What is location data? According to Information Commissioner`s Office, location data is “any data processed in an electronic communications network or by an electronic communications service indicating the geographical position of the terminal equipment of a user of a public electronic communications service, including data relating to—
(f) the latitude, longitude or altitude of the terminal equipment;
(g) the direction of travel of the user; or
(h) the time the location information was recorded”.
In this case we are talking about personal information which can be gathered anywhere by using mobile apps, accessing free Wi-Fi, sharing photos with friends and etc.
Our Turtler Team requested privacy experts to share their thoughts about this issue and asked them these questions:
- Why should people care about their location data and safeguard it?
- What possible things could ever happen if location and tracking data gets into the wrong hands?
- What should people and companies do to minimize the risk?
So, let`s see what they have answered.
1. Why should people care about their location data and safeguard it?
"It is not widely recognised but it can take just 4 locations to specifically identify an individual from their locations (study, actual study). Knowing a person’s location data can identify elements of their character or behaviours that they may prefer to keep private. For example, that the individual attends church regularly, or a diet club or AA meeting", - says Mr. Mike Martin from Griffin House Consultancy. Mr. Martin is a qualified and experienced Data Professional and co-founded ADMAR Support Services in 1990 after leaving the Metropolitan Police where he worked at New Scotland Yard as a civilian.
"Location data can be used as an identifier and therefore, depending on the context, can positively identify an individual. If you think about how most of our everyday services are enabled by location data, it can be easily understood how your location can be deemed as your personal data. This can have a significant effect in the way that your apps and service providers track your physical and online movements. Many of these apps base their entire service provision in geographical localization, such as map apps, transportation network apps or fitness apps. This means that enabling localization is an essential function in order for the end-user to properly use the app and benefit from the service.
However, there are other applications and service providers that are very unclear on the reason for processing location data. The best examples are social media applications. These companies still have some work to do in clearly informing and explaining their customer base the reasons and purposes for tracking location data as there is a clear imbalance in how customers and companies benefit from it. While users benefit from the fact that they may get more accurate suggestions for friends and events, these companies profit from delivering very specific targeted advertisements based on each individuals’ location.
The best thing that end-users could do is to disable location tracking settings from applications that are very unclear on how they plan on using that information,"- says Mr. Sandro Sandri, Privacy and Data Protection Consultant at HewardMills, a DPO-firm that specialises in acting as an appointed DPO and in providing support to internal DPOs for large multinational organisations.
"You need to care about your location, because marketing is going to be directed towards you depending on where you currently reside. It’s also a risk to let all of your GPS data, either in apps or images, to give way of your physical location. This is especially important when it comes to children and those in countries with heavy surveillance concerns,"- says Mr. Matthew Pascucci, Cybersecurity Practice Manager at CCSI with over 16 years’ experience in IT focusing on Cybersecurity. He’s the founder of Frontline Sentinel and a board member on the local chapters of InfraGard and OWASP.
"Technology on location data has evolved over the years, where now businesses can actually pinpoint your location through not only through use of GPS but also Wi-Fi and cellphone connectivity etc. While the users benefit by getting to places and finding relevant offers and information of their choices, it poses a risk of being tracked and monitored none-the-less. Use of this information of unsuspecting users of Uber service is a great example, where it came into light that Uber was tracking their customers not only when they were in the cab but also beyond it, as part of a hidden agenda of Uber to profile its customers.
In addition, it came out later that they continued to track the users even when they had chosen to delete the Uber app from their smart-phones. Such risks clearly go up with more and more people in emerging markets adopting use of technology enabled via internet and smart-phones (navigation based services/apps, social networking tools, weather reporting apps etc.).
The advent of social media and internet based companies like Google, Facebook, Instagram, etc. has only made things worse with users knowingly and often unknowingly sharing their travel plans, location information etc. and sometimes at the expense of their own as well as safety of their family and friends. This is a proof enough that the user behavior has to be more cautious and that can only happen when they take informed decisions about sharing their location data,"- says Mr. Abhishek Pandey, Head Data Privacy - Asia, Middle East & Africa region, Novartis. Mr. Abhishek Pandey is a certified privacy professional (CIPP/Asia) with over two decades of exciting professional career in both service and product based organizations across pharma, IT/ITeS, and hospitality industries.
"Increased use of smartphones has led to increased use of Location Based Services and GPS location tracking over recent years. GPS tracking is now common place in many areas, from wildlife studies to track animal behaviours, to safeguarding of dementia suffers, the tracking of criminals and even for predictions of tourism trends. It’s so common place now many of us keep our location settings on permanently, which is especially true for the younger ‘digital natives’ whom, according to research, are less concerned about their online privacy than older users.
So what’s the big deal? Most of the time we are happy to share our location data with our friends and social media contacts and willingly ‘check-in’ to places to show we’re ‘having fun’. Well, maybe this isn’t an issue, at least on the face of things, but what about the third parties our location data is subsequently shared with? You may have heard that ‘data is the new oil’, our data being extremely valuable to marketeers and the ‘free’ apps we use sell our data and push targeted adverts at us in order to generate revenue. Often the profile built on us doesn’t contain our name or personal details, but it does contain our device information from which we could be identified, as well as details such as our purchasing history, location history and personal preferences, data that can be used to target us with relevant offers when we walk into a store for example – hang on - special offers when we go shopping? Sounds great doesn’t it? However, what about our personal privacy? Should this sharing of our data concern us?
After all, in return for sharing our data we are able to access some pretty cool personalised online services. Well, with these ‘cool’ benefits come risks, and yes, we are right to have concerns,"- is written on behalf of The DPO Centre Ltd. The DPO Centre is the UK’s national data protection resource centre. It delivers experience, knowledge and enthusiasm, assisting organisations of all sizes and levels of complexity to identify and address the ever growing number of issues brought about by data protection legislation.
2. What possible things could ever happen if location and tracking data gets into the wrong hands?
"To the individual it is an invasion of privacy (imagine two employees are sharing the same location every evening), and they could claim compensation for distress. However, from a Controller’s point of view tracking staff may be a breach of the GDPR’s notion of ‘Power Imbalance’. There have been instances of virtual stalking by Managers in large organizations like Uber,"- continues Mr. Mike Martin from Griffin House Consultancy.
"If we look at what happened with Strava’s global heat map and the way by which it revealed the location of US military bases and soldiers’ training routes, it becomes self-evident that there is a need to mitigate the upcoming risks of enabling location tracking. In this example highly confidential information was leaked due to the soldiers’ location data being enabled on their devices. Similar situation may occur with civilians.
There is a particular subset of personal data called sensitive data, which groups all data that can potentially discriminate individuals. On a theoretical example, if location data is able to indicate that a particular data subject visits certain places such as churches, clinics or trade unions on a regular basis, then the application would be processing that individual’s sensitive data. This would significantly increase the risk of profiling individuals’ based on their sensitive data, which can potentially lead to discriminatory processing,"- says Mr. Sandro Sandri from HewardMills.
"We’ve seen many issues with countries or even law enforcement using GPS data to limit the voice of citizens or to profile users based off location,"- mentioned Mr. Matthew Pascucci from CCSI.
"The question should not be about data falling into the wrong hands. There are obvious safety and security concerns. The question is how do companies that use data and tracking technology do so in a transparent and ethical manner. If individuals are aware that they are being tracked they want to ensure the data is collected legally and never stored beyond its intended use,"- says Mrs. Estella Cohen, Senior Privacy Consultant at TrustArc.
"As illustrated above there are companies who use your data, including your location data to profile you as an individual, including but not limited to where you work, who do you meet, what are your buying, eating and travelling choices, how you drive, what’s your internet footprint etc.
If this information gets into wrong hands it can be easily misused against you by influencing your decisions, charging you more price for products, services, insurance etc., compromise your and your family’s security and wellbeing, thereby restricting your fundamental rights to free choice, liberty , safety and security etc,"- says Mr. Abhishek Pandey from Novartis.
"While location based services can be extremely useful, their use comes with risks. For example, what if the information falls into the wrong hands? Imagine the location of our children being tracked by predators, or that we are tracked visiting a drug treatment clinic, or psychiatrist, or our movements reveal our political or religious affiliations (forming sensitive personal data) and this information is used against us? Furthermore, without due care we no longer have control of who can see when we are on holiday (and our home is empty), or if we are travelling home by train late at night, alone…
Also, unless we switch off geotagging in photos, images we share will contain metadata revealing the exact location of where the photo was taken – photos posted to social media ‘walking alone in the woods’ could put us at risk, or advertising an expensive item on eBay could alert burglars to the location of their next crime.
Identity theft and stalking are other personal risks we may face, both of which are on the rise, but use of location data is also common place in the business world and can pose risks to an organisation. Unauthorised access to location data could leave a business exposed. This data could for example potentially lead an employee being tracked visiting the same coffee shop for lunch each day, or catching the same train home, resulting in the theft of a laptop containing sensitive data (or worse). Or an employee could be tracked meeting with a competitor leading to unauthorised disclosure of a business merger or acquisition, or be tracked visiting questionable establishments bringing the business into disrepute.
As mentioned, when a customer allows a business to track their movements it can lead to the business gaining a better understanding of their habits and allow targeted ’geo-marketing. Web content can also be tailored depending on the location a web-site is being viewed from. However, there are other business uses such as vehicle tracking for fleet management purposes. This can reduce insurance premiums, increase employee efficiency and help with business decisions. This technology can also be used to allow customers to track deliveries. It is important for the business to remember however that such data is covered by regulations and can form ‘personal data’. This must therefore be carefully managed to ensure tracking is carried out for company purposes only, and data must be kept securely to avoid potential risks to staff and property, i.e. when transporting valuable items. Security is also important to mitigate the risk of the business suffering a data breach,"- is written on behalf of The DPO Centre Ltd.
3. What should people and companies do to minimize the risk?
"From an individual’s point of view they need to read and appreciate the privacy notice and understand the implications. Personally, I want to know what tracking is going on and have the opportunity to review and delete it if I so choose. From an organization’s perspective they need to have oversight and governance in place. For example, safety checks to show if the tracking software has been accessed. I would want to see four-eye due-diligence oversight, perhaps Manager ‘A’ has to approve use by Staff ‘B’. An email is automatically sent to the user notifying of search. A user dashboard allows the Data Subject to see who accessed what information and when; to be 100% GDPR compliant, perhaps even give the Data Subject the option to withhold or release the information, especially if in their own time and it would reveal something sensitive which is nothing to do with the Controller,"- advised Mr. Mike Martin.
"In these situations anonymization is a key. However, it does not solve everything as location data can create patterns and patterns are highly valuable as we have seen with the Strava example. The GDPR has enhanced individuals’ rights so enabling easy and efficient instruments for activating the right to be forgotten or the right to object to processing can create protect individuals’ rights and reduce companies’ risk of non-compliance with the provisions of the GDPR and PECR. Going forward, these companies should approach location data on a Privacy by Design basis. This would mean especially embedding DPIAs (Data Privacy Impact Assessments) on every new project, solution, tool or software that will process data subjects’ personal data. Also, for many of these companies, consent will be paramount for processing this data whenever location data is not an essential feature of their service provision,"-
recommended Mr. Sandro Sandri.
"GDPR is creating a big push to have this more transparent, but it’s not going to solve the problem. We need to understand the permissions of the how this is being used, especially with mobile applications, and have an understanding of why, when and how it’s being used,"- said Mr. Matthew Pascucci.
"People and companies each play an important part in minimizing privacy risks. Users need to take responsibility for becoming aware of privacy settings and controls. I call this Privacy by Awareness. At the same time, companies must implement Privacy by Design strategies in all aspects of their products and services to ensure privacy is built in by default,"- recommended Mrs. Estella Cohen.
"Some tips for individuals and companies:
- Whenever there is an option to select your location (area, city etc.) over allowing GPS to track your location – individuals must go with the former, more so when a company’s privacy policies are unclear and unspecific.
- Users must weigh on benefits of enabling location services or sharing their travel plan, location etc. Often such benefits cannot replace the associated risks.
- Both users and companies must be aware of existing and upcoming technology trends and how they are/can be used to monitor or track public at large e.g. since most of us use google, it has a footprint of every single place we have visited and every single internet site we have visited. Consult experts in this area before making important personal or business decisions.
- Companies must minimize collection of data including that related to tracking or monitoring individuals and collect it only for legitimate purposes. Also where ever being collected, provide users clear explanation of the purpose and a choice to opt-in (default being Opt-out) and opt-out at any point in time.
- Companies also have a responsibility to ensure such information is used only for the purpose for which individuals have opted-in , is retained only as long as necessary for that purpose and is protected through-out its life-cycle from getting into wrong hands,"- said Mr. Mr. Abhishek Pandey.
"To minimise the risk of location tracking, actions could include:
- Users should only enable the location tracking when in active use for a specific purpose, and then switch it off.
- Geotagging should be turned off on the camera to prevent the addition of location data to photos – and users should be careful about what they share (i.e. do not share holiday photos online until returning home).
- Do not give apps permission to access location data unless absolutely necessary, and be careful which apps are downloaded.
- Read and understand the privacy policies to understand exactly how data will be used before agreeing to the terms and conditions of use.
- Security of devices is important and users should review configuration / privacy settings and ensure anti-virus software is installed and regularly updated.
- Companies should train staff to increase their awareness of how to reduce risks in order to allow them to protect themselves, and the business.
- There should be procedures in place to maintain and update company equipment to ensure data security.
- Companies should implement policies regarding their use of tracking data where appropriate. The arrival of the GDPR and (in the UK) the DPA 2018 brings tougher rules around the collection and use of personal data, which includes location data when it relates to an identifiable individual. With consent likely to be the lawful basis for processing of such location data, many service providers will need to review the way the consent is collected with affirmative action now being required. Service providers must also ensure they implement appropriate policies and procedures governing the use of the data obtained and review contracts with any third-parties with whom data is shared. Businesses using applications to track staff should also review their policies and security measures regarding this data,"- recommends the DPO Centre.
At the beginning, these three questions seemed very simple and easy to answer. However, still waters run deep. GDPR and DPA control usage of personal data and help individuals protect themselves from cyber attacks. Anyway, better safe than sorry. Try to follow privacy experts` recommendations and keep your beloved ones and yourselves safe.