The introduction of mobile location services not only paved the way for potential benefits for the users but it also resulted in a number of additional issues, out of which privacy protection is termed as the most critical one.
 
The resulting initiatives from mobile location services can become extremely intrusive and even put at risk the privacy of a mobile user's personal data.
 
In order to know more about privacy challenges, TheWhereBusiness' Correspondent Ritesh Gupta spoke to Stephen Deadman head of Legal - Privacy, Security & Content Standards, Vodafone Group Services Limited. Excerpts:
 
Ritesh Gupta: Can you provide an insight into privacy challenges as of today?
 
Stephen Deadman: Since the first geo-location services emerged back in the early 2000s, they have raised concerns about privacy. The primary concern has been with unauthorised surveillance, i.e. enabling others to track you without your knowledge or approval. Not only is your location at any point in time particularly personal to you - because your location can reveal a great deal about you and who you associate with - but it also invokes concerns about the potential for unwanted physical contact and hence risks to personal safety and security.  The area where this has been of most concern is in respect of children.  Services that enable a user to be located by another we refer to as `passive' location services, meaning that the locatee is essentially a passive participant in the process of being located. Services where a user is locating themselves, e.g. in order to find a nearby café, etc, we refer to as `active', because the user is actively seeking their own location. It was concerns with passive services, particularly around child safety, that triggered the mobile industry in the UK to respond with the first self-regulatory Code of Practice for location services in 2004.
 
In this early stage of the development of location services, the only viable source of location data was from mobile operators, and the capability of the platforms and devices most users were using were limited. In the last few years, however, we have seen a number of important developments, with the consequence that location services have begun to achieve the levels of sophistication and take up that were predicted in the early years. For instance:
 
?          alternative sources of location information to cellular location are now freely and widely available - GPS , WiFi, open cell ID, etc.
?          the advance of the smart-phone, providing third party application developers with open platforms they can write for and a radically improved user experience for users to discover interesting applications and run them on their devices; and
?          the proliferation of the app stores, enabling developers to directly reach the end user, increasingly with billing and charging capabilities enabling developers to easily monetize their apps.
 
One of the interesting trends as a result of these developments is that location is increasingly an enhancement to other, existing services, particularly social media apps, rather than a service in itself, such as navigation. And it is in this area of social applications and services where important challenges lie ahead.
 
The ability for users to share their location with others could blur, in some people's minds, the distinction between what I have described as `passive' and `active' services.  Where users actively connect with and share with other users, the sharing of location is still really an active service, but with a social component, i.e. I seek my own location, then I choose to share that location with others. I refer to this `active social' location.
 
With passive services the focus of self-regulatory efforts has been to ensure that the person being located is adequately informed and has consented to being located - this was the approach with the UK Code of Practice. But with active social location services, it's the user who is choosing to share their location. Hence, the focus should be less on passive controls such as consent, and more about designing apps and services with user friendly and intuitive controls and defaults to ensure that users don't unwittingly share too much and have adequate control over how these features are used. The issue therefore becomes more about application or service design, rather than the traditional, and somewhat legalistic, notions of `notice and consent'.  
 
RG: It is acknowledged that the legal framework for processing location data generated in positioning systems, including LBS, is very complex indeed. With three European Directives that partially overlap, using not mutually exclusive definitions of personal data, traffic data, and location data, it is a Herculean task to determine which legal provisions apply when LBS providers process location data. How do you assess the situation?
 
SD: The legal framework is complicated, but so is the way location aware services and technology have evolved. The key question is to firstly understand what type of location information we are talking about. For instance, location information can be derived from multiple sources - mobile location (derived from a mobile operator's core network), GPS, WiFi location, open cell ID, and so on.
 
Different types of data can give rise to different consequences under the EU legal framework. For instance, Article 9 of the ePrivacy Directive (2002/58/EC) regulates `location data' that is generated by the mobile network. But this will not apply to GPS location information, even if carried over a mobile connection, which has nothing really to do with a cellular network.
 
Even if the ePrivacy Directive does not apply, there is the question of whether the general Data Protection Directive (95/46/EC) applies. This really turns upon the question of whether the location information in question, and any associated information, is `personal data'. This is likely to be the case for many personal location services where the location information is associated with an identity for the person being located (even if that is not a `real world' identity). But also bear in mind that there are a number of location services that I would describe as `non-personal' location services. For example, services that use location data to monitor footfall through an area (a mall for example) or traffic volumes along a stretch of motorway. These types of services don't link location with a discrete individual, or identity, and so shouldn't raise concerns under data protection or privacy law if designed in the right way.
 
Similarly, truly anonymous location services should not cause concerns from a privacy perspective; but a word of caution here - the notion of anonymity is particularly hazardous when dealing with the physical locations of persons.  For example, if you look at my location traces over the course of a week, you can pretty quickly work out where I live. (it's where I end up at the end of most days and turn my phone off). Coupled with my movements throughout the day, you could take a guess at who I work for. Those two pieces of information would often be enough for you to identify me from other publicly available sources of data. Where we go tells anyone interested a lot of information about us.
 
To complicate matters a bit further, even if the data that is being collected is `personal data', it doesn't automatically follow that the relevant application provider is responsible for that data under applicable data protection law. That is only likely to be the case if the provider is exercising control over that data, meaning that the provider is determining the purposes and means of processing that data. So for instance, if an application provider provides an application that enables a user to obtain their own location using the GPS module in their mobile device, and then to share that location (perhaps along with other personal details that they may have uploaded to the app or service) with their friends, who is the controller of that data? It certainly isn't clear that it would always be the app provider - and this is a subject that European privacy authorities have recently struggled to get to grips with.
 
RG: It is said that apart from the difficulties arising from the sheer complexity of the legal framework, there are also problems with respect to unclear definitions and unresolved legal questions. What's your take on this?
 
SD: Undoubtedly there are aspects of the legal framework that are unclear. But really it's the fact that services and technology have evolved around the regulatory framework.  So, while there is some regulation of location services - the ePrivacy Directive - this now largely misses the target, because it's based on an assumption that location data would derive from, and be controlled by, mobile operators. In fact, with a variety of positioning technologies now available, location information has almost become `ambient', a part of our technological environment. These types of technology are not subjected to the regime under the ePrivacy Directive.
 
And even when you look at the general data protection regime under the Data Protection Directive, it is often difficulty to determine whether an application or service is caught, because of questions about whether any particular provider is subject to EU data protection and privacy laws at all where it is established outside the EU.
 
The Navigation & Location Summit Europe 2010
 
Vodafone Group Services Limited's Stephen Deadman is scheduled to speak at The Navigation & Location Summit Europe 2010 to be held in Berlin (15-16 June) this year. For more information, click here:
 
or contact:
 
Helen Raff
General Manager
TheWhereBusiness
+44 (0) 207 375 7582 (UK)
This e-mail address is being protected from spam bots, you need JavaScript enabled to view it