Location Data


Many people think that location data isn't personal data, provided that it's not linked to something that uniquely identifies you, like your name or your phone number. So, your favorite app is selling your precise GPS coordinates on to data brokers - but it could have been anyone who stayed overnight at that house, visited that addiction recovery clinic on Wednesday, or attended that protest, right?

Unfortunately, there are many cheap data sources that bad actors can use to link "anonymized" location data back to a person. For example, in the US, a major income stream for the DMV (Department of Motor Vehicles) in each state is selling the personal data of anyone who registers a vehicle or has a driving license issued there. In New York state, for example, it costs just $10 to get someone's photo, name, address, telephone number, and even their medical information. Once you have someone's home address, it takes little effort to work out which "anonymized" device ID in the feed is theirs: replacing a name with a random identifier does nothing to hide the fact that the same identifier sleeps at that address every night, so you simply look for the device whose night-time coordinates cluster there.
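To make the linking step concrete, here is an added example (not code from the original page, and not from any real data broker) of the night-time-address attack described above. It takes a pseudonymous feed of `(device_id, timestamp, lat, lon)` records and a known home address, and picks out the device that is repeatedly at that address overnight. The device IDs, coordinates, timestamps, 50 m radius, 23:00-05:00 night window and "three distinct nights" threshold are all constructed for illustration.

```python
# Added example (not from the page): linking a pseudonymous device ID in an
# "anonymized" location feed to a known home address. Every record,
# coordinate and threshold below is constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def night_key(ts_utc, utc_offset_h):
    """Return the local date of the night (23:00-05:00) a ping belongs to, or
    None if the ping is outside those hours. 23:30 on the 9th and 01:00 on the
    10th both map to the 9th, so one night is only counted once."""
    local = ts_utc + timedelta(hours=utc_offset_h)
    if local.hour >= 23 or local.hour < 5:
        return (local - timedelta(hours=5)).date()
    return None


def reidentify(feed, home_lat, home_lon, radius_m=50, utc_offset_h=-5, min_nights=3):
    """feed: iterable of (device_id, ISO-8601 UTC timestamp, lat, lon).
    Returns (device_id, nights_seen) for the device most often seen at the
    home address overnight, or None if no device clears min_nights."""
    nights = defaultdict(set)
    for dev, ts, lat, lon in feed:
        t = datetime.fromisoformat(ts).astimezone(timezone.utc)
        key = night_key(t, utc_offset_h)
        if key is None:
            continue  # daytime ping: could be a visitor, courier or neighbour
        if haversine_m(lat, lon, home_lat, home_lon) > radius_m:
            continue  # not at the target address
        nights[dev].add(key)
    if not nights:
        return None
    best = max(nights, key=lambda d: len(nights[d]))
    return (best, len(nights[best])) if len(nights[best]) >= min_nights else None


# Constructed feed: assumed pseudonymous IDs, assumed coordinates,
# timestamps in UTC for a location with local offset -5.
HOME_LAT, HOME_LON = 40.7500, -73.9800
SAMPLE_FEED = [
    ("a1f3", "2024-01-10T07:00:00+00:00", 40.75010, -73.98010),  # 02:00 local, at home
    ("a1f3", "2024-01-10T09:30:00+00:00", 40.75005, -73.97995),  # 04:30 local, same night
    ("a1f3", "2024-01-11T06:30:00+00:00", 40.75012, -73.98008),  # 01:30 local
    ("a1f3", "2024-01-12T08:45:00+00:00", 40.74995, -73.98003),  # 03:45 local
    ("a1f3", "2024-01-11T17:00:00+00:00", 40.76100, -73.99000),  # daytime, elsewhere
    ("b7c2", "2024-01-10T19:00:00+00:00", 40.75008, -73.98002),  # courier, 14:00 local
    ("c9d1", "2024-01-10T07:00:00+00:00", 40.76100, -73.99000),  # night, but not here
]

if __name__ == "__main__":
    print(reidentify(SAMPLE_FEED, HOME_LAT, HOME_LON))
```

Note that nothing in the feed carries a name; the pseudonym is defeated purely by the stable identifier plus one cheap external fact (the address). The courier and the neighbour two streets over are filtered out by the night window and the radius, which is exactly why coarse timestamps and coarse coordinates matter so much more than stripping names.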

📚 Reading Assignment 1: FTC v. Kochava, Inc. - US Federal Trade Commission

"The Federal Trade Commission filed a lawsuit against data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence."

"...These injuries are exacerbated by the fact that, as described above, Kochava lacks any meaningful controls over who accesses its location data feed...The collection and use of their location data are opaque to consumers, who typically do not know who has collected their location data and how it is being used. Indeed, once information is collected about consumers from their mobile devices, the information can be sold multiple times to companies that consumers have never heard of and never interacted with."



What you can do

  • Assess whether you even need to process location data at all. If location isn't part of your product's functionality and it's simply an additional revenue stream, then try to drive cultural change within your company. That is of course a big ask. Perhaps your CTO might change their mind about your business model if you invite them to sit down with you while you look through all their location data your app has collected over the last 6 months 😜 On a more serious note, the Giving Voice to Values series offers one perspective on how to communicate your ethical values at work, while the Foundations of Humane Technology course teaches some strategies for driving corporate cultural change.
  • If you do need to store location data for your product's functionality, make sure you inform users why you are collecting it, ask for the user's consent, and store the coarsest-grained location that still makes the feature work. If you're using the location just for news personalization, for example, you only need the user's city or region rather than their precise GPS coordinates.
  • Consider how you will handle sensitive locations, for example places of worship and clinics for physical and mental health. This data could be particularly harmful for your users if it is exposed (through a data breach, sale to a data broker, or acquisition by law enforcement). Data showing that a woman in Texas visited an abortion clinic, for example, could be used as evidence in an investigation or prosecution.
📚 Reading Assignment 2: On Locational Privacy, and How to Avoid Losing it Forever - Andrew J. Blumberg and Peter Eckersley, Electronic Frontier Foundation. This guide is now a little dated (it mentions making searches on your PDA!) but has some excellent suggestions on how to process location data in a privacy-preserving way.

"Our contention is that the easiest and best solution to the locational privacy problem is to build systems which don’t collect the data in the first place. This sounds like an impossible requirement (how do we tell you when your friends are nearby without knowing where you and your friends are?) but in fact as we discuss below it is a reasonable objective that can be achieved with modern cryptographic techniques..."

"We should note that even the existence of location databases stripped of identifying tags can leak information. For instance, if I know that Vera is the only person who lives on Dead End Lane, the datum that someone used a location-based service on Dead End Lane can be reasonably linked to Vera. This problem is widely acknowledged (and studied) in the context of epidemiological data as well: it turns out to be relatively easy to deduce the identity of individual disease victims from “anonymized” geographic information about the location of cases. Generally speaking, one solution to this problem is to restrict the use of location-based services to high density areas. There are more complicated cryptographic solutions that are also possible..."
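The three protective measures above (keep only the coarsest location the feature needs, drop records near sensitive places, and only retain records in areas dense enough for a person to hide in a crowd, as the EFF quote suggests) fit together into one small sanitisation step. The following is an added example, not code from the page or from the EFF, of what that step can look like for data arriving from a client before anything is written to storage. The 0.1-degree grid, the 150 m radius, `k = 5`, the user IDs, the coordinates and the single "clinic" entry are all assumed values chosen for illustration; the equirectangular distance is a deliberate shortcut that is adequate for radii of a few kilometres.

```python
# Added example (not from the page): sanitising location pings before storage
# by coarsening, sensitive-place suppression and a k-users-per-cell rule.
# Cell size, radius, k, IDs, coordinates and places are assumed/constructed.
import math
from collections import defaultdict


def coarse_cell(lat, lon, cell_deg=0.1):
    """Snap a coordinate to an integer grid cell. 0.1 degree is roughly
    11 km north-south, i.e. city-district precision, which is enough for
    things like news or weather personalisation."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def approx_dist_m(lat1, lon1, lat2, lon2):
    """Equirectangular distance approximation; fine for radii of a few km."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return 6_371_000 * math.hypot(x, y)


def sanitize(pings, sensitive_places, cell_deg=0.1, k=5):
    """pings: iterable of (user_id, lat, lon) as received from the client.
    sensitive_places: list of (lat, lon, radius_m, label).
    Returns the records that are safe to persist, as (user_id, cell) pairs."""
    coarse = []
    for uid, lat, lon in pings:
        # 1. Sensitive-place suppression, applied to the precise point before
        #    it is coarsened and before anything is written anywhere.
        if any(approx_dist_m(lat, lon, plat, plon) <= radius
               for plat, plon, radius, _label in sensitive_places):
            continue
        # 2. Coarsening: the precise coordinate is discarded at this line.
        coarse.append((uid, coarse_cell(lat, lon, cell_deg)))
    # 3. Density rule: a cell with fewer than k distinct users lets a single
    #    "someone on Dead End Lane" record identify a person, so drop it.
    users_per_cell = defaultdict(set)
    for uid, cell in coarse:
        users_per_cell[cell].add(uid)
    return [(uid, cell) for uid, cell in coarse if len(users_per_cell[cell]) >= k]


# Constructed input: assumed user IDs and coordinates, one assumed sensitive place.
SENSITIVE_PLACES = [(40.7510, -73.9800, 150, "clinic")]
SAMPLE_PINGS = [
    ("u1", 40.7210, -73.9500), ("u2", 40.7220, -73.9500), ("u3", 40.7230, -73.9500),
    ("u4", 40.7240, -73.9500), ("u5", 40.7250, -73.9500),
    ("u6", 40.7511, -73.9801),  # inside the clinic radius: never stored
    ("u7", 40.8500, -73.7900),  # sparse cell with only two users: dropped
    ("u8", 40.8510, -73.7910),
]

if __name__ == "__main__":
    for record in sanitize(SAMPLE_PINGS, SENSITIVE_PLACES):
        print(record)
```

Two caveats a practitioner should keep in mind. First, the order matters: the sensitive-place check has to run on the precise point, so it must happen before coarsening, and both must happen before the record reaches a database, a log line or an analytics SDK. Second, coarsening on its own does not defeat the night-time-address attack if the cell is sparse, which is what the k-users rule is for; with the default `k = 5` the two users on the quiet street are dropped entirely, and only the five users in the busy cell are kept.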



Further Reading