Recent events in the mobile space have shined a light on subscriber location and location privacy. This is a topic that is near and dear to us at Location Labs, and one that we, and our industry partners, have been thinking about for a long time. It’s not surprising to see it finally getting broader attention. To many people, both end users and lawmakers alike, the subject is a new one, and likely isn’t something that they’ve considered from a privacy perspective.
In our view, the best way to approach the subject of location privacy is to apply the same rules to personal location information as to any other personal information that is considered private, such as credit card numbers or the content of phone calls. Frankly, there really is no difference.
From the mobile operator or device platform provider perspective, subscriber location is a necessary component of providing the service, and thus they may consider location an asset for auxiliary use. That is, they are directly exposed to location data in the course of providing the service, and in fact may be involved in generating it, and therefore may use it in other ways. For example, operators need to know something about your location to route an incoming call to the correct cell or base station. Such an argument ultimately carries no water. Why? Consider the credit card analogy. Merchants are required to collect credit card information as part of the payment process. Visibility of this information in no way provides the merchant with license to use this information for other purposes, or to share it unnecessarily with third parties.
Carrying our analogy further, let’s consider the common expectation of the end user again using the credit card as an example. When I sign up for a credit account, I do so with the understanding that many parties across the value chain will be exposed to my sensitive information. These details are necessary for the service to be provided. What I do not expect is that sensitive information, such as the credit card number itself, will be provided to an unnecessary third party, or be handled in such a way that a malicious third party will be able to obtain access to it. That is, there is a reasonable assumption that all parties are aware, and will accept, that the credit card number is considered sensitive and private and thus, standard practices of privacy and security will be adhered to.
There is simply no reason to consider personal location data to be any different.
Based on this understanding, when a user engages in a location service, they are correct in assuming that all parties involved in providing the service acknowledge and accept that their location is sensitive and will be treated as such. They are correct in assuming that their location data will not be used for any purpose beyond directly supporting the service at hand unless they explicitly provide consent to some external use. They are correct in assuming that their location data will be treated with care, using a reasonable standard of data security.
Finally, consider the question of ownership. Who really owns personal location data, derived say from a mobile network operator, and what are the implications of this? We very much want to say that the users themselves own their own location data, and are provided all the rights associated with it. This is almost certainly the ideal long-term goal. Recall, however, that the network operator is required to both obtain and utilize subscriber location as part of providing the service. In this context, they would be generating and handling an asset that belongs to the end user. We might turn matters on their head and suggest that the end user enter into a contract with the network operator acknowledging this fact, and further, that the end user provide a limited license back to the network provider for the express purposes of providing mobile service. Similar to the credit card example, there really is no difference here.
The challenges we face in coming to terms with subscriber location are to a large extent resolved if we simply consider mobile location to be like any other personal information and subject to the same standard norms of privacy and security. Once we’ve accepted this premise, the rest will follow.
Scott Hotes is CTO and senior vice president of Engineering at Location Labs. Twitter: @sahotes
Filed Under: Industry regulations