In recent weeks, Norway’s state broadcaster, “NRK” has published a number of stories around a geo-location dataset they purchased from Tamoco in November 2019. NRK told us repeatedly this data would be used for urban planning – to understand the “correlation between peoples movement patterns and the public transit/urban planning developments being performed by local and national entities”. We double-checked this with NRK before selling them the data but NRK had no intention of ever using the data for this purpose.
Instead, this data was used to present a number of misleading claims about how we operate and to present and share opinions that present a very limited and unbalanced view of how location data is used and what Tamoco’s role is within this space. We have always been fully transparent on the industry and how we work. We were shocked that a reputable news organisation would need to use deception when we have openly discussed what we do with major media outlets many, many times. In the interests of full transparency, we have published, in full, the answers to questions we have received. Our aim is to be allow people to make up their own minds based on the full picture. Most of media reports on this – using old-school “gotcha” journalism – present only one side of the story. This is unfair to all parties – most of all viewers and readers.
Tamoco has been in contact with both NRK in Norway and DR in Denmark but is publishing its full, unedited response to the questions raised on these claims:
NRK: The Norwegian Consumer Council says that the data sold by Tamoco is “without doubt” obtained illegally due to the lack of informed consent. The organization explicitly mentions that consumers cannot know to whom their personal data is shared when consenting. How do you respond to these claims?
Tamoco: This isn’t true. We source data directly from app publishers, their partners, or SDK’s integrated into apps. They’re required to provide explicit consent from their users. Consents are managed by those publishers who provide assurances that they comply with relevant laws and regulations.
NRK: What precautions have you made to ensure that personal data is not misused?
Tamoco: Tamoco uses standard mobile advertising identifiers IDFA (Android) or AAID (Apple), but it’s critical to understand these DO NOT identify individuals – only a device. Identifiers can easily be changed (in phone settings), meaning they’re not fixed to an individual.
We vet customers carefully demanding information on where data is used. We sell data on a legitimate basis for a bonafide purpose. We do so in good faith that the buyer will respect laws and regulations. NRK was deceptive in pretending it was using our data for urban planning. When we challenged NRK over its use, it provided fake maps. In our view, NRK has breached its own code of ethics because the way Tamoco works is already widely in the public domain. NRK did not need to use deception.
NRK contravened the way in which the data was meant to be used, and the reality is many large anonymized datasets sold by major firms like Uber, Strava, or TomTom can be taken apart and engineered in precisely the same way.
“We analyze, segment, and categorize the data provided by our customers, clients, and partners for the purposes of providing accurate and relevant content and advertising across devices and to analyze the effectiveness of these advertising campaigns. The data is also used to provide relevant advertising to mobile devices.”
We’ve always been fully transparent. We use location data for various functions across statistical analysis, research, and machine learning on top of personalized advertising. Again, it’s important that people understand that many critical functions in our lives depend on large datasets being analyzed – such as urban planning.
In respect of this particular story, most phone users understand how location services in apps work. We agree there’s a debate to be had around whether all apps are clear on permissions, but many NRK viewers will ask why any working in the armed forces did not think twice about using apps that clearly use location data.
NRK: The Norwegian Data Protection Authority is opening an investigation into Tamoco. They seek to work together with the UK Data Protection Authority (ICO). What is your comment?
Tamoco: We’ve launched our own internal investigation into data provided to us and will comply fully with any external investigations from Norwegian or British regulators. We have also been very open with the media around what we do.
NRK: In response to NRK’s first article, Tobias Judin of the Norwegian Data Protection Authority described the sale of Norwegians location data as a “very severe” matter. How do you respond to this characterization?
Tamoco: Let’s be clear – NRK obtained data from us by deception, then decompiled and decrypted it for an illegal use. This is a very severe matter, but like any intermediary, while it’s fair to hold us to account for doing everything possible to ensure the quality of the product we sell, we sit between the party supplying data and the party using it. If the user is doing illegal things beyond our control, then it’s unfair to blame us if there are no reasonable steps we could have taken.
We employ our best efforts to ensure compliance with regulations as much as possible, however balanced reporting must consider the role of those parties who collect data and those who take it from us to use. NRK viewers may question why a national broadcaster used deception where it could have walked through the front door and asked questions.
We do take data privacy seriously, but the regulation and enforcement of these rules must be omnipresent for things to work as intended. While it makes things easier for the media, you cannot merely apply rules to one party.
NRK: The Minister of Regional Development and Digitalisation in Norway, Linda Hofstad Helleland, says that the sale of location data is ethically unacceptable. How do you respond to this claim?
Tamoco: Location data, like any other data set, has the possibility to be misused by bad actors, but has perfectly legitimate and ethically positive use cases which unfortunately go unreported by the media.
Dissemination, decoupling, or decryption of this data is indeed unacceptable and is not a process Tamoco has or ever will employ. NRK felt that for the purposes of their investigation, they would themselves commit an ethically unacceptable act, including breaching their own journalistic code of ethics to prove a point that no responsible company in the industry would do. NRK used deceptive tactics to obtain data for a legitimate use case they actually had no intent of pursuing. It did this to create a story around their own misuse of data and it has attempted to give the impression they were able to ‘trick’ Tamoco – a company that has spoken publicly about its business and products for several years.
It is also very important to distinguish between location data types. We agree that there is limited rationale for persistent and invasive tracking; receiving 10,000 location points from a phone per day is excessive and unnecessary in 98% of use cases. It is also not something that Tamoco uses. However, measuring important points in a journey such as a visit to a shop or when someone starts or stops a journey is necessary, and some would argue essential in the pursuit of building better products and services. In this regard, location data is an accurate and powerful signal for advertisers, researchers, analysts, and more as an aggregated data set. It helps with such a wide range of applications from city planning to contact tracing, advertising to analytics.
NRK: Based on data from Tamoco and open sources like Facebook, NRK could identify several individuals, amongst them military personnel. What do you think about that?
Tamoco: The data is not able to, on its own, identify any individual person, nor should it be reverse engineered or decrypted in the pursuit of this kind of use. We work with firms around the world and focus on measuring data around consumer “points of interest” such as shops, attractions, and destinations. We do not store any sensitive or restricted places in our database and thus do not measure these places, meaning that anyone who had access to the data would have to misuse it and combine it with other data sources, in order to expose any potential correlations around these locations.
Tamoco takes privacy concerns very seriously and is committed to working to ensure that consumers can control their data. We have launched an internal audit into our data providers and the way in which this data has been used, and will not hesitate to immediately end relationships with any providers who have failed to comply with all appropriate regulation and legislation.
Tamoco is happy to work with any data protection organization that has concerns about how data may be used and we welcome any recommendations to improve processes.