Those pesky little digital breadcrumbs are starting to catch up with us.
A recent article in Wired noted that it’s not just your telephony provider who knows where you are – plenty of smartphone apps use a mixture of GPS, Bluetooth and Wi-Fi signals to pinpoint your location whenever you carry your phone.
A recent global ‘sweep’ of more than 1,200 mobile apps by Privacy Commissioners around the world found that three-quarters of all apps examined requested one or more permissions, the most common of which included location. Disturbingly, 31% of apps requested information not relevant to the app’s stated functionality. A prominent example is the flashlight app which tracks your precise location, and sells the data to advertisers.
Of course, sometimes location is relevant – we want the convenience of location-driven services, like local restaurant recommendations or weather predictions – but should we be worried about the privacy tradeoffs?
Nah, “it’s all good”, we’re told … “the data is de-identified before we use/disclose/sell it”.
Oh phew, we’re OK then. Oh no, hang on, wait – not so fast with the complacency!
First, some third parties, like law enforcement agencies, can ask for precise details about you and your location. They could ask your telephony provider, or the company which runs your phone operating system, or the company which operates the internet browser on your phone, before they even get to the companies which run the apps on your phone.
Second, a recent study suggests that four points of geolocation data alone can potentially uniquely identify 95% of the population. Mark Pesce, the inventor, educator and broadcaster whose recent keynote address I have written about previously, described the geolocation data collected by and broadcast from our smartphones as “almost as unique as fingerprints”.
In other words – those ‘de-identified’ breadcrumbs are likely leading straight back to you.
Data showing where you have been will not only reveal the obvious, like where you live and work or who you visit, but it may also reveal particularly sensitive information – like if you have spent time at a church or a needle exchange, a strip club or an abortion clinic. Some app-makers claim they can even tell which floor of a building you are on. All useful stuff for your boss, ex-boyfriend or insurance company to know.
So what’s the solution? Wired magazine offers the pessimistic view that the only way to avoid privacy intrusions is to “fry the GPS chip, turn off Location Services, and give up on some of the coolest, most personal tech currently available”. ZDNet Editor Chris Duckett suggested at the recent PAW breakfast that we need a data breach involving the geolocation data of every politician to kick-start the political will needed for better regulation.
But I like to think that the law already offers a solution. Indeed, a recent determination from the Australian Privacy Commissioner could be the starting point for more effective regulation of the collection, use and disclosure of geolocation data. In Grubb v Telstra, the Privacy Commissioner found that journalist Ben Grubb was entitled to access the ‘metadata’ held about him by his mobile phone service provider – the breadcrumbs left behind as he goes about his day.
On the one hand, this determination from the Privacy Commissioner is just common sense, and a matter of fairness. If a company is prepared to collate information from different sources about a customer in order to provide it to law enforcement, as Telstra admitted it did 85,000 times in 2013-14, then it should be equally prepared to do so if a customer exercises their access rights under the Privacy Act to ask to see all that information too.
On the other hand, this is a ground-breaking decision. Telstra argued that geolocation data – the longitude and latitude of mobile phone towers connected to the customer’s phone at any given time – was not “personal information” about a customer, because on its face the data was anonymous. They lost that argument, because the Privacy Commissioner found that a customer’s identity could be linked back to the geolocation data by a process of cross-matching different datasets.
The implications of this case go well beyond the telcos which will have to comply with the new metadata retention laws. They even go beyond geolocation data. This case has far-reaching consequences for any organisation which deals in any form of ‘big data’. No-one should think that privacy can be protected simply by leaving out customer names or other identifiers from a database. Any dataset which holds unit-record level data can potentially be linked to data from other sources, which can then lead to someone’s identity being ascertainable – which means it will meet the definition of “personal information”, and thus must be treated in accordance with the Australian Privacy Principles. That has implications not only in relation to customer access requests, but also in relation to how that data can lawfully be used.
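To make the cross-matching point concrete, here is a small re-identification risk check of the kind a privacy officer might run before a “de-identified” location dataset is released. It is an added illustration, not code from the original post or from Telstra or the Privacy Commissioner, and all of the data in it is constructed: six pseudonymous customers with a handful of cell-tower sightings each, plus a small “auxiliary” dataset standing in for what an outsider might already know about a named person (a home tower at night, a work tower in the morning). The script measures how many sightings it takes before each trace is the only one consistent with them, and then links the named people to pseudonyms by exactly the cross-matching the determination describes.

```python
"""Re-identification risk check for pseudonymous location traces.

Added example (not from the original post). All traces and auxiliary
knowledge below are constructed; tower ids and pseudonyms are invented.
Each trace is a list of (hour_of_day, tower_id) sightings keyed by a
pseudonym that replaces the customer's name.
"""

# Constructed sample: six "de-identified" customers, five sightings each.
# u1 and u2 share home (A) and work (C) towers and differ only at hour 19.
TRACES = {
    "u1": [(2, "A"), (9, "C"), (13, "C"), (19, "D"), (23, "A")],
    "u2": [(2, "A"), (9, "C"), (13, "C"), (19, "E"), (23, "A")],
    "u3": [(2, "B"), (9, "C"), (13, "C"), (19, "B"), (23, "B")],
    "u4": [(2, "B"), (9, "D"), (13, "D"), (19, "B"), (23, "B")],
    "u5": [(2, "A"), (9, "D"), (13, "D"), (19, "A"), (23, "A")],
    "u6": [(2, "F"), (9, "F"), (13, "F"), (19, "F"), (23, "F")],
}

# Constructed auxiliary knowledge about named people, e.g. from public
# check-ins or a known home and work address mapped to the nearest tower.
AUXILIARY = {
    "Ben": [(2, "A"), (9, "C"), (19, "E")],
    "Alex": [(2, "B")],
}


def consistent_traces(traces, observed):
    """Return the pseudonyms whose trace contains every observed sighting.

    A record is "anonymous" only if this list has more than one entry for
    whatever an outsider can plausibly observe about the person.
    """
    wanted = set(observed)
    return sorted(pid for pid, trace in traces.items() if wanted <= set(trace))


def fraction_unique(traces, p):
    """Share of traces that are pinned to a single record by their first p sightings.

    A full assessment would draw the p sightings at random many times per
    trace, as the study cited in the post did; using the first p keeps this
    demonstration deterministic.
    """
    unique = 0
    for trace in traces.values():
        if len(consistent_traces(traces, trace[:p])) == 1:
            unique += 1
    return unique / len(traces)


def link(traces, auxiliary):
    """Cross-match: map each named person to the pseudonyms consistent with
    what is already known about them. A single candidate is a re-identification."""
    return {name: consistent_traces(traces, points) for name, points in auxiliary.items()}


if __name__ == "__main__":
    for p in range(1, 5):
        print(f"{p} sighting(s): {fraction_unique(TRACES, p):.0%} of traces unique")
    for name, candidates in link(TRACES, AUXILIARY).items():
        status = "RE-IDENTIFIED" if len(candidates) == 1 else "ambiguous"
        print(f"{name}: {candidates} ({status})")
```

On this constructed data one sighting singles out a sixth of the customers, two sightings single out two-thirds, and four sightings single out every one of them, even though no names appear anywhere in the released table. The same check can be run over a real extract before release, using the sightings an outsider could realistically know; if most records come back unique, the dataset is personal information in the sense the determination describes, whatever the column headings say.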
Think about the use limitation principle. In theory, personal information should only be used for the purpose for which it was collected (connect your call via the nearest mobile phone tower, play a game or run your flashlight app), or a directly related secondary purpose (billing, complaint-handling and the like). Any other type of secondary purpose will either need a special exemption (law enforcement, research, etc), or your consent.
(Oh, consent? Sure, the website and app developers would like you to think that you ‘consented’ to have your location data sucked up and used for unrelated purposes, but seriously – have you even read those T&Cs? Rather like the Londoners who ‘consented’ to give up their first-born child when signing up for free wifi, most of us don’t read T&Cs, because they are longer than Shakespearean plays. I doubt that many would stand up to scrutiny under Australian privacy jurisprudence, which suggests a customer has not genuinely ‘consented’ to terms buried in a lengthy document, acceptance of which is a pre-condition to gaining goods or services. When even a monolith like Microsoft is arguing the failure of the American ‘notice and consent’ model of privacy regulation in favour of collection limitation and use limitation principles like those on which Australian privacy law is modelled, it is time we stopped living in the fantasy land of believing that ‘consent’ has anything to do with these types of business practices.)
I believe that we are on the verge of a new awakening, in which people start to recognise not just the opportunities provided by geolocation data, but the threats it can pose – and start to demand privacy protection to match.
Businesses which suck up geolocation data should no longer rely on standard T&Cs to indicate a customer’s ‘consent’ to unrelated secondary uses. The Grubb v Telstra case suggests they can also no longer argue that “it’s not personal information so you have nothing to worry about”. Instead, they should get genuinely transparent about unrelated secondary uses, and seek informed, specific and voluntary agreement from their customers – or let our breadcrumbs blow away in the wind.
(April 2018 update: If you would like some privacy tools to help you assess the risks posed by a new project, check out our range of Compliance Kits to see what suits your needs.)