
You Are Where You've Been
Location Technologies' Deep Privacy Impact

Roger Clarke **

Emergent Draft of 31 May 2008

Prepared for an Invited Keynote at a 1-day Seminar on 'Location Privacy' at the University of N.S.W., 23 July 2008

© Xamax Consultancy Pty Ltd, 2008

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/YAWYB.html


Abstract

A decade ago, technologies that could provide information about the location of a motor vehicle, or a computer, or a person, were in their infancy. A wide range of tools are now in use and in prospect, which threaten to strip away another layer of the limited protections that individuals enjoy.

An understanding of the landscape of location and tracking technologies, and of the issues that they give rise to, depends on establishing a specialist language that enables meaningful and reasonably unambiguous discussion to take place.

An outline of the familiar case of mobile phones, complemented by deeper assessments of road tolling and the surveillance of individual motor vehicles on the road, provides a basis for appreciation of the substantial threats that location technologies represent to free society.


Contents


1. Introduction

Nearly a decade ago, Clarke (1999a) reviewed location and tracking in a somewhat simpler world. The paper noted increasing intensity in the collection of transaction data, in the association of personal identifiers with that data, in the retention of that data, and in the mining of that data. It also referred to the emergence of spies in people's pockets, wallets and purses (smartcards and cellular mobile phones), and in their cars (toll-road tags, and tagging by car-hire companies, insurers and investigators).

Those technologies are now well-established, and lack any form of regulatory framework. IP-address location remains laughably inaccurate. Cellular triangulation and signal-differential techniques, and self-reporting of GPS measurements, are also error-prone, but their accuracy and precision appear to be improving. RFID and NFC devices identify and locate chips with reasonable reliability, and, because of their short range, with considerable accuracy. Meanwhile, ANPR surveillance of traffic is being introduced without even the slightest regard for its impact on privacy and freedom.

For the last four decades, discussions of privacy and surveillance have primarily focussed on the collection and handling of personal data. In effect, the orientation has been towards 'you are what you've transacted with us'. The march of information technology has resulted in the scope of the transactions that are being captured expanding wildly. Now organisations in both the public and private sectors are seeking data about where people are, in order to use it - sometimes at least nominally for them, but in practice mostly against them. The almost complete absence of data destruction requirements means that data about 'where you are now' is kept, and becomes a trail of 'where you've been'. The presumption underlying the exploitation of this pool of data is that 'you are where you've been'. This paper's purpose is to delineate the nature of these technologies, and of what they do to privacy.

This paper commences with a brief overview of key concepts underlying the subsequent discussion. One cluster of relevant concepts comprises real-world entities (particularly humans and vehicles), identities, and pseudonymity and anonymity. A second cluster comprises the concept of location and the process of acquiring it, and the concept and process of tracking.

Building on these ideas, the paper briefly surveys the privacy impacts of location technologies, in order to set the scene for subsequent, more focussed papers. It notes that one's location is potentially very sensitive personal data. But the tracking of people's movements both real-time, and retrospectively, lifts the threat to a much higher level.


2. Concepts of Identity, Entity, Nymity

This section provides an overview of the concepts of identity, entity and nymity. It draws heavily on relevant parts of Clarke (2001) and Clarke (2004).

The term 'entity' refers to any item that exists in the real world. It is sufficiently generic to be applicable to a rock, a chair, a motor vehicle, a device with a computer embedded in it, and a human being.

The term 'identity' refers to a particular presentation of an entity, such as a role that the entity plays in particular circumstances. For example, a motor vehicle is an entity. It may have multiple identities over time, such as taxi and getaway car. A mobile phone is an entity, but it may take up different identities depending on the SIM placed in it. A computer is an entity, but each process that runs on it is capable of being an identity distinct from both the entity and the other identities represented by other processes.

People perform many roles, and most individuals are known by different names in different contexts. In some cases, the intention is dishonourable or criminal; but in most cases the adoption of multiple personae is neither, but rather reflects the diversity of contexts in which they act, including within their family, their workplace(s), their profession, community service and art. In common law countries, people are in no way precluded from using multiple identities or aliases. Actions that take advantage of multiple or situation-specific identities in order to cause harm or circumvent the law are, on the other hand, criminal offences.

An identity may be distinguished from other, similar identities through the use of some kind of label or signifier. For example, a SIM card has a SIM-card identifier, a process running in a computer has a process-ID, and a human being has (many) names and codes assigned to them.

Similarly, an entity may be distinguished from other, similar entities through the use of some kind of label or signifier. Even some rocks have names or numbers, motor vehicles have vehicle id numbers (VINs), engine numbers and registration 'numbers', mobile phones have a unique number associated with the handset itself (the IMEI, independent of whichever SIM is inserted), and human beings have biometrics. Given that the term for an item of information that distinguishes an identity is 'identifier', it is convenient to refer to an item of information that distinguishes an entity as an 'entifier'.

An identifier that can be linked to the underlying entity only with considerable difficulty is commonly called a pseudonym. If an identifier cannot be linked to an entity at all, then it is usefully called an anonym. And a term that usefully encompasses both pseudonyms and anonyms is nym.

Anonymity is a characteristic of records and transactions, such that they cannot be associated with any particular entity, whether from the data itself, or by combining it with other data. Pseudonymity is a characteristic of records and transactions, such that they cannot be associated with any particular entity unless legal, organisational and technical constraints are overcome. And a term that encompasses both anonymity and pseudonymity is nymity.

The concepts of location and tracking, discussed below, clearly apply to entities. However they may also apply to identities in various circumstances, and hence to nyms.


3. Concepts of Location and Tracking

This section provides an overview of the concepts of location and tracking. It draws heavily on relevant parts of Clarke (1999a).

By an entity's location is meant a description of its whereabouts, in relation to other, known objects or reference points. Examples include the following:

The 'space' within which an entity's location is tracked is generally physical or geographical. All of the above examples relate to location within physical space. Other kinds of 'space' exist and location within such spaces may be defined in other terms. For example, a location may be virtual, as in the case of a person's successive interactions with a particular organisation. A particularly important example is 'network space'. An IP-address records the location in network space of a computer entity (strictly, of one of its network interfaces); the port number that accompanies it distinguishes the particular software process entity that is communicating, which necessarily is running in that computer entity.

Location can be ascertained with varying degrees of precision, and varying degrees of accuracy and reliability. The location of installed devices such as fixed ATMs and EFT/POS terminals may be quite exact, and reliable. The locations of some EFT/POS terminals (e.g. those in taxis) are much more ambiguous, as are those of small modems, codecs and Ethernet and other network interfacing cards, which may be removed from their recorded location. Devices such as cellular phones, and portable and hand-held computers, are designed to be mobile, and additional information is needed in order to draw inferences about their location at the time of a particular event. Some kinds of location definition may be limited to a line or cone (e.g. those relying on directional mechanisms), or an area bounded by three or more lines (e.g. those relying on triangulation).

Measures of location may be available with varying degrees of timeliness. By this is meant the lag that occurs between the event, and the availability to a person undertaking surveillance of the transaction data reflecting that event.

By tracking is meant the plotting of the trail, or sequence of locations, within a space that is followed by an entity over a period of time.

Due to timeliness limitations, data may only be available for retrospective analysis of a path that was followed at some time in the past. A 'real-time' trace, on the other hand, enables the organisation undertaking the surveillance to know where the entity is at any particular point in time, with a degree of precision that may be as vague as a country, or as precise as a suburb, a building, or a set of co-ordinates accurate to within a few metres. Moreover, a person in possession of a real-time trace is in many circumstances able to infer the subject's immediate future path with some degree of confidence.


4. Privacy Threats in Location and Tracking

This section provides an overview of the privacy threats inherent in location and tracking. It draws heavily on relevant parts of Clarke (1999a). The threats arise from individual technologies, and the trails that they generate, from compounds of multiple technologies, and from amalgamated and cross-referenced trails captured using multiple technologies and arising in multiple contexts.

The fundamental concepts of dataveillance and the risks it embodies are examined in Clarke (1988).

Location and tracking technologies give rise to data-collections that disclose a great deal about the movements of entities, and hence about individuals associated with those entities. Given an amount of data about a person's past and present locations, the observer is likely to be able to impute aspects of the person's behaviour and intentions. Given data about multiple people, intersections of many different kinds can be computed, interactions can be inferred, and group behaviour, attitudes and intentions imputed.

Location technologies therefore provide, to parties that have access to the data, the power to make decisions about the entity subject to the surveillance, and hence to exercise control over it. Where the entity is a person, it enables those parties to make determinations, and to take action, for or against that person's interests. These determinations and actions may be based on place(s) where the person is, or place(s) where the person has been, but also on place(s) where the person is not, or has not been. Tracking technologies extend that power to the succession of places the person has been, and also to the place that they appear to be going.
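The analyses that the two paragraphs above describe, and the tracking concept defined in section 3, are easier to weigh when they are seen as computation over a pool of retained records. The following is an added example, not code from the paper or from any system it describes: it builds per-entity trails from a handful of constructed observations, computes cell-level co-location between entities, lists who was absent from a place, projects a next position by constant-velocity extrapolation (an assumption, not a claim about any real product), and shows what a retention limit removes. The entifiers, cell ids, co-ordinates and timestamps are all constructed for illustration.

```python
"""Trail analysis over constructed location records.

Added example, not part of Clarke's paper.  It shows what a party holding a
pool of 'where you've been' data can compute.  Every entifier, cell id,
co-ordinate and timestamp is constructed; 'IMEI-A' etc. are assumed labels.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed observations: (entifier, local timestamp, cell id, (lat, lon)).
# The cell id gives location to cell precision; the co-ordinates are a fix.
RECORDS = [
    ("IMEI-A", "2008-05-31 08:00", "cell-17", (-35.280, 149.130)),
    ("IMEI-A", "2008-05-31 08:15", "cell-22", (-35.290, 149.140)),
    ("IMEI-A", "2008-05-31 08:30", "cell-31", (-35.300, 149.150)),
    ("IMEI-B", "2008-05-31 08:05", "cell-17", (-35.281, 149.131)),
    ("IMEI-B", "2008-05-31 08:40", "cell-31", (-35.301, 149.151)),
    ("IMEI-C", "2008-05-31 07:20", "cell-17", (-35.279, 149.129)),
    ("IMEI-C", "2008-05-30 18:00", "cell-05", (-35.250, 149.100)),
]


def parse(ts):
    """Timestamps are 'YYYY-MM-DD HH:MM' strings throughout."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def build_trails(records):
    """Group observations by entifier and order each group in time.
    A trail is the 'sequence of locations' that tracking plots."""
    trails = defaultdict(list)
    for ent, ts, cell, coord in records:
        trails[ent].append((parse(ts), cell, coord))
    for trail in trails.values():
        trail.sort(key=lambda r: r[0])
    return dict(trails)


def colocations(trails, window_minutes):
    """Pairs of entities observed in the same cell within the window.
    Cell-level co-location is coarse: two phones in one cell may be
    hundreds of metres apart, so a hit is an inference, not an observation."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for a, b in combinations(sorted(trails), 2):
        for ta, cell_a, _ in trails[a]:
            for tb, cell_b, _ in trails[b]:
                if cell_a == cell_b and abs(ta - tb) <= window:
                    hits.append((a, b, cell_a, min(ta, tb)))
    return hits


def absent_from(trails, cell, start, end):
    """Entities with no observation in `cell` during [start, end].
    Absence of a record is not evidence of absence of the person: the
    device may have been off, out of coverage, or left somewhere else."""
    lo, hi = parse(start), parse(end)
    present = {ent for ent, trail in trails.items()
               if any(c == cell and lo <= t <= hi for t, c, _ in trail)}
    return set(trails) - present


def predict_next(trail, minutes_ahead):
    """Constant-velocity extrapolation from the last two fixes (an assumed
    model).  Returns (lat, lon), or None with fewer than two fixes."""
    fixes = [(t, coord) for t, _, coord in trail if coord is not None]
    if len(fixes) < 2:
        return None
    (t0, (lat0, lon0)), (t1, (lat1, lon1)) = fixes[-2:]
    frac = timedelta(minutes=minutes_ahead) / (t1 - t0)
    return (lat1 + (lat1 - lat0) * frac, lon1 + (lon1 - lon0) * frac)


def purge_older_than(trails, now, max_age_minutes):
    """A retention rule: drop observations older than max_age at `now`.
    Without one, 'where you are' silently accumulates into 'where you've been'."""
    cutoff = parse(now) - timedelta(minutes=max_age_minutes)
    return {ent: [r for r in trail if r[0] >= cutoff]
            for ent, trail in trails.items()}


if __name__ == "__main__":
    trails = build_trails(RECORDS)
    for a, b, cell, t in colocations(trails, 10):
        print(f"{a} and {b} both in {cell} around {t:%H:%M}")
    print("absent from cell-31, 08:00-09:00:",
          absent_from(trails, "cell-31", "2008-05-31 08:00", "2008-05-31 09:00"))
    print("IMEI-A projected 15 min ahead:", predict_next(trails["IMEI-A"], 15))
    kept = purge_older_than(trails, "2008-05-31 09:00", 120)
    print("records after 2-hour retention:", sum(len(t) for t in kept.values()))
```

Two of the functions carry the caveats a practitioner would insist on: a co-location hit at cell precision and an 'absence' both describe the data, not the person, which is exactly why decisions taken on the strength of them are the risk this section is concerned with. The retention function makes the paper's closing point operational: the trail only exists because nothing deletes it.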

The nature and extent of the intrusiveness is dependent on a variety of characteristics of location and tracking technologies. An analysis is provided in Clarke (1999b), encompassing such factors as the intensity of the data collection process, the data quality, data retention and destruction, and data accessibility.

Dangers that are especially apparent include the following:

The degree of impact on each individual depends on their psychological profile and needs, and their personal circumstances, in particular what it is that they wish to hide, such as prior misdemeanours, habits, and life-style, or just the details of their personal life. Some categories of individual are in a particularly sensitive position. 'Persons-at-risk' is a useful term for people whose safety and/or state of mind are greatly threatened by the increasing intensity of data-trails, because discovery of their location is likely to be followed by the infliction of harm, or the imposition of pressure designed to repress the person's behaviour. Examples include VIPs, celebrities, notorieties, different-thinkers, victims of domestic violence, people in sensitive occupations such as prison management and psychiatric health care, protected witnesses, and undercover law enforcement and security operatives.

Marketers have an interest in identifying population segments and networks, and in building personal behaviour profiles. More sinister applications arise because so-called 'counter-terrorism' laws have greatly reduced the controls over data gathering, storage and access, over inferencing about where people have been and whose paths people have crossed, and over detention, interrogation and prosecution.


5. Location and Tracking Technologies

A wide variety of location and tracking technologies exist. They are mostly oriented towards entities, and their effective operation depends on the collection of entifiers that distinguish the particular entity and enable transaction data to be reliably associated with the appropriate entity and perhaps with other transactions. Some technologies are relevant to spaces other than physical space (especially net space), and some to identities rather than entities. In Clarke (1999a), a great many specific instances of location and tracking technologies were catalogued and outlined.

During the intervening decade, a few of these have become noticed by the general public. In particular, there is an increasing appreciation that mobile phones have become not only a personal convenience, but also a spy in the person's pocket, reporting continually the device's presence in a particular cell (and hence continually disclosing its location to an accuracy of 100m to a few km), even when nominally switched off.

Cell-phone location and tracking data is subject to security and some privacy regulation, but most of the features have been designed from an engineering perspective and privacy protections are incidental rather than intrinsic. The protections are subject to very substantial exceptions. The protections have been ripped apart by extended powers for law enforcement agencies during the long 'national security extremism' phase that followed 12 September 2001. The protections are subject to compromise by the increasing prevalence of public-private partnerships, and the vast concessions that Governments are granting for-profit corporations in return for taking over the burden of infrastructure provision and maintenance.

The assessments of particular technologies in Clarke (1999a, 1999b) and above were of necessity superficial. In order to complement that broad scan, this section contains vignettes that examine in greater depth two specific and highly problematical technologies that have exploded onto the scene, that are subject to almost no meaningful privacy controls, and that have extraordinary and highly negative implications for privacy, and for civil liberties and political freedoms more generally.


5.1 Vignette 1: Road Tolling

[Currently a separate discussion draft]


5.2 Vignette 2: ANPR

[Currently a separate discussion draft]


6. Conclusions

TEXT

[Brief summary of general and specific points about location and tracking technologies, their threats, and the almost complete absence of controls.]

[Tie back to 'You Are Where You've Been'.]

Information technology shares a key characteristic with an elephant: it doesn't know how to forget. It needs to be taught how, and very quickly.


References

Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) 498-512, at http://www.anu.edu.au/people/Roger.Clarke/DV/CACM88.html

Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7,4 (December 1994) 6-37, at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html

Clarke R. (1999a) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Proc. 21st Int'l Conf. on Privacy and Personal Data Protection, pp.131-150, Hong Kong, 13-15 September 1999. Revised version in Information Technology & People 14, 2 (Summer 2001) 206-231, at http://www.anu.edu.au/people/Roger.Clarke/DV/PLT.html

Clarke R. (1999b) 'Relevant Characteristics of Person-Location and Person-Tracking Technologies' A separately-published Appendix to Clarke (1999a), Xamax Consultancy Pty Ltd, Canberra, October 1999, at http://www.anu.edu.au/people/Roger.Clarke/DV/PLTApp.html

Clarke R. (2001) 'Authentication: A Sufficiently Rich Model to Enable e-Business' Xamax Consultancy Pty Ltd, December 2001, at http://www.anu.edu.au/people/Roger.Clarke/EC/AuthModel.html

Clarke R. (2004) 'Identification and Authentication Fundamentals' Xamax Consultancy Pty Ltd, May 2004, at http://www.anu.edu.au/people/Roger.Clarke/DV/IdAuthFundas.html

Clarke R. (2006) 'What's 'Privacy'?' Prepared for a Workshop at the Australian Law Reform Commission on 28 July 2006, at http://www.anu.edu.au/people/Roger.Clarke/DV/Privacy.html

Clarke R. (2007) 'What 'Überveillance' Is, and What To Do About It' Invited Keynote, Proc. 2nd RNSA Workshop on the Social Implications of National Security', 20 October 2007, University of Wollongong, at http://www.anu.edu.au/people/Roger.Clarke/DV/RNSA07.html

Clarke R. (2008) 'Dissidentity' Xamax Consultancy Pty Ltd, Canberra, March 2008, at http://www.anu.edu.au/people/Roger.Clarke/DV/Dissidentity.html


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.



Created: 23 February 2008 - Last Amended: 31 May 2008 by Roger Clarke - Site Last Verified: 15 February 2005