29th International Conference of
Data Protection and Privacy Commissioners
"Ubiquitous Computing" Dragon
13h30 - 16h00
Terra Incognita, workbook series # 4
Table of contents
- Dr. Alexander Dix — Chair
- Ms. Éloïse Gratton
- Dr. David Lyon
- Dr. Michael G. Michael
- Mr. John B. Morris, Jr.
Background Paper: "Longitude and Latitude: location technologies and privacy concerns"
- Cell phones and location information for emergency response and commercial applications
- GPS location tracking in commercial fleet management and in personal vehicle use
- ANPR and advanced CCTV tracking systems used for public surveillance
- The tracking potential of Radio Frequency Identification (RFID) systems
- Wi-Fi Positioning Systems: tracking wireless personal devices
Dr. Alexander Dix
Dr. Alexander Dix, LL.M. (Lond.), was elected Commissioner for Data Protection and Freedom of Information by the Berlin State Parliament in June 2005. He was Commissioner of the State of Brandenburg for seven years, has 22 years' experience in data protection, and has published extensively. A specialist in telecommunications and media, he chairs the International Working Group on Data Protection in Telecommunications ("Berlin Group"). He is also a member of the Art. 29 Working Party of European Data Protection Supervisory Authorities, where he represents the Data Protection Authorities of the 16 German States (Länder). A native of Bad Homburg, Hessen, he graduated from Hamburg University with a degree in law in 1975. He received a Master of Laws degree from London University after studies at the London School of Economics and Political Science in 1976, and a Doctorate in law from Hamburg University in 1977.
Ms. Éloïse Gratton
Gratton is a partner at McMillan Binch Mendelsohn where she practices law in the areas of commercial law and information technology. Prior to joining the firm, she acted as Director of Corporate & Legal Affairs for a wireless marketing company. She serves as head of the Legal Council of the Toronto-based Society of Internet Professionals. As a member of the Mobile Marketing Association Privacy & Consumer Acceptance Committee, she actively participated in drafting privacy guidelines for the mobile marketing industry. She acts as Vice-chair of the Canadian IT Law Association Ad hoc Privacy Committee and is Senior Consultant (for Quebec) of the Canadian Privacy Institute. Ms. Gratton speaks frequently at national and international technology conferences and is a published author on emerging technologies and legal matters. She is the author of the CCH book entitled Internet and Wireless Privacy: A Legal Guide To Global Business Practices.
Dr. David Lyon
David Lyon is the Principal Investigator of the Globalization of Personal Data Project and the Director of the Surveillance Project at Queen’s University.
Professor Lyon has been working on surveillance issues since the 1980s, when he discussed surveillance as one of the key issues of information-based societies in The Information Society: Issues and Illusions (Polity 1988). Since then he has been involved in many debates over information politics and policy in Canada and around the world as a result of his research and publications including The Electronic Eye (1994), Surveillance Society (2001) and Surveillance after September 11 (Polity 2003).
He is a founding editor of the e-journal Surveillance and Society and has particular research interests in national ID cards, aviation security and surveillance and in promoting the cross-disciplinary and international study of surveillance. He is currently preparing Identifying Citizens: Software, Social Sorting and the State for Polity Press (2008).
Dr. Michael G. Michael
Dr. Michael G. Michael, Ph.D., MA(Hons), MTh, BTh, BA is a theologian and historian who brings a unique perspective on Information Technology and Computer Science. Presently he is an honorary fellow in the School of Information Systems and Technology, at the University of Wollongong, Australia. He is the former coordinator of Information & Communication Security Issues and since 2005 has guest-lectured and tutored in Location-Based Services, IT & Citizen Rights, Principles of eBusiness, and IT & Innovation. He has presented papers at numerous IEEE conferences including the International Conference on Mobile Business, the International Conference on Mobile Computing and Ubiquitous Networking, and RFID Eurasia. He is currently co-authoring a book titled, Innovative Automatic Identification and Location-Based Services: From Bar Codes to Chip Implants. Alongside Dr Katina Michael he has introduced the concepts of ‘überveillance’ and ‘electrophorus’ into the privacy and bioethics literature.
Mr. John B. Morris, Jr.
John B. Morris, Jr. is General Counsel at the Center for Democracy & Technology, and the Director of CDT's "Internet Standards, Technology and Policy Project." Prior to joining CDT in 2001, Mr. Morris was a partner in the law firm of Jenner & Block, where he litigated groundbreaking cases in Internet and First Amendment law. As part of CDT’s "Standards Project," Morris has actively participated in the work of the Internet Engineering Task Force, including the "GeoPriv" group working on location privacy in wireless and voice over IP contexts.
Mr. Morris received his B.A. magna cum laude with distinction from Yale University and his J.D. from Yale Law School, where he was the Managing Editor of the Yale Law Journal. Following law school, he worked as a staff attorney at the Southern Center for Human Rights in Atlanta, Georgia before joining Jenner & Block in 1990.
Paper commissioned by the Office of the Privacy Commissioner of Canada. The views and opinions contained in this document are those of the author and do not necessarily reflect the views and opinions of the Office of the Privacy Commissioner of Canada nor of the Government of Canada.
Ubiquitous Computing: Geo-tracking Workshop
A background paper for the 29th International Conference of Data Protection and Privacy Commissioners
Longitude and Latitude: location technologies and privacy concerns
When Marco Polo set out on his voyages of discovery, most of the world was literally Terra Incognita, unknown and unmapped. Today, every part of the Earth’s surface has been mapped and new location-based technologies can pinpoint someone’s location within 10 to 20 metres, almost anywhere on Earth.
This paper serves as a resource document for the Geo-tracking Workshop. It describes location technologies and their various applications so as to explore the inherent privacy issues, particularly those involving tracking or surveillance of individuals. Workshop attendees are invited to share their own concerns and insights about location tracking and how best to ensure that rights to control personal location information are solidly entrenched as tracking technologies expand in the marketplace.
What is surveillance?
Surveillance, as defined in A Report on the Surveillance Society, is any "purposeful, routine, systematic and focused attention paid to personal details, for the sake of control, entitlement, management, influence or protection."1 When accomplished through automated means, it is sometimes referred to as "dataveillance".2 Location technologies that can pinpoint the whereabouts of a person or object are critical elements of dataveillance.
What are location technologies?
A 2005 paper published by Canadian researchers who are working on the Queen’s University Surveillance Project defines location technologies as technologies that meet three specific criteria. They can pinpoint locations, they can report these continuously, and they can do it in real time.3
In other words, they can locate objects equipped with location-tracking devices at any time and without interruption provided the devices are turned on, emit tracking signals and the signals are accessible.
The Queen’s researchers considered two technologies predominant in current location tracking applications: those that locate a cellular telephone or similar wireless device through technology that can be deployed in a cellular phone network; and those that can locate a GPS (Global Positioning System) receiver.
Nevertheless, other technologies have been or could be used to track individuals’ movements, but more sporadically. For example, in the UK, which already has the highest concentration of closed circuit television (CCTV) systems for surveillance, Automated Number Plate Recognition (ANPR) technology is a rapidly advancing policing and surveillance tool.
Conventional CCTV systems can also be used for more precise tracking of individuals using facial recognition software. By its nature, facial recognition is not ubiquitous as it depends upon individuals being continuously in plain view of successive video cameras.
Radio-frequency identification (RFID) chips are another potential location tracking technology. They have become steadily smaller and cheaper, leading to greater expectations of their use in individual products. RFID chips are now widely used to track shipping containers and pallets at ports and in warehouses, and are now embedded in individual products, including articles of clothing. They can track employees within company premises and monitor vehicle use on toll highways.
Katherine Albrecht and Liz McIntyre, in their book Spychips, paint a disquieting picture of a future world where billions of items contain RFID chips and "the whereabouts of everything and everyone will be known at all times and accessible to anyone with access to the databases, authorized or otherwise".4
Such a surveillance capability would depend upon a massive network of interconnected RFID readers, since passive RFID devices have a limited reading range of a few centimetres to a few metres.5 However, RFID tags embedded in identity documents such as drivers’ licenses, immigration visas and passports will permit the intermittent tracking of individuals as they move through RFID-reader equipped checkpoints. The ultimate example of personalization of these devices is implanting them in humans for identification, to store emergency medical information, and even to replace the need for cash or a credit card when visiting a club.
Another intermittent surveillance technology is Wi-Fi Positioning Systems (WPS) which enable Wi-Fi network operators to pinpoint the location of wireless signal-emitting devices such as laptop computers to within 20 to 40 metres. The base of wireless computing users is growing exponentially, providing an exceptional opportunity for new commercial location-based services, but also increased dataveillance.
This paper will briefly consider the geo-tracking privacy issues associated with all of the above technologies, under the following headings:
- Cell phones and location information for emergency response and commercial applications
- GPS location tracking in commercial fleet management and in personal vehicle use
- Automated Number Plate Recognition (ANPR) and advanced CCTV tracking systems used for public surveillance
- The tracking potential of RFID technologies
- WPS and the tracking of computers and other wireless personal devices.
Cell phones and location information for emergency response and commercial applications
With the rapid growth in cellular telephone use, emergency services providers (known as Public Safety Answering Points or PSAPs) began demanding that cellular phones offer the same functionality as wireline telephones so police, fire and ambulance services could better locate wireless emergency calls. The first requirements for what is known as wireless E911 originated in the United States and required the introduction of new tracking technologies in the cellular phone network.
The rollout of wireless E911 in the United States, Canada and other countries has occurred in stages. In phase 1, network operators were required to provide PSAPs with limited cell/sector directional information and the cellular phone number of the caller. However, this information had little value in locating a caller, and was used primarily to identify the service to which the call should be routed.
In the second phase (required under revised U.S. Federal Communications Commission (FCC) rules), wireless carriers were expected to employ network-based location technologies to locate the mobile phone user within 50 metres for 67 per cent of 911 calls, and 150 metres for 95 per cent of calls.6
Ultimately, network-based technologies were incapable of meeting this accuracy standard and wireless carriers turned instead to GPS-equipped phones which can provide location information to within a few metres if there is clear line of sight to GPS satellites. Other solutions use a hybrid of GPS-equipped phones and signal processing within the network to better identify the caller’s location to within 10 metres.7
In Canada, phase 2 location tracking is now in field trials while, in the U.S., more aggressive FCC deadlines have pushed U.S. carriers into full implementation in some communities. (In the U.S., a request from a PSAP is required for implementation of Phase 2 wireless E911 within a particular jurisdiction.) E112 is also being rolled out throughout the European Union, with phase 1 ubiquitous in theory by 2003 and higher performance location services expected to penetrate the market by 2006.8 In reality, many EU countries have not yet begun to implement cellular location tracking, which has resulted in infringement proceedings against 11 EU members.9
The privacy implications
E911 services: Historically, the use of wireless location services for E911 purposes has generated little documented privacy concern as the benefits seemingly outweighed any associated privacy loss. Users of GPS-enabled phones can turn off the positioning capabilities, while network operators can restrict the use of location technologies to situations where a caller has dialled 911.10 Contractual and regulatory rules can also bind PSAPs on their use of location information.
However, mounting concerns about cyber-crime and terrorist activities have now shifted the balance of national security and privacy and expanded the interest in collection and use of location information.11 U.S. policy makers and regulators, in particular, have been seized with the importance of wireless location services following 9/11.
One report on E911 implementation in the U.S. stated: "the increased emphasis being placed on homeland security, the critical role played by E911 systems and services in assuring homeland security, and the increased dependence on wireless networks, make the automatic provision of location information with wireless emergency calls as much a national priority as a local one".12
Law enforcement and security access: The legal basis for U.S. law enforcement agencies to obtain mobile phone users’ location information was established in the Communications Assistance for Law Enforcement Act (CALEA).13 The act directed the telecommunications industry to design, develop and deploy solutions to meet law enforcement requirements to conduct lawfully-authorized electronic surveillance. Location information protocols developed under CALEA permit law enforcement agencies—with a court order—to obtain whatever caller location information a wireless carrier is able to produce.14
Privacy advocates have raised concerns about a potential lowering of standards for law enforcement agencies to obtain such information following passage of the USA PATRIOT Act, which expanded FBI surveillance powers. In 2005, two U.S. magistrates (in separate decisions) ruled that permitting the FBI and other police agencies to track the location of cell phone users under this Act through a routine tracking order, without showing some evidence of actual criminal activity, violated constitutional rights of protection against "unreasonable search and seizure."15
More recently, in 2006, a different judge determined that the FBI could monitor the location of Americans by constantly tracking their cell phone signals without providing evidence of criminal activity.16
In Canada, similar privacy concerns have been expressed about a proposed law to strengthen Canadian law enforcement intercept capabilities, including the ability to obtain wireless location information under a production order where the police have "reasonable grounds to suspect" criminal activity. In response, Privacy Commissioner Jennifer Stoddart noted a former Supreme Court Justice’s view that the day has now finally arrived when a device has been developed "that will be able to track our every movement for indefinite periods even without visual surveillance"17. She urged that, at the very least, such unseen, ubiquitous and precise tracking capability should only be permitted on a higher threshold of "reasonable grounds to believe" rather than "reasonable grounds to suspect".18
One of the privacy concerns about law enforcement location tracking is that it introduces "wholesale surveillance." As U.S. privacy and security expert Bruce Schneier has written:
"Years ago, surveillance involved trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the police officer sitting at a computer with a satellite image of an entire neighborhood. It's the same, but it's completely different. It's wholesale surveillance."19
James Dempsey, Policy Director with the U.S.-based Center for Democracy & Technology, likened the implementation of E911 to turning cell phones into ankle bracelets, and called for stronger constitutional restrictions on law enforcement’s ability to obtain court orders for location data.20
David Lyon, Stephen Marmura and Pasha Peroff of the Queen’s University Surveillance Project have also pointed out the potential of E911 mobile phone location data to be used for greater police surveillance.
"It seems equally likely that the continued development of [this] system in Canada will provide law enforcement in this country with ever more precise and revealing data on individuals suspected of committing illegal acts. At the same time, such developments will likely go unnoticed by many or most citizens."21
Consumer malaise: Lack of citizen concern about location tracking may become a more important issue as organizations, particularly communications carriers, offer commercial services based on mobile telephones. So far, services such as vehicle tracking for fleet operators are focussed on commercial users. However, as more precise location information becomes available, it will offer opportunities for location-based text messaging and advertising to consumers, as well as services aimed at finding individuals, such as child-locator or friend-locator services. Australian location services privacy expert Dr. Katina Michael, in fact, describes location-based technologies as a "cultural-changing force" where "pervasive computing will become a dominant force in the way we live, work, and interact with one another".22
As David Lyon and his colleagues point out, "the opportunities to develop new revenue options and pitch services directly to individual needs are endless, and could become increasingly attractive as LBS (location-based services) is integrated with a ‘rise in complementary technologies such as digital mapping and wireless communications peripherals’."23
In Internet and Wireless Privacy, Éloïse Gratton cites research that consumer location services based on E911 technology could account for 40 per cent of a carrier’s mobile data services revenue by 2007.24 Ms. Gratton identified such services as emergency roadside assistance, mapping and security services for vehicles, proximity-based advertising, a friends finder service, M-commerce at point of sale, and even M-dating where your cell phone location helps a prospective partner locate you.
Useful v intrusive: A 2003 study suggested that individuals’ concerns about the intrusiveness of mobile phone-based location services went down as the usefulness of the service went up. For example, of four proposed services, study participants considered most "privacy invasive" one that would allow a retailer to send a message suggesting it was time for lunch whenever a mobile phone user passed a restaurant. Considered less invasive were services that would automatically set the ring function to silent mode whenever the user attended a meeting, went to class, went to a movie or entered a restaurant. A service ranked highly useful but also highly intrusive would tell users the location of predefined friends, provided they also had mobile phones.25
Where to go from here?
The introduction of new mobile phone-based location services raises several important questions:
- What level of notice and consent should be required before carriers may use or disclose location information to third parties for commercial purposes?
- Under what conditions should law enforcement agencies have access to location information for surveillance purposes and what safeguards are required to prevent abuse of such access?
- What privacy solutions provide users greater control over their location information when using cellular phones or similar devices?
GPS location tracking in commercial fleet management and in personal vehicle use
The Global Positioning System (GPS) provides accurate location and timing data to users worldwide using 24 satellites and sophisticated signal triangulation technology. GPS is vital to commercial aviation and marine transportation, surveying and mapping, and a growing number of other commercial applications.
GPS was originally developed as a military system. The Pentagon first made it available for commercial use under a selective availability policy which restricted signal accuracy to within 30 metres. On May 1, 2000, this signal degradation feature was turned off, allowing civilian users to pinpoint locations with up to three-metre accuracy. GPS is available free of charge worldwide for peaceful civil, commercial and scientific applications.
To end reliance on the U.S. system (which the Bush Administration has stated could be selectively disabled to prevent use by terrorist groups or hostile nations26), the European Union and European Space Agency are planning a competitive system known as GALILEO. However, disputes among European firms building the €3.2 billion project are likely to delay commercial operations until well after 2010.27
There are close to two million GPS/wireless devices in use in the U.S. alone, monitoring fleet vehicles, trailers, construction equipment and mobile workers. The number is expected to grow to close to six million by 2009.28 One analyst has predicted the number of commercial GPS users in the U.S. will reach nearly 70 million by 2011.29
The privacy implications
Two GPS applications have raised privacy concerns in recent years. The first is the growing use of GPS in fleet management systems to compute the precise location of company vehicles, whether the vehicles are stationary or moving, and the speed and direction of travel. This data is often combined with vehicle diagnostics data and maintenance schedules to improve fleet efficiency. A related use is other forms of employee tracking, such as providing workers with GPS-equipped cell phones in order to monitor their location offsite.
The second application is the growing use of GPS technology in personal vehicles, including car rentals. A 2002 GPS world markets study estimated that in-vehicle navigation and telematics services would be the largest GPS market segment by 2006, accounting for 41 per cent of all GPS use.30
Commercial vehicles/employee tracking: Employee tracking and use of GPS to track company vehicles has raised numerous privacy issues. In Canada, in an important finding under the federal Personal Information Protection and Electronic Documents Act, the Office of the Privacy Commissioner determined that
- employee consent was required to collect GPS location data that could be associated with an individual employee (although such consent could be implied through the employment relationship), and
- the purposes for collecting such data must be reasonable.31
Reasonable purposes included asset protection and management, worker safety, and improved productivity by integrating GPS with the vehicle dispatch system.
However, the Office concluded that "performance management" of individual employees via inferences drawn from GPS data was overly privacy invasive and therefore in contravention of the law. The Commissioner stated that "[W]hile using GPS to track a vehicle is not overly privacy invasive, routinely evaluating worker performance based on assumptions drawn from GPS information impinges on individual privacy."32
In the U.S., where worker privacy rights are poorly protected by state or federal laws, only the State of Connecticut has legislation requiring employers that conduct electronic monitoring to post a notice in the workplace. In civil litigation, however, courts have set limits on employee surveillance outside the workplace, ruling that it must be reasonable, unobtrusive and for a job-related purpose.33 Employers are, nevertheless, within their legal rights to use GPS monitoring within the workplace, subject to worker ability to limit use through labour actions. For example, the Teamsters Union won a battle with UPS that prevented the company from using GPS tracking for discipline purposes.34
In the European Union, where the EU Directive35 requires employment information be protected under law, countries have developed guidelines on location monitoring. For example, the UK Information Commissioner has published guidelines specifying that employers must consider whether the benefits of monitoring justify the adverse impact. The guidelines add that, where private use of a vehicle is allowed, monitoring its movements when used privately, without the freely given consent of the user, will rarely be justified. The Commissioner recommends a ‘privacy button’ or other arrangement that allows the monitoring to be disabled.36
Monitoring private vehicles: GPS devices have also found widespread use in private vehicles for mapping and manufacturer support services. General Motors’ OnStar system, for example, is now used by more than four million subscribers and provides a platform for a range of new location-based services such as location-based advertising. As early as 2001, OnStar President Chet Huber explained how in-vehicle, location-prompted marketing might work:
"At some point, you would set up your profile and all of the things you're shopping for – maybe not urgently shopping for but they're on your to-buy list – will get bounced against the database. You'll be driving along and it will say, ‘Oh, by the way, within three miles of where you are now, that DVD player you said you wanted is on sale at Circuit City.’"37
While such location-based marketing would ostensibly be based on customers setting up profiles and consenting to sharing data with marketers, privacy advocates have raised questions about such services.
Beth Givens, founder of the Privacy Rights Clearinghouse, observed that, with the growing number of monitoring systems, "Now, the car is Big Brother".38
The event that shone the spotlight on auto monitoring was Acme Rent-a-Car’s practice of using GPS to monitor its customers’ driving speeds, then fining them directly if they exceeded 126 km/h (79 mph). Details of the monitoring were hidden in the fine print of the rental agreement. In one widely reported incident, Acme docked a customer $450 for speeding three times. A Connecticut court ordered Acme to stop this practice and pay back about $12,000 in fines it had collected since the monitoring began.
Where to go from here?
- To what extent is employee and customer surveillance reasonable or warranted?
- How should GPS system operators provide notice of monitoring and how should they obtain consent for such practices?
- Under what conditions should location data be made available to third parties, including law enforcement agencies?
ANPR and advanced CCTV tracking systems used for public surveillance
ANPR systems: Automated Number Plate Recognition (ANPR) technology, which the UK is now rolling out as a nation-wide policing and surveillance tool, is just one example of how video surveillance systems are being adapted with advanced digital surveillance features.
The UK ANPR system records license plate numbers using optical character recognition technology combined with digital cameras mounted in police vehicles, or in conjunction with existing CCTV systems. In a pilot project by 23 police departments underway since 1994, ANPR proved capable of checking up to 3,000 number plates per hour of vehicles traveling up to 160 km/h. Newer infrared cameras produce an accuracy rate of 95 per cent. The Home Office is now implementing a national program and establishing a national vehicle intelligence data warehouse. Under such a system, every vehicle using public roadways could be recorded as it passed by strategically located ANPR cameras.39
Facial recognition systems: Another example of advanced video surveillance is the use of facial recognition technology. In 2001 Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner, investigated the use of such technology in Ontario’s eight casinos which are regulated by a public body, the Ontario Alcohol and Gaming Commission.40
The casinos used a facial recognition technology developed by Biometrica Systems Inc. and a database of known and suspected casino cheats. Casinos also had access to a computer network that allows North American casinos to rapidly communicate with each other about suspected cheaters. Ontario casinos’ use of this technology was overseen by specially trained police officers who only accessed the facial recognition software database when they had reasonable suspicion that an individual was engaging in criminal activity.
The privacy implications
The Commissioner concluded that this use of facial recognition technology coupled with video surveillance complied with the province’s privacy legislation. However, she also determined that a privacy impact assessment should have been conducted before the system was introduced and notices should be posted in casinos to advise patrons that police may be collecting their personal information by both video surveillance and face recognition technology.
Ms. Cavoukian also pointed out that this use of biometrically enhanced video surveillance is a far cry from the type of enhanced scanning used in other public environments. She cited the scanning by Tampa, Florida police of faces of an estimated 100,000 fans and workers at the 2001 Super Bowl. The images were digitally scanned and covertly compared to an extensive, customized database of known felons, terrorists and con artists.41
The American Civil Liberties Union (ACLU) was extremely troubled by this event and the announced use of facial recognition software for other public surveillance projects. The ACLU observed that it was an "unprecedented expansion" in high-tech surveillance and that the technology should not be used to create a "virtual line up" of Americans who are not suspected of having done anything wrong.42
This led New York lawyer Mark Milone to ask, in an article about biometric surveillance, "How many times a day do we want to be the subject of a lineup when we leave our homes?".43
Stating that such advanced surveillance facilitates the tracking of individuals, potentially on a national scale, Mr. Milone called for governments and industry to pay closer attention to the risks of such surveillance technology.
Integrating databases and surveillance systems: The technological capacity for biometrically-enhanced surveillance is increasing at a relentless pace. While systems now in place are geographically limited – for example, New York’s Statue of Liberty now incorporates a facial recognition system linked to a U.S. database of terror suspects44 – the time may come, as the ACLU warns, when the entire life of a city could be monitored, with vast databases of stored imagery that can be scanned with facial recognition technology to identify people, learn where they have been and perhaps even where they are at the present moment.45
The prospect of a Europe-wide database of passport, visa and residence permits has also prompted several European data commissioners to comment that such a system risks "becoming a mass surveillance infrastructure tracking the movements of all residents and citizens".46
The same can be said of any type of advanced surveillance system that relies on readily observable but uniquely identifiable information such as license plates and facial characteristics which can be linked to a specific location.
Where to go from here?
The privacy community needs to consider what positions it will take and what concerns it will raise as such systems inevitably expand in scope and use.
- Should system controllers be required to establish reasonable grounds for extensive surveillance systems?
- Is advising the subjects the only constraint on use of these systems?
- Are there situations when surveillance systems are too fundamental an invasion of privacy?
The tracking potential of Radio Frequency Identification (RFID) systems
RFID systems are an automated identification method that relies on storing and retrieving data from RFID tags using radio waves. The tags are miniaturized, low cost transmitters with varying reading ranges that can be embedded in products, vehicles, animals—and even humans. The tags can be "promiscuous", meaning they can be read by any RFID reader; or secure, requiring some type of password or authentication.
Implanting in humans has generated the most attention as a potential location tracking technology. In 2004 the Chicago Sun-Times reported that at least 160 federal prosecutors and investigators working for Mexico’s Attorney General Office had received subcutaneous chip implants, with key members of the military, police and even staff in the President’s office to follow.47
In Canada, RFID tags have replaced bar codes for tracking cattle destined for slaughterhouses, and for vehicle tracking on toll highways in two provinces. But, at least so far, governments have not used them in any widespread public applications.
The U.S. has considered their use for border security purposes, including a Department of Homeland Security request (since dropped) for information from commercial vendors for RFID tracking capabilities that could locate and identify a tag, with 100 per cent accuracy, inside a car, truck or bus from 25 feet away, while the vehicle was travelling as fast as 88 km/h (55 mph).48
Considerable attention has been paid to the commercial uses of RFID tags, especially Wal-Mart’s efforts to advance their use in supply chain management.
The privacy implications
Use of RFID systems in any purposeful applications designed to track individuals’ movements has been slow to materialize, at least outside of an employment context. Nevertheless, privacy advocates remain concerned about the ability to link private and public RFID reader networks and databases for ubiquitous surveillance.
Researchers at the Queen’s University Surveillance Project point out that RFID tags, with their relatively limited reading distance, cannot by themselves be used to track locations continuously or in real-time.49 However, U.S. law professor Jonathan Weinberg suggests information sharing among operators of discrete reader networks could create a massive shared network which becomes a "Panopticon geolocator".50
Privacy activists also point out that the capacity of Electronic Product Code (EPC) tags is such that all objects around the globe could be uniquely identified, enabling the development of a global tracking and profiling infrastructure.51 The key factor that permits such ubiquitous tracking is that most RFID chips are designed to be promiscuous.
Simson Garfinkel and Henry Holtzman have explained that the vast majority of chips deployed so far are promiscuous because this approach is less expensive and the systems are easier to manage. The authors contrast these with secure tags, which respond only when a password or other authentication is provided and which require passwords or encryption codes to be distributed in advance and properly controlled, creating an exceedingly difficult management problem.52
Professor Colin has also observed that location tracking can predict the trajectory of an individual, helping to ascertain not only where the individual is at a given moment, but also the individual’s likely destination. He states that a person may be very concerned that others would discover the end point of their journey. Equally important, he points out that current location technology is simply not sufficiently refined to connect identifiable individuals with precise geo-spatial coordinates, which can result in erroneous linkage of persons to locations.53
The privacy community, especially data commissioners and policy makers, has begun to address RFID location-tracking issues.
In 2003, a resolution, adopted at the 25th International Conference on Data Protection and Privacy Commissioners, advocated permitting individuals to delete data or destroy RFID tags in their possession. The resolution also stated that "[T]he remote reading and activating of RFID tags, without any reasonable opportunity for the person in possession of the tagged object to influence this process, would raise additional privacy concerns".54
In a 2005 working document, the Article 29 Data Protection Working Party noted the capability of RFIDs to "surreptitiously collect a variety of data all related to the same person; track individuals as they walk in public places (airports, train stations, stores); enhance profiles through the monitoring of consumer behaviour in stores; read the details of clothes and accessories worn and medicines carried by customers".55
A subsequent policy framework for a 2006 European Commission workshop on RFID issues sought to identify the types of applications with privacy and data protection implications; address how proper usage of RFID technology can be ensured, including through self regulatory practices, additional legal provisions or other compliance mechanisms; and discuss privacy enhancing technologies for RFID deployment.56
Domestically, data commissioners have also moved on setting standards for use. For example, both Canadian Privacy Commissioner Jennifer Stoddart and Ontario Information and Privacy Commissioner Ann Cavoukian have developed industry guidelines and continue consulting industry and government on appropriate uses of RFID which may collect personal information.
European data commissioners in Germany (the Federal Commissioner), Italy and the United Kingdom have all issued detailed guidance on RFID use, with consumer consent required for continued activation of chips after a customer has purchased an RFID-equipped product, and express prohibitions on unauthorized monitoring of people’s movements.
Questions remain, however, about how effective such guidelines will be and whether widespread RFID deployment will indeed usher in an age of ubiquitous and invisible tracking, including use of such devices for police or security intelligence purposes.
Where to go from here?
- Are concerns about ubiquitous RFID tracking realistic or overblown as industry groups have repeatedly stated?
- Are voluntary guidelines or existing laws sufficient or do we need specific new laws to govern RFID use?
- Is specific technology—such as a mandatory "kill function" on RFID tags—required to protect public interests?
- Should individuals who refuse RFID tracking be legally entitled to equivalent non-RFID-based services and products?
Wi-Fi Positioning Systems: tracking wireless personal devices
"Wi-Fi" (short for wireless fidelity) is a term developed by the international Wi-Fi Alliance to describe wireless local area network products that are based on common technical standards and allow users of wireless devices to have broadband Internet communications in public areas or "hotspots".
According to the Wi-Fi Alliance, the number of Wi-Fi networks or public access "hotspots" is projected to reach 530,000 in the United States, almost 800,000 in Europe, and more than a million in Asia by 2007.57
Linked to the growing number of public places where people can use laptop computers and other wireless devices is the growth of Wi-Fi Positioning Systems (WPS), which can pinpoint the location of wireless devices to within 20 metres. One U.S. company, Skyhook Wireless, Inc., now has WPS coverage in major U.S. cities equating to 70 per cent of the U.S. population base, and is now expanding into Canada and Europe. Skyhook has also introduced Loki, a toolbar that provides location-based services to Wi-Fi users.
WPS can also be used inside buildings, where research suggests accuracy is possible to within one to three metres of a Wi-Fi equipped device.58 Intel has set a goal of developing one-metre accuracy for both indoor and outdoor applications.59
WPS works by measuring the time it takes for signals to travel from every Wi-Fi access point that responds to a device's initial "who's-there" request. The more access points there are in a geographic area, the more accurate the measurement will be. It takes about two seconds for WPS to compute a user’s location.
WPS has distinct advantages over other location technologies (including GPS) in dense urban locations as it does not require direct line of sight to a satellite. Some commercial services are being offered that combine both WPS and GPS, to provide ubiquitous location tracking in urban, suburban, rural and remote areas.
The privacy implications
The privacy concerns about the tracking capability have become more pronounced as municipal Wi-Fi systems are beginning to provide large-scale wireless access to the Internet in urban centres. The City of San Francisco’s announced plans for a municipal Wi-Fi system prompted questions from such privacy groups as the Electronic Frontier Foundation (EFF), American Civil Liberties Union (ACLU) and Electronic Privacy Information Center (EPIC). They asked "Will users be tracked from session to session, creating an archive of their online activity? Will the Wi-Fi service provider try to commercialize the data? Will the data be protected from interception by others?"60
At heart is the ability of corporate interests (in the case of civil suits), law enforcement and national security agencies to use location information to track and potentially uncover the identities of individuals seeking to preserve their privacy rights or even constitutionally protected rights of free speech. For example, civil society groups cite American courts as having recognized that Internet users "who have committed no wrong should be able to participate online without fear that someone who wishes to harass or embarrass them can file a frivolous lawsuit and thereby gain the power of the court’s order to discover their identities".62
With the heightened tension between privacy rights and security interests, the outstanding question in the case of municipal Wi-Fi systems is how far network operators will go to protect privacy interests in the face of legal demands to hand over location or other identifying information.
Other solutions to managing location privacy may result from the development of new privacy rules for location-emitting devices. The Internet Engineering Task Force (IETF) Geographic Location/Privacy Working Group (Geopriv WG) has created a set of standards for sending location information over the Internet that incorporates privacy rules. The PIDF-LO (Presence Information Data Format - Location Object) privacy rules are designed to give users of location-emitting devices some control over how long location information can be retained by a third party and whether consent is provided for retransmitting this information.63
In a recent article, John Morris, Director of the Center for Democracy & Technology (CDT) Internet Standards, Technology and Policy Project, who helped develop this standard, gives an example of how it might work. A wireless device user might send a message to a host server asking "Where is the closest Starbucks to where I am right now?" Depending on the user’s privacy settings, the host could be required to respond to this query and then immediately discard the location information.64
Development of a more robust privacy framework is underway which will, in theory, give users considerable control over who can access location information and for what purposes. At the same time, users could define how granular the information can be – for example, an exact location or just that the user is in a particular city. Mr. Morris explains, "Geopriv offers the opportunity to convey fairly robust and potentially complex privacy rules along with location information". However, he adds a caveat that applies to all location tracking technologies: "It can’t, however, provide guarantees that those rules will be honoured or followed in any given situation".65
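As an added illustration (not code from the Geopriv working group or from the article cited above), the following Python sketch shows how a recipient could apply the two PIDF-LO usage rules described here, retention expiry and retransmission consent, to a constructed sample object. The `LocationStore` class, its method names and the choice to retain nothing when no expiry is given are assumptions of this example; `now` must be a timezone-aware datetime.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"gp": "urn:ietf:params:xml:ns:pidf:geopriv10",
      "gml": "http://www.opengis.net/gml"}
GEO = ".//gp:geopriv/"
# Constructed sample object: entity, coordinates and date are made up.
SAMPLE = """<presence xmlns="urn:ietf:params:xml:ns:pidf"
    xmlns:gp="urn:ietf:params:xml:ns:pidf:geopriv10"
    xmlns:gml="http://www.opengis.net/gml" entity="pres:user@example.com">
 <tuple id="t1"><status><gp:geopriv>
  <gp:location-info><gml:Point><gml:pos>45.4215 -75.6972</gml:pos></gml:Point></gp:location-info>
  <gp:usage-rules>
   <gp:retransmission-allowed>no</gp:retransmission-allowed>
   <gp:retention-expiry>2007-09-26T14:00:00Z</gp:retention-expiry>
  </gp:usage-rules>
 </gp:geopriv></status></tuple>
</presence>"""

def parse_location_object(xml_text):
    """Return the position and the sender's usage rules from a PIDF-LO."""
    root = ET.fromstring(xml_text)
    pos = root.findtext(GEO + "gp:location-info/gml:Point/gml:pos", "", NS)
    lat, lon = map(float, pos.split())   # ValueError if there is no 2-D point
    retx = root.findtext(GEO + "gp:usage-rules/gp:retransmission-allowed", "", NS)
    exp = root.findtext(GEO + "gp:usage-rules/gp:retention-expiry", "", NS).strip()
    return {"pos": (lat, lon),
            # Anything but an explicit yes/true counts as "no".
            "retransmit": retx.strip().lower() in ("yes", "true", "1"),
            # Assumption of this sketch: no expiry stated means retain nothing.
            "expiry": datetime.fromisoformat(exp.replace("Z", "+00:00")) if exp else None}

class LocationStore:
    """Recipient-side store that applies each object's usage rules."""
    def __init__(self):
        self._items = {}

    def accept(self, key, xml_text, now):
        lo = parse_location_object(xml_text)
        if lo["expiry"] and lo["expiry"] > now:
            self._items[key] = lo      # kept only until retention-expiry
        return lo["pos"]               # available once, to answer the query

    def purge(self, now):
        gone = [k for k, lo in self._items.items() if lo["expiry"] <= now]
        for k in gone:
            del self._items[k]
        return gone

    def forward(self, key, now):
        """Position for a third party, or None when the rules forbid it."""
        self.purge(now)
        lo = self._items.get(key)
        return lo["pos"] if lo and lo["retransmit"] else None
```

Enforcement here sits entirely with the recipient, which is the caveat quoted above: the object carries its rules but cannot make a recipient run this check.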
Absent such rules or regulatory control of location information, there are profound societal consequences to enhanced location tracking, as A Report on the Surveillance Society points out:
"… the concern remains that consumer surveillance will continue to perpetuate and amplify social divides and sorting that is antithetical to democratic principles. Consumer surveillance then stands to increase as a ‘cybernetic triage’ separating consumers based on their presumed economic and political value rather than on their initiative and self-determination."
Not surprisingly, there are also profound differences in awareness and attitude towards location technologies and their privacy impacts based on age. Various researchers, for example the Pew Research Center, have found that teenagers and young adults embrace new technologies with more enthusiasm and have far less regard for privacy consequences.66 This suggests the emergence of a generation that is techno-savvy but unfazed by the Orwellian possibilities of location technology.
Where to go from here?
- How do we foster greater understanding of the privacy impacts of technologies such as Wi-Fi positioning systems?
- If there are cultural, social and age divides that affect user attitudes towards technology, how can such divides be factored into the social acceptance of the technology, its purposes and consent to its use?
- What role should privacy commissioners and civil society and privacy groups play in addressing location information privacy impacts?
The following documents are useful further reading on geo-tracking.
- A Report on the Surveillance Society, Kirstie Ball, David Lyon, David Murakami Wood, Clive Norris, Charles Raab, a report for the UK Information Commissioner by the Surveillance Studies Network, September 2006.
- Bigger Monster, Weaker Chains: The Growth of an American Surveillance Society, Jay Stanley and Barry Steinhardt, American Civil Liberties Union, January 2003.
- Location Technologies: Mobility, Surveillance and Privacy, David Lyon, Stephen Marmura and Pasha Peroff, The Surveillance Project, Department of Sociology, Queen’s University, Kingston, March 2005.
- On Your Tracks: GPS Tracking in the Workplace, Nanette Green Kaminski and William Tran, National Workrights Institute, Princeton, N.J., Feb. 2007.
- RFID Applications, Security and Privacy, Simson Garfinkel and Henry Holtzman, editors, Addison-Wesley, New Jersey, 2005.
- Spychips: how major corporations and government plan to track your every move with RFID, Katherine Albrecht and Liz McIntyre, Nelson Current, Tennessee, 2005.