29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS 29e Confrence internationale des commissaires à la protection de la vie prive
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Ubiquitous Computing Location-based Tracking Workshop Chair Dr. Alexander Dix Berlin Commissioner for Data Protection and Freedom of Information (Germany)
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Überveillance: 24/7 x 365 People Tracking and Monitoring Michael G. Michael (61) University of Wollongong, Australia
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Classifying Location Technologies and Services Network or device-based or hybrid Precise vs proximity positioning Indoors/outdoors, closed campus/global Consumer, business, government Used to track objects, animals, people Voluntary vs mandatory Push vs pull location services
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Chew & Michael, 2005
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Practical Approaches to Gauging Privacy Impacts Before widespread diffusion of an innovation –Discourse and debate Citizen and public/private sector involvement –Scenario-based planning Historical method; learning from the lessons of the past Best case/worse case and deconstruction/interpretation –Technology assessment & forecasting Ask a universal panel of experts with diverse backgrounds After widespread diffusion of an innovation –Case law-based analysis –Technical standards, guidelines, protocol review –Evidence-based practice can fine-tune regulation
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Ubiquitous Tracking: Fact or Fiction? Ubiquitous tracking is here, NOW –E.g. Logistics providers tracking shipments DHL-Asia claims 5 million daily parcel location fixes Is people tracking ubiquitous? –Are you a criminal or terrorist suspect? Law enforcement agencies can track anyone (warrant) –Are you a prison inmate or medical patient? Minority groups are always early adopters (trialability) Balance needed between extreme viewpoints –Industry is promoting ubiquity to its customers –Civil libertarians are not always fully informed
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS The High-Profile Debate Over RFID Tags in Retail Learning from the bar code experience 1970s+ Do we need a kill function in passive tags? –What information does an RFID tag reveal beyond that of our credit card history (spending patterns and trends)? –Future prospects: obtrusive vs unobtrusive readers Should we not be more concerned with RFID anti- cloning techniques? What is the value proposition of RFID to –Business: supply chain management, inventory control etc –Consumers: additional convenience (yet to be proven) What about RFID tags in ePassports/eTollways?
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Encouraging the Development of an Emerging Technology Consumer education is important –In the case of RFID it cannot wait until after deployment Safeguards and support depend on usability context –One size does not fit all –E.g. tagging objects vs implanting people with transponders is different (even if voluntary subscription) The question IS whether RFID: (A)Is a technology looking for a problem, pushed by vendors? (B)Is a valuable e-business investment for the future? (C)Is another interim technology serving perceived needs? (D)Is a vehicle for global object-to-subject surveillance?
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS The Rights of the Individual to Opt-Out of Being Tracked Is the individual being tracked: –a minor, mentally ill or disabled, a citizen or alien, husband or wife, a leaseholder of a vehicle, a life insurance policy member, a medical patient, an employee of a company, a criminal etc. Informed personal consent vs third party (power of attorney)? Need to respect individual philosophies/beliefs held by citizens Required accessibility to services through multiple mechanisms –E.g. there are people who do not own a mobile phone, do not wish to have Internet access for banking, and do not believe in credit facilities (it is their right to do so; their right to be let alone) An individual should be aware of location frequency reporting –Daily, hourly, per minute/second, based on custom requirements Polling transactions must be transparent to the subscriber
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Location Tracking Dilemmas Accuracy Accessibility Privacy Property Control Security Trust Cost Perusco, Michael & Michael, 2006
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Concluding Remarks Location intelligence can reveal a great deal about ones relationships, traits, likes and dislikes, mobility behaviour etc. Problem of any location service is the potential for: –Misinformation –Misinterpretation –Information Manipulation Location services can enhance national and personal security –But how much privacy are we willing to trade to increase security? Überveillance is here now- the above and beyond almost omnipresent 24/7 x 365 surveillance We must consider the trajectory of location services –Hierarchical positioning systems (converging services) –IP-based location services (location-aware devices) –The rise of the Electrophorus (the human as a wireless node)
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Surveillance web 2.0: Traceability in the internet of things David Lyon Professor of Sociology at Queen's University Kingston, Ontario
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Dealing With Privacy and Security Issues When Providing Location- Based Services Eloïse Gratton Partner, McMillan Binch Mendelsohn
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Introduction - Wireless Privacy Issues Collection of personal / location data - Static Profiling - Dynamic Profiling - Location-specific Profiling Wireless spam - Legal Framework Canada : PIPEDA and provincial laws United States : Safe Harbor Agreement Europe : EC Directives
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Who should provide/be provided with the disclosure? Disclosure: Data collector should disclose to data subjects what kind of data is collected about them and the purpose / use of collection. Recipient of the disclosure : The data subject Issues : - Status of anonymous location data - Ownership of the location data Provider of the disclosure : The data collector Issue : - Different parties involved : LBS provider, content provider, network operator, etc.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS How should disclosure be provided? Method : - Legal Framework : - Orally or in writing - Depends on the nature of the business - On the wireless device, when technically feasible - Suggested method: In a service contract Timing : - Legal Framework : - Prior to the use or collection of such data - Suggested timing : Prior to the collection
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS The content of the disclosure Collection of data : - Type and quality of data collected - Way of collecting the data and purpose - Collectors identity, place of business and procedure to complain Security of data, storage and transfer Access to data Choice and consent : - Period of validity of consent - Withdraw of consent / Implications of opt-out - Update in privacy policy
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Obtaining the Consent Consent: Data collector should obtain the data subjects consent before collecting or using his/her personal data. From whom do you get the consent? -Wireless users being tracked (anonymously or not) : - Each device transmits a unique identifier - Device usually belongs to an individual - Wireless users receiving location-based content Who should obtain the consent? The operator : - Already relationship with wireless users - Incentive to protect location data
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Content of the Consent - Issues relating to the data collection, use of location data, etc. - Issues relating to messages : - Number and frequency of messages - Provider of message and type of messages - The timing of messages - The location of messages - Absence of consent : Should individuals who refuse any type of tracking be legally entitled to equivalent non-tracking-based services and products?
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Security Issues Security : Data collected should be protected by reasonable security measures against accidental loss, theft, disclosure, etc. Issues : - What is the most secure location tracking technology? - What is a reasonable technical security system? - What is the appropriate business model? - Storage related issues.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Security System: Case Study
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Other Privacy Principles Data Quality : - Data used and collected shall be accurate and relevant for the purpose of the collection Data Transfer : - Under what conditions should location data be made available to third parties, including law enforcement agencies? Data Access : - The data collector shall provide to the data subject reasonable access to the collected data in a form intelligible to him/her
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Conclusion - Voluntary guidelines or existing laws may not be sufficient to govern the use of location data - Privacy laws are drafted in general terms, therefore the industry needs to translate the privacy legal framework into business practices taking into account : - The interest of the industry and wireless users - Wireless privacy issues - Jurisdictions issues: using the most stringent privacy framework
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Questions? Tel: (514)
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS The Battle over Location: Competing Agendas Harming Privacy and Innovation John Morris Center for Democracy & Technology
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Overview The Good News: Technological initiatives can enhance the privacy of location information –GeoPriv But other societal demands are threatening those initiatives –e911 emergency call requirements –Law enforcement surveillance demands This can harm privacy and innovation
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS GeoPriv A technical standard aimed at protecting the privacy of location information Development started in 2001 by the Internet Engineering Task Force (IETF) Created in response to proposals about location that ignored privacy implications of location information
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS The GeoPriv Standard Requires that basic privacy rules must be transmitted alongside location information Privacy rules and location information are contained in the same electronic envelope Basic privacy rules include: –Time limit on retention –Retransmission consent (or lack thereof) –Pointer to more robust externally-stored privacy rules
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Robust Rules Possible Robust rules can include conditions for: –Identity: who can receive my location –Validity: when can my location be provided –Sphere: am I at work, at home, traveling? Allows for rules like if I am at work the following people can learn my location Does not assume that the network or access provider will control location information -- allows third party privacy providers
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS GeoPriv Deployment Intended by IETF to be used for all transmissions of location info using IETF protocols, e.g., SIP (VoIP/IM) Initial plans to implement GeoPriv: –3GPP -- wireless communications –NENA (US) -- emergency communications Requires national/local laws to enforce privacy rules conveyed by GeoPriv
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS The Bad News Competing national/social agendas are setting technical requirements that undermine GeoPriv and other efforts to protect location privacy Various proposals would have us skip straight to the Orwellian surveillance society
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS e911 Highly problematic proposed requirements: –Demand for network-provided location –Devices must be automatically locatable –All IP-enabled devices covered Harm to privacy –Takes control away from users –Tracking can be done without user involvement –More and more devices can be tracked Harm to innovation –Some possible devices cannot meet requirements
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Law Enforcement Surveillance and Location Tracking On-going debate in U.S. about legal standard for access to location info Technical demands by law enforcement raise serious privacy concerns (CALEA) –Cell tower location not adequate >> GPS –In VoIP and other IP-enabled contexts, U.S. law enforcement wants to control initial design of new technologies
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Concern about Both Privacy and Innovation Clear harms to privacy –Loss of user control and knowledge –Greater commercial access to location –Always on tracking capability Limitations on innovation and new technology can also harm or diminish privacy –May preclude simpler, less trackable devices –May preclude third parties offering privacy protection services
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Conclusions New location technology can threaten privacy But technologies can also protect location privacy Well-intended societal goals can harm location privacy We need to balance other societal goals (911, law enforcement) with need to protect privacy
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS Questions John Morris Center for Democracy & Technology Washington, D.C., U.S.A