Locational Privacy: The EFF Weighs in on Safeguarding Your Location


Increasingly, our devices know where we are and are able to share that information. This trend will enable many new services, but at the same time it puts both the consumer and the service provider at risk. The consumer is at risk of their “future self” forgetting that they are being tracked, so that their location gets recorded unintentionally. The company is put at risk simply by storing this data: if it holds user data, that data is subject to subpoena or unintentional release.

The EFF has weighed in on this trend with a timely whitepaper: On Location Privacy and How to Avoid Losing It Forever. The paper includes a number of scenarios with actionable solutions and a number of reasons why companies should care. The scenarios are:

Anonymous payment and credentials – Many toll roads use electronic transponders to collect payment from drivers. These systems are not necessarily designed with the driver’s privacy in mind. This Boston Globe article from 2007(!) talks of EZ-Pass records being subpoenaed in a case (there are many other articles on Google, some going back as far as 1997). The EFF suggests letting users pay with an anonymous and encrypted form of electronic cash (ecash). This still allows the service provider to track traffic flow and estimate revenue in real time, while protecting its users. For those working on mobile payments or with sensors, this is a scenario (and potential solution) to pay attention to. If you need to make sure that only certain people can gain access, then you may need to use anonymous credentials to preserve locational privacy.
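To make the ecash idea concrete, here is an added example (not code from the EFF paper or from any toll operator) of a Chaum-style blind-signature toll token. The issuer signs a blinded serial number and bills the driver's account; the gantry later verifies the unblinded signature and rejects double-spends, but the serial it sees was never visible to the issuer, so the two records cannot be linked. The operator still gets an exact count of tolls collected. Stdlib only; the RSA key is demo-sized, and the hash-then-sign step and the simple serial format are assumptions made for the example.

```python
"""Blind-signature toll tokens (demo): unlinkable payment with revenue counting."""
import hashlib
import math
import secrets

E = 65537  # public exponent


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_issuer_key(bits: int = 512):
    """RSA key for the token issuer. Demo-sized; a real system uses 2048+ bits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return p * q, E, pow(E, -1, phi)


def _digest(serial: bytes, n: int) -> int:
    # hash-then-sign; a 256-bit digest is always below a 512-bit modulus
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n


class Issuer:
    """Sells tokens. Sees account ids and blinded values, never the serials."""

    def __init__(self):
        self.n, self.e, self._d = make_issuer_key()
        self.charged = []      # accounts billed, one entry per token
        self.seen_blinded = []  # everything the issuer ever signed

    def sign_blinded(self, account: str, blinded: int) -> int:
        self.charged.append(account)
        self.seen_blinded.append(blinded)
        return pow(blinded, self._d, self.n)


class Driver:
    def __init__(self, account: str, issuer: Issuer):
        self.account, self.issuer = account, issuer

    def withdraw_token(self):
        """Blind a fresh serial, get it signed, unblind: (serial, signature)."""
        n, e = self.issuer.n, self.issuer.e
        serial = secrets.token_bytes(16)
        while True:
            r = secrets.randbelow(n - 2) + 2
            if math.gcd(r, n) == 1:
                break
        blinded = (_digest(serial, n) * pow(r, e, n)) % n
        blind_sig = self.issuer.sign_blinded(self.account, blinded)
        return serial, (blind_sig * pow(r, -1, n)) % n  # = H(serial)^d mod n


class TollGantry:
    """Accepts tokens offline; stores only spent serials, no identities."""

    def __init__(self, n: int, e: int):
        self.n, self.e, self.spent, self.revenue = n, e, set(), 0

    def accept(self, serial: bytes, sig: int) -> bool:
        if pow(sig, self.e, self.n) != _digest(serial, self.n):
            return False  # not signed by the issuer
        if serial in self.spent:
            return False  # double spend
        self.spent.add(serial)
        self.revenue += 1
        return True


def run_demo():
    issuer = Issuer()
    gantry = TollGantry(issuer.n, issuer.e)
    frank = Driver("frank", issuer)
    t1, t2 = frank.withdraw_token(), frank.withdraw_token()
    results = [gantry.accept(*t1), gantry.accept(*t2), gantry.accept(*t1)]
    # the issuer never saw either serial, only the blinded values
    linkable = any(_digest(s, issuer.n) in issuer.seen_blinded for s, _ in (t1, t2))
    return results, gantry.revenue, issuer.charged, linkable
```

The gantry's record is a set of spent serials plus a revenue counter, which is exactly the data the operator needs for flow and revenue estimates and nothing that ties a passage to a person.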

Location-based search – Often when a user does a search from their cellphone, they are identified along with their location and their query. The user “needs” to be identified so that any personal information can be shared. The EFF correctly depicts this interaction as follows:

“This is Frank’s Nokia here. I see the following five WiFi networks with the following five signal strengths”. The service replies “okay, that means you’re at the corner of 5th and Main in Springfield”. Then your device replies, “What burger joints are nearby? Are any of Frank’s friends hanging out nearby?”.

This is something that all of us with smartphones (who use Loopt, Brightkite, Twitter, or use Find My iPhone to update Latitude) are doing multiple times a day. An alternative would be to have the phone send its location and query anonymously. The service would return the results along with a set of encrypted data for that location. If any of it is aimed at the user, they will be able to decrypt it. The EFF depicts this interaction as follows:

“Hi, this is a mobile device here. Here is a cryptographic proof that I have an account on your service and I’m not a spammer. I see the following five wireless networks.” The service replies “okay, that means you’re at the corner of 5th and Main in Springfield. Here is a big list of encrypted information about things that are nearby”. If any of that encrypted information is a note from one of Frank’s friends, saying “hey, I’m here”, then his Nokia will be able to read it. If he likes, he can also say “hey, here’s an encrypted note to post for other people who are nearby”. If any of them are his friends, they’ll be able to read it.

The company still gets anonymized location data and the query, while delivering the same features. The problem with this scenario is that the web (and mobile in particular) favors speed. If a mobile service added several seconds to send down an encrypted payload that is much larger than needed, that service would lose users (or never gain them). The mobile handsets and networks that most of us are using now are too limited to handle anything more than the bare minimum.
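The following is an added example (not the EFF's code, and not any real service's) of the second exchange above: the service maps the observed Wi-Fi networks to a location cell and stores notes for that cell as opaque blobs, and a handset downloads every blob at its cell and keeps only those it can authenticate with a key shared with a friend. It also returns the number of bytes downloaded, which is the payload-size cost discussed above. Assumptions: friends have already exchanged pairwise keys out of band; the "proof I have an account" step is a plain one-time token rather than a real anonymous credential; the cipher is HMAC-SHA256 in counter mode with an HMAC tag, chosen only so the example runs with the standard library.

```python
"""Encrypted nearby-notes over anonymous location queries (demo)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(shared_key: bytes):
    # separate encryption and MAC keys derived from the pairwise key
    enc = hmac.new(shared_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal_note(shared_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(shared_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def open_note(shared_key: bytes, blob: bytes):
    """Plaintext if the tag verifies under this key, else None (not for me)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc, mac = _subkeys(shared_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class LocationService:
    """Stores (cell -> opaque blobs). It never learns who posted or who asked."""

    def __init__(self):
        self._notes = defaultdict(list)
        self._tokens = set()

    def issue_token(self) -> str:
        # Stand-in for the account proof; a real deployment would use an anonymous
        # credential so even issuance cannot be linked to later queries (assumption).
        t = secrets.token_hex(16)
        self._tokens.add(t)
        return t

    def resolve_cell(self, bssids) -> str:
        # Wi-Fi positioning stand-in: any deterministic map from seen networks to a cell
        return hashlib.sha256(",".join(sorted(bssids)).encode()).hexdigest()[:8]

    def post(self, token: str, bssids, blob: bytes) -> None:
        if token not in self._tokens:
            raise PermissionError("no account proof")
        self._notes[self.resolve_cell(bssids)].append(blob)

    def query(self, token: str, bssids):
        if token not in self._tokens:
            raise PermissionError("no account proof")
        cell = self.resolve_cell(bssids)
        return cell, list(self._notes[cell])


class Handset:
    def __init__(self, service: LocationService, friend_keys: dict):
        self.service, self.friend_keys = service, friend_keys  # friend -> shared key
        self.token = service.issue_token()

    def leave_note(self, bssids, friend: str, text: str) -> None:
        self.service.post(self.token, bssids, seal_note(self.friend_keys[friend], text.encode()))

    def whats_nearby(self, bssids):
        """Returns ([(friend, text)], bytes_downloaded): try every blob with every friend key."""
        _cell, blobs = self.service.query(self.token, bssids)
        found = []
        for blob in blobs:
            for friend, key in self.friend_keys.items():
                pt = open_note(key, blob)
                if pt is not None:
                    found.append((friend, pt.decode()))
                    break
        return found, sum(len(b) for b in blobs)


def run_demo():
    svc = LocationService()
    k_frank_alice, k_bob_carol = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed
    frank = Handset(svc, {"alice": k_frank_alice})
    alice = Handset(svc, {"frank": k_frank_alice})
    bob = Handset(svc, {"carol": k_bob_carol})
    corner = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]  # constructed BSSIDs
    alice.leave_note(corner, "frank", "hey, I'm here")
    bob.leave_note(corner, "carol", "table by the window")
    return frank.whats_nearby(corner)
```

Frank reads Alice's note and cannot read Bob's, and the service holds only a cell id and blobs it cannot open. The bytes-downloaded figure grows with every note at the cell whether or not it is for this user, which is the bandwidth cost the text warns about; a further cost not shown is CPU, since the handset tries each blob against each friend key.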

What’s the value of locational privacy to a service?

If a service provider never receives location data, the EFF points out, that company is potentially giving itself a competitive advantage. If you don’t log it, then you can’t be subpoenaed to provide that user data, and you (probably) won’t ever inadvertently reveal someone’s location. The EFF is correct: not having to answer subpoenas saves companies money, and not having a well-publicized privacy debacle is priceless.

The paper also points out that people are becoming increasingly cognizant of privacy issues and that you can champion privacy as a selling point. I am not sure that I buy this argument completely. I think that quite often people don’t realize their location and identity are being recorded. So though there may be increasing awareness, it’s not a selling point that will get a company much right now. Based on the adoption of social location services, I think that people are more concerned with how their location is shared with other people on and off the service than whether it is logged at all.

When considering these solutions, we need to take into account what the impact on the user experience will be. If a solution requires too much extra work on the user’s part, or is not very transparent, then it may end up killing the product before it starts. I fear that the encrypted payload used to anonymize local search would hamper any mobile service that tried it, given our current set of handsets and networks (at least in the US).

Personally, I am a fan of sharing (and in some cases storing) my location data with a limited set of third-party services. However, the services that exist right now are lacking. They do not necessarily make it clear how long they will keep the data or how it will be shared with others. I often do not have the ability to delete my data from a service. I want to share my location (within bounds) and I pay attention to when I do so, but I do fear that my future self will forget, and I think that service providers have a responsibility to protect their users from themselves.

(Disclosure: I am a member of the EFF and Tim is a former Board Member)
