US company using cell data to rank ‘reliability’ of billions of phone users, lawsuit alleges

A European digital rights organization is alleging that a telecommunications giant and a U.S.-based fraud detection company are violating privacy laws by gathering and transferring the cellphone data of half the world’s population and using it to create personalized scores of individuals’ trustworthiness.

The European Center for Digital Rights — also called noyb, from “none of your business” — filed a complaint Friday with the Belgian Data Protection Authority on behalf of a group of unnamed plaintiffs who allege their privacy was violated.

The accused are BISC — a telecommunications company that partners with more than 500 mobile operators in more than 200 countries; TeleSign, a company using artificial intelligence to prevent fraud; and their parent company, Proximus.

The allegations against BISC and TeleSign date back to an article in March 2022 by the newspaper Le Soir, which revealed that the telecoms provider gathered data about customers’ phone activity and secretly shared it with TeleSign.

The data included information such as the type of technology used to make calls or texts, the frequency of activity and the duration of calls.

Using an algorithm, TeleSign then assigns users “trust scores,” which are allegedly used by clients like Microsoft, Salesforce and TikTok to determine if users should be allowed to set up accounts.

According to Telesign, the company “verifies over five billion unique phone numbers a month, representing half of the world’s mobile users, and provides critical insight into the remaining billions.”

When the plaintiffs filed data requests with the company under Europe’s far-reaching privacy law, the General Data Protection Regulation (GDPR), they discovered that they had indeed been ranked by TeleSign based on their phone activity. In one example shared in the complaint, a plaintiff is assigned a “medium-low” risk level.

The GDPR does allow for certain concessions in protecting privacy, including “for the purposes of taking appropriate, proportionate, preventive and curative measures… in order to detect fraud and malicious use of their networks and services.” The complaint alleges that the scope of TeleSign and BICS’ activity, however, is unjustified.

“The systematic and massive transfer of all telephone numbers to TeleSign so that the latter can assign a score to each number is not proportionate,” the complaint contends. “It amounts to putting on file all users whose communications transit through BICS, even though such systematic retention of data for police and judicial purposes is only permitted under very strict conditions.”

The plaintiffs also allege that such a ranking system violates the GDPR’s prohibition on profiling individuals using predictive algorithms. The law bans the “automated processing of personal data … to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict factors concerning the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person."

The complaint also alleges that BICS’ data transfers to a California-based company potentially exposes European citizens’ information to U.S. law enforcement.

A TeleSign spokesperson sent Recorded Future News a company response to the complaint, saying: “Telesign has in place a data privacy program, which encompasses global law and regulations including the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). The company constantly reviews internal policies and practices to maintain compliance with the evolving regulatory landscape.”

Among noyb’s requests to the Belgian data authority, the plaintiffs are asking BICS to cease the data transfers and for TeleSign to stop processing data. They also call for a fine, which under EU law would not exceed €236 million ($257.4 million), or 4% of Proximus’ annual revenue.