In its roughly 12 years of operation, EnStream, an identity and device authentication company jointly owned by Bell, Telus and Rogers, has mainly flown under the radar. On its website, the company promotes only a handful of selected articles mentioning it, mostly from business and industry publications. The articles report the bare facts: EnStream was founded over a decade ago to facilitate mobile payments. About a year-and-a-half-ago it pivoted to provide third-party customers with services that confirm identity and location using mobile subscriber data. However, a new wave of media attention is now crashing down on EnStream, courtesy of a recent privacy breach story that broke in the U.S. — and it’s raising questions about the company’s services. EnStream uses subscriber information from Bell, Rogers, Telus Fido, Koodo, Virgin and Lucky Mobile to provide third-party companies with a variety of identity and location-related services. On its website, EnStream notes several use cases — for instance, using mobile subscriber information, including name, address, mobile number and date of birth, to verify the identity of a customer. EnStream can also provide a service that determines whether a particular mobile number is valid and in-service, offering an alternative to SMS one-time codes. Then there are the location service applications, which track locations based on network connections, thus doing away with the need for a preloaded software solution. These services include roadside assistance locating, geo-restricted service verification (i.e. for lottery tickets that require the customer to be in-province) and transportation tracking, which might be used for parties like independent truckers. These, of course, are use cases provided by EnStream, and the company refrains from revealing any specific examples of customer use. Enstream does however, list partners that sell its services, including one that recently drew some less-than-positive attention: LocationSmart. A recent New York Times report revealed that a former police sheriff used a service called Securus to track people’s locations through their mobile phones without court orders. Securus received its data from a company called 3Cinteractive, which in turn got its data from LocationSmart, a location aggregator that buys access to data from a variety of parties including major American carriers and EnStream. U.S. Senator Ron Wyden wrote a letter to the Federal Communications Commission (FCC) on the subject, stating that Securus confirmed it did not “conduct any review of surveillance requests,” and that wireless carriers must take affirmative steps to verify law enforcement requests. It has been subsequently revealed by ZDNet that a bug in LocationSmart’s website allowed anyone to track someone’s location without their permission — especially troubling because the site had a “try-before-you-buy” page that let potential customers test the accuracy of its data. Robert Blumenthal, chief identity officer at EnStream, told MobileSyrup the same thing couldn’t happen in Canada. “We wouldn’t allow that type of application,” he said. “For every partner that we have, for every customer of theirs, we approve those use cases in advance and for every transaction we make sure they are complying.” “We have been criticized […] for being a little too strict” — Robert Blumenthal, EnStream Blumenthal said EnStream does not manually review every transaction that comes in from its partners customers. He did state, however, that EnStream reviews each application manually when a new customer is onboarded with audits that take place “periodically.” “We have been criticized by some of the partners we have outside Canada for being a little too strict,” said Blumenthal, adding that EnStream has completed reviews with the Office of the Privacy Commissioner (OPC) regarding which services it delivers and how it delivers those services. Still, general counsel at the Public Interest Advocacy Center (PIAC), John Lawford, took issue with the very premise of EnStream’s business and its access to mobile subscriber information from the Big Three. He brought up the Canadian Radio-television and Telecommunications Commission’s (CRTC) confidential customer information rules. The rules were created to ensure that without explicit customer permission, telecoms could not share any confidential customer information. At the time, the particular concern was call logs. “The CRTC has always protected that to an extreme level,” said Lawford, “The trouble is, this thing called the internet came along with a lot of metadata that’s similar to call records.” Lawford noted that the CRTC has yet to update its definition of what confidential customer information means in the internet era. He said he believes this issue will come to a head at some point with EnStream at its centre. “I can tell you I haven’t signed anything or been alerted by Bell or Rogers that they’re going to give my information to third parties,” said Lawford. However, EnStream’s Blumenthal told MobileSyrup that his company’s services are completely consent-based. EnStream’s clients — for instance, a company that provides roadside assistance — must ask for permission from their customers to see their mobile location, as is the case with many mobile apps. He stated via email that “by default everyone is opted out of any mobile location service. They need to explicitly opt-in for a particular application in order for the service to be delivered to a third party with their consent. No location or other personal information is ever released without end-user prior consent.” Still, EnStream’s business model is based on access to the national telecoms’ subscriber base, and there’s no clear answer yet as to whether telecom subscribers can opt-out entirely of being part of the subscriber base to which EnStream sells access. “There’s no transparency here” — John Lawford, PIAC Additionally, the website bug that affected SmartLocation, one of EnStream’s listed partners, doesn’t exactly inspire confidence that the system is infallible. In an email to MobileSyrup, a spokesperson for the Office of the Privacy Commissioner of Canada said concerns around EnStream are “not something we have examined to date.” The email further stated that the watchdog noted the mention of Canadian carriers in the recent ZDNet article on LocationSmart. “It does raise questions and we plan to follow up,” said the spokesperson, adding that they have no further details to share at this time. Lawford said he thinks more complaints regarding EnStream will be lodged with the privacy commissioner. “There’s no transparency here,” said Lawford. “There will be complaints to the privacy commissioner, and there will be CRTC action to at least clarify what’s going on.”What is EnStream?
LocationSmart privacy breach
Could the same thing happen here?
Customer confidentiality in the internet age
Questions surrounding permission
