The U.S. Government Accounting Office is examining the risks to consumers’ privacy posed by location-based services, and in particular how those risks apply to the future of the "connected car." The Centre for Spatial Law and Policy’s executive director, Kevin Pomfret, explains how regulators intend to broadly apply existing privacy guidelines to the collection, use, storage and distribution of geolocated data.
A recent Government Accounting Office (GAO) report on consumer privacy and in-car location-based services highlights the challenges the geospatial community will face as regulators in the U.S. apply traditional privacy constructs to geoinformation. The report, published in December, is titled, "In-Car Location-Based Services: Companies Are Taking Steps to Protect Privacy, but Some Risks May Not Be Clear to Consumers." It examines the steps companies are taking to protect location information collected in connection with providing in-car location-based services. The report was prepared at the request of the Senate Subcommittee on Privacy, Technology and the Law, which has been looking at consumer privacy issues over the past few years. After reviewing the practices of 10 selected companies, the report concluded that all companies selected “have taken steps consistent with some, but not all industry-recommended privacy practices. In addition, the companies’ privacy practices were, in certain instances, unclear, which could make it difficult for consumers to understand the privacy risks that may exist.” [emphasis added]
The “industry-recommended” privacy practices cited in the GAO report are actually a construct favored by many within the privacy community. The Fair Information Practice Principles (FIPP) were developed in 1973 by a U.S. government advisory committee in response to concerns about the potential consequences that computerized data systems could have on the privacy of personal information. A revised version of the FIPP has served as a basis for a number of privacy and data protection laws, policies and regulations across the globe, including in the U.S. These principles include:
Transparency: Organizations should be transparent and provide notice to the individual regarding how they collect, use, disseminate, and store protected information.
Individual Participation: Organizations should, to the extent practicable, seek individual consent for the collection, use, dissemination, and storage of protected information. Organizations should also provide individuals a mechanism for appropriate access, correction, and redress regarding use of the protected information.
Purpose Specification: Organizations should clearly and fully state the purpose or purposes for which the protected information is intended to be used.
Data Minimization: Organizations should only collect protected information that is directly relevant and necessary to accomplish the specified purpose(s) and only retain the information for as long as is necessary to fulfill the specified purpose(s).
Use Limitation: Protected information should only be used for the purpose(s) specified in the notice. Protected information should only be shared with third parties for a purpose compatible with the purpose for which it was collected.
Data Quality and Integrity: Organizations should, to the extent practicable, ensure that protected information is accurate, relevant, timely and complete.
Security: Protected information should be properly secured against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
Accountability and Auditing: Organizations should provide training to all employees and contractors who use protected information, and audit the actual use of protected information to demonstrate compliance with these principles and all applicable privacy protection requirements.
In applying the FIPP to the 10 in-car location-based services companies selected, the GAO concluded the following:
All selected companies disclose that they collect and share location data. However, the disclosures were broadly worded, and the stated reasons for collecting were often incomplete. Moreover, many did not disclose their purposes for sharing de-identified location data because they did not consider it protected information. The GAO found, however, that even de-identified location data could be aggregated with other data to “discern the identity of an individual." Without clear disclosures, the GAO believed, the risk increases that data may be "collected or shared for purposes that the consumer is not expecting or might not have agreed to."
Consents and controls
Companies did obtain consent to collect location data, though they obtained it in various ways. However, most did not disclose how long the data were retained and did not allow consumers to request that their information be deleted. The GAO found that without the ability to request deletion, "consumers are unable to prevent the use or retention of their data, should they wish to do so."
Safeguards and retention
All took steps to safeguard location data, but used different means. There were also wide variations in how data were de-identified and in how long vehicle-specific or personally identifiable location data were retained. The GAO found that, to "the extent that a company’s de-identification methods allow a consumer to be identified or that identifiable data are retained, risks increase that location data may be used in ways consumers did not intend or may be vulnerable to unauthorized access."
The GAO report found that companies took steps to protect location data that they shared with third parties. However, "inconsistent with recommended practices, none of the selected companies disclose to consumers how they hold themselves and their employees accountable."
Why the geospatial community should care
The use of the term “industry practices” in the report indicates that policymakers and regulators intend to use existing privacy constructs with regard to the collection, use, storage and distribution of geoinformation. This was further highlighted in a recent settlement published by the Federal Trade Commission (FTC), the federal agency primarily responsible for protecting consumer privacy in the U.S. The case, In re Goldenshores Technologies, LLC, involved the collection of "geolocation information" by a mobile device app. Geolocation information is defined in the settlement documents as "precise geolocation data of an individual or mobile device, including but not limited to GPS-based, WiFi-based, or cell-based location information."
Goldenshores Technologies, LLC ("Goldenshores") developed "Brightest Flashlight Free," a free, ad-supported app that enables the device to act as a flashlight. According to the FTC, when running, the app transmitted, or could transmit, the device’s "precise geolocation along with persistent device identifiers that can be used to track a user’s location over time" to third parties, including advertisers. The FTC alleged that the app collected (and shared) the device's location before obtaining the individual's permission and did not adequately disclose with whom the information was shared. According to the FTC, such practices are prohibited under Section 5(a) of the FTC Act as "deceptive and unfair acts or practices in or affecting commerce."
As part of the settlement Goldenshores must “not collect, transmit, or allow the transmission of such [geolocation] information” from an app, unless it:
A. Clearly and prominently, immediately prior to the initial collection of or transmission of such information, and on a separate screen . . . [states]
- That such application collects, transmits, or allows the transmission of, geolocation information;
- How geolocation information may be used;
- Why such application is accessing geolocation information; and
- The identity or specific categories of third parties that receive geolocation information directly or indirectly from such application; and
B. Obtains affirmative express consent [e.g. written consent] from the consumer to the transmission of such information." [emphasis added]
Some may dismiss the In re Goldenshores Technologies, LLC settlement as applying only to mobile apps that collect location. However, that would be a mistake. The perceived privacy risks that regulators associate with geoinformation are quite broad, including (i) disclosure to unknown third parties for unspecified use, (ii) tracking consumer behavior, (iii) identity theft, (iv) personal security and (v) surveillance. Moreover, the FTC defines “geolocation information” as “precise geolocation data of an individual,” and this generally includes not only data that can directly identify an individual but also data from which the identity of an individual can reasonably be inferred. In fact, a number of other federal agencies are looking to apply FIPP to location-enabled information. For example, the Federal Aviation Administration stated in its recent report, “Integration of Civil Unmanned Aircraft Systems (UAS) in the National Airspace System (NAS) Roadmap,” that the six selected test sites should develop privacy policies that are publicly available and “informed by Fair Information Practice Principles.” Similarly, a recent report by the National Institute of Standards and Technology (NIST) on privacy and the smart grid encouraged the use of FIPP.
Over time, we should expect regulators to begin looking at the privacy risks associated with a wide range of geoinformation types. As a result, geospatial companies should begin to understand the potential implications for their operations and practices. As a first step, geospatial businesses should consider reviewing the geoinformation they collect, use, store and distribute that could be used to identify an individual. They should then evaluate whether and how the FIPP could be applied to this information.