Location, location, location?

Lilian EdwardsProfessor of E-Governance

University of Strathclyde , Glasgow

Koblenz Web Sci Conference, June 2011

Location based services: the next gen!

Establish location from cell data used by cellphones (c 1 mile square?) wi fi networks used by mobiles/laptops/PS3s etc GPS data from smartphones, possibly sat navs in cars?

(c 15-20 metres) IP address? Sometimes.. (web geolocators) Locational data given explicitly by you or friends (eg

geo located tweets, “check-ins” by friends on 4Square RFID – retail goods, smart pacemakers, smart transport

(Oyster), roads, cars – issues already slightly familiar to lawyers

Business models? Privacy worries? Regulatory regime?

Location based services : the fun bit

Facebook Places

Grindr

Sukey – anti kettling GPS app

Google Street View – the odd one out?

Location based services: the fear

Richard Stallman, March 2011 “It's Stalin's dream. Cell phones

are tools of Big Brother. I'm not going to carry a tracking device that records where I go all the time, and I'm not going to carry a surveillance device that can be turned on to eavesdrop."

Privacy risks from LBSs “Voluntary” disclosure of LD => data

profiling and mining by “Big Data” – qu of what consent needed for collection and/or processing.

Voluntary disclosure => “small data” abuse – stalkers, burglars etc

Involuntary disclosure – eg Nissan smart cars; GStV wi fi data collection; Sat Nav scare stories

Regulatory false starts EU special regulation of “location data”?

See Privacy & Electronic Communications Directive 2002, Art 2(c), covers:“data processed in an electronic

communications network or by an electronic communications service indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”

To collect or process this data needs consent of the user (art 9) after info given on purposes of collection. Cf traffic data – (art 6)- “prior consent” – same??

PECD problems.. Problem: wrong business model. EC

expected data collected by phones to be used by “value added services” eg smart billboards.

Compare : RFID chip in Oyster Card; sat nav in car; Google St View. ?

Also – SNSs etc who are “information society service providers” (E-Commerce Directive) – are excluded from this rule.

LBSs and general data protection (DP) law

General DP law says “data controller” who collects/processes “personal data” – must generally (though not always) ask for consent of user. But:

Is all location data “personal”? Eg IP addresses, cell data, wi fi router data?? Anonymised data profiles?

What kind of consent? Eg I give consent to collection of LD by accepting FB’s privacy policy . Is this enough? Explicit but.. Specific? Informed?

I buy smartphone and default setting is that locational data is “ON”. Is this implied consent? Is that enough?

I sign up to Twitter in 2012 and geo-locating tweets is on by default. Is this enough?

For how long do I consent? What if defaults change?

Future Issues Law: Should I have special legal protection given

“consent fail“ in web 2.0 eg “everyone” signs up to FB and no one reads the privacy policy? More stringent consent? Will it help?

Code: Should settings/defaults be set to most privacy protective level – so user has to explicitly “opt in” to disclosure? Privacy by Design. (Goal in DPD reforms.)

Business models: Are 1 and 2 compatible with making money to stay afloat when no one wants to pay directly for these services?

Norms: can we just learn to respect each other’s (locational and other) privacy as well as own?