Kaye Beach

You Are Where You’ve Been: Location Tracking Tech’s Deep Privacy Impact

In Uncategorized on February 8, 2010 at 10:03 am


You Are Where You’ve Been
Location Technologies’ Deep Privacy Impact

(I picked out excerpts from this abstract that I found the most interesting. The entire document can be accessed by clicking the title)



Location is a critical aspect of both privacy and surveillance. A detailed record of locations allows all sorts of other information to be linked together, adding to information about the subject and his or her associates in the same way that a unique identifier allows dataveillance to be expanded so swiftly and extensively. This time, by allowing the linking of both the activities and records of many different people together. Location technologies have far outstripped both public awareness and legal and policy attention. Addressing this gap will require careful use of precise language to ensure that unexpected side effects do not occur when this is finally faced up to, and the present paper explores both this essential language and some of the applications and linkages that need addressing.

A wider public and policy understanding of the implications of the expanding capacities to track, record and monitor location is an urgent need, as it is very difficult to reverse capacities once integrated into a wide range of commercial, enforcement and intelligence systems – as is already happening.

Relevant Information-Terminology

1. Introduction

A decade ago, technologies that could provide information about the location of a motor vehicle, or a computer, or a person, were in their infancy. A wide range of tools are now in use and in prospect, which threaten to strip away another layer of the limited protections that individuals enjoy. While steady moves to identify, trace and record locations of things and animals has long been established, the application to people is now gaining momentum, and requires a reappraisal.

Location-based aspects of mobile phones, public transport smart cards and Automatic Numberplate Recognition are used to illustrate the emergent prospective and retrospective issues. The central concern is that the multiplying technologies for real time and retrospective location tracing have advanced far beyond the legal and privacy frameworks that we have in place. In combination with unique identifiers (for people or vehicles) the potential for remarkably intrusive data assembly and use has become a reality that has not been catered for. [. . . ]

Even when appropriate policies and legislative backing have been developed, the confusions between privacy and identity, and what comprises a sufficient yet not enduring identity to preserve privacy will need to be carefully communicated.

This paper commences with a brief overview of key concepts underlying the subsequent discussion. One cluster of relevant concepts comprises real-world entities (particularly humans and vehicles), identities, and pseudonymity and anonymity. A second cluster comprises the concept of location and the process of acquiring it, and the concept and process of tracking.

Building on these ideas, the paper briefly surveys the privacy impacts of location technologies, in order to set the scene for subsequent papers, and to provide a basis for addressing the possibility of privacy protecting middleware for systems currently being developed and deployed. One’s location is potentially very sensitive personal data. But the tracking of people’s movements both real-time, and retrospectively, lifts the threat to a much higher level and has become a form of function creep that has already become established practice in some quarters.

1.1 Background

Nearly two decades ago Daniel, Webber and Wigan (1990) identified the likely outcomes from the advanced traffic identification, tolling and linkage technologies becoming planning options for operations, and the implications of these location, time and activity specific tracing technologies. Roughly a decade later the sharper issues of more general location data acquisition and integration with other data holding were highlighted by Clarke (1999a), who reviewed location and tracking in what was then still a somewhat simpler world than today. Clarke’s paper noted increasing intensity in the collection of transaction data, in the association of personal identifiers with that data, in the retention of that data, and in mining of that data. It also referred to the emergence of spies in people’s pockets, wallets and purses (smartcards and cellular mobile phones), and in their cars (toll-road tags, and tagging by car-hire companies, insurers and investigators), and to the integration with other data systems as foreshadowed ten years earlier. [. . . ]

Radio Frequency Identification (RFID and Near Field Communication (NFC) devices identify and locate chips with reasonable reliability, and, because of their short range, with considerable accuracy. NFC is not widely known. A good source of information on NFC is the industry forum (NFC Forum, 2008), and NFC is increasingly being integrated into mobile phones and used for contactless transactions in various forms of transactions – including public transport. The NFC Forum specifically included credit card companies such as Visa, and is working on device independent intercommunciation with a major emphasis of contactless identification applications. Meanwhile, Automatic Number Plate Recognition (ANPR) surveillance of traffic has been introduced with minimal regard for its impact on privacy and freedom, although very recently a Queensland Government enquiry into ANPR recognised it as an issue in the issues paper (Travelsafe, 2007).

describing this technology. Scroll down to “typical applications” and imagine the numerous undesirable implications of using this technology.


For the last four decades, discussions of privacy and surveillance have primarily focused on the collection and handling of personal data. In effect, the orientation has been towards ‘you are what you’ve transacted with us’.

The march of information technology has resulted in the scope of the transactions that are being recorded are expanding exponentially, due to the increasing ability to link different data sources- and now to add probabilities of associations from proximity or repeated visits to specific locations, where `people of interest’ might also go. Now organizations in both the public and private sectors are seeking data about where people are, in order to use it – sometimes at least nominally for themselves, but in practice mostly against them or at the very least to pick them out as objects of special interest, be it marketing, tracking, monitoring, or active surveillance. The almost complete absence of data destruction requirements for such implied transaction data means that data about ‘where you are now’ is kept, and becomes a trail of ‘where you’ve been’. The presumption underlying the exploitation of this pool of data is that ‘you are where you’ve been, and to which we may now add `the probabilistic associations of others visiting the same locations at various times’. This addition enhances intelligence activities (Michael et al, 2006.) – but does not increase precision in a civil law sense.

The latter is a critical and quantum change in the surveillance capacities; as such associations are (necessarily) probabilistic (or circumstantial) evidence – until unique personal identifiers on both parties are added to the mix. This new expansion of dataveillance techniques moves from the evidence base of current surveillance systems, which are largely compatible with civil law, to the anticipatory and necessarily probabilistic approaches that are the unique domain of intelligence and anti-terrorist operations – which operate on quite different bases for action. This is a major shift, and one that is largely innocuous when done for marketing purposes- but changes the nature of civil society if added to normal civil law and the complementary police approaches to evidence.


4. Privacy Threats in Location and Tracking

This section provides an overview of the privacy threats inherent in location and tracking. It draws substantially from Clarke (1999a). The threats arise from individual technologies, and the trails that they generate, from compounds of multiple technologies, and from amalgamated and cross-referenced trails captured using multiple technologies and arising in multiple contexts. The human and ethical issues of enhanced location based identification are also addressed by Perusco and Michael (2005). The fundamental concepts of dataveillance and the risks it embodies are examined in Clarke (1988).

Location and tracking technologies give rise to data-collections that disclose a great deal about the movements of entities, and hence about individuals associated with those entities. Given an amount of data about a person’s past and present locations, the observer is likely to be able to impute aspects of the person’s behaviour and intentions. Given data about multiple people, intersections of many different kinds can be computed, interactions can be inferred, and group behaviour, attitudes and intentions imputed.

Impute means to assign or attribute responsibility to a particular cause. In other words I may impute that the fact that you were late for a meeting because you had car trouble the day before or I could impute that the reason is that you are a rude person based on my observation that you spoke sharply to someone. It is an assumption that is limited by the capacities of and data available to the observer. Here is a link if you care to read an involved essay on the ins and out of this form of
cognitive algebra


Location technologies therefore provide, to parties that have access to the data, the power to make decisions about the entity subject to the surveillance, and hence to exercise control over it. Where the entity is a person, it enables those parties to make determinations, and to take action, for or against that person’s interests. These determinations and actions may be based on place(s) where the person is, or place(s) where the person has been, but also on place(s) where the person is not, or has not been. Tracking technologies extend that power to the succession of places the person has been, and also (probabilistically, but in the case of real time monitoring, increasingly accurately) to the place that they appear to be going.

Currently locational data is largely only a by-product of the operations of traffic systems, public transport operators, mobile phone operations, ambulance and courier services, and those actively collecting data from a small sample of people for research purposes. (This is no longer true. Applications of these technologies has rapidly advanced) Active monitoring is in place for vehicle theft, high value transactions in transit – or, in the case of operators such as FedEx or UPS, a real time monitoring through transit points is a user service that they offer for all their identified packets. The ANPR systems in the UK are now connected to the online registration and licensing databases at the Driver and Vehicle Licencing Authority (DVLA), and is in use by police to anticipate the arrival of vehicles and persons of interest travelling along UK motorways. These are simply a few of the growing number of systems and capabilities: the ANPR/DVLA linkage to Police operations is a significant harbinger of what is in store.

The nature and extent of the intrusiveness is dependent on a variety of characteristics of location and tracking technologies. An analysis is provided in Clarke (1999b), encompassing such factors as the intensity of the data collection process, the data quality, data retention and destruction, and data accessibility.

Dangers that are especially apparent include the following:

  • Psychological harm through embarrassment, loss of control over one’s life, and devaluation of the individual, which arises from the knowledge or suspicion that the person is being watched;
  • Social, cultural, scientific and economic harm, arising from the ‘chilling effect’ on personal and group behaviour, and especially non-conformist, inventive and innovative behaviour, which arises from the knowledge or suspicion that some or all of the group are being watched. These mechanisms are lucidly covered by Kim (2004);
  • Political and democratic harm, arising from the ‘chilling effect’ on personal and group behaviour, and especially the voicing of unpopular opinion, participation in demonstrations, and other forms of political opposition or dissident behaviour, which arises from the knowledge or suspicion that some or all of the group are being watched. On the notion of ‘dissidentity’, see Clarke (2008);
  • Profiling and suspicion-generation, through the discovery of individuals’ behaviour patterns, thereby enabling matching against pre-determined patterns. This can be used by the State in order to generate suspicion, and by the private sector to classify the individual into micro-markets and thereby to manipulate consumer behaviour;
  • Substantially enhanced scope for damaging or embarrassing (political or personal) disclosures, blackmail and extortion*. This has a deleterious effect on democracy, because it reduces the willingness of competent people to participate in political life;
  • A vast increase in ‘circumstantial evidence’ for criminal cases, which might dramatically affect the existing balance through lack of contestability, including the presumption of innocence, and hence increase the incidence of wrongful convictions. This would in turn result in a more credible threat of conviction (including in ambiguous and spurious instances), and hence in increased repression of human behaviour; and
  • Enhanced visibility of behaviour. This increases the potential for measures to be taken against individuals, both by agents of the State, and by corporations whose behaviour is impinged upon by the person;
  • Actual repression of the readily locatable and traceable individual (Clarke 1988, 1994b.) The focus of public concerns is usually exercise of power by the State, but these technologies also greatly empower corporations. The capability will be useful in dealing with troublesome opponents, such as competitors, regulators and lobbyists, but also employees, whistleblowers, consumer activists, customers and suppliers.

The degree of impact on each individual depends on their psychological profile and needs, and their personal circumstances, in particular what it is that they wish to hide, such as prior misdemeanours, habits, and life-style, or just the details of their personal life. Some categories of individual are in a particularly sensitive position.

‘Persons-at-risk’ is a useful term for people whose safety and/or state of mind are greatly threatened by the increasing intensity of data-trails, because discovery of their location is likely to be followed by the infliction of harm, or the imposition of pressure designed to repress the person’s behaviour. Examples include VIPs, celebrities, notorieties, different-thinkers, victims of domestic violence, people in sensitive occupations such as prison management and psychiatric health care, protected witnesses, and undercover law enforcement and security operatives.

Marketers have an interest in identifying population segments and networks, and in building personal behaviour profiles (e.g. mobile location advertising). So too do intelligence agencies, to identify associated persons in National Security applications.

Legislative bodies are beginning to make such information the basis (which may be by visits to a location) grounds for potential criminal action or enforced restrictions. Recent legislation passed in South Australia (Government of South Australia, 2008) will, when it comes into effect, make a limited number of associations through membership or deemed membership (visits to specific locations being one, if circumstantial, basis for such assignment) a basis for assigning people to a specific group subject to police and possible legal action.

More sinister applications arise because so-called ‘counter-terrorism’ laws have greatly reduced the controls over data gathering, storage and access, over inferring about where people have been and whose paths people have crossed, and over detention, interrogation and prosecution.

5. Location and Tracking Technologies

A wide variety of location and tracking technologies exist. They are mostly oriented towards entities, and their effective operation depends on the collection of entifiers (the range of possible encodings of different forms of identity for entities) that distinguish the particular entity and enable transaction data to be reliably associated with the appropriate entity and perhaps with other transactions. Some technologies are relevant to spaces other than physical space (especially net space), and some to identities rather than entities. Many specific instances of location and tracking technologies were catalogued and outlined in Clarke (1999a).

During the intervening decade, a few of these have become noticed by the general public. In particular, there is an increasing appreciation that mobile phones have become not only a personal convenience, but only a spy in the person’s pocket, reporting continually the device’s presence in a particular cell (and hence continually disclosing its location to an accuracy of 100m to a few km), even when nominally switched off.

Cell-phone location and tracking data is subject to security and some privacy regulation, but most of the features have been designed from an engineering perspective and privacy protections are incidental rather than intrinsic. The protections are subject to very substantial exceptions. The protections have been effectively nullified by extended powers for law enforcement agencies during the long national security extremism phase that followed 11 September 2001. The protections are subject to compromise by the increasing prevalence of public-private partnerships, and the vast concessions that Governments are granting for-profit corporations in return for taking over the burden of infrastructure provision and maintenance.

The rapidly developing scenario of location base services is not without positive examples. The Mountain View based company Loopt\ (LoopT, 2008a) offers geospatial social networking services, and now deliver location based push advertising with CBS. Clearly aware of the sensitivity of location-linked and sensitive technologies, they have carefully expressed aims to allow users to manage their privacyLoopT, 2008b). It remains to be seen of the advertising linkages with CBS will leave this intent untouched. There are no formal controls or standards in this area, and they are clearly already badly needed. CBS Mobile are requiring users to `opt-in’ and CBS intend to deliver advertisements anonymously and not retain any location records.

“So far, privacy and technology concerns have held back the prospect of personalized mobile ads from the likes of Starbucks or Barnes & Noble. But using Loopt’s G.P.S.-based technology and capitalizing on its relationships with mobile carriers, CBS Mobile wants to make it easier for advertisers to aim promotions at consumers more precisely as they walk by particular stores and restaurants” (New York Times, 2008c).

Clearly, some users are apparently not as sensitive about some location based services as they might be were they fully aware of the cumulative record linking capacities of such services. They will pay for them (Isqbal & Lim, 2007), and their specific consent is needed under European Privacy legislation (Loenen & Zevenbregen, 2007). Pelsys (2008) in South Australia already offers personal tracking via mobile phones as a commercial service for employers to track their staff and even to tale pictures and transfer these back to a monitoring base station as part of the service. It is not clear what freedom – if any – these staff may have to disable or deny the use of such intrusive location based services for their employer, although it is but a small step onwards from the accepted commercial vehicle tracking services already on offer. Such commercial services might indeed in the future be used for personal carbon budgets…or to track the carbon budget usage of an organisations’ staff.

The assessments of particular technologies in Clarke (1999a, 1999b) and above are mainly conceptual, and the terms `locational’ etc are now being more clearly framed in specific cases for discussion of privacy and surveillance issues, although the privacy issues are well recognised (Bettini et al, 2005; Ackerman et al, 2003) In order to bring real examples into closer focus, this section adds a few succinct vignettes that illustrate in greater depth some of the specific and highly problematic technologies (and software and management systems) that have rapidly appeared and even more rapidly been applied. Many appear to be subject to almost no meaningful privacy controls, and have extraordinary and highly negative implications for privacy, and for civil liberties and political freedoms more generally.

To position the nature of the concerns and how they might be addressed, a positive and negotiated example is given first.

5.1 Detailed identified trip purpose, location and data collection programs

The use of GPS to track individuals with their full consent to secure transport planning information now has close to a decade of experience, and has become a standard tool of trade. This is perhaps the only area where full knowledge and assent is always secured, and anonymising is part of the protocol. As long ago as 2004, typical mainstream examples and commentary was provided by the US TMIP (Transport Modeling Improvement Program) program. Murakami et al (2004) summarise the detailed travel data collected, emphasising how detailed and comprehensive it is compared to household methods, and Guensler (2004) reports result of adding instrumentation to 487 vehicles in 270 households which in addition to trip data report speed and engine operating data in real time via a mobile phone connection. The subjects were sampled randomly and a very large fraction agreed to participate over a substantial period of time.

Specialised high sensitivity personal recording equipment has been developed by several transport data specialists in Australia, such as the Centre for Logistics and Transport at the University of Sydney who has applied it to commercial vehicle data collection (Graves & Figliozzi, 2007). The general area of location based services and security and privacy has been given a further impetus from the augmented GPS systems in the European Union. The GALILEO project (European Commission, 2007) is well known for being planned to provide an alternate set of GPS services, but far less well known for offering augmentation of the GPS data and the list of specific services that will be offered. An encrypted authentication scheme is to be available for navigation services, for example, as well as a structured series of ground GPS augmentation and the EGNOS service provision centres on which third party location based services can be delivered.

“The European Geostationary Navigation Overlay Service (EGNOS) is Europe’s first venture into satellite navigation. It augments the two military satellite navigation systems now operating, the US GPS and Russian GLONASS systems, and makes them suitable for safety critical applications such as flying aircraft or navigating ships through narrow channels” (European Space Agency, 2007).

This infrastructure is an example of what is possible (Pozzobon et al, 2004) if new technology for linking location-based services with other types of services is planned for in advance.

The lesson is that fully informed consent and responsible management can be acceptable, especially when the application is so clearly for the constructive purposes of transport and traffic planning in the area where the vehicle owners live and work. The levels of detail are very fine grained and linked directly to the people and the vehicles and their operating characteristics at any point in time. The difficult issues are those where these conditions are not satisfied. These are for far less transparent and agreed purposes, and the management of the data and its subsequent recording, linkage and data mining are not disclosed to those monitored.

5.2 Automatic Number Plate Recognition (ANPR)

Far from a balanced and considered implementation of ANPR and the associated databases and linkages, the UK has raced ahead to implement and deploy a national ANPR vehicle surveillance scheme.

In March 2005 the Association of Chief Police Officers of the UK demanded [and now have widely operational] a national network of Automatic Number Plate Recognition (ANPR) UK-wide ANPR data capture “utilising police, local authority, Highways Agency, other partner and commercial sector camera, including the integration of the existing town centres and high street cameras, with a National ANPR Data Centre with an operational capacity to process 35 million ANPR reads every day increasing to 50 million by 2008, stored for two years” (Wood, 2006: p 19).

5.3 Public transport smart cards

The Oyster card for public transport in London is a salient example: one of sufficient notoriety that Richard Stallman (2008) – the founder of Open Source – has publicly protested at such an onerous use of Open Source software. 90% of all bus and underground travel in London is now paid for using Oyster RFID cards (Transport for London, 2008), with 12 million cards now in use. There is no anonymous method of payment, and the linkages between credit cards and the Oyster travel and timing records are thus unavoidable. The function creep is well established, with extensive police and surveillance access used. The commercial extensions and function creep is now beginning with the re-implemented Linux based software for faster modification and greater flexibility for Transport for London to utilise- promoting iTunes on the Oyster system with new members get free vouchers.

The Oyster principles are a major influence on the well-overdue (and over cost) MyKi (myki, 2006) transport ticketing system still under development for Melbourne. Although at least some token attention to privacy is indicated on their website, it remains to be seen if it will remain. In the case of MyKi the extended use of the card to other types of purchases is clearly signalled, so the function creep has begun long before the system has even been finalised.

Oyster has progressively become an major tool for general enforcement and surveillance, the function creep that inevitably occurs once an expensive system begins to work well – many different parties press to get the potential (usually privacy invasive) advantages at minimal marginal cost. This persuasive economic dynamic is one that can confidently be expected to occur again and again – unless clearer privacy rules and new enforcement techniques (maybe drawing upon the same locational technologies with the addition of nyms and other forms of temporary identification adequate for the purpose and no more).

5.4 Identity variants and location based services

There has been little coherent treatment of the privacy and security aspects of the many and various forms of location based services. A few examples have been given here where they has been recognised as an issue of recognised importance, and some provisions have been made. These provisions are inconsistent, and follow no particular pattern.

GALILEO has provided for encrypted navigational services with a full protocol, but it is up to service creators to decide how to use these facilities, but they are indeed there to be used. There is no equivalent of middleware for location based privacy services, although there are systematic efforts to move towards it by mobile phone manufacturers. For example, Nokia (2008) provides full application programming interfaces to support such facilities for its developers so that GPS augmentation by other data sources can be easily be used to enhance the location determination and location attributes.

Nuanced locational anonymity is not impossible. Beresford & Stanjo (2003) propose and demonstrate the mix zone, a locational extension of techniques developed for anonymous communications. Another example is Priyantha et al (2000) who describe the Cricket location system under sole control of a PDA user.

Microsoft is also one of the organizations working on a range of protocols for privacy (or the choice of its absence) at both a middleware level and an application level. All of these approaches are not focussed on providing a coherent approach to privacy in a location-enabled environment, and do not distinguish between people and objects.

As a result the careful niceties expounded in the early section of this paper where the variations in association type (and indeed duration) of associations between individual entities in a data system are not yet widely recognised.

It is only when the overall privacy design of the system is considered that such provisions become necessary. The Internet Taskforce GEOPRIV initiative (IETF, 2008) is probably one of the most effective (or at least pervasive) places to begin to contribute such fine – but critical- distinctions to the process.

6. Conclusions

Locational technologies have not previously been seen as surveillance devices in common use, and so the controls – or even the need to have any – have been slow appear

`Where you have been’ is not restricted to location, the massive pressure from many different areas of government and commerce to link up existing data collections on people has a special meaning once the locations visited are not only physical but also social and transactional. To this extent locational issues are sensitive in its own right- but the combination of backward integration with other types of data, as well as historical physical locations, allied to social network analysis offers an almost irresistible attraction to many areas of government administration and commercial enterprises.

In this regard the multiplications of connections that result from adding historical or real time locational data has an impact that draws all individuals and their associations into a single tightly closed net: you may be judged not only where you have been, but by who you were there with (or even close to) – and when. This expansion of connections cannot be ignored and entwines all of us with anyone or any group under monitoring for any purpose, historically or prospectively, or, as one might put it, `you are where you have been and ….who with and when’

Information technology shares a key characteristic with an elephant: it doesn’t know how to forget. It needs to be taught how: very quickly – and provably. This is almost certainly an impossible dream, and the best course of action is to focus on three things:

  1. Secure a layered privacy and record linkage process, supported by widely used middleware to buffer the added sensitivities of linking in locational data.
  2. Ensure that the duration of associations between nyms, names and objects etc is as brief as is necessary for the transaction, and make this an industry standard.
  3. To develop policies that articulate clearly that the intermediate associations are neither needed nor kept beyond the transaction in which they are involved. Especially when approximate locations are used to link disparate people or `objects of interest’.

This too may already be impossible to secure, so `we are where we were – and are now likely to be labelled by the characteristics of those who might also pass through the same locations’.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s