This Wednesday the House Subcommittee on Commerce, Trade, and Consumer Protection and Subcommittee on Communications, Technology, and the Internet will hold a joint hearing on The Collection and Use of Location Information for Commercial Purposes. Very important committees in the House, the topic brings Location Privacy to the forefront of Congressional oversight. An important topic in any digital era - before Clouds, Google Maps, iPhone & Android, Foursquare, Facebook, Twitter, and Buzz; even before GPS semiconductor ubiquity within mobile devices, and when cellular networks were often the only option available to passively extract user location data. It's enlightening to revisit the topic again - much has changed.
Six years ago, mobile location privacy issue discussions de jour focused predominantly on passive extractions common to cellular network capabilities. Two broad issues were:
- Corporate-liable location privacy: Companies, businesses, or corporations had legal rights to locate and track mobile devices or vehicles considered corporate property, similar to an insured asset. Locke might have agreed with this notion of property ownership, but some individuals representing labor unions did not!
- Individual-liable location privacy: Individuals, consumers, citizens must provide opt-in consent to a software or platform as a service locating or tracking them. The software or platform must authenticate and authorize individual opt-in provisions with requested server-initiated location queries.
To protect themselves, partners, and users from invasive threats, most cellular providers crafted supporting legalese with technology deployments written to safeguard personally identifiable information with included location information. Boiler agreements I recall reviewing protected individuals and application & service providers from intentional abuse and/or accidental misuse of location information coupled to a phone number (wireless' personal identity primary key). Most agreements looked similar to the below click-threw, but were less efficient and typically required legal review and sign-off - particularly for group activations.
While safeguards introduced then protected carriers, application providers, companies and individual constituents for transactions, little discussion revolved around location information histories and storage of location data for other post-transaction commercial uses. Some early movers had foresight to include protection clauses within terms of service agreements explicitly stating location data history with personally identifiable information shall not be stored for post-processing analytics, but it's commonly known crude cellular-identification positioning techniques accompany every wireless transaction detail record. It's also known some of these historical records were attained from wireless carriers on the receiving end of issued subpeonas covered by the Patriot Act, which raises concerns and questions... Is it acceptable to store and analyze personally identifiable location information histories for government and security uses, while unacceptable for commercial purposes? ...Questions I expect the hearing addresses not just in the context of cellular provider behavior, but in the larger and more general context of the privacy discussion.
Social Web Privacy
Beyond cellular network approaches to location information capture and storage, we're now entering a new era of availability, accessibility, and concern. Today, GPS and other positioning technologies are ubiquitous within mobile devices to a point where Mobility is now synonymous with Location. At the same time, the Web has evolved from a read-only Web to a writable Web where volunteered status updates from location-capable smartphone applications post personally identifiable location information to social nets interconnected across the Web. Boutique check-in, "I am here" location broadcasting services linked to larger social networking services like Twitter are leading the movement, while controversial services such as Google's Buzz have recently emerged. While these new mobile & Web services offer local protection safeguards for users to control and manage how location information is shared and published, it's anything but clear or publicized how back-end services will use location information in post-processed commercial contexts. It's widely speculated bits of private information will be used for local advertising, based on stored, analyzed, and synthesized personal location information histories.
As an example, I use Latitude on my smartphone which offers local privacy controls for publishing and sharing.
While I control privacy provisions for peer sharing, I don't yet know how Google (or any other Web property aggregator) uses my stored location histories. I assume they synthesize my mobility movements into predictability patterns for profit, where in the future businesses in business with them tap derived intelligence and insert ads into my mobile life, and while I might want to share my location with my social network, I might not want the former. At this time, it appears I must do both, without choice. Also, who else could they sell my historical data to? Could they themselves also use my data without my authorization for their own data-product improvements? Will they grant government entities access to my information? These are all unknowns not of my personal concern, but of public concern - additional items I hope the House committee addresses on Wednesday.
Pseudonymity, Dishonesty, & the New Privacy
Scott McNealy's now infamous utterance "You have zero privacy, get over it" may be true (or become reality soon), but it doesn't have to. In order for location information histories to create value for commercial purposes, the data must be associated with individual, unique identity. In the cellular arena it's impossible to fake individual identity because monthly bills and validated billing information define accountable relationships between individuals and service providers. However, on the Web, where 'free' defines the loose relationship between individuals and services, individual pseudonymity and dishonesty may become the currency for identity privacy on the Web. Lying about identity is wrong, but perhaps it's the only way for individuals to protect themselves while benefiting from the good-side of services on the Web & Social Web. It's troubling to think we might become a society of liars killing trust, but Web & Social Web influences may inadvertently encourage social dishonesty as a means of personal privacy protection. Will the House address these digital dishonesty issues as well? They should.