Thursday, July 24, 2008

Location privacy issues

The University of NSW, UNSW School of Surveying and Spatial Information System and Cyberspace Law and Policy Centre, hosted the seminar "You are where you've been", 23rd July 2008 in Sydney. This had researchers, industry and government people discussing the privacy issues with GPS, mobile phones and tracking via IP addresses. This was an excellent introduction to tracking technologies, the privacy issues with them and the legal and other responses to the issues. Such an event would normally cost thousands of dollars and even the lunch was free! ;-)

Ironically I was late for the seminar as I couldn't find it in the new UNSW Law building, which looks like the fractalated set for the The Cabinet of Dr. Caligari. The building has slanted columns, which are a tripping hazard, and no right angles, making finding your way around difficult (but the main lecture theatre has a wonderful window view and a power point to run your laptop at each seat).

Roger Clarke was giving an introduction to the issues of privacy and location tracking as I arrived. He talked about roles and identities. I wasn't too sure that his distinction between the real and abstract was real. He defined privacy as freedom from interference and can't just be legislated for. He criticized the data protection laws and the federal privacy commissioner (the privacy commissioner of Victoria was present).

Some technologies:

* Handheld: PDAs and mobile phones. He pointed out the iPhone as a key current device. He argued that 3G phone networks allowed better tracking than computer type networks. A computer network can track a person to within a few suburbs, whereas a mobile phone can do it to a few tens of metres. Most phones are used by individuals and so allow tracking the person. He discussed how a phone can be located but left out enhanced GPS which allows tracking of a phone quickly down to mm.

* Vehicles: Automatic number plate recognition (ANPR) can be used to record car number plates and so track the car (M7 Sydney Electronic Toll Road). RIFD tags can also be used to monitor cars, such as those used on motorways (Roger described it as "Passive"). He points out that this is useful for user pays parking, roads and the like. He pointed out that all vehicle details are captured and kept indefinitely not just ones failing to pay for the time they don't pay for. Police are also implementing ANPR for traffic administration and enforcement.

* People: Roger condemned the health department's policy to electronically tag dementia patients.

Helen Versey, Victorian Privacy Commissioner on "Location Privacy : Privacy regulator's perspective": She pointed out the value as well as the problems of location technology. But then argued how privacy is one of the fundamental human rights. CrimTrac might undermine state privacy legislation with federal law. The commissioner claimed that Victoria has few cameras and ANPR is at an early stage. However, the traffic authority has an extensive network of cameras to monitor traffic. This network could be easily interfaced to an ANPR system to record all number plates detected on all cameras all the time.

One question I had was the effect that open access to government information would have for privacy. There is a Victorian Parliament inquiry into open access. On the face of it, government providing information about what it is doing is a good thing. But how do you check for private information?

Rob Nicholls "Hic et nunc: Provision of location based services to law enforcement agencies": Looked at federal legislation. He argued that the Telecommunications, Privacy and Spam Acts worked well together. Telcos fall within the privacy principles and so location services are likely to fall within this. A 2007 telco act amendment explicitly identifies location information from mobiles as private.

Rob invited questions so I asked how much of an obligation there was on the telco to ensure their system protects privacy. He said that there was a strong obligation, as directors were likely to go to jail. The example I and in mind was when Vodafone Greece's system was hacked allowing phones to be bugged.

Rob argued that "active" location services imply the customer gives consent to have their location known. The example given was to request the location of the nearest ATM. He argued that this requires the customer to provide their location. This is not strictly true. A system could provide the location to a third party who found the nearest ATM. Also only an approximate location could be given. The phone could then be sent a list of near ATMs and the system could pick the nearest. This might actually be a more useful service for the user, as they could select from the range of nearby ATMs.

Ron then moved on to location based information and law enforcement. He argued that Australia has moved away from international norms for privacy. It took me a while to work out that this was a criticism. Australian law allows law enforcement access to vaguely defined "telecommunications data", which essentially includes everything except the actual call, email or file content. The request can come from a public servant, a judge is not needed. This includes ISPs as well as telcos. Carriers are required to be able to intercept the data if a warrant is issued.

I asked if the requests which senior public servants make for metadta have to be in a particular form. Rob said this could be something like a fax with a scanned signature. So I could imagine a system where the requests are sent semi-automatically, allowing one person to issue thousands of requests a day.

Lyn Moore: Location Privacy: Telstra's Perspective: Customers must opt in to location services and can change the services they subscribe to. A WAP gateway is used to interface to service providers suing the location information. The service providers have to agree to privacy conditions for use of the location information. OMA Mobile Location Service standards are used for implementation. OMA MLP and OMA Location Privacy Checking Protocol. The telephone number is mapped to a userid. A location id is used to identify the location. Details are only stored for 20 minutes. In this way it is claimed that the service provider therefore does not know where you are. This was a refreshingly straightforward presentation (unlike usual Telstra ones).

I asked if the service provider could use a cookie to identify the subscriber and then match that with their position. The reply was that this is prohibited under the the service provider conditions.

David Vaile, Google Street View: Need to look at street view in relation to other Google services. Google have been reluctant to engage on privacy issues, apart from asserting they were trying to not be evil. Google being US based as a different view of privacy to most of the world. Local Google staff have more understanding of Australian/European issues.

Matt Duckham: Obfuscation: Location privacy protection through spatial information hiding: Discussed how the technology works and how locations can be made approximate to protect privacy while providing services.

Dan Svantesson: Geoidentification - " A serious threat to your location privacy on the Internet?": A very approximate geo-location, to country, based on IP address is used by major web providers. This is used to limit access to content for licensing reasons, target advertising or content. Even at this level there are implications for privacy. The Antipiratbyran case (Sweden 2006) suggests that court will consider IP addresses are personal information. Go-location tests suggest country level accuracy at 99.9% and at state level of 95%. But these are US figures and it might be a lot harder for other countries. A French Yahoo auction case suggested an accuracy of 70%. Anonomisers can be used to hide the IP address of users. GeoBytes are an Australian based geo-location provider.

M.G. Michael: A research note on ethics in the emerging age of Überveillance: MG was suffering from jet lag and so this was not the best presentation of the day. He showed some advertisement and news report videos about surveillance, which would have suited an industry conference more than a scholarly seminar. He emphasized the term "Uberveillance", but without explaining it . Later I found he had authored several works on Uberveillance. With this and other material in the presentation MG seems to have assumed the audience would be familiar with the work. This was a problem for me, and I suspect others in the audience from diverse backgrounds. As a result there is a risk of such a presentation appearing to be shallow MG needed spend some time on the background of his previous work, to provide context.

Otherwise there is a danger of such presentations looking like one by an impersonator I once attended at the IFIP conference dinner. The comedian had been supplied with a set of ICT buzz words and names of industry people to mention. For several minutes they were able to fool a room full of ICT experts that they were an industry expert. Since then I have been wary of any presentation with too many glib terms:
The Congress dinner, held in Parliament House in Canberra, was one of the week's highlights. The speaker, introduced as Dr. Lawrence Tibbs, Associate Director for Technology and advisor to the President and Vice-President of the U.S., gave a lively and very humorous talk. He addressed the audience as, "Ladies, gentlemen, and Australians." He stated, "You can tell an American IT expert ... but you can't tell him much." Although most of the attendees were amused, some were upset or surprised at his lack of diplomacy. After his talk, which had some thoughtful moments, he removed his hairpiece and revealed himself as Mr. Campbell McComas, a professional comedian, who fooled virtually everyone in the audience.

From: IFIP NEWSLETTER, IFIP December 1996
Usman Iqbal: Privacy-aware telematics technologies - GPS enabled insurance and social issues: Usman presented an interesting and well researched presentation about the privacy issues of insurance. The idea is that the car insurance company would charge based on how far you drove and where you drove (tried by Norwich Union with a system called PAYD). The more km traveled and the more dangerous the road, the more the insurance costs. The catch is that this requires the insurance company to be provided with location information for the car. Usman carried out research using a GPS device in a student's car and then seeing what inferences could be drawn. He then looked at if it would be possible to design a system which do not reveal location to the insurance company. The solution proposed was to have the insurance calculation carried out by a computer in the car.

The example given considered the number of km driven on different roads. Would a simpler system which just reports what suburb the car is usually parked in do just as well? Car insurance companies use the suburb already for measuring location.

This suggests an interesting possibility to take into account insurance cost when planning a trip. This could be by a trip planner (such as Google Maps) or an on-board navigation system plots a route. It might also be amusing to consider having the safety of other drivers on the road taken into account and having the car tell you to avoid dangerous drivers. Also a simpler example would be to apply this to household insurance. It would be very simple to detect when someone is home and use that to determine their home and contents insurance.

It would also be interesting to apply such a system to an individual. Their smart phone could track them and have their personal insurance adjusted accordingly.

Usman also surveyed drivers and found that sports car drivers were prepared to pay more for insurance in return for anonymity. Females were more interested in privacy.

Panel: There was an interesting discussion of EU versus USA developed privacy standards. I asked the panel if they were worried by the rise of China resulting in a downplaying of personal privacy in technical standards. The panel was skeptical of technological determinism.

One question I wanted to ask all the presenters was if privacy only applied to individual natural people. One presenter commented that an IP address might only identify what family was using a computer, not an individual and therefore is not a privacy issue. But do not families and other groups have a right to privacy? Why shouldn't non-natural people, such as a community group, have a right to privacy?