An Update on Location Privacy
August 17, 2011
It's been a busy year in the location services space, especially as it pertains to privacy.
After remaining largely quiet, the U.S. Congress has proposed a number of laws addressing Internet privacy and in particular the use of subscriber location. What happened? Why now? Is this merely reactive grandstanding, or is something interesting happening here? Let's take a look.
First, congressional attention if nothing else provides some indication of location services reaching critical mass. Mobile platform providers have clearly caught on, and are competing feverishly to figure out how best to utilize this capability, share it with developers and advertisers, and at the same time be cognizant of the potential privacy concerns.
Location determination in a mobile environment is a combination of GPS and cell/WiFi positioning (loosely called "triangulation"). One important battleground for the various platforms is in acquiring a superior cell and WiFi access point database in order to best enable cell/WiFi positioning. Primarily this is done through "crowd-sourcing". That is, the device monitors visible cell sites and WiFi access points, and whenever a GPS fix is obtained on the device, the mapping between the GPS fix and the visible cells and access points (along with signal strength) is uploaded to the network, over time building out a comprehensive database that can be used when GPS is not desired or available. This practice is in fact part of what got Apple and Google in trouble earlier this year. In part, proper notice was not given to users that this kind of collection was taking place, and further Apple made a few foolish mistakes, such as keeping the cache of this data on the device unencrypted and never purging it.
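To make the mechanism concrete, here is a toy version of the two halves of such a database: ingesting crowd-sourced (GPS fix, visible access points with signal strength) reports, and later estimating the position of a device that can see access points but has no GPS. This is an added example, not code from the original post and not any platform provider's implementation; the BSSIDs, coordinates and RSSI values are constructed, and the RSSI-to-weight mapping is a simplifying assumption rather than any real provider's model.

```python
"""Toy crowd-sourced Wi-Fi positioning database (added example).

Phase 1: devices with a GPS fix upload (lat, lon, {bssid: rssi}) reports,
         which are aggregated into an estimated position per access point.
Phase 2: a device without GPS submits only the access points it can see
         and gets back an RSSI-weighted centroid of the known AP positions.
"""


def rssi_weight(rssi_dbm: float) -> float:
    """Assumed weighting: stronger signal means the device is closer to the
    AP, so its GPS fix says more about where the AP is. Linear from 1 at
    -100 dBm to 51 at -50 dBm, floored at 1 so weak sightings still count."""
    return max(1.0, rssi_dbm + 101.0)


class ApDatabase:
    def __init__(self) -> None:
        # bssid -> [sum(w*lat), sum(w*lon), sum(w)]
        self._sums: dict[str, list[float]] = {}

    def ingest_report(self, lat: float, lon: float, scans: dict[str, float]) -> None:
        """One crowd-sourced upload: a GPS fix plus visible APs with RSSI.
        Deliberately NOT stored: any device identifier or timestamp, so the
        database holds AP-to-place mappings, not per-device histories."""
        for bssid, rssi in scans.items():
            w = rssi_weight(rssi)
            s = self._sums.setdefault(bssid, [0.0, 0.0, 0.0])
            s[0] += w * lat
            s[1] += w * lon
            s[2] += w

    def ap_position(self, bssid: str):
        """Weighted-average position of an AP, or None if never seen."""
        s = self._sums.get(bssid)
        if s is None or s[2] == 0:
            return None
        return (s[0] / s[2], s[1] / s[2])

    def locate(self, scans: dict[str, float], min_aps: int = 2):
        """Estimate a GPS-less device's position from the APs it sees.
        Returns None when fewer than min_aps known APs are visible: a single
        AP yields a point with no useful bound on the error."""
        num_lat = num_lon = den = 0.0
        known = 0
        for bssid, rssi in scans.items():
            pos = self.ap_position(bssid)
            if pos is None:
                continue  # AP not yet in the crowd-sourced database
            known += 1
            w = rssi_weight(rssi)
            num_lat += w * pos[0]
            num_lon += w * pos[1]
            den += w
        if known < min_aps:
            return None
        return (num_lat / den, num_lon / den)


def build_demo_database() -> ApDatabase:
    """Two constructed uploads from GPS-equipped devices (sample data)."""
    db = ApDatabase()
    # Device at (10.0, 20.0): strong "aa", weak "bb", medium "cc".
    db.ingest_report(10.0, 20.0, {"aa": -51, "bb": -91, "cc": -71})
    # Device at (13.0, 20.0): weak "aa", strong "bb".
    db.ingest_report(13.0, 20.0, {"aa": -91, "bb": -51})
    return db


def demo_locate():
    """A GPS-less device sees "aa" and "bb" equally well and asks for a fix."""
    db = build_demo_database()
    return db.locate({"aa": -71, "bb": -71})


if __name__ == "__main__":
    print(demo_locate())  # RSSI-weighted centroid between the two APs
```

Everything a provider needs for positioning is the per-BSSID aggregate; the device identifier is not needed for that purpose, which is why it does not belong in the upload at all.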
Acquiring crowd-sourced data in this fashion for the purpose of providing a better location determination technology for developers is actually a fairly tame act. Assuming proper notice is given, that the collected data is anonymized (no device or subscriber identifier travels with the upload), and that industry-standard steps are taken to safeguard it, such a practice may have (and probably should have) passed with little or no notice. The anonymity part is harder than it sounds: a location history with the identifier stripped is still easy to re-identify from where it starts and ends each day, so the safe design is to upload only cell/access-point-to-fix mappings rather than a per-device trail.
Unfortunately, platform providers are competing on much more than merely providing the best location technology. They must also compete in providing advertisers with the best display and click-through rates. Achieving this is, in part, a problem of deducing user "context". That is, what do I know about this user, and what this user is currently doing with their device that I can use to place a better performing ad? Of course the user's current location (and possibly their location history) can play an important role in this process.
For example, as Apple was rolling out their iAd platform, changes made to their privacy policy made it clear that they had plans of incorporating location for this purpose.
A second area of interest for lawmakers is more directly nefarious. As location services gain adoption, there is a risk that users become complacent and have little awareness of which applications and services have access to their location data. This risk may be exploited by malicious actors wishing to covertly monitor the location of other individuals. This is not an unreasonable fear, and it is the platform providers' responsibility (among others across the value chain) to take steps to mitigate it. Proper notice and consent are clearly part of the answer. Beyond this, Apple and Google have looked at creative ways to provide visual cues that location is being accessed and to provide system tools for managing which applications have location access. Do these measures go far enough? Does the government have some responsibility here for setting guidelines?
These two major concerns are clearly the motivation behind the current bill in the Senate, introduced by Al Franken and Richard Blumenthal, the Location Privacy Protection Act of 2011 (S. 1223). This bill takes reasonable, fairly narrow steps in providing a baseline for proper notice and consent as it relates to location in a consumer service setting. The framing is done from the perspective of closing existing loopholes in outdated statutes, such as ECPA, the Electronic Communications Privacy Act, a law that is now 25 years old.
In a second piece I will take a look at the House bill, the so-called "GPS Act", and how it extends these concerns to include the use of location in law enforcement.