Location, Location, Location? Legal and Privacy Issues around Processing of Personal Locational Data
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Location, Location, Location? Legal and Privacy Issues around Processing of Personal Locational Data



Many "web 2.0" websites and smartphone apps now collect locational data of persons for everything from harmless games to socially useful applications such as anti-kettling apps or crime or traffic ...

Many "web 2.0" websites and smartphone apps now collect locational data of persons for everything from harmless games to socially useful applications such as anti-kettling apps or crime or traffic congestion maps. How far does ubiquitous collection of " where you are" endanger personal privacy, and how far is it controlled by the informed consent of the data subject? What balance should be struck with the social utility of collecting locational data||? THis ppt discusses some of the (mainly EU) legal issues against the technological/social background - further work needed.



Total Views
Views on SlideShare
Embed Views



2 Embeds 2

http://www.slideshare.net 1
https://twitter.com 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

CC Attribution-NonCommercial LicenseCC Attribution-NonCommercial License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • My web geolocator at home from my Virgin media wi fi thinks I’m near Preston all the time..
  • Growth in LBS – originally delivered primarily via smartphones using cell but more especially GPS technologies to locate user of handset – cell gave you maybe a a kilometer square location, or more, depending on rural or urban – GPS goes to 4-15 meters location – v different. Now being rolled out to other platforms which pinpoint location using instead wi fi access points to locate user (or as well). Eg desktops, laptops, tablets (ipads), etc.
  • => Diversification of ways to access LBSs – via social networks (FB Places ) – via your desktop or your phone or anything with a web browser.. 4Square was market leadr, prob now FB Places since roll out..
  • New types of business models. Grindr eg “sells” the location of its users to each other so they can pick each other up for gay sex – an intersting example of users clearly wanting disclosure not privacy or seclusion.. 4Square/FB Places encourage users to repeatedly “check in” to places so they can become “Mayors”, pick up discount vouchers etc. In general few of these LBSs are sold directly for money as is common in web 2.0 Their bisiness models are emergent but mainly around same models as we see through the SNS world – give a product away for free, collect personal data from users (explicitly revealed or implicitly via cookies and of course , acces to locational data) , add it to other sources of data, create anonymised data profiles of users and sell these to the highest bidders who then use this data to send “targeted” or “behavioural” ads to users. LBSs thus feed inti general debate going on right now on in law/IT on whether OBA and SNSs invade user privacy and if so how to control it (more from Judith on former). Muvh location data collection now come “bundled” as part of functionality of SNSs – FB Places, geolocated tweets - enhancing the data they already collect and providing more “social networking experience” to users. Similarly many are used as downloaded apps to smartphones. Note the no of responsible agents involved here… handset maker, network provider (eg Orange),OS maker (Android, Apple), browsers (Safari etc, not always same), SNS platforms, app developers, user themselves – all have a role in “regulating by code” here – setting privacy defaults etc. Not just an isue for lawmakers – coders must get involved in understanding issues. Very complicated area to “pin down” who should implement any rules protecting users therefore , and for users to understand what to do to protect themselves (fiddle with phone, talk to Orange, alter settings on app,??)
  • Also note public benefits from LBSs - not just about fun & private profit - increasing use mash ups eg here #uksnow – created from geolcated tweets during recent awful winter in UK – could tell which areas most badly hit. Similar uses recently eg to show comparative crime rates in your area (UK Crime Map); more controversial – what adv except to drive down house prices? Is consumer info always a bonus?
  • After the “uncut” battles near Lib Dem HQ and Westminster etc – tactic revealed to share data on where police arranging “kettling” traps and how to exit from them..
  • Odd one out because alrhough it uses “location data”, it’s not collected via your phone (or laptop etc) but by Goog;e’s cameras in vans. Good example of p’raps most loved LBS – to make money (ads) but also arguably social benefit - finding your way to new places, scoping out areas to move to or for holidays etc, checking look of hotels you’re going to be staying in . But has perhaps arisen the most privacy fears for various reasons we’ll get to (and vast opt out here in Germany cf ed to UK eg). Also raises issues I’ll come back to as whether law DOES currently specially regulate to safeguard user in respect of “collection of locational data”
  • 1 – harms? Misleading/erroneous? Invasive? May leak to 3 rd parties not contemplated – govt, private litigators, advrs 1= Me & J mist worried in EU about 1 – 2 gets a lot of attention in field of SNSs and ch protection already (education? Online safety?) – 3 is a security issue legally, a design and policy isue for technologists to think about - may turn out to be the biggy as we move from web based loc’l data collection -> extensive Internet of Things loc’l data collection?
  • Revised text Oct 2010: For the purpose of marketing electronic communications services or for the provision of value added services, the provider of a publicly available electronic communications service may process [traffic data] to the extent and for the duration necessary for such services or marketing, if the subscriber or user to whom the data relate has given his or /her prior consent . Users or subscribers shall be given the possibility to withdraw their consent for the processing of traffic data at any time. Art 9 for location data similar but not amended – remains just “consent” but only after “information..of the purposes and duration of the processing”.
  • PECD envisaged Minority Report “intelligent billboards”, tailored texts to phone eg “nearest Indian restaurant” oogle RFID – collected by chip in Oyster – not “terminal equipt” of user nor using “public network” GPS in Sat Nav – same (+private netwk) G St View – data collected is what we think of as “location” but not collected by your PHONE but by Google taking pix!!
  • J will talk about what level of consent – prior, informed, explicit – the Art 29 WP is recommending. But who would implement it – the netwk provider, the handset maker, the app, the OS, the browser? Which is the “data controller”?

Location, Location, Location? Legal and Privacy Issues around Processing of Personal Locational Data Presentation Transcript

  • 1. Location, location, location? Lilian Edwards Professor of E-Governance University of Strathclyde , Glasgow Koblenz Web Sci Conference, June 2011
  • 2. Location based services: the next gen!
    • Establish location from
      • cell data used by cellphones (c 1 mile square?)
      • wi fi networks used by mobiles/laptops/PS3s etc
      • GPS data from smartphones, possibly sat navs in cars? (c 15-20 metres)
      • IP address? Sometimes.. (web geolocators)
      • Locational data given explicitly by you or friends (eg geo located tweets, “check-ins” by friends on 4Square
      • RFID – retail goods, smart pacemakers, smart transport (Oyster), roads, cars – issues already slightly familiar to lawyers
    • Business models? Privacy worries? Regulatory regime?
  • 3. Location based services : the fun bit
  • 4. Facebook Places
  • 5. Grindr
  • 6.  
  • 7. Sukey – anti kettling GPS app
  • 8. Google Street View – the odd one out?
  • 9. Location based services: the fear
    • Richard Stallman, March 2011
    • “ It's Stalin's dream. Cell phones are tools of Big Brother. I'm not going to carry a tracking device that records where I go all the time, and I'm not going to carry a surveillance device that can be turned on to eavesdrop."
  • 10. Privacy risks from LBSs
    • “ Voluntary” disclosure of LD => data profiling and mining by “Big Data” – qu of what consent needed for collection and/or processing.
    • Voluntary disclosure => “small data” abuse – stalkers, burglars etc
    • Involuntary disclosure – eg Nissan smart cars; GStV wi fi data collection; Sat Nav scare stories
  • 11. Regulatory false starts
    • EU special regulation of “location data”? See Privacy & Electronic Communications Directive 2002, Art 2(c), covers :
      • “ data processed in an electronic communications network or by an electronic communications service indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”
    • To collect or process this data needs consent of the user (art 9) after info given on purposes of collection. Cf traffic data – (art 6)- “prior consent” – same??
  • 12. PECD problems..
    • Problem: wrong business model. EC expected data collected by phones to be used by “value added services” eg smart billboards.
    • Compare : RFID chip in Oyster Card; sat nav in car; Google St View. ?
    • Also – SNSs etc who are “information society service providers” (E-Commerce Directive) – are excluded from this rule.
  • 13. LBSs and general data protection (DP) law
      • General DP law says “data controller” who collects/processes “personal data” – must generally (though not always) ask for consent of user. But:
      • Is all location data “ personal ”? Eg IP addresses, cell data, wi fi router data?? Anonymised data profiles?
      • What kind of consent ? Eg I give consent to collection of LD by accepting FB’s privacy policy . Is this enough? Explicit but.. Specific? Informed?
      • I buy smartphone and default setting is that locational data is “ON”. Is this implied consent? Is that enough?
      • I sign up to Twitter in 2012 and geo-locating tweets is on by default. Is this enough?
      • For how long do I consent? What if defaults change?
  • 14. Future Issues
      • Law : Should I have special legal protection given “consent fail“ in web 2.0 eg “everyone” signs up to FB and no one reads the privacy policy? More stringent consent? Will it help?
      • Code : Should settings/defaults be set to most privacy protective level – so user has to explicitly “opt in” to disclosure? Privacy by Design. (Goal in DPD reforms.)
      • Business models : Are 1 and 2 compatible with making money to stay afloat when no one wants to pay directly for these services?
      • Norms : can we just learn to respect each other’ s (locational and other) privacy as well as own?