At the beginning of the 21st century, many of the new technologies we now consider commonplace were only recently invented. Mobile phones were just becoming available for average consumers, the internet was still transitioning into a world-wide tool, Google had barely celebrated its first birthday, the dot-com bubble was still inflating, and GPS had just been opened to customers other than the military and governments. Who could have imagined just one short decade ago the technologies and services we would have today? Cell phones, iPhones, RFID tags, GPS--the new location-based services (LBS) provided by these technologies are innumerable and, more often than not, highly useful. However, there is a dark side to these inventions as well. They often provide more information than users wish to share, or give criminals and third parties access to personal data. Privacy, one of the building blocks of American democracy, is at stake, placed at risk by a society too absorbed with new gadgets and tools to protect its personal freedom. Luckily, there are a number of new methods to combat privacy infringement, but first privacy must be recognized as something worth protecting. It is important that we arrive at an understanding of the problems surrounding location-based services in order to assess the best solution. Over the course of this essay, I will address the benefits of LBS, the specific privacy concerns they generate, the best current solutions, and I will argue for the most effective choice for the future.
It is important to recognize the benefits of these technologies and how they are useful for consumers, corporations, and marketers. Consumers value the safety, convenience, efficiency, and profit provided by the technology, while corporations value profit and efficiency, and marketers value solely profit. These values are important to address because they are causing people to relinquish their privacy.
Consumers find many reasons to value this technology, which allows them to manage their lives more safely, conveniently, efficiently, and profitably. GPS locators in family cars can protect young drivers (GPS Police Inc.), while Wherifones, small GPS equipped cellphones for young children, help their parents keep them safe (Dobson and Fisher 55). Ian Paul, author of "Google Latitude Lets You Track Your Pals," published in PC World this past April, explains how Google Latitude lets friends and family share their locations and even provides directions from one location to the other. To most consumers, saving time and money with EZPass (a small RFID card used to pay tolls) and Safeway Club cards (which give the user discounts in return for data on what they bought at which store) is worth the transfer of information.
Corporations use location-based technology for security purposes as well as efficiency. For instance, GPS locators can be used to track company trucks, protecting both the property and those using it. This improved security technology is very beneficial, helping companies recover cars within hours of a theft. Rental car companies in particular use this method to check whether users cross state or national borders (GPS Police Inc.). An example presented at the ASIACCS symposium on computing security in 2006 is location-based access control, which uses a badge to constantly monitor whether employees have authorization to occupy a specific physical location (Samarati et al. 218). This method of tracking employees could increase security by giving people access to sensitive areas in a foolproof manner (for example, at an airport, any civilian who ventures onto the tarmac or worker who boards an airplane could be immediately detected and stopped). Where increased security is especially crucial, this technology could prevent unauthorized workers from entering restricted areas.
Corporate interests also support location-based services for efficiency purposes, using them to track products, packages, vehicles and sometimes even employees. Scott Granneman describes RFID tags and their uses in his article “RFID Chips Are Here,” published in Security Focus. RFID tags are tiny chips that respond to radio waves with a unique identifying number that often corresponds to data about the product or individual in a separate database. By reading the RFID chip in various places, it is possible to identify the product’s or consumer’s location. For example, Walmart plans to include RFID tags in every item they produce, giving stores increased efficiency when stocking shelves and ordering goods. By keeping records of which item was purchased by which customer, from what branch, from where in the store, and on what date (Granneman), Walmart can respond to previously invisible trends in consumer purchases. They can also track exact listings of which products are on the shelf, in the storage area, or being shipped in order to efficiently stock their stores. Now that the price of RFIDs has fallen below a dollar (Granneman), companies can gather this data cost effectively and thereby increase the efficiency of their business both in re-stocking and in guiding customers to their desired items.
Similarly, marketers embrace the technology in relation to profit incentives, recognizing that using location-based technology in advertising would be revolutionary (Vaughan-Nichols 15). As Abbey Klaassen says in her article, "Places, Please: Location Changes Digital Marketing," published in Advertising Age, marketers can provide more useful information to users given their location (2), which simultaneously benefits companies in advertising revenue and users in convenience. Another example of how location information benefits advertisers would be corporate marketing teams planting RFID tags in their products to re-organize their store layouts, helping them sell products more effectively. When stores know specifically which products are in high demand, they can display those items more prominently or place products that are commonly purchased together next to one another. For example, stores could test if candy sells better at the front, middle, or back of the store by creating multiple displays of candy, each placed at a different location in the store, and give the candy bars corresponding RFID tags. By tracking which RFID chips are more commonly purchased, corporations could identify the most appealing location for the product and change their layout accordingly. Corporate advertisers can capitalize on the new technology to market their products in the most attractive way, thereby maximizing the store’s profit. Given these few examples of the benefits of location-based services, it is no wonder why marketers, corporations, and consumers use location-based technologies to improve their daily lives.
However, despite the many benefits of location-based services, their invasion of privacy causes a number of problems. Unfortunately, consumers are untroubled by this invasion. If privacy is to be protected, and it should be, consumers will have to acknowledge its importance and choose to fight for it. Experts in location science and communication technology fear that pervasive location information will damage privacy, autonomy, and free will. In chapter two of their book Blown to Bits, Abelson, Ledeen, and Lewis (authorities on the fields of Computer Science, Internet and Society, and Engineering) discuss the dangers facing modern society with the dwindling value of privacy. Their book is a comprehensive source on the potential for privacy infringement in modern life as a result of technology, and therefore helped shape many of the following arguments. To them, privacy is a necessity, “essential to the development of independent thought” (Abelson, Ledeen, and Lewis 69) and supported by society’s laws and conventions.
In many of our laws and social norms, privacy is protected on a fundamental level. The American Revolution was fought over America’s desire for freedom from England, and in a sense, grew out of the colonists’ demand for privacy, specifically relating to taxation. Following that goal, James Madison structured The Bill of Rights to protect individual privacy: of beliefs, of the home, of possessions, and of personal information (Bill of Rights). This value is further articulated in Roe v. Wade, which resides on “the Due Process Clause of the Fourteenth Amendment, which protects against state action the right to privacy, including a woman's qualified right to terminate her pregnancy” (Roe v. Wade). This interpretation of the Fourteenth Amendment makes privacy an inalienable right. It is also considered vital because of its role in protecting “progressive social changes” (Abelson, Ledeen, and Lewis 65): people need to be able to try unconventional things without fear of retaliation from the elite members of society or government, otherwise democracy would cease to exist. LBS should therefore be restructured to support this right instead of convincing consumers to surrender their privacy in exchange for various services. The following discussion provides four examples of the dangers of location-based services in relation to privacy; specifically, the opportunity for governmental control, individual exploitation, malicious interception, and personal embarrassment.
The first concern associated with LBS is the Orwellian fear that governments will track and control citizens. James Madison wrote The Bill of Rights to protect against this kind of scenario. Totalitarian or communist governments could use GPS or RFID tags to supervise and dominate their citizens by tracking their movements. For example, “in China, which has a long history of tracking individuals as a mechanism of social control, the millions of residents of Shenzhen are being issued identity cards, which record far more than the bearer’s name and address” (Abelson, Ledeen, and Lewis 48). China is using these cards to literally track their citizens, able to tell who was at a protest or visited a certain location and punish them accordingly (Abelson, Ledeen, and Lewis 49). Blown To Bits uses Nixon as an American example, explaining how he “used his authority as president to gather information on those who opposed him” (Abelson, Ledeen, and Lewis 53), and then ordered the IRS to audit their tax returns. Imagine how much worse it would be if Nixon had also been able to physically pinpoint his political enemies. Obviously, it is critical to protect citizens from the governmental abuse of this new technology.
Another reason why privacy protections are essential to the development of location-based services is the inclination for individuals to exploit the technology to subordinate others. GPS transmitters seem beneficial when helping parents protect young drivers. However, if overused, this technology could foster abusive relationships by controlling the exact movements of the child or spouse. Not only could a victim be dominated within the house, but even school or work would no longer be a safe outlet. On a more extreme level, forced laborers and child slaves would no longer have any opportunity for escape, and their masters would have new tools for surveillance and control. This same relationship could be demonstrated in the workplace, with employers using the technology to control their employees right down to bathroom breaks. Times in and out of work, as well as lunch breaks, could be tracked and used to pressure employees. A counterargument might be that punch cards and bathroom passes have performed similar functions in the past; however, those technologies are at least visible, while this technology could be implemented almost without the employee’s knowledge.
The third danger associated with LBS is the possibility of people intercepting the location information in order to harm the user. While driving directions from GPS units and discounts from Club Cards seem handy and useful, burglars could use GPS to see if and when residents leave their houses, while other criminals could use data stored in RFID cards to perform identity theft. An even worse scenario would be pedophiles hacking into the Wherifones to locate small children who may be prone to wandering off. Some might argue that these delinquents could attain their goals without the location technology, but the bottom line is that the technology would help them accomplish their crimes more efficiently and effectively, just as it would help businesses and consumers save time and money.
The final reason why privacy is an important component of the technology is the intensely personal information that LBSs utilize. RFID tags and supermarket loyalty cards can track “whether you use regular or super tampons, lubricated or unlubricated condoms,” or even if you buy treatment for acne, herpes, or AIDS (Abelson, Ledeen, and Lewis). The users of these products aren’t “guilty” of anything, but if that personal information were published, they would be both uncomfortable and embarrassed. The constant transfer of information could be used to correlate the user’s tastes in movies, restaurants, stores, products, and friends. None of this information is being used for malicious purposes; however, it is something most people prefer to be kept private instead of open to browsing by strangers and advertisers.
In reality, what each of the above examples argues is the value of privacy. As these situations show, while LBS might have some useful qualities, for vulnerable citizens it can become a vehicle of domination and control. Citizens can be dominated by governments, or employees by employers, and even criminals can take advantage of the technology to enable their various wrongdoings. In these cases, privacy is more important than the value of the service offered. The significance of privacy in modern life is being overlooked by both consumers and marketers, yet its presence is nonetheless vital to the preservation of democracy and prevention of public shame, crime, and slavery. Consumers should be concerned about their privacy, stepping up in both private and public spheres to protect this important value.
Location-based services have benefits for consumers, corporations, and marketers, but privacy concerns necessitate modifying the technology to address these worries. Although there are many current methods of confronting privacy complications in LBS communication, not all of them are effective. A balance between protecting the information and preserving the services’ original values must be achieved.
It is important to note that technology itself is not the problem. As Dobson and Fisher explain, “technology per se is neither good nor evil, and it certainly cannot be held responsible for the sins of society. But technology can empower those who choose to engage in good or bad behavior” (Dobson and Fisher 47). Therefore, it is important to enable those who use location-based services for constructive purposes while also protecting users from those who look to exploit the technology for their personal gain. Current research surrounds privacy protection for “smart phones,” which collect the user’s location using GPS or cell-tower triangulation and provide related services. By examining solutions for this scenario specifically, we can demonstrate that there are effective ways of protecting privacy while maintaining the service’s benefits, which can then be applied to other technologies like RFID tags and GPS. Smart phone research suggests four methods for protecting privacy: cloaking, encryption, dummy-based location hiding, and the trust-based model. Each solution has its own advantages and disadvantages; however, the champion by far is the trust-based encryption model.
The first technique is known as cloaking, which involves blurring the user’s exact location in order to make him or her less identifiable. This strategy requires setting up a trusted mobile operator (e.g. AT&T) which collects the user’s exact location and generalizes it into a cloaked area. For instance, the exact location of 5th and Main Street would be translated to Seattle as a whole. The cloaked location, along with personal information, is sent to the service provider (e.g. Google Maps) in order for them to provide the service (e.g. driving directions) (Zimmermann, Chen, and Ku). The communication between the smart phone and the service provider is direct in this technique, with an uninterrupted flow of information from the smart phone to the service provider. This method is based on a “location anonymizer,” which obscures the user’s exact location to make the device unlinkable to its spatial position. This is a functional solution; however, it immediately affects the quality of service. With inferior information, services that need exact locations are inherently flawed. For example, directions within a city using the client’s current location would be impossible to compute with only vague data. While the cloaking system does protect against governmental abuse, malicious data interception, and personal embarrassment, this flaw makes the solution inadequate because the services are negatively impacted. Researchers might try to dress up the technique in fancy jargon, calling it “spatial obfuscation techniques” consisting of “artificial perturbations of the location information” (Ardagna, Cremonini, and Gianini), but no matter how fancy the system sounds, it depreciates the value of the services offered and is therefore inadequate. Despite the obvious drawbacks, this solution is a good candidate. However, there are better options.
Encryption is another method for keeping privacy data secure. Encryption involves scrambling true data in a set pattern so that it is unreadable without a “key” which is used to decrypt the data and see the true information. Groups can be formed “through the distribution of keys that decrypt the location information” (Sun, La Porta, and Kermani), with different keys unlocking different levels of the data such as a county, city, or specific location. These groups may include other users and servers in the network that can then use the data to provide services. By hierarchically encrypting the location information, groups with different privacy levels can be created, able to see more or less precisely where the user is. This method has the added bonus of supporting groups with different privacy levels, but it falls short in protecting privacy when dealing with service providers. Here, either they are inside or outside the privacy circle--either you are subscribed and sharing all your information and getting the service, or you share no information and get no service. The problem with this solution is that, even if criminals and pedophiles are blocked, service providers can still slowly amass private (and perhaps embarrassing) information.
A third procedure for protecting privacy was developed in the Graduate School of Information Science and Technology at Osaka University in Japan. Hidetoshi Kidof, Yutaka Yanagisawa, and Tetsuji Satoh invented dummy-based location hiding, where users generate and send both dummy and true location data to service providers. The user’s location privacy is protected because service providers cannot distinguish the true position data from the dummy data (Kidof et al.). One of the main issues that this solution resolves is sending true location data to a service provider and then never being able to delete it. In most cases, if the service provider were to store and track this data, they could discover motion patterns about the user. However, by sending multiple positions, all but one of which are false, service providers don’t know which location is true and are therefore unable to form databases of the user’s movements from which to make inferences. This technique is much better than the previous methods, with only a few drawbacks in terms of usability for providers and consumers. The first drawback would be if users themselves were required to create and input the “dummy” data. This would significantly decrease the usability of the strategy, making more work for the user than similar technologies. Another concern is that service providers might be able to analyze the incoming data and use trends in the queries to discover the real location among the fakes. If, for instance, each time the user submitted five locations, one of them was in Houston, TX, the service provider might be able to infer that that location was the real one. Despite these concerns, this system works relatively well at providing user benefits while still protecting privacy on all levels. On the other hand, it does mean more work for the service provider, forcing them to analyze five times as much data. This might not be as prohibitive as, say, for a restaurant serving five times as many orders; however, it does place a significant burden on the service provider. These drawbacks make this method impractical for widespread usage, and therefore a less provider-intensive solution would be preferable.
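The inference concern raised above can be measured directly. The following is an added illustration, not code from Kidof et al. or from this essay: it simulates the dummy-based scheme on an assumed grid of named map cells, shows that a provider counting how often each cell recurs across stored queries singles out the true location when the dummies are freshly random each time, and shows one mitigation (assumed here, not taken from the paper) in which the same dummy set is resent every query so that no cell stands out.

```python
"""Dummy-based location hiding and the frequency leak a storing provider
can exploit.  Constructed example: the cell names, query counts and the
'stable dummy set' mitigation are assumptions for illustration only.
"""
import random
from collections import Counter

# Assumed: the service works on coarse map cells, identified by name.
CELLS = ["Houston", "Dallas", "Austin", "San Antonio", "El Paso",
         "Fort Worth", "Lubbock", "Amarillo", "Corpus Christi", "Laredo"]


def fresh_dummies(true_cell, k, rng):
    """Naive scheme: draw k-1 random dummy cells anew for every query.
    The true cell is the only one guaranteed to appear in every query."""
    others = [c for c in CELLS if c != true_cell]
    query = rng.sample(others, k - 1) + [true_cell]
    rng.shuffle(query)
    return query


class StableDummies:
    """Mitigation (assumed): choose the dummy set once per user and reuse
    it, so every cell in the set recurs exactly as often as the true cell."""

    def __init__(self, true_cell, k, rng):
        others = [c for c in CELLS if c != true_cell]
        self.cells = rng.sample(others, k - 1) + [true_cell]

    def query(self, rng):
        q = list(self.cells)
        rng.shuffle(q)
        return q


def provider_guess(queries):
    """What a provider that stores every query can infer: the cell that
    appears most often, and its lead over the runner-up.  A lead of 0
    means the top cells are tied and the count reveals nothing."""
    counts = Counter(c for q in queries for c in q)
    ranked = counts.most_common()
    top, top_n = ranked[0]
    second_n = ranked[1][1] if len(ranked) > 1 else 0
    return top, top_n - second_n


def simulate(scheme, true_cell="Houston", k=5, n_queries=40, seed=7):
    """Run n_queries queries under one scheme and return the provider's
    best guess and its lead.  Seeded so the result is reproducible."""
    rng = random.Random(seed)
    if scheme == "fresh":
        queries = [fresh_dummies(true_cell, k, rng) for _ in range(n_queries)]
    elif scheme == "stable":
        user = StableDummies(true_cell, k, rng)
        queries = [user.query(rng) for _ in range(n_queries)]
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return provider_guess(queries)


if __name__ == "__main__":
    print("fresh dummies :", simulate("fresh"))   # Houston, with a clear lead
    print("stable dummies:", simulate("stable"))  # lead of 0: a five-way tie
```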
The final and most effective method is the trust-based model because it balances the value of privacy with the value of the service offered. This technique protects the user’s privacy through the mobile operator (MO), making sure that only locations, not identities, are released to service providers (SP). For instance, a smart phone would release location information to AT&T (MO), say to ask for directions from point A to point B. AT&T would then contact Google Maps (SP) and ask for directions from point A to point B and return the result to the user. This is distinct from the cloaking method in that the MO releases no information about the user to the SP. By releasing less information, it protects privacy more effectively. Explained by the system’s creators from Information and Communications University, it is more “convenient for the mobile device to trust one single entity like MO rather than validating many SPs and then trusting them.” This solution removes the burden of deception from the user and requires the mobile operator to conceal the identity of the user from the service provider (Konidala et al.). The MO is charged with the duty of selecting, identifying, and authenticating genuine service providers and maintaining a list of the services they provide at a particular location, relieving the user of this trouble and perhaps letting the mobile operator make a small profit off the service (Konidala et al.).
This final method is clearly the most effective and simplest to enforce legally, maintaining all the benefits of location-based services while still protecting the user’s privacy. Perhaps incorporating encryption into the sending of information to the MO would be beneficial as well, protecting the user on the off chance the data was intercepted before being sent to the SP. This small modification to the technique would still provide all the services involved in the location-based technologies, yet protect the user’s privacy even more effectively from embarrassing correlation, governmental abuse, or interception. LBS would become similar to data plans, which are already available on iPhones and Blackberrys. The MO (a network like AT&T or Verizon) would charge some flat rate per month to act as middleman with various location-based service providers, and privacy legislation would have a single target, making it easier for laws regarding privacy to be enacted and enforced. Users already have to trust their MO, because it stores call logs, user information, and often credit card numbers where it bills monthly minutes. With all of this trust consolidated, strict “security and privacy policies imposed by the law” (Konidala et al.) can be designed and implemented to protect the user. This method prevents MOs from collecting and using the customer’s data illegally. Since effective laws are already in place for phone records regarding mobile operators, it would be simple to extend them to location data as well.
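The contrast between cloaking and the trust-based model comes down to which party learns what. The following is an added information-flow model, not the protocol from Konidala et al. or Zimmermann, Chen, and Ku: each party records every message it receives, cloaking sends the user’s identity with a city-level location straight to the provider, and the trust-based flow sends the exact location through the mobile operator under a fresh pseudonym, with the operator refusing providers that are not on its vetted list. Party names, the intersection-to-city map, and the encryption of the phone-to-MO link (left out of the model) are assumptions.

```python
"""Who learns the identity and who learns the exact location under the
cloaking and trust-based architectures.  Constructed illustration only.
"""
import secrets

# Assumed: exact locations are intersections; cloaking generalises them
# to the city, which is the only granularity a cloaked request carries.
CITY_OF = {"5th and Main": "Seattle", "Pike and 1st": "Seattle",
           "Broadway and 4th": "Portland"}


class Party:
    """Any participant; `seen` is every message it was sent."""

    def __init__(self, name):
        self.name = name
        self.seen = []

    def receive(self, msg):
        self.seen.append(dict(msg))


class ServiceProvider(Party):
    def directions(self, msg):
        self.receive(msg)
        # The provider answers for whatever it was given; a cloaked
        # request only names the city, so the answer is just as coarse.
        return f"route from {msg['from']} to {msg['to']}"


class MobileOperator(Party):
    """Trusted relay: keeps the identity, forwards only the location."""

    def __init__(self, name, trusted_sps):
        super().__init__(name)
        self.trusted_sps = trusted_sps  # assumed: operator's vetted list

    def relay(self, msg, sp):
        self.receive(msg)
        if sp.name not in self.trusted_sps:
            raise PermissionError(f"{sp.name} is not a vetted provider")
        anon = {"from": msg["from"], "to": msg["to"],
                "pseudonym": secrets.token_hex(8)}  # fresh per query
        return sp.directions(anon)


def cloaking_flow(user, origin, dest, sp):
    """Identity travels to the SP; only the location is blurred."""
    msg = {"user": user, "from": CITY_OF[origin], "to": CITY_OF[dest]}
    return sp.directions(msg)


def trust_based_flow(user, origin, dest, mo, sp):
    """Exact location travels, but only the MO ever sees the identity."""
    msg = {"user": user, "from": origin, "to": dest}
    return mo.relay(msg, sp)


def who_learned_identity(parties, user):
    """Names of parties whose received messages name the user."""
    return sorted(p.name for p in parties
                  if any(m.get("user") == user for m in p.seen))


def run(user="alice", origin="5th and Main", dest="Pike and 1st"):
    """Execute both flows with separate providers and report the exposure."""
    sp_c = ServiceProvider("maps-sp")
    cloaked = cloaking_flow(user, origin, dest, sp_c)
    sp_t = ServiceProvider("maps-sp")
    mo = MobileOperator("mo", trusted_sps={"maps-sp"})
    exact = trust_based_flow(user, origin, dest, mo, sp_t)
    return {
        "cloaked_answer": cloaked,                # route from Seattle to Seattle
        "cloaked_identity_seen_by": who_learned_identity([sp_c], user),
        "exact_answer": exact,                    # route from 5th and Main to Pike and 1st
        "exact_identity_seen_by": who_learned_identity([mo, sp_t], user),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```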
While this solution offers many improvements, it doesn’t protect users from taking advantage of the technology to dominate subordinates. This particular scenario is nearly impossible to address with any privacy-protection method because of the thin line between legitimate uses such as taking care of a sick or old relative, and controlling uses such as abusive relationships. Despite this serious flaw in current solutions, making progress toward preserving privacy is more important than eliminating all misuses in a single effort. Indeed, this imperfection makes it even more vital to develop strict laws regarding privacy protection.
In order to support an effective solution, consumers must be proactive about their privacy protection. Technical designers should take privacy into account, designing their devices to incorporate privacy safeguards. While it would be ideal if consumers would recognize the value of privacy and individually ensure its protection, it is unreasonable to assume that they have the time and motivation to do so. Instead, they could articulate these values to their political representatives in order to ensure that privacy is preserved. Currently, location records are shielded from governmental abuse by the Privacy Act and from corporate misuse by the Fair Information Practice Principles (Abelson, Ledeen, and Lewis 65), but further legislation to clarify that mobile operators would be required to use the location information for only the specified purposes, and preferably delete the data stores monthly or weekly in order to preserve user privacy, would be ideal. Despite these laws and agreements, “privacy has been legislated inconsistently and confusingly” in America (Abelson, Ledeen, and Lewis). It is often unclear who has to follow privacy laws and what information is considered private. The value of privacy is essential to democracy; the question is whether politicians, consumers, and marketers can agree on what should be considered private. Fortunately, with a simple method of protecting privacy, concentrated securely into one mobile operator instead of a variety of service providers, perhaps the current confusion can be organized and, with both service and privacy protected, America can finally accept the true wonders of the 21st century.
Based on qualities like usability, security, and simplicity, the trust-based model with an initial encryption is plainly the most effective method of privacy protection in location-based services. This method is straightforward, functional, and doesn’t diminish any of the benefits of location-based services for consumers and corporations. Marketers might feel that protecting the user’s privacy is not in their best interest, as they can use the personal information to discover exactly who their customers are and market them more effectively. However, Facebook is a good example where marketers can choose a category of people to show an advertisement and Facebook itself will actually calculate which users to display it to. This maintains advertising benefits while still letting the MO protect privacy. By balancing each of the major stakeholder’s values, this solution proves itself exceptionally effective.
This essay has detailed why privacy is important when dealing with location-based services and offered a feasible solution to protect it while preserving many of the benefits. As such, it is a call to action for consumers who have been previously unalarmed about their unprotected use of location-based services, and also for the designers of location-based technology. Consumers can use this information to lobby their political representatives, helping develop detailed laws protecting privacy from location-based services. Inventors can learn to specifically design their technology, be it hardware or software, to handle location data in a way that preserves privacy. With the trust-based encryption model as their guiding example, consumers and technical designers can use their newly reawakened value of privacy to inspire innovative technology and laws that protect privacy.
Bibliography:
- Abelson, Hal, Ken Ledeen, and Harry Lewis. “Blown to Bits.” Boston: Addison-Wesley, 2008. 19-72.
- Ardagna, Claudio Agostino, Marco Cremonini, and Gabriele Gianini. “Landscape-aware location-privacy protection in location-based services.” Journal of Systems Architecture, 4/2009: 243-254.
- Congress. “The Bill of Rights.” 1789. <http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html>
- Dobson, J.E. and P.F. Fisher. “Geoslavery.” IEEE Technology and Society Magazine, 2003: 47-52.
- GPS Police Inc. “Applications.” 2009. <http://www.gpspolice.com/applications/>
- Granneman, Scott. “RFID Chips Are Here.” Security Focus, 6/26/2003. <http://www.securityfocus.com/columnists/169>
- Jendricke, U., M. Kreutzer, and A. Zugenmaier. “Pervasive Privacy with Identity Management.” UBICOMP 2002.
- Kidof, Hidetoshi, Yutaka Yanagisawa, and Tetsuji Satoh. “An Anonymous Communication Technique using Dummies for Location-based Services.” Graduate School of Information Science & Technology, Osaka University, Japan, 6/2009: 159-182.
- Klaassen, Abbey. “Places, please: Location changes digital marketing.” Advertising Age, 9/14/2009: 2-3.
- Konidala, Divyan M., Chan Yeob Yeun, and Kwangjo Kim. “A Secure and Privacy Enhanced Protocol for Location-based Services in Ubiquitous Society.” Cryptology and Information Security Lab, Information and Communications University, 2004: 2164-2168.
- Medford, Cassimir. “Will Location-Based Service Find Itself?” Red Herring, 10/9/2008: 3-3.
- Paul, Ian. “Google Latitude Lets You Track Your Pals.” PC World, Apr 2009: 20-20.
- Samarati, P., S. De Capitani di Vimercati, E. Damiani, M. Cremonini, and C. Ardagna. “Supporting Location-Based Conditions in Access Control Policies.” ASIAN ACM Symposium on Information, Computer and Communications Security, 2006: 212-222.
- Sun, Yan, Thomas F. La Porta, and Parvi Kermani. “A Flexible Privacy-Enhanced Location-Based Services System Framework and Practice.” IEEE Transactions on Mobile Computing, 3/2009: 304-321.
- Supreme Court. “Roe v. Wade.” January 22, 1973. <http://supcourt.ntis.gov/get_case.html?casename=Case%20Name:%20ROE%20V.%20WADE,%20410%20U.S.%20113%20&searchstring=mode=casename&cn_words1=roe&cn_words2=wade>
- Vaughan-Nichols, S.J. “Will Mobile Computing's Future Be Location, Location, Location?” Computer, Feb. 2009: 14-17.
- Zeledon, Max. “Why Social Media Should Welcome Location-Based Services.” BusinessWeek Online, 9/28/2009: 3-3.
- Zimmermann, Roger, Yu Chen, and Wei-Shinn Ku. “Privacy Protected Spatial Query Processing for Advanced Location Based Services.” Wireless Personal Communications, 10/2009: 53-65.