22 May 2011, superseding the original version of 13 May 2011
Means for ascertaining the location of a computing device have matured rapidly recently, and include GPS, Wifi, and triangulation within mobile phone cells. These techniques have enabled Location-Based Services (LBS) to be created. Many LBS are proving attractive to users of mobile devices such as smartphones and tablets.
Researchers and privacy advocates have long warned about the dangers of person location and tracking. During April 2011, the public became aware that location data was being gathered with much greater intensity, was being retained longer, was being stored in accessible places, and was being used for more purposes, than consumers had previously realised. Location data is creating risks that consumers had not previously appreciated.
This document summarises the APF’s policy in relation to the use of positional data relating to mobile devices as a means of locating and tracking the individuals carrying them. The scope of this Statement does not extend to other privacy issues such as use of positional data to collect information about third parties.
1. Location data is sensitive for many categories of people. Examples of persons-at-risk include victims of domestic violence, protected witnesses, celebrities, and undercover law enforcement operatives.
2. Data about successive locations enables tracking, which may be conducted in real-time, or retrospectively. It is also feasible to use real-time tracking as a means of predicting a person’s future location and even their behaviour or intention. Tracking data creates even greater risks than does location data, for many more people.
3. Location and tracking data, even alone, but especially when combined with other data, enable a great many inferences to be drawn about an individual’s behaviour, attitudes, affiliations, political opinions and religious beliefs. Such data and the inferences they enable are of interest to both corporations and government agencies. The threats to the individual extend far beyond information privacy to encompass privacy of personal behaviour, privacy of the physical person and personal safety.
Use and Disclosure of Location Data by a Service-Provider
4. Location data is useful, valuable and even necessary for various kinds of services. Collection and use for operational purposes creates risks; but, provided that they are no greater than is necessary, are understood, and are managed, they are risks that many people will be prepared to take and will consent to.
5. There are circumstances in which ‘operational purposes’ may lead to the data not being ephemeral, but instead being retained for a short time, as part of the delivery of the service. A useful term for this is ‘caching’. That increases the risk, but again many people will be happy enough with operational caching – subject to the protections of justification, minimisation, consent and risk management, and provided that the cache is quickly flushed. ‘Quickly’ may mean seconds or minutes.
6. It is common for data that has been retained even for a short time, to be kept for a bit longer, to enable such things as audit and query resolution. A useful term for this is ‘logging’. That further increases the risk, but many people may be happy enough with operational logging – again subject to the protections of justification, minimisation, consent and risk management, and provided that the log is fairly quickly deleted. ‘Fairly quickly’ may mean hours or days.
7. Whether the location data is ephemeral, in cache or in a log, it is collected for a specific operational purpose closely associated with the individual’s use of the device. An individual’s consent restricts the use, disclosure and retention of location data according to that operational purpose. Any further use or disclosure requires additional consent, or authority of law.
Retention of Location Data on an Individual’s Own Device(s)
8. Retention of location data on an individual’s own device creates risks, because the device is vulnerable to spyware installed by service-providers and planted by third parties, and to acquisition by any person or organisation that gains direct access to the device.
9. Transfer of copies of location data to an individual’s desktop or other ‘master device’ (sometimes called ‘synch’ing’) increases the risk of the data escaping, and being subsequently misused.
10. The contents of each individual’s desktop is commonly backed-up to some other device on a periodic basis. This further increases the risks. If the individual uses a remote backup service, further vulnerabilities are created.
11. Therefore it is essential that location data on an individual’s device be fully under their own control. This requires firstly that information is provided to the individual about the collection, the location and nature of storage, and the handling of the data. It also requires that the individual be able to determine whether and for how long the data is retained, whether and how it is encrypted and decrypted, and when it is deleted.
Transfer of Copies of Location Data to Someone Else’s Device
12. A number of service-providers have contrived to acquire a copy of location data from an individual’s device, for purposes other than providing a location-based service to the individual. In the examples that have come to light in early 2011, the data may be uploaded with varying frequency (e.g. daily or monthly); it may record the device’s location at varying levels of time-intensity (e.g. per minute or per hour); and it may be identified to a person or a device, or nominally de-identified but in practice pseudonymous or re-identifiable, or it may be successfully anonymised. In most cases, the data collection has been conducted without consent, or at best consent has been contrived rather than real, because it failed the critical tests of being free, informed and granular. In many cases, such copies create substantial risks to the individual.
13. Service-providers that have acquired location data in such ways may have disclosed some or all of the data to other parties. This may have been on a commercial basis or under authority of law, including search warrants – but in some jurisdictions some agencies have the power to demand data, or to break in and copy data, without a warrant.
14. Location data that has escaped from the individual’s control may have been transferred to a jurisdiction that is remote from the individual, and that may have weak legal protections in comparison with the individual’s home jurisdiction. To address these abuses, the handling of location data must be subject to the protections described below.
15. It is essential that all handling of location data – including collection, use, disclosure and retention – by any organisation, be subject to the user’s consent. The requirement of consent is only satisfied if the consent is free, informed and revocable. Free means that there is no duress or undue influence. Informed means that the individual is able to understand the scope and implications of their actions. Revocable means that the individual can withdraw their consent at any time.
16. If consents for a broad range of actions are bundled together, then the consent is neither free nor informed. Consent arrangements must be sufficiently ‘granular’. That means that the individual must be able to consent to, or deny, multiple specific actions, and must not be forced to accept multiple undesired conditions in order to accept one or a few desired conditions. Most crucially, a consent for operational use is not a consent for retention, nor for marketing or other uses, nor for disclosure to other parties, nor for upload of data stored on the device.
17. Where any form of handling of location data is authorised by law, the authority must be specific, justified, proportionate and controlled.
18. The proposition that self-regulation by business enterprises will result in adequate protections for users has been demonstrated time and time again to be false. Corporations continually abuse the freedoms that Parliaments have permitted them, and industry associations, by their nature, can never rein in ‘cowboy’ behaviour even by their members let alone by non-members.
19. Parliaments must create legal protections, which must be clear, must be sufficiently technologically-specific to be effective, must have teeth, and must be enforced.
20. Parliaments must not use the convenient excuse that many of the abuses occur outside the jurisdiction. They must impose regulation using their full constitutional powers, and work through bilateral and multilateral fora towards equivalent protections elsewhere.