Is your location private? If you have installed an App on a smartphone it is almost certain that your location is being tracked. So should you care? Are you giving away details of your movements too cheaply? Is being able to track where your children are a benefit or a risk? To find the answers to these and other questions, on December 12th I attended “A Fine Balance 2011: Location and Cyber privacy in the digital age” sponsored by the UK Knowledge Transfer Network.
The title to this article is taken from the lyrics of a 1983 song by “The Police” that was used as the basis of a talk by Richard Hollis, CEO of Orthus and a director of ISACA. In his talk he explained the business value of geo-location information to increase revenue as well as to reduce cost, and the difficulty individuals have to opt out from having their location tracked. He gave a number of examples of the use of location data including; a US car rental firm that adds an extra charge if the car has exceeded 79mph for a period longer than 2 minutes, and a French company that saved on fraudulent expenses claims by tracking employees’ locations. He also described how he discovered that his new bank debit card contained an RFID chip, allowing the bank to track his presence. When he enquired of all the major UK banks he found that he was unable to opt out from this or find a bank that didn’t use this technology. Hollis believes that companies like Google have made billions of dollars from tracking where you went on the internet and they expect to make more from tracking your physical location. The downside of this data is that it is valuable to criminals; for example knowing you are not at home is valuable to thieves.
Stewart Room, a partner at Field Fisher Waterhouse LLP, outlined the legal basis for privacy. In Europe, the relevant legal framework is the data protection directive (95/46/EC). This applies where personal data are being processed as a result of the processing of location data. The e-privacy directive (2002/58/EC, as revised by 2009/136/EC) applies to the processing of base station data by public electronic communication services and networks (telecom operators).
Location data is defined in the above as being: “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.
Location data is covered by general rules on data protection and can only be processed anonymously or with informed consent. But how informed is the consent that is given? Jonathan Bamford, Head of Strategic Liaison at the ICO described an end user agreement for the use of an App that was over 10,000 words in length. He also reported that the EU Working Party set up under Article 29 of EU Directive 95/46/EC has published a document on this subject: Opinion 13/2011 on Geolocation services on smart mobile devices. He noted that this document states – “Typically, companies that provide location services and applications based on a combination of base station, GPS and WiFi data are information society services. As such they are explicitly excluded from the e-Privacy directive,..” At the end of his presentation the audience was invited to vote on a number of issues including what approach should the ICO take to deal with this emerging problem.
Prof Jonathan Raper then presented his vision for a location data broker. This would provide a service that would securely store data on the location and movements of individuals. It would then only make this information available to other organizations with the consent of the individuals concerned and share any monetary value. It would also be able to provide confirmation of individual’s whereabouts in the case of disputes.
Chris Atkinson, from the UK Council for Child Internet safety, then discussed Safeguarding children’s privacy in social media. She posed the question “are children vulnerable innocents or tech savvie natives?” In the UK 50% of children aged 12-15 own a smart phone in comparison to only 27% of adults. In the EU 1 in 5 9-12 year olds have a profile on Facebook, in spite of there being a requirement to be 13 years or older (due to the US child protection laws). Most of these younger children do it with the help of their parents. 52% of 11-18 year olds are aware of geo-location services and 48% like their friends to know where they are.
At the end of this event I had more questions than answers. Geo-location information on individuals seems to be in widespread use. It is for example, funding the development of Apps and people want the services provided by the Apps but would prefer not to pay for them directly. Online marketing is willing to pay to know where you are and that is fine if it is done lawfully and transparently. I still worry that this geo-location data could be misused and personally I prefer not to knowingly provide it.
For more debate on this subject why not attend the European Identity Conference on April 17-20 in Munich.