Today, noyb filed a complaint against TeleSign, a US company which profiled millions of phone users. TeleSign generates a “reputation score” and sells its services to various clients like TikTok, Microsoft or Salesforce. TeleSign secretly received the mobile phone data from BICS, a Belgian company that provides interconnection services for many mobile phone companies.
BICS – the company connecting phone providers globally. BICS is a world leading communications service, that allows phone calls, roaming and data flows between different communications networks and services in different corners of the world. Instead of having direct agreements with each other, hundreds of mobile phone providers can connect their networks via BICS’ interconnection service. When processing phone customer data, BICS gets detailed information (e.g. the regularity of completed calls, call duration, long-term inactivity, range activity, or successful incoming traffic) about half of the worldwide mobile phone users.
TeleSign generates “reputation scores” from BICS data. In March 2022, the Belgian newspaper “Le Soir” first revealed that the US company TeleSign was getting this data from BICS and was profiling millions of phone users across the globe. TeleSign gave every mobile phone user a “trust score” between 0 and 300 points. Based on this score, TeleSign’s clients (e.g. TikTok, Salesforce and Microsoft) could then decide to allow users to sign up to a platform or for example require an SMS verification first. TeleSign verifies over five billion unique phone numbers per month, representing half of the world’s mobile users.
Max Schrems: “Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a ‘trust score’ about you and sells phone data to third parties like Microsoft, Salesforce or TikTok – without anyone being informed or giving consent.”
User copy shows extent of TeleSign surveillance. Curious to know what was done with their data, several mobile users used their right under the GDPR to get a copy of their data from TeleSign, BICS and their national mobile provider. The answers were quite surprising: none of the mobile operator listed TeleSign as a recipient or knew that user data was sent to TeleSign. At the same time, TeleSign confirmed that it had the phone number and communicated the “trust score” assigned to their number, such as “medium-low”:
AI to score people & data transfers to the US. On its website TeleSign claims it is using artificial intelligence models to analyse the enormous amount of data received from BICS and to generate a “trust score” on each phone number. All of this happens in the United States, where US authorities also can access personal data from TeleSign.
Processing unlawful, potentially huge fine. While there are some situations where personal data can be used for security purposes without consent, the secret use of telecommunication data on the majority of all global mobile phone users is not in line with EU and national data protection law. Besides being ordered to stop the transfer of data to TeleSign, the Belgian DPA can issue a fine up to € 236 million, which is 4 % of the global turnover of the Proximus group, the owner of BICS and TeleSign.
Max Schrems: “The responses received by BICS and TeleSign suggest that this business model is not complying with EU privacy laws. We have therefore filed a complaint with the Belgian Data Protection Authority, who is competent for Proximus, BICS and TeleSign.”
Is your number processed by TeleSign? Easy to find out! Companies holding data about you have the obligation under the GDPR to tell you whether they process information about you, but also where they received the data, for which purpose they use it, and with whom they shared it. If you want to know whether TeleSign has data on you, and assigned you a score like the complainants, noyb developed a template that you can use to send an access request to TeleSign.