Location, location, location?
Lilian EdwardsProfessor of E-Governance
University of Strathclyde , Glasgow
Koblenz Web Sci Conference, June 2011
Location based services: the next gen!
Establish location from cell data used by cellphones (c 1 mile square?) wi fi networks used by mobiles/laptops/PS3s etc GPS data from smartphones, possibly sat navs in cars?
(c 15-20 metres) IP address? Sometimes.. (web geolocators) Locational data given explicitly by you or friends (eg
geo located tweets, “check-ins” by friends on 4Square RFID – retail goods, smart pacemakers, smart transport
(Oyster), roads, cars – issues already slightly familiar to lawyers
Business models? Privacy worries? Regulatory regime?
Location based services : the fun bit
Facebook Places
Grindr
Sukey – anti kettling GPS app
Google Street View – the odd one out?
Location based services: the fear
Richard Stallman, March 2011 “It's Stalin's dream. Cell phones
are tools of Big Brother. I'm not going to carry a tracking device that records where I go all the time, and I'm not going to carry a surveillance device that can be turned on to eavesdrop."
Privacy risks from LBSs “Voluntary” disclosure of LD => data
profiling and mining by “Big Data” – qu of what consent needed for collection and/or processing.
Voluntary disclosure => “small data” abuse – stalkers, burglars etc
Involuntary disclosure – eg Nissan smart cars; GStV wi fi data collection; Sat Nav scare stories
Regulatory false starts EU special regulation of “location data”?
See Privacy & Electronic Communications Directive 2002, Art 2(c), covers:“data processed in an electronic
communications network or by an electronic communications service indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”
To collect or process this data needs consent of the user (art 9) after info given on purposes of collection. Cf traffic data – (art 6)- “prior consent” – same??
PECD problems.. Problem: wrong business model. EC
expected data collected by phones to be used by “value added services” eg smart billboards.
Compare : RFID chip in Oyster Card; sat nav in car; Google St View. ?
Also – SNSs etc who are “information society service providers” (E-Commerce Directive) – are excluded from this rule.
LBSs and general data protection (DP) law
General DP law says “data controller” who collects/processes “personal data” – must generally (though not always) ask for consent of user. But:
Is all location data “personal”? Eg IP addresses, cell data, wi fi router data?? Anonymised data profiles?
What kind of consent? Eg I give consent to collection of LD by accepting FB’s privacy policy . Is this enough? Explicit but.. Specific? Informed?
I buy smartphone and default setting is that locational data is “ON”. Is this implied consent? Is that enough?
I sign up to Twitter in 2012 and geo-locating tweets is on by default. Is this enough?
For how long do I consent? What if defaults change?
Future Issues Law: Should I have special legal protection given
“consent fail“ in web 2.0 eg “everyone” signs up to FB and no one reads the privacy policy? More stringent consent? Will it help?
Code: Should settings/defaults be set to most privacy protective level – so user has to explicitly “opt in” to disclosure? Privacy by Design. (Goal in DPD reforms.)
Business models: Are 1 and 2 compatible with making money to stay afloat when no one wants to pay directly for these services?
Norms: can we just learn to respect each other’s (locational and other) privacy as well as own?
Top Related