Locational Privacy: The EFF Weighs in on Safeguarding Your Location


Increasingly our devices know where we are and are able to share that information. This trend will enable many new services, but at the same time it puts both the consumer and the service provider at risk. The consumer is at risk of their “future self” forgetting that they are being tracked and having their location recorded unintentionally. The company is put at risk just by storing the data: once it holds user location records, they are subject to subpoena and to accidental disclosure.

The EFF has weighed in on this trend with a timely whitepaper: On Locational Privacy, and How to Avoid Losing It Forever. The paper includes a number of scenarios with actionable solutions and a number of reasons why companies should care. The scenarios are:

Anonymous payment and credentials – Many toll roads use electronic transponders to extract payment from drivers. These systems are not necessarily designed with the driver’s privacy in mind: the transponder ID is tied to a billing account, so every toll read is an identified, timestamped location record. This Boston Globe article from 2007(!) talks of EZ-Pass records being subpoenaed in a case (there are many other articles on Google, some going back as far as 1997). The EFF suggests letting users pay with an anonymous, encrypted form of electronic cash (ecash). This still lets the service provider track traffic flow and estimate revenue in real time, while protecting its users. For those working on mobile payments or with sensors this is a scenario (and potential solution) to pay attention to. If you need to make sure that only certain people can gain access, then you may need anonymous credentials: they let a user prove an entitlement, such as a valid subscription, without revealing which account it belongs to, which is what preserves locational privacy.
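The ecash idea in that scenario is concrete enough to show in code. What follows is an added example written for this post, not the EFF’s code and not any toll operator’s: a toy of Chaum’s blind RSA signature, the construction behind classic ecash. The driver picks a random serial, blinds its hash with a random factor and has the operator sign the blinded value after taking payment; unblinding yields a valid signature on a serial the operator has never seen, so a gate can verify the token and refuse double-spends while the operator cannot tie the spend back to the purchase. The operator and gate roles, the 512-bit toy modulus and the plain hash-and-sign padding are assumptions for illustration; a real deployment would use a full-size key, a proper padding scheme and a reviewed library rather than this hand-rolled arithmetic.

```python
import hashlib
import math
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin; adequate for a demo key, not a hardened prime generator.
    if n < 2:
        return False
    if any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def rsa_keygen(bits: int = 512):
    # Toy modulus size (assumption) so the demo runs quickly; use 2048+ bits in practice.
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), pow(e, -1, phi)


def _hash_to_int(serial: bytes, n: int) -> int:
    # Plain hash-and-sign; a real scheme needs full-domain-hash or PSS-style padding.
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n


class TollOperator:
    """Sells tokens (the 'bank' role) and only ever sees blinded values."""

    def __init__(self, bits: int = 512):
        self.pub, self._d = rsa_keygen(bits)
        self.issued_blinded = []  # the most the operator can log about a purchase

    def sign_blinded(self, blinded: int) -> int:
        # Payment is collected here; `blinded` never links to the token spent later.
        self.issued_blinded.append(blinded)
        return pow(blinded, self._d, self.pub[0])


class Driver:
    def __init__(self, pub):
        self.pub = pub

    def buy_token(self, operator: TollOperator):
        n, e = self.pub
        serial = secrets.token_bytes(16)        # random, never shown to the operator
        m = _hash_to_int(serial, n)
        while True:
            r = secrets.randbelow(n - 2) + 2    # blinding factor, must be invertible mod n
            if math.gcd(r, n) == 1:
                break
        s_blind = operator.sign_blinded((m * pow(r, e, n)) % n)
        sig = (s_blind * pow(r, -1, n)) % n     # unblind: (m * r^e)^d / r = m^d mod n
        return serial, sig


class TollGate:
    """Checks tokens with the operator's public key; no account lookup needed."""

    def __init__(self, pub):
        self.pub = pub
        self.spent = set()

    def accept(self, serial: bytes, sig: int) -> bool:
        n, e = self.pub
        if pow(sig, e, n) != _hash_to_int(serial, n):
            return False                         # forged or corrupted token
        if serial in self.spent:
            return False                         # replayed (double-spent) token
        self.spent.add(serial)
        return True


def run_demo():
    """Purchase, pass the gate once, get refused on replay, check unlinkability."""
    operator = TollOperator()
    driver, gate = Driver(operator.pub), TollGate(operator.pub)
    serial, sig = driver.buy_token(operator)
    first, replay = gate.accept(serial, sig), gate.accept(serial, sig)
    linkable = _hash_to_int(serial, operator.pub[0]) in operator.issued_blinded
    return first, replay, linkable  # (True, False, False)
```

Two points worth noticing. The operator’s log holds only blinded values, so even a subpoena for its purchase records cannot produce a driver-to-gate trail, which is exactly the “nothing to hand over” benefit the post returns to later. And the gate still gets an honest traffic count and revenue estimate in real time, since every accepted token is one paid crossing; what it loses is only the identity attached to each crossing.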

Location-based search – Often when a user does a search from their cellphone, the request carries their identity along with their location and their query. The user “needs” to be identified so that personal information (which friends are nearby, for instance) can be returned. The EFF correctly depicts this interaction as such:

“This is Frank’s Nokia here. I see the following five WiFi networks with the following five signal strengths”. The service replies “okay, that means you’re at the corner of 5th and Main in Springfield”. Then your device replies, “What burger joints are nearby? Are any of Frank’s friends hanging out nearby?”.

This is something that all of us with smartphones (and who use Loopt, Brightkite, Twitter, or use Find My iPhone to update Latitude) are doing multiple times a day. An alternative is to have the phone send its location and query anonymously, proving only that it holds an account. The service returns the results along with a set of encrypted data for that location; if any of it is addressed to the user, only their device can decrypt it. The EFF depicts this interaction as such:

“Hi, this is a mobile device here. Here is a cryptographic proof that I have an account on your service and I’m not a spammer. I see the following five wireless networks.” The service replies “okay, that means you’re at the corner of 5th and Main in Springfield. Here is a big list of encrypted information about things that are nearby”. If any of that encrypted information is a note from one of Frank’s friends, saying “hey, I’m here”, then his Nokia will be able to read it. If he likes, he can also say “hey, here’s an encrypted note to post for other people who are nearby”. If any of them are his friends, they’ll be able to read it.

The company still gets anonymized location data and the query, while delivering the same features. The problem with this scenario is that the web (and mobile in particular) favors speed. If a mobile service adds several seconds to send down an encrypted payload that is much larger than the user needs (every encrypted item for that location, not just the ones addressed to this user), that service will lose users (or never gain them). The mobile handsets and networks that most of us are using now are too limited to handle anything more than the bare minimum.
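The exchange the EFF describes, as an added example written for this post rather than code from the EFF or from any of the services mentioned. The service maps a Wi-Fi scan to a cell and stores only opaque blobs per cell; friends share pairwise symmetric keys, so a note is sealed once per friend and each handset tries its own keys against everything it gets back. Several pieces are stand-ins and should be read as assumptions: the account proof is a placeholder constant where a blind-signed token would go, the cell lookup is a hash of the BSSIDs seen rather than a real access-point database, and sealing uses an HMAC-based stream cipher with an HMAC tag, built only from the standard library, where a real system would use an AEAD such as AES-GCM or a NaCl box. The third value `check_in` returns is the number of bytes pulled down, which is the cost the previous paragraph worries about.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(shared: bytes, label: bytes) -> bytes:
    return hmac.new(shared, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher (demo only; use an AEAD in practice).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal_note(shared: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a key shared by exactly two friends."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(shared, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(shared, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_note(shared: bytes, blob: bytes):
    """Return the plaintext if `blob` was sealed under `shared`, else None."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(shared, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None  # wrong key or tampered blob: silently not ours
    ks = _keystream(_subkey(shared, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class LocationService:
    """Provider side: resolves scans to a cell, stores and returns opaque blobs."""

    def __init__(self):
        self.posts = {}   # cell -> list of blobs; no identities anywhere
        self.log = []     # everything this design lets the provider record

    def locate(self, wifi_scan) -> str:
        # Stand-in (assumption) for a real AP database: cell id derived from BSSIDs seen.
        bssids = sorted(bssid for bssid, _rssi in wifi_scan)
        return hashlib.sha256(",".join(bssids).encode()).hexdigest()[:8]

    def query(self, account_proof: bytes, wifi_scan):
        if not account_proof:
            raise PermissionError("no proof of account")
        cell = self.locate(wifi_scan)
        self.log.append(("query", cell))
        return cell, list(self.posts.get(cell, []))

    def post(self, account_proof: bytes, cell: str, blob: bytes) -> None:
        if not account_proof:
            raise PermissionError("no proof of account")
        self.log.append(("post", cell, len(blob)))
        self.posts.setdefault(cell, []).append(blob)


# Placeholder (assumption) for the "cryptographic proof that I have an account".
ACCOUNT_PROOF = b"placeholder-anonymous-credential"


class Handset:
    def __init__(self, name: str, friend_keys: dict):
        self.name = name
        self.friend_keys = friend_keys   # friend name -> pairwise shared key

    def check_in(self, service: LocationService, wifi_scan, note: str):
        """Query anonymously, read what is addressed to us, leave a note for friends."""
        cell, blobs = service.query(ACCOUNT_PROOF, wifi_scan)
        readable = []
        for blob in blobs:
            for friend, key in self.friend_keys.items():
                text = open_note(key, blob)
                if text is not None:
                    readable.append((friend, text.decode()))
                    break
        for key in self.friend_keys.values():
            service.post(ACCOUNT_PROOF, cell, seal_note(key, note.encode()))
        return cell, readable, sum(len(b) for b in blobs)
```

With pairwise keys each note costs one blob per friend, and a handset downloads every blob posted in its cell, including strangers’ notes it can never read; that is the payload growth the previous paragraph describes, and a group key per circle of friends would cut the upload side but not the download side. Network-level identifiers (the client’s IP address, request timing) are outside what this toy models; the service’s own log contains only cells and blob sizes.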

What’s the value of locational privacy to a service?

If a service provider never receives location data, the EFF points out, the company is potentially giving itself a competitive advantage. If you don’t log it then you have nothing to hand over when subpoenaed for that user data, and you (probably) won’t ever inadvertently reveal someone’s location. The EFF is correct: not having to answer subpoenas saves companies money, and not having a well-publicized privacy debacle is priceless.

The paper also points out that people are becoming increasingly cognizant of privacy issues and that you can champion privacy as a selling point. I am not sure that I buy this argument completely. I think that quite often people don’t realize their location and identity are being recorded. So though there may be increasing awareness, it’s not a selling point that will get a company much right now. Based on the adoption of social location services, I think that people are more concerned with how their location is shared with other people on and off the service than whether it is logged at all.

When considering these solutions, we need to take into account the impact on the user experience. If a solution requires too much extra work from the user, or is not transparent to them, it may end up killing the product before it starts. I fear that the encrypted payload used to anonymize local search would hamper any mobile service that tried it, given our current set of handsets and networks (at least in the US).

Personally, I am a fan of sharing (and in some cases storing) my location data with a limited set of third-party services. However, the services that exist right now are lacking. They do not necessarily make it clear how long they will keep the data or how it will be shared with others. I often do not have the ability to delete my data from a service. I want to share my location (within bounds) and I pay attention to when I do so, but I do fear that my future self will forget, and I think that service providers have a responsibility to protect their users from themselves.

(Disclosure: I am a member of the EFF and Tim is a former Board Member)

  • Very good article. Is the situation better in the EU where data privacy is more protected?

  • We just released a free mobile app for Windows Mobile and Blackberry that allows you to send your location (GPS, Cell Tower or Zip code) to any web site of your choosing.

    Our approach to the privacy issue is as follows:

    1. User-controlled whitelist. The data only goes to the domains (www) that you approve and trust.

    2. Every field of data (GPS – lat/long/alt/speed) is individually controlled by the user. So if you want to send just your lat and long and NOT your speed and altitude you can do that. Or you can just send your Zip code.

    The value of real time location data is immense – I don’t believe there is a silver bullet here – you just have to align customer privacy desires with web services who deliver a valuable service to you based on your location.



  • Peter,
    I’m not clear how your solution helps. Sure, I can limit access to my data, but those “trusted” sites have a habit of changing the rules about the data they have already collected, plus they are not going to refuse a warrant requesting the data.
    And what happens if they get hacked?

    The EFF raises an important point about the collection of personal data in the US and the lack of control over its use.

    A good example is the iPhone mapping. I want to have the use of the location to navigate, but that seems to come at a cost that I cannot prevent those locations being stored. Why is the default always “that is the cost of using the technology, if you don’t like it, don’t use it” rather than maintaining my anonymity as the default? If the mail or telephone was just being invented, the new default would be for non-privacy of the service, rather than the privacy we do have (mostly).

    This issue needs to get much more attention at the legislative level.

  • In my opinion: “We are doomed.” Privacy is dead. Get over it.
    Steve Rambam = Last Hope (2600)