Hamburg, San Francisco The sun is shining, the employees are grinning, Timotheus Höttges is willing to pose for selfies: At the end of last week, the CEO of Deutsche Telekom traveled with his half of the management team to Bellevue near Seattle, the headquarters of T-Mobile US. The managers wanted to be inspired by the success of the company’s most important subsidiary and its boss, Mike Sievert.
Some projects of the US mobile phone provider, who cultivated a rule-breaking image for years, do not fit at all with the strategy and appearance of the mother from Bonn. Intimate data of the users are specifically evaluated and sold to advertisers. All users who did not expressly object were enrolled in a program last spring that allows T-Mobile to collect the most sensitive data.
At home, Deutsche Telekom is promoting data protection as a core competence. “The most valuable thing our customers entrust us with is their personal data,” the Dax Group emphasizes in its publications.
The requirements are not limited to Germany. “With our worldwide data protection organization, we make it possible for the same high standards to apply to our products and services everywhere,” the Group assures. And Höttges likes to criticize in public the rampant behavior of large tech corporations, which generate their billion-dollar profits mainly from insights into the privacy of their users.
However, Deutsche Telekom is taking a similar approach in the USA, the company’s most important market. Last year, T-Mobile US contributed almost two-thirds of Group sales, and its customer base is steadily growing. Thanks to the good figures, the daughter enjoys a lot of free space. The advertising program shows the flip side of this strategy.
As a network operator, T-Mobile has a deep insight, as can be seen from the company’s advertising guidelines. In principle, a provider can record almost everything that customers do with their devices on the Internet.
T-Mobile is really evaluating a lot of this for its advertising business. For example, it is about the websites that customers visit, which apps they use or information about the device they use and where the customers are exactly. T-Mobile also includes personal data from inventories of external companies in order to assign age, education and personal preferences, as the terms of the contract show.
>> Read also: Deutsche Telekom is now withdrawing from Russia
The information is summarized anonymously. But data protection experts criticize that the identity of users can ultimately be discovered by combining information from different databases.
Many executives in Bonn and even supervisory boards are not aware of the existence and design of this offer. According to Deutsche Telekom, even Höttges, who also chairs T-Mobile’s Board of Directors, knows “the context of the program”, but not the details.
In a written statement to Handelsblatt, Deutsche Telekom emphasizes that US customers had the opportunity to object to participating in the program. However, according to German law, such an “opt-out”, subsequent objection regulation would not be sufficient. Deutsche Telekom apparently does not challenge this: they are guided “by the local specifications and regulations”.
The statement is surprising – and apparently contradicts its own rules. For example, the “Group Data Protection Policy” states that it creates “a globally uniform and high level of data protection”. Users must obtain “express” and written consent before processing their data. The policy also applies to fully consolidated subsidiaries such as T-Mobile US.
“No concerns” in the Advisory Board of Deutsche Telekom
It goes on in a similarly contradictory way. A spokeswoman for T-Mobile said on request: “Deutsche Telekom was not involved in the development of the advertising program.“ In addition, the Group’s global data protection rules would not apply to the advertising program. This also applies to the responsibility of the company’s data protection advisory board.
According to Telekom, however, the advisory board, which includes CEO Höttges or former Federal Data Protection Commissioner Peter Schaar, has very well dealt with the advertising offer. “There were no concerns,” the company said in a written statement.
An incident that occurred a few months after the introduction of the new advertising program showed how risky T-Mobile US’s approach can be from the customer’s point of view: the then 21-year-old hacker John Binns captured the private data of around 50 million T-Mobile customers from Turkey. In it: names, addresses or IMEI numbers that uniquely identify the phone of customers.
In the “Wall Street Journal”, which made details of the spectacular burglary public at the end of August, Binns criticized the lax security measures of the telecom subsidiary.
“We covered the issue with money”
It was the fifth data scandal at T-Mobile in four years. To date, it is unclear what exactly happened to the information. There was an alarm in Bonn at that time. Höttges put pressure on Bellevue: the issue should finally be taken seriously.
Follow-up costs of more than $ 250 million are said to have been incurred. Possible compensation payments to complaining customers are not yet included in this. “We have poured money into the topic so that Höttges can sleep peacefully as chairman,” says a telecom executive.
The clean-up work dragged on. In the meantime, even the German IT security chief Thomas Tschersich is said to have traveled to Bellevue to see what is right and to help his colleagues. It was only in December that the T-Mobile Board of Directors adopted a new security concept.
In its statement, Deutsche Telekom denies that Tschersich travelled to Bellevue. There is “agreement between Höttges and Sievert that the matter must be dealt with with the highest priority”. T-Mobile has now “entered into a long-term partnership with one of the leading consulting companies in the field of cybersecurity”. T-Mobile US states that no “tracking and advertising data” had been affected by the hack.
However, the advertising program continued at that time. An insider who helped develop it told Handelsblatt: “T-Mobile would like to benefit from the high sales in the advertising business.“ The system is deliberately designed in such a way that it covers almost all customers. Only a few consumers bothered to unsubscribe separately.
The approach exposes Deutsche Telekom’s inconsistency, says Roger Entner, founder of telecommunications specialist Recon Analytics. “Deutsche Telekom cannot preach data protection in Europe and at the same time collect and sell the data of its customers in the USA.” The US customers were already paying dozens of dollars a month for their contracts anyway, according to Entner. It is not appropriate to monetize your private data.
T-Mobile takes advantage of a legal loophole
Google or Facebook, which are far more shameless in their advertising business, offer their users free access to useful services in return. However, T-Mobile customers have hardly any of Sievert’s side business. They “benefit from the advantages of offers tailored to their needs,” according to Deutsche Telekom.
T-Mobile uses a legal loophole for the advertising program. True, US federal laws basically severely restrict the use of information such as billing data from network operators for advertising purposes. However, the rules do not extend to the large amount of data generated via smartphones.
T-Mobile’s approach is part of a larger problem, says Adam Schwartz of the non-governmental organization Electronic Frontier Foundation, which specializes in data rights. Other carriers such as AT&T and Verizon have launched similar programs. “Many people do not know how their data is evaluated and sold. There is little use in giving them opportunities to restrict this practice afterwards,“ says Schwartz.
Telekom CEO Höttges, meanwhile, has apparently taken a liking to the offer of his US colleagues. He is considering “applying parts of the program in Europe as well,” according to the Telekom statement. Then, of course, “according to the German data protection rules”.