (the list of relay antennas to which our phones connect during the day). The pandemic appears to be a good opportunity for the company to open its market.
In 2013, Orange launched its first product, Flux Vision, providing cities and tourist destinations with statistics on the “travel flows” of their visitors: number of visitors, length of stay, origin, routes travelled. The provided statistics are anonymous, but Orange produces them in a more or less legal manner.
Measuring the number of visitors on a location is as simple as counting the number of connections to a relay antenna, without processing any personal data. Alright. However, in order to evaluate the length of stay, origin or route, Orange has to process non-anonymous data that reveals the position of each visitor at different times during his or her stay. In practice, it is no longer just a question of counting the number of connections to a given antenna, but also of looking at the identifier of each visitor
The ePrivacy Directive and French law prohibit the processing of non-anonymous location data without one’s consent. Within Flux Vision framework, Orange never asks for this consent. For reasons that are still unclear
A health crisis and a failing government have created a great opportunity for new strategies to bloom out and a new product to replace Flux Vision.
The opportunity of the crisis
European Commissioner Thierry Breton also saw an opportunity to help the industry that fed him: he brought together the eight main European operators (i.e. Orange, Deutsche Telekom, Vodafone…) to announce among non-medical ingeneers without any pandemic experts, their strategy to fight the pandemic by population monitoring. Enough to highlight their commercial offers.
In France, Orange CEO Stéphane Richard is all over medias with a quite clear strategy: to recycle its Flux Vision 2013 offer for the current global crisis. If Orange can already inform cities about how tourists are moving in and out, it surely can be extend to infected and confined people. And if Orange plays well in times of crisis, it will have opened up a new sustainable market. It will even have moved closer to other similar markets, which are still not very reputable, whether it be to track demonstrators, young people in poor neighbourhoods, the homeless…
A great opportunity to diversify in security.
The support of the CNIL
And what does the CNIL do? Mediapart revealed that the CNIL is pushing the government towards comparable solutions which, in practice, are mainly those of Orange.
To justify itself, the CNIL uses the spurious vocabulary of Orange, which boasts of providing “aggregated” statistics to give a feel they are complying with the law. However, in order to provide “anonymous” travel statistics, Orange first analyses personal, non-anonymous data without the consent of individuals. This is illegal.
The CNIL should have required that no Orange statistics could be based on anything other than purely technical data, unrelated to people, such as the number of connections to base stations. For example, although it is not clear how Paris city estimated the 17% drop in its population since confinement, the city could simply have compared the number of connections to its antennas between two dates, demonstrating that it is not necessary to break the law to produce figures.
Unfortunately, the CNIL does not only promote Orange’s commercial offers. It also invites the government to adopt a new legislation in case that “more advanced” measures are needed – e.g. mapping every patient or confined person without their consent. However, the ePrivacy Directive prohibits any such legislation: location data can only be collected without people’s consent to fight crime (and only the most serious crimes, according to EU judges) and not to fight the spread of a virus
We would like to believe that, if the CNIL is calling on the government to violate European law, it is not just to restore the greatness of the country’s industry, but also to protect our health. Except that neither the CNIL, nor Orange, nor anyone else has been able to demonstrate the medical necessity of monitoring confined or sick people without their agreement – especially when they are undetectable in the absence of a test. While Singapore is suggesting an application based on an open protocol allowing people to voluntarily reveal their movements, why is the CNIL defending Orange’s proposal, which represents a law violation, much less respectful of our freedoms and which, for its part, has not demonstrated any efficacity against the virus?
For now, the government seems too busy with other things to respond to Orange’s call. Unlike the CNIL, we will not hesitate to attack it if it yields to the risky ambitions of crisis profiteers.