LOCATION DATA PRIVACY - GUIDELINES, ASSESSMENT & RECOMMENDATIONS MAY 1, 2013 VERSION 2
© 2013 THE LOCATION FORUM. ALL RIGHTS RESERVED | HTTP://WWW.THELOCATIONFORUM.ORG | +1-770-663-8898
Contributors

PAUL BARRETT, Senior Manager, Accenture Interactive
Paul has extensive experience in marketing, technology, and finance as a strategic consultant with Fortune 100, mid-market and start-up organizations. In his role at Accenture, he is focused on the intersection of location technologies and location intelligence with big data, web analytics, digital advertising, social media and mobile.

ARTHUR BERRILL, Vice President Technology, DMTI Spatial
Arthur Berrill is the Vice President of Technology for Canada’s leading provider of Location Intelligence solutions, DMTI Spatial. Arthur has over 30 years of experience managing the architecture, design and development of enterprise spatial systems. Prior to DMTI, Arthur was with Pitney Bowes Inc. managing the Advanced Concepts and Technology team. Arthur came to Pitney Bowes through the acquisition of MapInfo, where he managed their Advanced Development Department.

GARY GALE, Director Global Community Programs, HERE at Nokia
Gary is an experienced mapping, location and geographic information professional. In his role at Nokia he helps people create maps around the world to suit their needs. He is the co-founder of WhereCamp EU, the conference chair of AGI W3G and sits on the Association for Geographic Information Executive and Council. He is a Fellow of the Royal Geographical Society and a frequent conference speaker.

KIPP JONES, Vice President Products, Skyhook
Kipp oversees the product group at Skyhook. As VP Product, he is deeply engaged in all aspects of the business, customers, policies and technology in the fast moving mobile location and location intelligence markets. Kipp received his BS in Computer Science from the University of Nebraska as well as an MS and ABD in CS from Georgia Tech.

NATASHA LEGER, Editor, LBx Journal; President, The Location Forum
Natasha is Editor of LBx Journal and President of the Location Forum. Natasha is also founder and President of ITF Advisors, LLC, a strategy advisory firm with a focus on communications, media, technology and geospatial companies and the convergence of digital media technologies. Natasha is a strategist with a corporate, legal, and policy background.

DANA LONERGAN, VP Commercial and Legal Affairs, Traxxit
Dana serves as General Counsel and Corporate Secretary for Traxxit, a start-up in the personal and asset tracking market. With significant legal and business experience, he is responsible for office operations in addition to representing clients in Administrative and Court hearings. He also represents Traxxit in numerous professional, civic and community associations.

JIM WARNER, COO, The Location Forum
Jim is the President of The Westport Group, a global innovation and market strategy consultancy, and serves as the Forum’s COO. He has a background in telecom, media and information services as well as managing industry consortia. He is a frequent speaker and writer on business transformation, digital services and cloud computing.

PETER WOODGATE, CEO, Cooperative Research Centre for Spatial Information
Peter is CEO of the Cooperative Research Centre for Spatial Information. He is also Chair of the Global Spatial Network as well as a Member of the International Expert Committee of the Institute of Remote Sensing and Digital Earth. He is a Member of the Executive Committee, International Society for Digital Earth and a Board Member of the Terrestrial Ecosystems Research Network. He serves as a Board member at AUSCOPE and Chairs the Virtual Australia and New Zealand Initiative.

MARLENE ZIOBROWSKI, Senior Data Manager, DMTI Spatial
Marlene is Senior Manager, Data Research and Governance for DMTI Spatial Inc. While engaged in doctoral work at York University, she was a teacher and lecturer. Thereafter, she owned Lucitech Communication, a technical writing and editing business, before becoming Data Director for Mapmobility Corp.

About the Location Forum
The Location Forum is a non-profit, global industry consortium that provides leadership for businesses looking to capitalize on the advantages that location-based services, technologies and applications offer. Our focus on location data privacy, locationomics and location intelligence enables decision makers to better understand how they can apply location strategies across their enterprise. www.thelocationforum.org

The Location Privacy Council is the primary driver behind the Forum’s Location Data Privacy Initiative. The 11-member Council operates in a virtual fashion, hosting monthly Executive Roundtables where members and invited experts discuss, debate and share knowledge on specific aspects of Location Data Privacy.

Disclaimer: The contributors have shared their collective wisdom over their years of experience with location-based technologies, services and applications, and across multiple industry verticals. The opinions referenced are the sole opinions of the contributors and not necessarily the opinions of their current employers.
Table of Contents
5  ABOUT THIS GUIDE
6  EXECUTIVE SUMMARY
12 PART 1 – OVERVIEW: THE STATE OF LOCATION DATA PRIVACY
19 PART 2 – GUIDING PRINCIPLES & CONSIDERATIONS
21 PART 3 – GUIDELINES & RECOMMENDATIONS FOR THE MANAGEMENT OF LOCATION DATA
39 PART 4 – LOCATION DATA PRIVACY RISK & TRANSPARENCY ASSESSMENT
49 APPENDIX – GLOSSARY OF TERMS
About This Guide

Location knowledge varies widely, from some people (and companies) having considerable expertise to others who are just exploring how to apply it in their business, to everything in between. The same variation exists with the topic of privacy as a whole. As such, this Guide was written for as wide an audience as possible. Depending on your background, experience and objectives, you may find certain sections more useful and applicable than others.

These Guidelines were developed for those on the front lines of location data product and services development. They bring attention to critical issues, and provide a framework for developers, managers, marketers, and executives to follow.

If you are an IT professional or Software Developer, these Guidelines will help you to understand the potential risk areas, while the Risk Assessment Scorecard will help you to determine if you have the proper practices in place for effective location data management.

If you are a Marketing professional, these Guidelines will help you to identify risks in your communication and interaction with your customers relative to disclosing how you collect, use, and share location data.

If you are a Product Development Manager, these Guidelines, Risk Assessment, and Transparency recommendations will help you evaluate end-to-end issues and risks that should be considered in rolling out new location-based products and services either internally or in the open market.

If you are an Executive, these Guidelines, Risk Assessment, and Transparency recommendations provide a comprehensive overview of the business, technology, and user issues associated with handling location data.

For additional detail or background, please go to the Location Forum’s online library: www.thelocationforum.org/privacy/materials-documents

Please keep in mind that these Guidelines are also a work in progress, as the technology is constantly evolving.
These Guidelines do not address remote location data collection through traffic and surveillance cameras, facial and gait recognition software and other means where the user is not able to consent to such collection (no ability to opt-in or opt-out). These issues need to be addressed at a broader legal and public policy level.

There is also more work to be done in the areas of transparency, notification, consent, risk profiles and the use of metatags to facilitate the development of automated processes and ensure consistent implementation. These issues will be addressed in the next version of this Guide.
Executive Summary

Location-based services and applications have become more than a technology or feature; they are an integral part of our lives. People define themselves not just by who they are, but where they are. Location data is now everywhere, easily accessible, and collected at an unprecedented scale. In the Information Economy we live in, personal data and similar forms of information are the new currencies. Location data is the universal link between all data, because everything and everyone is somewhere.

For businesses, location information can transform virtually every facet of an enterprise from operations to sales and marketing, to customer care and even product development – all with a goal of having a positive impact on the bottom line. It is therefore rapidly becoming the newest “information weapon” used by CIOs, CMOs, COOs and digital strategists to gain a competitive advantage.

The problem with location data today is that it changes as it weaves through various hands—applications, vendors, developers, government, companies, data providers, and individual users. Another complication is the diversity of legal protections across countries and states that make developing a consistent privacy policy a moving target. All this is set against a business atmosphere of continuous pressure to develop innovative location-based products and services.

The power, benefits, and risks associated with location data are in its capacity to infer more personally identifiable information than the face value of the original information. While consumers and businesses are deriving great value from location-based services, targeted advertising and other applications, significant questions persist around location data privacy. In particular, how is location data being shared and who has access to it?
The Location Data Privacy, Assessment and Guidelines (hereinafter Guidelines) were developed for those on the front lines of location data product and services development, as well as those who hold corporate, legal or fiduciary responsibilities. They bring attention to issues that many organizations and companies have chosen to ignore, due to lack of legal certainty around requirements, and provide a framework of location data practices for developers, managers, marketers, and executives.

Part 1 provides an overview of the current location environment with an emphasis on the complex issues, trends and risks companies must contend with and that ultimately drive the need for these Guidelines.

Part 2 highlights the Guiding Principles underpinning the document.

Part 3 provides specific Recommendations, Policies and Practices that any business can use to reduce risk and potential liability while improving customer communication.

Part 4 builds on Part 3 with a detailed Risk and Transparency Assessment that is used to gauge how well you and your company are implementing these Recommendations.

In short, these Guidelines offer practical, ready-to-implement proactive measures that are ahead of government regulation and the current state of law and policy on the issue of location data privacy, yet in line with market concerns. Companies who embrace these Guidelines will be sending a clear market message to their direct and indirect customers that they take location data seriously, see it as a competitive advantage, and respect the individual user’s right to personal privacy.
Introduction

WHY – THE NEED

Location-based applications are now ubiquitous. Any application, whether for business or consumer purposes, that provides location awareness or location intelligence must use location data that is acquired either directly or indirectly from an individual or organization. As a result, location data privacy is of increasing concern to all involved in the location ecosystem, consumer advocates, and lawmakers.

For the purposes of these Guidelines, location data is any data with an implicit or explicit geographic or geospatial reference, including any data derived from GPS, GIS, cell-tower or other radio signal-based triangulation, assisted-GPS positioning devices, systems and processes, geo-tagged images, video, audio and text documents, satellite and aerial imagery, computerized, digitized and paper maps, IP address location, public documents, public or private databases, video, audio, text and image files, and location-based applications. In short, location data is any form of information that has a geographic position associated with it.

Location data is attached to everything we do as individuals and organizations on a daily basis. Now it can be collected, sliced and diced in a centralized, systematic and scalable fashion. That changes our relationship with location data—especially how we value it… and the value we place on protecting location data privacy.

The importance of location data privacy has increased as an issue due to the scale at which location data is being collected, aggregated, and shared without the individual’s clear understanding of the value of the information, the collection and distribution process, or the ramifications of disclosing location data. Location data privacy is the right to not be subjected to unsanctioned collection, aggregation, distribution or selling of an individual or organization’s location or location profile derived from location data.
It is the ability of an individual, group, or organization to conceal information of their whereabouts, which can be derived from location data - sometimes stated as “the right to be left alone” and not reveal one’s location. For more comprehensive information on location data terms see the Glossary in the Appendix, along with our Executive Guide to Location Data Privacy and Location Data Primer publications.

Location data privacy is in somewhat of a “betwixt and between” situation. It shares many characteristics with other more broad-based data privacy initiatives, but also has some unique characteristics that cause existing privacy efforts to fall short.

Within the location community, most existing privacy activities focus on specific aspects of the problem such as B2C issues or the interests of specific players such as marketers, advertisers, mobile operators or social media site platforms. The B2B dimension has not received the amount of attention of its B2C counterpart.

Much of the location data privacy debate has been dominated by use of location data by mobile devices and applications for location-based services (LBS) and consumer applications. For example, guidelines such as CTIA’s Best Practices and Guidelines for Location-Based Services, GSMA’s Privacy Design Guidelines for Mobile Applications, and MMA’s Mobile Application Privacy Policy Framework all look at privacy within the context of a mobile communications environment. While the mobile dimension has catapulted location data privacy to center stage, it has not painted the complete picture. Mobile-focused guidelines are not comprehensive enough to cover the entire location ecosystem—let alone the pitfalls of location data collection, aggregation, and distribution across the location data value chain.
The implications of location information extend far beyond communications providers, advertisers or any such classification. The location ecosystem comprises a wide range of vendors, service providers and users arranged in complex value or supply chains, who deliver a broad set of consumer and enterprise applications. Figure 1 illustrates the key components of the location ecosystem. These chains are not always neat, linear, hierarchical chains. Instead they act more like a “value web” where data can be shared, exchanged and used in almost endless permutations, making the job of privacy protection even more difficult.

[Figure: THE LOCATION ECOSYSTEM]
FIGURE 1: This location ecosystem demonstrates the various technology, data, and services components involved in delivering location-based solutions to the market. © The Location Forum

In addition, depending on the country or region, there is either an absence of regulations or a number of territorial laws that make doing business across national boundaries burdensome and unpredictable. If progress is to be made in this business-critical area, some degree of common ground has to be found. The distinctions between B2B, B2C and other transactional relationships are not enough to warrant separate approaches or to treat them as unique “silos.” Nor should the problems of a certain type of company or service provider be isolated.
In some cases, finding common ground is simply a matter of language – using the right terminology (e.g. one that resonates with various groups to express the same concept). There is far more commonality than there are differences within the broader data privacy community, and the few differences there are can be handled by exception or some other pragmatic answer.

The Location Forum has boldly stepped forward to bring together several separate, yet related and synergistic approaches to data privacy, specifically location data privacy. This collaboration is in an effort to craft a single, deployable set of policies, practices, guidelines and recommendations for reducing the risk of location data privacy infringement and fostering an atmosphere of trust within enterprises, consumers and policymakers.

PURPOSE

This document fills a critical void in the market. It provides guidance to all the players in the location industry in the hope of clarifying many of the key elements impacting location data privacy. Specifically, it was created to:

- Identify the business issues in location data privacy across B2B, B2C and other environments where location data is exchanged;
- Bring together separate location data privacy efforts by providing a common view and terminology;
- Fill in gaps and add specificity to previous treatments of the topic;
- Serve as a vehicle for engaging with the broader data privacy community;
- Provide awareness and understanding of location information as it relates to privacy rights and concerns;
- Provide pragmatic recommendations for companies and organizations who use location data or are involved in the creation or handling of location data in some manner, with the ultimate goal of mitigating risks of privacy infringement and privacy rights violations while fostering the legitimate and beneficial use of location data; and
- Develop a self-governing location industry framework to deter the imposition of onerous regulations that often have unintended consequences that could dampen innovation.

AUDIENCE

This document is intended for the following:

- Executives and decision makers in companies and organizations who are part of the location data ecosystem by virtue of creating, collecting, acquiring, aggregating or distributing location data, whether they are in the B2B, B2C or other aspect of the value chain;
- Companies and organizations that use location data in some aspect of their business, including internal operations, sales, marketing or other customer-facing activities or in the development of products and services; and
- Public and private sector organizations working to unlock the value of government data, especially those needing guidance on identifying, accessing, and managing location data that is part of open data and open-government initiatives.

While consumers/individuals (end users) of devices such as mobile devices, GPS units, online maps and other location aware services are not a direct audience, they too may find these guidelines and recommendations of benefit.

SCOPE

This document has a very specific purpose:

- It is designed to examine the end-to-end treatment and use of location data, including all the intermediaries in the value chain and all the variations or “mutations” the data might undergo, whether in B2B, B2C or other interactions;
- It is designed to address the business aspects and concerns associated with the privacy implications of handling location data, for example risk management, competitive advantage, and brand management. It is not intended as a technical review of how location data is created, developed, acquired or exchanged; and
- The Risk Assessment Scorecard is designed to assist organizations and professionals in determining potential vulnerabilities in their current practices and procedures relative to the handling of location data.

The intent behind this document is to foster common (standard) business practices in location data management. It is not intended to set public policy, although many of the guidelines and recommendations might prove informative to policymakers.
OBJECTIVES

The Location Forum’s Privacy Council reviewed existing privacy frameworks and was particularly influenced by the following:

- OECD Fair Information Principles
- The Privacy by Design work of Ann Cavoukian, Ph.D., Information & Privacy Commissioner of Ontario, Canada
- The GSMA’s application of Privacy by Design to Mobile Application Development
- The White House Consumer Privacy Bill of Rights
- Sprint’s Risk Utility Model for Sharing of Location Data
- Paul Ohm’s Law Review Article on Broken Promises of Anonymization
In developing these Guidelines, we had several objectives in addition to the Purposes outlined above. Our main objective was to provide a comprehensive perspective reflective of the dynamics of the entire location ecosystem that would reveal a new way to think about and approach location data privacy. We sought to build upon existing guidance, yet offer something fresh and unique to the industry that strikes the balance between managing risk and innovation. This resulted in:

1. Practical and actionable measures that anyone can use to mitigate potential location data privacy infringement. The Guidelines were developed by location professionals who work with location data every day and wrestle regularly with the cross-border differences in privacy regulations. Frustration is probably a kind term to describe how these professionals feel about the current state of location data privacy management. In particular, the risk assessment and Location Privacy Index Scorecard were designed to be easily adopted by managers in their day-to-day workflow of assessing risks and evaluating vendors associated with the gathering and use of location information.

2. Distinguishing between internal risk management and external communications to customers, partners, regulators, employees, and the market regarding policies and procedures on the handling of location data.

3. Distinguishing between B2C and B2B issues, especially with respect to communicating policies and procedures to each audience, as each has different needs and objectives.

4. Bringing attention to the B2I issues where the Bring Your Own Device (BYOD) environment, along with location tracking of employer provided devices even though the employee may be “off the clock”, raises privacy concerns.
Our long-term objective is that the Guidelines, Assessment and Recommendations serve as a foundation for an Industry framework that includes a seal of responsible location data management, a location data audit, a clearinghouse of responsible location data service providers, and an application that allows individuals to match their location data risk tolerance with the risk profiles of location data service providers.
Part 1 – Overview: The State of Location Data Privacy

In today’s connected world, location is more than just a technology or feature; it’s part of our personality. People define themselves not just by who they are, but where they are. For businesses, location information can transform virtually every facet of an enterprise, whether it is improving operational efficiency, enhancing the effectiveness of sales and marketing or providing customers with new levels of service. It can drive the development of new products, the push into new markets and add a new dimension to business intelligence, all of which can have a positive impact on the bottom line. It is therefore rapidly becoming the newest “information weapon” used by CIOs, CMOs, COOs and digital strategists to gain a competitive advantage.

But it is also confusing for both businesses and users. What are the costs and benefits? What is legal and ethical? Where is the line between adding value and privacy infringement? What should users expect and what should businesses avoid? These are but a few of the issues that must be addressed if the use of location information is to be widely accepted by both businesses as well as consumers.

More importantly, in today’s Social-Mobile-Location world, will the risks of having one’s location constantly tracked, analyzed and shared overshadow the benefits location data can offer? Can potential abuses grow to where the only alternative is regulatory intervention, which potentially dampens innovation? These and many other questions arise daily as companies develop and deploy new location-based products and services.

All of these questions and concerns roll up to four major issues related to Location Data:

1. The majority of the public does not fully understand location data;
2. The majority of businesses need to know more about location data management;
3. The location ecosystem and location data are complicated; and
4. The current policy and legal environment is not aligned with the current state of the technology.

BACKGROUND

Location data has been collected for years but until recently, it was collected manually, for specific purposes and by organizations that were not selling location-based products and services. Many of these companies operate within industries that are regulated, such as healthcare, financial services, telecommunications and utilities. Because of that, there are strict boundaries imposed on these companies in the ways they can use personally identifiable information, including location data. However, many of these companies are under increasing internal pressure to find ways to monetize the data they have been using for operational purposes.

Unregulated industries and businesses such as advertising, software, consumer electronics, data services and others are a different story. With the advent of “freemium” services and affordable computing horsepower, whole businesses and industries exist for the sole purpose of collecting and selling personal data, including location data. This is made easier by the rise of connected devices that are GPS enabled, Big Data analytics, social media applications, plus local, state, and federal government initiatives including surveillance devices.

Complicating matters is the fact that most people do not understand the value of location information the way they understand the value of personal financial or medical information. Location information is valuable because of its versatility. It is a storyteller, a powerful enabler, a lifesaver and more. It is also complex – full of unintended consequences and privacy risks, because it can reveal more information about an individual or organization than contemplated by the original collection of location data. Information this powerful carries with it some inherent risks – chief among them location data privacy.
WHY LOCATION DATA PRIVACY MANAGEMENT IS CHALLENGING

Growing Complexity:

- Access: As location technologies increasingly become a feature of new products and services across multiple industries, the number of players and people that touch location data on a daily basis increases exponentially. The number of players in the location ecosystem, from mobile carriers to application providers, data creators and sources to location service providers, governments, enterprises and individuals, continues to expand.
- Technology: Location technology is so embedded into devices and applications that location is explicitly or implicitly being collected, aggregated and distributed without the individual’s full knowledge.
- Business models: A wide range of business models are being used to monetize location and personal data that often mask the intended use or purpose behind the collection, aggregation, or distribution of location data.
- Data: The aggregation of location data is occurring at such a scale and fast pace that many technology and application providers do not have the proper controls in place to effectively manage the data from a privacy perspective.

Uniquely Sensitive:

- Inference: Location data possesses a unique capacity for linking disparate datasets, inferring and revealing personally identifiable information. As such, it can be a missing link in understanding relationships between data and human activity.
- Completeness: This ability to “connect the dots” almost automatically results in a much more complete profile of an individual or organization than the base data reveals.
- Hidden Details: The result is an entirely new level of “enriched” data that can essentially create a new body of knowledge or information, which is causing increased privacy concerns.
Legal Differences:

- Unclear Precedent: Location is uncharted legal territory in the broader privacy debate, with piecemeal and narrow precedent to guide the policies and procedures of providers and users of location data.
- Unclear Similarities: Many privacy advocates, attorneys, regulators, and location providers seek to adapt or extend the existing privacy frameworks to location data. While there is much that can (and should) be borrowed from these existing frameworks, location data’s differences could trigger a privacy infringement scenario not covered or anticipated in other regimes, and location data therefore requires its own treatment.
UNDERSTANDING LOCATION DATA: WHY IT IS COMPLEX, SENSITIVE AND DIFFERENT

Financial, medical, and location information are the “Big 3” personal data categories. The risks of the unsanctioned disclosure of financial and medical records are well known. However, the value and risks associated with location data are still poorly understood. Relative to medical and financial data, treating location data as personal information is a new concept.

Individual interaction with location data is largely around convenience—getting directions, locating a restaurant, looking for real estate, finding friends, etc. People truly find it useful. It is also still a relatively new phenomenon for many individuals, driven largely by smartphones and ubiquitous broadband. As such, there is a certain degree of novelty or casualness about its use, and people are therefore not as conscious of the scale at which location data is being collected, aggregated, and distributed. Add in that many times people are unaware their data is being captured. At best they may get an innocuous “this app would like to use your location” alert, which masks a lot of what is really taking place and what that ultimately means from a personal privacy perspective. Individuals have not been educated on the value of location information beyond personal convenience, which explains why it is so misunderstood.

Many businesses do not understand location data management because it is rarely collectively managed within an organization. In many cases it is a new dataset for many departments that comes with hidden complexities. Business interaction with location data is largely around operations, customer experience, real estate and facilities management, and workforce management.
Location data privacy management is challenging because location data is growing in complexity, is uniquely sensitive because it acts as a common denominator linking multiple data sets, and it is subject to a diversity of legal and policy frameworks.

UNDERSTANDING LOCATION DATA: MARKET TRENDS, CONTEXT AND ENVIRONMENT

Technology has enabled location data to be created and used like never before, and social trends have fueled growing acceptance of sharing one’s location. These drive additional conditions and requirements that companies need to factor into their privacy planning and that impacted our recommendations:

Expanding Universe of Users and Providers: Location data used to be the domain of cartographers and experts in geospatial information because it dealt with specific geographic data and standards. As such it was a relatively closed field of players and users. It was also considered big and clunky to use because of technical challenges in distributing the data. Today location data is used daily by tens of thousands of software developers, thousands of companies, and billions of users.

Explosive Creation of Big Data: Location information is being created at an unprecedented rate by wireless networks, GPS devices, applications, websites, cameras, RFID chips, satellites, swipe cards and other connected devices and technologies.* And much of it is in real-time. Almost any activity that involves digital interaction or verification results in location data being generated. As with any Big Data source that has significant volume, velocity and variety, location data has become far more difficult to manage and trace as it moves throughout a complex value chain of transactions and social media platforms.

*See Location Data in Glossary for a more complete list of Location Data sources.
Inference: Because a lot can be inferred by knowing someone’s location, location data can serve as the connective tissue between disparate pieces of information to build a more complete “picture” about a person or event than most people realize. This in turn creates widespread opportunity for increased and highly detailed data mining on people, assets and places. Companies may want to use location information about their employees, suppliers, and customers for a variety of human resource, operational, supply chain management, health and safety and market intelligence purposes. Regardless of how benign the intended use of the data might be, any time such information can reveal personally identifiable information, producers and users of location information could be at risk for privacy infringement either legally or morally.

Automated Creation, Collection & Aggregation: While there are numerous sources of location data present today, there are few guidelines or laws on what constitutes a legitimate way to collect, aggregate, manage and explore it. Those that do exist, such as various privacy frameworks, are inconsistent, narrow in scope, or ineffective, resulting in uncertainty around the management of location data. Therefore, the risks associated with handling location data are often misunderstood, from individuals to businesses to regulators, and are creating a sense of angst within the industry.

Roles, Relationships and Responsibilities: The issue of split personalities (when is someone an “employee” and when an “individual”?) is increasingly becoming a problem in today’s BYOD world. Using a smartphone on the job, or blogging and maintaining a social media presence on behalf of a company, either implicitly or explicitly makes the distinction between employee and individual extremely vague and blurry in both B2I and Individual-to-Individual (I2I) situations. What are the responsibilities of employers in organizations to these individuals?
What are the responsibilities of individuals to other individuals? What are the responsibilities of applications to individuals when location information is shared between applications and platforms?

Incomplete Protection Requirements: The value of location information, and the potential knowledge that can subsequently be derived from it, is not well understood. Because location information reveals more than you think, it can lead to identity theft and the disclosure of sensitive, confidential information. As information becomes increasingly decentralized in mobile, cloud-based, and BYOD IT environments, businesses need to focus on safeguarding the privacy of this data from competitors, hackers and others or face serious consequences ranging from public embarrassment to legal and financial penalties or worse.

Currently, location privacy attributes or characteristics are not end-to-end assured. In other words, a particular piece of location data may have privacy “rules” associated with it, but those rules do not always remain attached to that data as it gets shared between applications, across organizational boundaries or as derivative works are created. This lack of “stickiness” can result in overt (opted-in) or default privacy settings being discarded. So even if the user has taken action to protect her privacy, it is not permanent. For example, imagine having an unlisted phone number that becomes publicly searchable after a few months. Therefore, current privacy protection policies and mechanisms must be reviewed and evaluated within the context of the scale at which location data is being collected, aggregated, and shared to mitigate potential privacy breaches.

Inconsistent Sharing and Acceptable Use Boundaries: The definition of what constitutes acceptable use of location information varies from person to person and situation to situation.
This creates uncertainty and raises the risk of businesses crossing an invisible line, damaging their strategy and even harming the very situation they were trying to improve by using location data. Even when individuals are asked to consent to utilizing their location information, they may not fully comprehend the implications of such disclosure in an area with such rapidly advancing and highly synchronized technologies. Understanding how the information may ultimately be used may be difficult for the everyday user. In addition, the legalese of Terms of Use is often ambiguously drafted to protect the location application or service provider, and is not focused on informing the user on how organizations may use the information. As a result, location information may be shared and accessed without the individual’s or organization’s knowledge.

Lack of Legal, Social and Business Standards: The collection, aggregation, analysis and distribution of location data has grown and evolved absent clear legal, social and business standards. This lack of guidance has contributed to inconsistent policies and a “wild west” attitude towards location-based application product and service development with little regard for privacy (except where existing regulations are in place with respect to specific industries or law enforcement requirements). While privacy protection is now a mature body of law and policy, the role and application of location data within it remains immature, because many privacy and intellectual property attorneys are not familiar with the nuances of location information and technologies.

Law Enforcement Use: Compliance with law enforcement requirements, while not the subject of this document, is a critical element of providing location-based services, technologies, and applications.
Numerous laws and regulations exist for record retention and law enforcement purposes that may result in companies, upon a subpoena or search warrant, releasing personally identifiable location data. However, unfortunately there are many companies that turn over information to government authorities even when the proper warrants are not provided.
UNDERSTANDING THE LOCATION ECOSYSTEM AND HOW LOCATION DATA WORKS

The location ecosystem is comprised of numerous types of enterprises, individuals, products, services and data. Collectively they act as “value chains” that provide or deliver location-based information between companies, people or systems. Table 1 describes the industry landscape and its various categories and areas.

Table 1. Location Ecosystem (category: description)

Customer: Enterprise Business, Individual (Consumer)

Hardware/Devices: GPS chips, GPS Device, Smartphones, Desktop, Servers, Sensors, Routers, In-vehicle devices, Drones

Services: Professional Services, Integration, Planning, Development, Location-based services, Financial Services, Legal, Location-based social media

Applications: Asset Management/Tracking, Business Intelligence, Supply Chain, GeoMarketing, Advertising, Market Research, Communications, Geofencing, Augmented Reality, Mobile Resource Management, Navigation, e-Health, Engineering, Precision Agriculture, Gaming

Location Data (3rd Party Geo-referenceable data): External: Demographics, Econometrics, Weather, Business Listings, Social Networks, Mobile. Internal: Business Intelligence Data, Customer Data, Employee Data, Operational Data, Partner and Supplier Data

Geographic Data: Map Digitizing, Remote Sensing, Rectification and Photogrammetry, Geological, Topographical, Thematic, Cartographic and Contour GIS Mapping Data Sets

Location Infrastructure: Lat/Long; Geocode, Cell ID, GPS, A-GPS, Bluetooth, IP Address, WiFi GIS, PlaceNames, Geographic Reference, Mobile Devices, IP Addresses, Aerial & Satellite Imagery, Business Data, Video, Telco, Cable, Satellite and Mobile Networks, Sensors, Standards (KML, GML), Location Platforms, Storage, Databases, Middleware, ETL, Visualization

An important subset of the entire location ecosystem is the Location-Based Services (LBS) ecosystem. There is enormous growth in the LBS area, and in most cases it is how most users consume location.
Table 2 outlines organizations involved in delivering LBS services and applications.

Table 2. LBS Ecosystem (who has access to location: examples)

Mobile Carriers: AT&T, Orange, Telstra

Mobile Platforms: Apple, Google, Facebook

Device Manufacturers: Nokia, Google (Motorola), Apple

Location Service Providers: Skyhook, Apple, Google, Locaid

Applications: Foursquare, Weather.com, Loopt, AP News, Google Maps, Flickr, Urban Airship

Mapping Data Providers: Navteq (Nokia), TeleAtlas (TomTom), Open Street Maps

Imagery Providers: DigitalGlobe, Microsoft, Google

Data Providers: Urban Mapping, DataSift, Factual, Sense Networks

Advertisers/Enterprise: Honda, Budweiser, MGM, Cisco, Ekahau etc.

Government: Police, FBI, Department of Defense
Location data is collected on individuals and organizations through a variety of means including:

- Mobile and GPS-equipped devices
- Video, audio, text and image files
- Sensors and M2M networks
- Satellite and aerial imagery
- GIS systems
- Computerized and digitized maps
- Location-based services and applications
- IP addresses
- Cell-tower and other radio signal-based triangulation
- Public documents
- Public and private databases
- Geo-tagged images

The data is collected for a variety of purposes, from delivery of services, to emergency response, to product registrations, to applications for government or utility services, and more. Once the data is collected, it can be aggregated and blended with other datasets, and shared with a variety of third parties depending on the company’s policies on the use of location data. Figure 2 illustrates how location data is collected, produced, and used from a mobile user perspective.

[Figure 2, illustration not reproduced: LOCATION USES & PRIVACY: A MOBILE USER PERSPECTIVE. Concentric rings around the MOBILE USER are labelled HOW COLLECTED, WHO USES IT and FOR WHAT PURPOSE, with a law enforcement wedge cutting across them. Collection methods legible in the diagram include QR Codes, WiFi, IP Address, Bluetooth, Satellite, NFC, GPS and Cell Towers. BUSINESS & SOCIETAL OBJECTIVES listed: Law Enforcement, Public Health & Safety, First Responders, Emergency Response, Government, Real-time information, Big Data, New Products, Advertising, Linked Data, Improved Services, Business Optimization, Asset & Resource Management. ISSUES listed: Usage Rights, Ownership, Security, Consent, Privacy, Stalking, Disclosure, Proprietary Information. Source: Skyhook]

FIGURE 2: The four rings of the diagram demonstrate how location data moves from and between the mobile user, the various location data collection methods, the users of location data and the ultimate purpose for using location data. It is important to note how the individual mobile user is both a producer and consumer of location data. The law enforcement wedge reaches into all levels of this ecosystem. This illustration also identifies the complexity of the business and social objectives sought from the use of location data and the legal, policy, regulatory and business issues that arise from the collection, aggregation, and distribution of location data.
Part 2 – Guiding Principles & Considerations

The first step in developing effective location data management best practices is a thorough understanding of the data itself, including its sources, uses, context and more. In short, location data and its surrounding environment need to be well defined in order to develop effective best practices and guidelines. If you are new to location data, please be sure to read Part I if you have not done so already.

Following extensive reviews of various privacy frameworks and the issues associated with location information, the Location Forum’s Privacy Council quickly recognized that a viable proactive industry solution to location privacy concerns had to involve not only the location provider and the individual user of location information, but the entire end-to-end chain of location information, from the originator of the data all the way to the ultimate user of the data and all the intermediate actors in between. Plus it had to be practical to implement.

The public is primarily concerned with the lack of transparency and choice associated with giving up location information, as well as a lack of understanding about how valuable such data truly is. In many cases, individuals may be unaware when such information is being divulged or collected. Companies can experience the same situation given how much sensitive corporate information can be revealed by the mobile and semantic activities of employees.

This situation requires a two-part solution in which: 1) the individual user has some control over the information and a means for evaluating her choices, and 2) the provider clearly discloses how and why location information is being collected, aggregated, and distributed. In addition, individuals need an opportunity to redress any errors in their data.

In a B2B situation, the value chain for delivering location technologies, services and applications is more complicated. For instance, how do you know the privacy practices of the various players in the chain? How does a company know if their usage rights are being respected in downstream applications? How do business models create risk or assurance in regards to respecting personal privacy?

The Privacy Council determined that what is missing in the location industry, especially within the context of Big Data, is a sense of trustworthiness of the applications, services, and devices that collect, aggregate and distribute location information. This lack of trustworthiness could only be addressed by inserting greater transparency into the equation.

Taking these requirements into account, these Guidelines are based upon a few key, overriding principles:

Practical implementation: The Guidelines have to be easy for both location providers to adopt and implement, and easy for individual and business users to understand and act upon. While many large companies have the luxury of large legal staffs that can work with product development teams, the smaller companies often lack such resources. Therefore the Guidelines needed
to be pragmatic and not consume significant resources, so that entrepreneurs can continue developing new innovative products and services. The Guidelines must be stated in simple and clear terms that could easily be integrated into existing workflows. The Guidelines were designed to offer the greatest reward with the least burden to both providers and users of location data.

Transparency and Disclosure: It is the lack of transparency in the location data market that breeds suspicion and distrust. The Guidelines needed to help companies craft policies and notices that state, in clear and unambiguous terms, how they will use, collect, aggregate and share specific location data. Visibility into the business models and financial motivations of companies in the use of personal data, including location data, is a critical component of transparency. The ability to audit and trace usage rights is also an element of transparency.

Choice and Informed Consent: In the B2C environment, a robust Informed Consent policy is needed, which is a key element in transparency and building trust. Informed Consent is more than a mere notification or request to use one’s location information. For example, a mobile application’s simplistic request to “use your present location” is insufficient. Informed consent gives the user a clear understanding of how the data may be used, aggregated and shared. Permission to use the data without this level of understanding is not informed consent. This requires a usage-based opt-in policy with potentially more than a simple yes/no choice. Informed consent is what provides real individual choice.

These guiding principles and considerations led us to structure the Guidelines as follows:

1. Guidelines and Recommendations for the Management of Location Data (Part 3). This includes internal management practices and external customer-facing practices for standardized communication with the marketplace and customers on how their location data is used.

2. Location Data Privacy Risk and Transparency Assessment to gauge strengths and weaknesses relative to privacy policies and procedures (Part 4). We are also developing an online Location Data Privacy “Scorecard”, which is a detailed tool that produces a Location Data Privacy Index (LDPI) score based on the answers to in-depth questions. The LDPI score can be used to benchmark against peers, and to communicate an organization’s state of location data privacy management to the market. Whereas the Location Data Privacy Review in Part 4 provides a high-level (High, Medium, Low) indication of current risk exposure, the online assessment provides an actual score and recommendations to improve the score, and therefore location data privacy management.
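The lack of “stickiness” described in Part 1 (privacy rules that fall off a record as it crosses organizational boundaries or is turned into a derivative work) and the usage-based opt-in called for under Choice and Informed Consent above are two sides of one design problem: the subject’s per-purpose choices must travel with the data and be checked at every use, onward transfer and blend. The following Python sketch is an added illustration of that design, not code from the Location Forum or from any contributor’s product; the purpose vocabulary, organization names, user identifiers and coordinates are all constructed for the example.

```python
"""Sticky consent policy attached to a location record (illustrative only).

Each record carries the purposes its subject opted in to, the organizations
it may be passed to, and the coarsest precision allowed. Every use, transfer
and derivative record is checked against that policy and inherits it, so the
subject's choice is not discarded at the first organizational boundary.
"""
from dataclasses import dataclass, field, replace

# Constructed purpose vocabulary: a usage-based opt-in offers each purpose as
# a separate choice instead of a single "use your location" yes/no.
PURPOSES = frozenset({"navigation", "analytics", "advertising", "emergency"})


class PolicyViolation(Exception):
    """Raised when a use or transfer is not covered by the attached consent."""


@dataclass(frozen=True)
class ConsentPolicy:
    subject: str                # pseudonymous user identifier (constructed)
    purposes: frozenset         # purposes the subject opted in to
    share_with: frozenset       # organizations the record may be passed to
    precision_m: int            # coarsest precision the subject allows, metres

    def __post_init__(self):
        unknown = self.purposes - PURPOSES
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")

    def meet(self, other):
        """Most restrictive combination; used when two subjects' records are blended."""
        return ConsentPolicy(
            subject=f"{self.subject}+{other.subject}",
            purposes=self.purposes & other.purposes,
            share_with=self.share_with & other.share_with,
            precision_m=max(self.precision_m, other.precision_m),
        )


@dataclass(frozen=True)
class LocationRecord:
    lat: float
    lon: float
    holder: str                 # organization currently holding the record
    policy: ConsentPolicy
    lineage: tuple = field(default_factory=tuple)   # holders the record passed through

    def use_for(self, purpose):
        """Gate every use on the purposes the subject actually opted in to."""
        if purpose not in self.policy.purposes:
            raise PolicyViolation(
                f"{self.holder} may not use {self.policy.subject}'s location for {purpose}")
        return True

    def transfer_to(self, org):
        """Onward transfer: the policy travels with the record unchanged."""
        if org not in self.policy.share_with:
            raise PolicyViolation(
                f"{self.policy.subject} did not consent to sharing with {org}")
        return replace(self, holder=org, lineage=self.lineage + (self.holder,))


def blend(a, b, holder):
    """Derivative work (e.g. a joined or aggregated dataset) inherits the
    intersection of both subjects' consents, never the union."""
    policy = a.policy.meet(b.policy)
    return LocationRecord(
        lat=round((a.lat + b.lat) / 2, 3), lon=round((a.lon + b.lon) / 2, 3),
        holder=holder, policy=policy,
        lineage=a.lineage + b.lineage + (a.holder, b.holder))


def demo():
    """Walk two constructed records through a small value chain; returns the outcomes."""
    alice = ConsentPolicy("user-a", frozenset({"navigation", "emergency"}),
                          frozenset({"MapsCo", "EmergencyServices"}), precision_m=10)
    bob = ConsentPolicy("user-b", frozenset({"navigation", "analytics"}),
                        frozenset({"MapsCo", "AdNet"}), precision_m=100)
    rec_a = LocationRecord(51.501, -0.142, "MapsCo", alice)
    rec_b = LocationRecord(51.507, -0.128, "MapsCo", bob)
    out = {"nav_ok": rec_a.use_for("navigation")}
    try:
        rec_a.use_for("advertising")
        out["ads_blocked"] = False
    except PolicyViolation:
        out["ads_blocked"] = True
    forwarded = rec_a.transfer_to("EmergencyServices")
    out["forwarded_policy_intact"] = forwarded.policy == alice
    try:
        rec_a.transfer_to("AdNet")
        out["adnet_blocked"] = False
    except PolicyViolation:
        out["adnet_blocked"] = True
    joined = blend(rec_a, rec_b, "MapsCo")
    out["joined_purposes"] = sorted(joined.policy.purposes)      # ['navigation']
    out["joined_share_with"] = sorted(joined.policy.share_with)  # ['MapsCo']
    out["joined_precision_m"] = joined.policy.precision_m        # 100
    return out
```

The design choice worth noting is in `blend`: a derivative dataset gets the most restrictive policy of its inputs, so a record that one subject allowed for analytics cannot be used for analytics once it is combined with a record whose subject did not, and the lineage tuple gives the audit trail that the Transparency and Disclosure principle asks for.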
Part 3 – Guidelines & Recommendations for the Management of Location Data

Ask most people about sources of location data and they will quickly think of some of the more common ones, such as the ubiquitous “this app would like to use your location” notice on a mobile phone, a mapping application or even a credit card transaction. But these are just the tip of the iceberg. A lot of location data collection happens “below the surface” where people are likely unaware it is even taking place. Table 3 shows examples of the different ways location is tracked and gathered.

Table 3. Sources of Location Data (category: examples)

Retail Products: Product Tagging; Consumer Loyalty Programs; Contests; Product Warranty / Registration

Mobile Communications / Location-Based Apps: Mobile Network (Cell Towers); Mobile Device Usage (GPS); WiFi (Retail Hotspots, Hotels, Airports, in-Flight, clothing); Mapping Apps

Social Media: Correspondence Email; Location Specific Apps (FourSquare, Loopt etc.); Chat (Facebook, Twitter, etc.); Photo Tagging (InstaGram, Flickr, etc.)

Financial Transactions: e-Commerce Transactions; Credit Card Use; Online Banking & Bill Paying; Online transactions (PayPal)

Enterprise / Organization Data: Customer Data (Ex: Disney customer experience bracelet); Employee data (emails, social media, work schedules, mobile phone use, personnel files); Forms, registrations, surveys; Open Data/Publicly available data; IP Address

Healthcare: Remote Vital Signs Monitoring (Blood Pressure Meters, Heart Monitors, etc.); Electronic Health Records; Emergency Room Check-In; E-Health apps (exercise, running, diet, nutrition, etc.)

Security: Cameras; Turnstiles; Personal tracking devices

Travel: Mobile-Enabled Check-in (Airlines, Hotels, Rental Cars); WiFi Hotspots (Hotels, In-Flight, Restaurants); Toll Pass Cards; Train/Bus Passes

Other: Web Traffic and Searches, Local Search
Establishing a set of recommendations that address the diversity of applications and guard against abuse while fostering innovation is crucial. Transparency is key. Individuals must also have confidence that the businesses who collect their location data will be good stewards, using it in beneficial ways while safeguarding and respecting their privacy.

The following recommendations collectively form a set of ‘good practices’ any business should follow. They include recommendations for internal policies and procedures that can mitigate risks of privacy infringement. They also include recommendations on sharing the risk with individuals by enabling the individual to make informed choices. Recommendations that pertain more to certain types of companies or situations are appropriately noted.

Questions of harm and infringement are still unresolved legal and policy issues. When does location privacy infringement occur? At the collection level? At the aggregation level? At the distribution level? Does location data collected that is not shared cause harm? Should an individual whose location information is being collected have the right to choose whether the information is collected and how it can be used?

These recommendations assume that harm and infringement turn on the intended and actual use of the location data. As such the recommendations focus on transparency and disclosure, so that providers act as good stewards of sensitive location information and individuals are provided the option to protect their location privacy or to knowingly give up their privacy in exchange for a service.

Most of the recommendations in this section apply to specific situations or areas. However, there are a few overall guidelines that pertain across the board regardless of whether the issue is one of policy, notice and consent, permission or usage. Our recommendation for implementing the Guidelines is to:

Keep it Simple: Make it easy to understand.
Use “everyday” language, not jargon or legalese, and keep it brief.

Make it Clear: Be “crisp”. No fine print or various stipulations. Make use of graphics, charts and icons wherever possible.

Use Common Methods: Use tools and techniques people are familiar with and accustomed to using, such as pop-up screens, tick boxes and such. There should be no learning curve.

Each recommendation has three components:

1. General Guideline, which acts as an overarching principle;

2. Specific Recommendation, which illustrates how to implement the general guideline; and

3. Example, which describes a business scenario, use case or good practice.