Precedent (Australian Lawyers Alliance)
Website and app developers routinely collect location data. This data is so rich and revealing of patterns of movement and behaviour that, notwithstanding an absence of direct identifiers like name or address, location data alone can often at least individuate, if not also lead to the identification of, individuals.
This article will outline the types of data collected, the harms that might flow to individuals as a result, and when location data is (and is not) regulated by privacy laws. In particular, recent law reform developments will be examined to illustrate the need for Australian legislation to be updated so that it includes the notion of individuation, as well as identification, as potential vectors for privacy harm.
The advent of mobile phones enabled telephony providers to track our location and movements for the first time. With the shift to smartphones, that information has spread well beyond just our phone providers; many smartphone applications (apps) use a mixture of GPS, Bluetooth and Wi-Fi signals to pinpoint locations whenever we carry our phones.
A global ‘sweep’ of more than 1,200 mobile apps by privacy commissioners around the world in 2014 found that three-quarters of all the apps examined requested one or more permissions; the most common was location.[1] Disturbingly, 31 per cent of apps requested information that was not relevant to the app’s stated functionality. A prominent example was a torch app which tracked users’ precise location and sold that data to advertisers.[2] More recently, a scan of 136 COVID-19-related apps for the Defcon security conference found that three-quarters of the apps asked for location data, even those whose stated functionality was simply to monitor the user’s symptoms.[3]
In other cases, apps might use location data for the stated purpose of the app. For example, the Muslim prayer app Salaat First, in addition to reminding its users when to pray, highlights where their closest mosque is and shows which direction to turn in order to face Mecca. However, such apps may also be recording users’ granular location information, and selling it on to a data broker (which may in turn sell the information to law enforcement or security agencies as well as to commercial firms), without the user’s knowledge or consent.[4]
It is not only the apps we install on our mobile phones that can track our location. Bluetooth signals emitted by wearable devices can be collected by third parties and venues such as shopping centres and airports (or, briefly, by rubbish bins in London),[5] which use media access control (MAC) addresses – unique device identifiers broadcast by the devices – to detect how populations are moving within a space and to identify repeat visitors.[6]
Bluetooth beacons can also be used to link online advertising to offline transactions. Having purchased MasterCard transaction data in the US to better tie offline purchases to online advertisements,[7] Google offers advertisers the ability to see whether an ad click or video view results in an in-store purchase within 30 days.[8] Connecting to shopping centre Westfield’s free WiFi involves agreeing to a set of terms and conditions which include linking the mobile device ID with the individual’s WiFi use.[9]
Location data is highly granular. One study suggested that four points of geolocation data alone can potentially uniquely identify 95 per cent of the population.[10] Mark Pesce, a futurist, inventor and educator, has described the geolocation data collected by and broadcast from our smartphones as ‘almost as unique as fingerprints’.[11]
Data showing where a person has been may reveal not only the obvious, such as where they live and work and who they visit, but also potentially sensitive information such as visits to a church or a needle exchange, a strip club or an abortion clinic. Some app-makers claim they can even tell which floor of a building people are on.[12]
A recent example is the analysis conducted by Singaporean company Near on the movements of workers at an abattoir in Melbourne, which was the centre of an outbreak during the first COVID-19 lockdown period in early 2020. Near claimed that it could track this small cohort of workers to specific locations, including shops, restaurants and government offices.[13] Near uses ‘anonymous mobile location information’ collected ‘by tapping data collected by apps’ to provide insight into the precise movements of individuals, in order to offer advertisers ‘finer slices of audiences to reach highly qualified prospective customers’.[14] It boasts of having ‘the world's largest data set of people’s behavior [sic] in the real-world’, consisting of 1.6 billion ‘users’ across 44 countries, and processing 5 billion events per day.[15]
Location information can then be used to target individuals. For example, anti-abortion activists use geo-fencing to target online ads at women as they enter abortion clinics.[16] Near has reported that it could target individuals with messaging about the Australian Government’s COVIDSafe app: ‘We can support app adoption, saying to someone you’ve been to a postcode or a high-risk area and encourage them to download the app. That’s quite easy to do’.[17] This is despite the company’s claim that its data is ‘anonymized [sic] to protect privacy’.[18]
None of these technologies – or their ability to impact on people’s private lives or autonomy – depend on the identifiability of the data subject. Digital platforms, publishers, advertisers, ad brokers and data brokers claim to work outside the reach of privacy laws because the data in which they trade is ‘de-identified’, ‘anonymised’ or ‘non-personal’.[19]
In response to such claims of protecting privacy through anonymity, the New York Times’ Privacy Project used publicly available information about people in positions of power, linked with a dataset of location data drawn from mobile phone apps. The dataset included 50 billion location pings from the phones of more than 12 million Americans in Washington, New York, San Francisco and Los Angeles. The result was highly invasive:
‘We followed military officials with security clearances as they drove home at night. We tracked law enforcement officers as they took their kids to school. We watched high-powered lawyers (and their guests) as they traveled [sic] from private jets to vacation properties. ... We wanted to document the risk of underregulated surveillance. ... Watching dots move across a map sometimes revealed hints of faltering marriages, evidence of drug addiction, records of visits to psychological facilities. Connecting a sanitized [sic] ping to an actual human in time and place could feel like reading someone else’s diary.’[20]
Whether or not any particular piece of data meets the definition of ‘personal information’ is a threshold legal issue for the operation of most privacy and data protection laws (referred to throughout this article collectively as ‘data privacy laws’) around the world. The definition of ‘personal information’ (or its equivalents, such as ‘personal data’) determines the boundaries of what is regulated and protected by the privacy principles and the data subject rights that follow.[21]
Privacy principles, tempered by exceptions for some scenarios, set out the obligations of regulated entities when they are handling personal information. And data subject rights create actionable rights for individuals in relation to the personal information held about them.
The key limitation is that almost all data privacy laws only offer legal protection to individuals who are ‘identifiable’. For example, the Australian Privacy Act 1988 (Cth) turns on the definition of ‘personal information’, which is:
‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not [emphasis added].’[22]
Yet the richness of location data in particular, along with advances in data analytics and the predictive capabilities of machine learning and artificial intelligence technologies, is creating new challenges for the law’s ability to draw a clear line between what is ‘personal information’ and what is not.[23]
Data privacy laws do not exist to protect data, but to protect people. It is the people who can be singled out because of data, and then tracked, profiled, targeted and even manipulated, who matter.
The assumption upon which most data privacy laws rest is that identifiability is the key to harm: for example, ‘the underlying conceptual focus of defining personal information in Australian privacy laws regards the revealment of identity as the social harm to be protected’.[24] In other words, the assumption is that no harm can befall an individual from the handling of their personal information if they cannot be identified from the data; that information which might otherwise cause embarrassment, humiliation, or physical, psychological or financial risks cannot cause such harms if no one knows whom the information is about.
However, in the 21st century, that assumption is no longer true. The digital environment has turned on its head the assumption that identifiability – in the sense of knowing a person’s concrete or legally verifiable ‘identity’ – is the only vector for privacy harm. As the Office of the Australian Information Commissioner has noted, ‘harm can be caused by just knowing attributes of an individual, without knowing their identity’.[25]
A number of case studies illustrate how the public release of location data about individuals whose identity was unknown even to the data collector can enable groups or individuals to be singled out for targeting. In each case the dataset had purportedly been ‘de-identified’ but each release created the possibility of serious privacy harms, including physical safety risks for some individuals in the dataset.
One disturbing recent example is the finding that publicly disclosed, de-identified data about public transport cards used in the city of Melbourne could be used to find patterns showing young children travelling without an accompanying adult. Those children could be targeted by a violent predator as a result, without the perpetrator needing to know anything about the child’s identity.[26]
In March 2014, the New York City Taxi & Limousine Commission released data recorded by taxis’ GPS systems.[27] The dataset covered more than 173 million individual taxi trips taken in New York City during 2013. The FOI applicant used the data to create a visualisation of a day in the life of a NYC taxi,[28] and published the raw data online for others to use. It took computer scientist Vijay Pandurangan less than one hour to re-identify each vehicle and driver for all 173 million trips.[29] Then postgraduate student Anthony Tockar found that the geolocation and timestamp data alone could potentially identify taxi passengers. Using other public data like celebrity gossip blogs, he was able to determine where and when various celebrities got into taxis, thus identifying exactly where named celebrities went, and how much they paid.[30] Tockar also developed an interactive map showing the drop-off address for each taxi trip that had begun at a notorious strip club. The same could be done to identify the start or end point for each taxi trip to or from an abortion clinic or a mosque, and to target the individuals living at the other addresses as a result – without ever needing to learn their identity.
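The ‘four points’ finding cited earlier and the taxi linkage described in the paragraph above both come down to one measurable property of a released dataset: how many records are pinned down by a handful of (time, place) facts. The Python script below is an added example, not code from this article or from any of the studies it cites. It runs on a constructed dataset of 200 pseudonymous location traces (the pseudonym labels, the anchor coordinates and the three release resolutions are all assumptions made for the example) and reports, at the raw resolution and at two coarsened ones, what share of traces is singled out by one to four of their own points, and what share of individual points is unique on its own, the kind of point a single external observation can be matched against. This is the check a privacy engineer would run on a dataset before accepting a claim that it has been ‘de-identified’.

```python
"""
Uniqueness audit for a pseudonymous location dataset.

Added example, not code from the article or from the studies it cites.
It builds a small constructed dataset of traces keyed only by a pseudonym,
then measures (a) how often a few (time, place) points single out one
pseudonym, and (b) how many single points are unique on their own, and
shows coarsening of time and space before release as the mitigation.
"""
import math
import random
from collections import defaultdict

MINUTES_PER_WEEK = 7 * 24 * 60


def make_traces(n_users=200, points_per_user=30, seed=7):
    """Constructed sample data: each pseudonym gets points (minute_of_week, lat, lon)
    scattered around two anchor locations standing in for 'home' and 'work'."""
    rng = random.Random(seed)
    traces = {}
    for u in range(n_users):
        anchors = [(rng.uniform(-37.9, -37.7), rng.uniform(144.9, 145.1)) for _ in range(2)]
        pts = []
        for _ in range(points_per_user):
            lat, lon = rng.choice(anchors)
            pts.append((rng.randrange(MINUTES_PER_WEEK),
                        lat + rng.gauss(0, 0.002),
                        lon + rng.gauss(0, 0.002)))
        traces[f"pseudonym-{u:03d}"] = pts      # assumed label format
    return traces


def generalise(point, minutes, cell_deg):
    """Coarsen one point to a (time bucket, lat cell, lon cell) key."""
    t, lat, lon = point
    return (t // minutes, math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def build_index(traces, minutes, cell_deg):
    """Map each coarse key to the set of pseudonyms that have a point there."""
    index = defaultdict(set)
    for pid, pts in traces.items():
        for p in pts:
            index[generalise(p, minutes, cell_deg)].add(pid)
    return index


def uniqueness_curve(traces, max_points, minutes, cell_deg, seed=1):
    """For k = 1..max_points, the fraction of pseudonyms singled out by k of
    their own points: the candidate set is the intersection of the pseudonyms
    seen at each point's coarse key. The same sample is reused for every k,
    so each extra point can only shrink the candidate set."""
    rng = random.Random(seed)
    index = build_index(traces, minutes, cell_deg)
    singled_out = [0] * max_points
    for pid, pts in traces.items():
        sample = rng.sample(pts, max_points)
        candidates = set(traces)
        for k, p in enumerate(sample):
            candidates &= index[generalise(p, minutes, cell_deg)]
            if len(candidates) == 1:   # only the trace's own pseudonym remains
                singled_out[k] += 1
    return [c / len(traces) for c in singled_out]


def singleton_point_share(traces, minutes, cell_deg):
    """Fraction of all points whose coarse key belongs to exactly one pseudonym.
    Such a point can be matched to its owner from one outside observation of
    that time and place (a dated photo, a blog post, a known event)."""
    index = build_index(traces, minutes, cell_deg)
    total = sum(len(pts) for pts in traces.values())
    singles = sum(1 for pts in traces.values() for p in pts
                  if len(index[generalise(p, minutes, cell_deg)]) == 1)
    return singles / total


def audit(traces):
    """Run the audit at three assumed release resolutions."""
    settings = {
        "raw (1 min, ~100 m cells)": (1, 0.001),
        "hourly, ~1 km cells":       (60, 0.01),
        "daily, ~10 km cells":       (24 * 60, 0.1),
    }
    return {label: (uniqueness_curve(traces, 4, m, c), singleton_point_share(traces, m, c))
            for label, (m, c) in settings.items()}


if __name__ == "__main__":
    for label, (curve, share) in audit(make_traces()).items():
        by_k = ", ".join(f"{k + 1} pt: {v:.0%}" for k, v in enumerate(curve))
        print(f"{label:26s} singled out with {by_k}; unique single points: {share:.0%}")
```

On the constructed data the raw resolution singles out essentially every trace from one or two points, and hourly buckets over roughly 1 km cells change little; only daily buckets over roughly 10 km cells bring the figures down, at the cost of most of the data’s usefulness. That trade-off is why stripping names from location data does not by itself stop the individuation this article is concerned with.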
The release of Strava fitness data in 2017[31] famously led to a student pointing out that the heat maps could be used to locate sensitive military sites, because military personnel often jog routes just inside the perimeter of their base.[32] Others have noted that the heat map highlighted patterns of road patrols out of military bases in combat zones including those in Afghanistan, Iraq, and Syria.[33] Further, a Strava user has explained how she discovered that her workout routes were accessible to (and commented on by) strangers, even though she had used the privacy settings in the app to prevent public sharing of her data or identity.[34]
If the objective of data privacy laws is to protect people’s privacy, those laws need to grapple with a broader view of the types of practices that can harm privacy – regardless of whether an individual’s identity is known or revealed.
Much effort is expended by advertisers and others wishing to track people’s movements and behaviours, whether offline or online, in convincing privacy regulators and consumers that their data is non-identifying and that therefore there is no cause for concern. Whether in double-blind data matching models or through the use of homomorphic encryption to compare data from multiple different sources (the sharing of which would be prohibited if the data was ‘identifiable’), the current obsession is how to avoid identifying anybody, so that the activity can proceed unregulated by data privacy laws.
Instead, the focus should be on how to avoid causing harm to individuals.
If the end result of an activity is that an individual can be individuated from a dataset, such that they could, at an individual level, be tracked, profiled, targeted, contacted, or subject to a decision or action that impacts upon them, that is a privacy harm they may need protecting against. Note that whether or not any particular conduct should then be prevented by the application of data privacy laws will depend on the context; for example, an intervention for fraud prevention or crime detection is a different proposition to online behavioural advertising. It is within the more detailed privacy principles that each data privacy law defines the allowable purposes for the collection, use or disclosure of personal information.
In the digital environment, ‘not identified’ is no longer an effective proxy for ‘will suffer no privacy harm’. Individuation should be anticipated by, and explicitly built into, data privacy laws as well.
Newer privacy statutes are moving towards embracing individuation, as well as identification, within their definitions of personal information or personal data:
• The 2016 European General Data Protection Regulation refers to ‘singling out’ in Recital 26, although whether or not individuation without leading to identification is within the scope of this phrase is a matter of some debate.[35]
• The 2017 Information Security Standard in China, which fleshes out the expectations of how the 2016 Cybersecurity Law applies in practice, incorporates data which ‘can reflect the activities of a natural person [emphasis added]’. Privacy academic Professor Graham Greenleaf and IP lawyer Scott Livingston describe this second possible element as ‘a fairly expansive broadening away from information that “identifies” an individual to any information that may “reflect” a specific person (without necessarily identifying) them’. Greenleaf and Livingston further suggest that the effect is to regulate data, ‘which gives the organisation the capacity to interact with a person on an individuated basis’ using data which does not necessarily enable the data subject to be identifiable.[36]
• The 2018 California Consumer Privacy Act expressly includes, within its definition of personal information, data which is ‘capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household [emphasis added]’;[37] and includes within its definition of ‘unique identifier’: ‘a persistent identifier that can be used to recognize [sic] a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier [emphasis added]’.[38]
• The 2019 Nigerian data protection regulation explicitly defines ‘identifiable information’ to include ‘information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in a context [emphasis added]’ within its definition of ‘personal data’.[39]
• The 2019 international standard on Privacy Information Management, ISO 27701, incorporates data which could be ‘directly or indirectly linked’ to an individual, regardless of whether the individual can be identified, within its definition of ‘personally identifiable information’.[40]
Lawyers advising clients who may have been harmed by the use of their data should be sceptical of claims that data has been ‘de-identified’ to the point that no individual is reasonably identifiable from it.
Location data in particular is so rich and revealing of patterns of movement and behaviour that, notwithstanding an absence of direct identifiers like name or address, it can often at least individuate, if not also lead to the identification of, individuals.
While the Australian Privacy Act is currently under review, including in relation to the definition of ‘personal information’,[41] other data privacy laws around the world have already incorporated a broader test for what should be within the scope of privacy protection, moving beyond identification as the only threshold criterion towards also regulating practices that can individuate an individual.
This is a revised version of an article previously published in the Privacy Law Bulletin 17.6 (September 2020).
Anna Johnston is the founder and Principal of Salinger Privacy, a specialist privacy consulting and training firm, and the author of Demystifying De-identification and Algorithms, AI, and Automated Decisions – A guide for privacy professionals. EMAIL anna@salingerprivacy.com.au.
[1] Office of the Privacy Commissioner of Canada, ‘From APP-laudable to dis-APP-ointing, global mobile app privacy sweep yields mixed results’ (9 September 2014) <https://www.priv.gc.ca/en/blog/20140909/>.
[2] See Federal Trade Commission, ‘Android flashlight app developer settles FTC charges it deceived consumers’ (Media release, 5 December 2013) <https://www.ftc.gov/news-events/press-releases/2013/12/android-flashlight-app-developer-settles-ftc-charges-it-deceived>.
[3] L Hautala, ‘COVID-19 contact tracing apps create privacy pitfalls around the world’, CNet (8 August 2020) <https://www.cnet.com/news/covid-contact-tracing-apps-bring-privacy-pitfalls-around-the-world/>.
[4] J Cox, ‘Leaked location data shows another Muslim prayer app tracking users’, Motherboard (12 January 2021) <https://www.vice.com/en/article/xgz4n3/muslim-app-location-data-salaat-first>.
[5] CBS News, ‘U.K. bars trash cans from tracking people with Wi-Fi’ (12 August 2013) <https://www.cbsnews.com/news/uk-bars-trash-cans-from-tracking-people-with-wi-fi/>.
[6] J Polonetsky and E Renieris, Privacy 2020: 10 Privacy Risks and 10 Privacy Enhancing Technologies to Watch in the Next Decade (Future of Privacy Forum Whitepaper, January 2020) 4, <https://fpf.org/wp-content/uploads/2020/01/FPF_Privacy2020_WhitePaper.pdf>.
[7] See BBC News, ‘Google and Mastercard in credit card data deal’ (31 August 2018) <https://www.bbc.co.uk/news/technology-45368040>.
[8] See <https://support.google.com/google-ads/answer/6190164?hl=en-GB>.
[9] See <https://www.westfield.com.au/terms-and-conditions#wi-fi-terms-of-use-and-privacy-terms>.
[10] Y de Montjoye, CA Hidalgo, M Verleysen and VD Blondel, ‘Unique in the crowd: The privacy bounds of human mobility’, Scientific Reports, No. 1376, March 2013, <https://www.nature.com/articles/srep01376?ial=1>.
[11] Mark Pesce was keynote speaker at the OAIC Business Breakfast for Privacy Awareness Week in May 2015; this quote is from the author’s contemporaneous notes from the event.
[12] D Pierce, ‘Location is your most critical data, and everyone's watching’, Wired (27 April 2015) <https://www.wired.com/2015/04/location/>.
[13] See Near, ‘Workers tracked 20km from infected abattoir’ (18 May 2020) <https://blog.near.co/news/workers-tracked-20km-from-infected-abattoir/>.
[14] See Near, ‘We know which suburb eats more pizza by analysing data from 15 million Australians’ (17 June 2019) <https://blog.near.co/news/we-know-which-suburb-eats-more-pizza-by-analyzing-data-from-15-million-australians/>.
[15] See <https://near.co/data/>.
[16] S Coutts, ‘Anti-choice groups use smartphone surveillance to target “abortion-minded women” during clinic visits’, Rewire News Group (25 May 2016) <https://rewirenewsgroup.com/article/2016/05/25/anti-choice-groups-deploy-smartphone-surveillance-target-abortion-minded-women-clinic-visits/>.
[17] See Near, above note 13.
[18] Ibid.
[19] Dr K Kemp, Submission in Response to the Australian Competition and Consumer Commission Ad Tech Inquiry Issues Paper (Submission, 26 April 2020) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3587239>.
[20] SA Thompson and C Warzel, ‘Twelve million phones, one dataset, zero privacy’, New York Times (19 December 2019) <https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html>.
[21] I do note some exceptions, such as the European ePrivacy Directive, which is not limited in its scope to ‘personal data’; and some Asian laws such as Japan’s which can apply obligations to de-identified data as well as to identifiable data.
[22] Privacy Act 1988 (Cth), s6(1).
[23] Office of the Victorian Information Commissioner, Artificial Intelligence and Privacy: Issues and Challenges (Issues paper, August 2018) 8–9, <https://ovic.vic.gov.au/wp-content/uploads/2021/04/Artificial-Intelligence-and-Privacy-Issues-And-Challenges.docx>.
[24] M Burdon and P Telford, ‘The conceptual basis of personal information in Australian privacy law’, Murdoch University Electronic Journal of Law, 2010, Vol. 17, No. 1, 27.
[25] Office of the Australian Information Commissioner, ‘What is personal information?’ (5 May 2017) 21, <https://www.oaic.gov.au/agencies-and-organisations/guides/what-is-personal-information>.
[26] Dr C Culnane, Associate Professor B Rubinstein, and Associate Professor V Teague, ‘Two data points enough to spot you in open transport records’, Pursuit, University of Melbourne (15 August 2019) <https://pursuit.unimelb.edu.au/articles/two-data-points-enough-to-spot-you-in-open-transport-records>.
[27] C Whong, ‘FOILing NYC’s taxi trip data’ (18 March 2014) <https://chriswhong.com/open-data/foil_nyc_taxi/>.
[28] Available at <https://chriswhong.github.io/nyctaxi/>.
[29] V Pandurangan, ‘On taxis and rainbows: Lessons from NYC’s improperly anonymized taxi logs’, Medium (22 June 2014) <https://tech.vijayp.ca/of-taxis-and-rainbows-f6bc289679a1>.
[30] A Tockar, ‘Riding with the stars: Passenger privacy in the NYC taxicab dataset’, Neustar (15 September 2014) <https://agkn.wordpress.com/2014/09/15/riding-with-the-stars-passenger-privacy-in-the-nyc-taxicab-dataset/>.
[31] See D Robb, ‘Building the global heatmap’, Medium (1 November 2017) <https://medium.com/strava-engineering/the-global-heatmap-now-6x-hotter-23fc01d301de>.
[32] Nathan Ruser pointed out his finding on Twitter. See <https://twitter.com/Nrg8000/status/957318498102865920>.
[33] A Thomas, ‘No place to hide: Privacy implications of geolocation tracking and geofencing’, SciTech Lawyer, Vol. 16, No. 2, American Bar Association, 17 January 2020.
[34] R Spinks, ‘Using a fitness app taught me the scary truth about why privacy settings are a feminist issue’, Quartz (1 August 2017) <https://qz.com/1042852/using-a-fitness-app-taught-me-the-scary-truth-about-why-privacy-settings-are-a-feminist-issue/>.
[35] M Paterson and M McDonagh, ‘Data Protection in an era of big data: The challenges posed by big personal data’, Monash University Law Review, Vol. 44, No. 1, 2018, 16; Dr F J Zuiderveen Borgesius, ‘Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection Regulation’, Computer Law & Security Review, Vol. 32, No. 2, April 2016, 256–71; and Professor Wachter and Dr Mittelstadt, ‘A right to reasonable inferences: Re-thinking data protection law in the age of big data and AI’, Columbia Business Law Review, No. 1, 2019.
[36] G Greenleaf and S Livingston, ‘China’s personal information standard: The long march to a privacy law’, Privacy Laws & Business International Report, Vol. 150, 2017, 25–8.
[37] California Consumer Privacy Act 2018, s1798.140(o)(1).
[38] Ibid, s1798.140(o)(1)(x).
[39] Nigeria Data Protection Regulation 2019.
[40] ISO, ISO/IEC 27701:2019, <https://www.iso.org/standard/71670.html>.
[41] See Australian Government, Attorney-General’s Department, Review of the Privacy Act 1988, <https://www.ag.gov.au/integrity/consultations/review-privacy-act-1988>.
URL: http://www.austlii.edu.au/au/journals/PrecedentAULA/2021/50.html