How to avoid losing locational privacy


You’ve never heard the term before? Well, here’s what it is according to the Electronic Frontier Foundation (EFF): “Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use.”

In what ways could you be located and your location recorded? For one thing, security cameras have become ubiquitous; they’re in every parking garage, convenience store, liquor store, bank, and ATM, you name it. In some cities your passage is recorded by taking a snapshot of your vehicle license plate as you move through traffic intersections. The EFF notes that “…systems which create and store digital records of people’s movements through public space [are being] woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future.”

Here are some examples you might already be using or have read about:

  • Monthly transit swipe-cards
  • Electronic tolling devices (FastTrak, EZpass, congestion pricing)
  • Cellphones
  • Services telling you when your friends are nearby
  • Searches on your PDA for services and businesses near your current location
  • Free Wi-Fi with ads for businesses near the network access point you’re using
  • Electronic swipe cards for doors
  • Parking meters you can call to add money to, and which send you a text message when your time is running out

Perhaps you’ve heard about the new rage in apps that post your location to Twitter or Facebook? One of those is My Latitude, an application that lets you publish your Google Latitude position in your profile page. This is accomplished using the Google Latitude Public Badge. There’s another called Android Location Services for those phones. If you’re using any of those, you’re losing your locational privacy.

You may say, “So, what? What do I care if people know where I’m going? I’m not doing anything wrong.” Maybe so, in your eyes. But in the post-9/11 climate, there’s a hyper-sensitivity toward anything that could be construed as terrorist activity. Not only that, but anyone who may have it in for you could cause you no end of trouble. The EFF document provides this insight:

The systems discussed [in my previous post] have the potential to strip away locational privacy from individuals, making it possible for others to ask (and answer) the following sorts of questions by consulting the location databases:

  • Did you go to an anti-war rally on Tuesday?
  • A small meeting to plan the rally the week before?
  • At the house of one “Bob Jackson”?
  • Did you walk into an abortion clinic?
  • Did you see an AIDS counselor?
  • Have you been checking into a motel at lunchtimes?
  • Why was your secretary with you?
  • Did you skip lunch to pitch a new invention to a VC? Which one?
  • Were you the person who anonymously tipped off safety regulators about the rusty machines?
  • Did you and your VP for sales meet with ACME Ltd on Monday?
  • Which church do you attend? Which mosque? Which gay bars?
  • Who is my ex-girlfriend going to dinner with?

Are you beginning to get the idea? Pretty scary, if you ask me. So what do you do?


We can’t stop the cascade of new location-based digital services. Nor would we want to–the benefits they offer are impressive. What urgently needs to change is that these systems need to be built with privacy as part of their original design…

Our contention is that the easiest and best solution to the locational privacy problem is to build systems which don’t collect the data in the first place.

How is that possible? I’ll tell you in How!

I’ve shown how the EFF recommends building location systems which don’t collect the data in the first place. How is that accomplished? Cryptographic protocols. One of these is electronic cash. Electronic cash refers to a means by which an individual can pay for something using a special digital signature which is anonymous but which guarantees the recipient that they can redeem it for money; it acts just like cash! Transfer of money at places like toll booths and fuel pumps would not be tied to any specific individual.

Another approach would involve the use of anonymous credentials for certain types of passes and access cards. The EFF document provides an explanation:

These give [a person] a special set of digital signatures with which he can prove that he is entitled to enter the [restricted location] (i.e. prove you’re a paying customer) or get on the bus. But the protocols are such that these interactions can’t be linked to him specifically and moreover repeated accesses can’t be correlated with one another. That is, the [restricted location] knows that someone authorized to enter has come by, but it can’t tell who it was, and it can’t tell when this individual last came by. Combined with electronic cash, there are a wide-range of card-access solutions which preserve locational privacy.
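As an added illustration (not from the original post or the EFF document), here is a Chaum-style RSA blind signature, one classical construction behind both the electronic cash and the single-use anonymous passes described above; the post does not say which protocol is meant. The key is a constructed toy and the names `Gate` and `explaining_factor` are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key built from two Mersenne primes: trivially factorable,
# for illustration only. Real deployments use a vetted library and padding.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(token: bytes) -> int:
    """Map a token serial number into Z_N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token: bytes):
    """User: hide the token hash behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: bill the account, then sign. It only ever sees `blinded`."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User: strip r, leaving an ordinary RSA signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(token: bytes, sig: int) -> bool:
    """Gate: check the issuer's signature using the public key only."""
    return pow(sig, E, N) == h(token)

def explaining_factor(blinded: int, token: bytes) -> int:
    """Every (blinded, token) pair has some r linking them, so the issuer's
    log of blinded values cannot single out which token it signed."""
    return pow(blinded * pow(h(token), -1, N) % N, D, N)

class Gate:
    """Toll booth or door reader: accepts each valid token once, stores no identity."""
    def __init__(self):
        self.spent = set()

    def admit(self, token: bytes, sig: int) -> bool:
        if token in self.spent or not verify(token, sig):
            return False
        self.spent.add(token)  # only the random serial is kept, to stop reuse
        return True
```

The issuer knows who bought a token but never sees its serial; the gate sees the serial but never learns who bought it, and a rider who uses a fresh token per trip leaves records that cannot be correlated with each other.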

Of course, these aren’t the only solutions (though they may become the only ones that are reliable). There is also good old data retention and erasure. If there is no real need to keep location data beyond a short period of time, then it should be deleted. The problem with that approach is that companies that acquire locational data have incentives to keep it. Picture a third-party advertising service that automatically feeds you advertising about local businesses based on where you are logged in. The data about your movements about town and the planet are valuable demographics to use in highly targeted ad campaigns.

In the end, the real concern is with government:


…there’s no guarantee that a government won’t suddenly pass a law requiring … companies and government agencies to keep all of their records for years, just in case the records are needed for “national security” purposes. This last concern isn’t just idle paranoia: this has already happened in Europe, and the [United States] Government has toyed with the same idea…

In the long run, the decision about when we retain our location privacy (and the limited circumstances under which we will surrender it) should be set by democratic action and lawmaking.

Indeed.

About the Author

Ken Harthun

Ken is our resident security expert with years of experience in the field. He can also carry a tune as an accomplished musician. Ken has written for many publications and presently is a contributor to IT Knowledge Exchange.