Assessing technology system contributions to urban dweller vulnerabilities

Lindsay J. Robertson+, Katina Michael+, Albert Munoz#

+ School of Computing and Information Technology, University of Wollongong, Northfields Ave, NSW 2522, Australia

# School of Management and Marketing, University of Wollongong, Northfields Ave, NSW 2522, Australia

Received 26 March 2017, Revised 16 May 2017, Accepted 18 May 2017, Available online 19 May 2017

https://doi.org/10.1016/j.techsoc.2017.05.002

Highlights

• Individual urban-dwellers have significant vulnerabilities to technological systems.

• The ‘exposure’ of a technological system can be derived from its configuration.

• Analysis of system ‘exposure’ allows valuable insights into vulnerability and its reduction.

Abstract

Urban dwellers are increasingly vulnerable to failures of technological systems that supply them with goods and services. Extant techniques for the analysis of those technological systems, although valuable, do not adequately quantify particular vulnerabilities. This study explores the significance of weaknesses within technological systems and proposes a metric of “exposure”, which is shown to represent the vulnerability contributed by the technological system to the end-user. The measure thus contributes to the theory and practice of vulnerability reduction. The results suggest specific and general conclusions.

1. Introduction

1.1. The scope and nature of user vulnerability to technological systems

Today's urban dwelling individuals are end-users that increasingly depend upon the supply of goods and services produced by technological systems. These systems are typically complex [1–4], and as cities and populations grow, demands placed on these systems lead to redesigns and increases in complexity. End-users often have no alternative means of acquiring essential goods and services and thus a failure in a technology system has implications for the individual that are disproportionately large compared to the implications for the system operator/owner. End users may also lack awareness of the technological systems that deliver these goods and services, inclusive of system complexity and fragility, yet may be expected to be concerned for their own security. The resulting dependence on technology justifies the observed concern that there is a vulnerability incurred by users, from the systems that provide them with goods and services.

Researchers [5–7], alongside the tradition of military strategists [8], have presented a socio-technical perspective on individual vulnerability, drawing attention to the complexity of the technological systems tasked with the provision of essential goods and services. Meanwhile, other researchers have noted the difficulties of detailed performance modelling of such systems [9–11].

The vulnerability of an urban dweller has also been a common topic within the popular press for example “Cyber-attack: How easy is it to take out a smart city?” [12], which speculated how such phenomena as the “Internet of Things” affect the vulnerability of connected systems. Other popular press topics have included the possibility that motor vehicle systems are vulnerable to “hacking” [13].

There is furthermore a widespread recognition that systems involving many 'things that can go wrong' are fragile. Former astronaut and United States Senator John Glenn stated in his (1997) retirement speech [14] mentioned “… the question I'm asked the most often is: ‘When you were sitting in that capsule listening to the count-down, how did you feel?’ ‘Well, the answer to that one is easy. I felt exactly how you would feel if you were getting ready to launch and knew you were sitting on top of two million parts - all built by the lowest bidder on a government contract’ …” His concern was justified, and most would appreciate that similar concerns apply to more mundane situations than the Mercury mission.

National infrastructure systems are typically a major subset of the technological systems that deliver goods and services to individual end-users. Infrastructure systems are commonly considered to be inherently valuable to socio-economic development, with the maintenance of security and functionality often emphasized by authors such as Gómez et al. (2011) [15]. We argue that infrastructural systems actually have no intrinsic value to the end-user, and are only valuable until another option can supply the goods and services to the user with lower vulnerability, higher reliability or both. If a house-scale sewage treatment technology were economical, adequately efficient and reliable, then reticulated, centralised sewage systems would have no value. We would also argue that the study of complete technological systems responsible for delivery of goods or services to an end-user, is distinguishable from the study of infrastructural systems.

For the urban apartment dweller, significant and immediate changes to lifestyle quality would occur if any of a list of services became unavailable. To name a few, these services would include those that allow the flow of work information, financial transactions, availability of potable water, fuel/power for lighting, heating, cooking and refrigeration, sewage disposal, perishable foods and general transport capabilities. Each of these essential services are supplied by technological systems of significant complexity and face an undefined range of possible hazards. This paper explores the basis for assessing the extent to which some technological systems contribute to a user's vulnerability.

Perrow [16] asserts that complexity, interconnection and possibility of major harm make catastrophe inevitable. While Perrow's assertion may have intuitive appeal, there is a need for a quantitative approach to the assessment of vulnerability. Journals (e.g. International Journal of Emergency Management, Disasters) are devoted to analysing and mitigating individuals' vulnerabilities to natural disasters. While there is an overlap of topic fields, disaster scenarios characteristically assume geographically-constrained, simultaneous disruption of a multitude of services and also implicitly assume that the geographically unaffected regions can and will supply essential needs during reconstruction. This research does not consider the effects of natural disasters, but rather the potential for component or subsystem disruptions to affect the technological system's ability to deliver goods and services to the end-user.

Some technological systems-such as communications or water distributions systems-transmit relevant goods and services via “nodes” that serve only aggregate or distribute the input goods and services. Such systems can be characterised as “homogeneous” and are thus distinguished from systems that progressively create as well as transmit goods, and thus require a combination of processes, input- and intermediate-streams and services. The latter type of system are thus categorized as heterogeneous, such heterogeneity must be accommodated in an analysis measure.

1.2. Quantification as prelude to change

We propose and justify a quantification of a technological system contributions to the vulnerability of an urban dwelling end-user who is dependent upon its outputs. The proposed approach can be applied to arbitrary heterogeneous technological systems and can be shown to be a valid measure of an attribute that had previously been only intuitively appreciated. Representative examples are used to illustrate the theory, and preliminary results from these examples illustrate some generalised concerns and approaches to decreasing urban dwelling end user “exposure” to technological systems. The investigation of a systems exposure will allow a user to make an informed assessment of their own vulnerability, to reduce their exposure by making changes to system aspects within their control. The investigation of a system's exposure will allow a user to make an informed assessment of their own vulnerability, to reduce their exposure by making changes to system aspects within their control. Quantifying a system's exposure will allow a system's owner to identify weaknesses, and to assess the effect of hypothetical changes.

2. Quantification of an individual's “exposure”: development of theory

2.1. Background to theory

Consider an individual's level of “exposure” by two scenarios: a first scenario where a specific service can only be supplied to an end-user by a single process, which is dependent on another process, which is in turn dependent on a third process. In the second scenario, the same service can be offered to the user by any one of three identical processes with no common dependencies. Any end-user of the service could reasonably be expected to feel more “exposed” under the first scenario than under the second. Service delivery systems are likely to involve complex processes that include at least some design redundancies, but also include single-points-of-failure, and cases where two or more independent failures would deny the supply of the service. For such systems, the “exposure” of the end user may not be obvious, but it would be useful to distinguish quantitatively and to be able to distinguish quantitatively among alternative configurations.

The literature acknowledges the importance of a technological configuration's contribution to end-user vulnerability [6], yet such studies do not quantitatively assess the significance of the system configuration. Reported approaches to vulnerability evaluation can be broadly categorized according to whether they consider homogeneous or heterogeneous systems, whether they assume a static or a dynamic system response, and whether system configuration is, or is-not used as the basis for the development of metrics. The published literature on risk analysis (including interconnected system risks), resilience analysis, and modelling all have a bearing on the topic, and are briefly summarised below:

Risk analysis may be applied to heterogeneous or homogeneous systems, the analysis does not analyse dynamic system responses and limits analysis to a qualitative assessment of the effect of brainstormed hazards. Classical risk analysis [17–20] requires an initial description of the system under review, however practitioners commonly only generate descriptions lacking specific system configuration detail. While many variations are possible, it is common for an expert group to carry out the risk analysis by listing all identified hazards and associated harms. Experts then categorise identified harms by severity, and hazards according to the vulnerability of the system and the probability of hazard occurrence. Risk events are then classified by the severity, based on harm magnitude, and hazards probability. Undertaking a risk analysis is valuable, yet without a detailed system definition to which the assessments of hazard and probability are applied, probability-of-occurrence evaluations may be inaccurate or fail to identify guided hazards, and the analysis may fail to identify specific weaknesses. Another issue exists if the exercise fails to account for changes to instantaneous system states; if the system is close to design capacity upon hazard occurrence, the probability of the hazard causing harm is higher than if the hazard occurred at a point in time when the system operates at lower capacities. Finally, the use of categories that correlate harm and hazard to generate a risk evaluation are inherently coarse-grained, meaning that changes to system configuration or components may- or may-not trigger a change to the category that is assigned to the risk.

Another analysis approach is that of “Failure Modes and Effects Analysis” (FMEA) [21], which examines fail or go conditions of each component within a system, ultimately producing a tabulated representation of the permutations and combinations of input “fail” criteria that cause system failure. FMEA is generally used to demonstrate that a design-redundancy requirement of a tightly-defined system is met.

'Resilience' has been the topic of significant research, much of which is dedicated to the characterization of the concept and definitional consensus. One representative definition [22] is “ … the ability of the system to withstand a major disruption within acceptable degradation parameters and to recover within an acceptable time … ” This definition is interpreted [23–25] quantitatively as a time-domain variable measuring one or more characteristics of the transient response. For complex systems, derivation of time-domain responses to a specific input disruption can be expected to be difficult, and such a derivation will only be valid for one particular initial operational state and disruption event. Responses to each possible system input and initial condition would generate a new time-domain response, and so a virtually infinite number of transient responses would be required to fully characterize the 'resilience' of a single technological system. All such approaches implicitly assume that the disturbance is below an assumed ‘maximum tolerable’ level, so the technological system's response will be a continuous function, i.e. the system will not actually fail. As resilience analysis applies to the aforementioned scenarios, a methodological issue exists in that evaluations of this kind are post-hoc observations, where feedback from event occurrences lead to design changes. Thus, an implicit assumption exists that the intention of resilient design is to minimise the disturbance to an ongoing provision of goods and services, rather than prevent output failure. Resilience analysis examines each permutation and combination of input, and constraining scope to failures, as input. As this method considers system responses to external stimulus, it requires a detailed knowledge of system configurations and system configuration, but is only practical for relatively simple cases (the difficulty of modelling large systems, has been noted by others [9]).

A third approach constructs a model of the target system in order to infer real world behaviour. The model - as a simplified version of the real world system - is constructed for the purposes of experimentation or analysis [26]. Applied to the context of end-user vulnerability, published simplifications of communication systems, power systems and water distribution systems commonly assume system homogeneity. For example, a graph theory approach will consider the conveyance of goods and services as a single entity transmitted across a mesh of edges and vertices that each serve to either disperse or distribute the product. Once a distribution network is represented as a graph, it is possible to mathematically describe the interconnection between specified vertices [10], and to draw conclusions [27] regarding the robustness of the network. Tanaka and colleagues [28] noted that it is possible to represent homogeneous networks using graph theory notation and thus make graph theory analyses possible. Common graph theory metrics consider the connections of each edge and do not consider the possibility that an edge could carry a different service from another edge. Because the graph theory metrics assume a homogeneous system, these metrics cannot be applied directly to heterogeneous systems in which interconnections do not always carry the same goods or services.

2.2. Exposure of a technological system

In order to obtain a value for the technological system contribution to end-user vulnerability that enables comparisons among system configurations a quantitative analytical technique is needed. To achieve this, four essential principles are proposed to allow and justify the development of a metric that evaluates the contribution of a heterogeneous technological system, to the vulnerability of an individual. These principles are:

(1) Application to individual end-user: an infrastructural system may be quite large and complex. Haimes and Jiang [11] considered complex interactions between different infrastructural systems by assigning values to degrees of interaction: the model allows mathematical exploration of failure effects but (as is acknowledged by these authors) depends on interaction metrics that are difficult to establish. This paper presents an approach that is focussed on a representative single end-user. When an individual user is considered, not only is the performance of the supply system readily defined, but the relevant system description is more hierarchical and less amorphous. Our initial work has also suggested that if consideration of failures requiring more than 3 simultaneous and unrelated hazards, then careful modelling can generate a defensible model without feedback loops.

(2) Service level: it is possible to not only describe goods or services that are delivered to the individual (end-user), but also to define a service level at which the specified goods or services either are-, or are-not delivered. From a definitional standpoint, this approach allows the output of a technological system to be expressed as a Boolean variable (True/False), and allows the effect of the configuration of a technological system to be measured against a single performance criterion. For some goods/services, additional insights may be possible from separate analyses at different service levels (e.g. water supply analyzed at “normal flow” and at “intermittent trickle”) however for other goods/services (e.g. power supply) a single service level (power on/off) is quite reasonable.

(3) Hazard and weakness link: events external to a technology system only threaten the output of the technology system if the external events align with a weakness in the technology system. If a hazard does not align with a weakness then it has no significance. Conversely if a weakness exists within a technological system and has not been identified, then hazards that can align with the weakness are also unlikely to be recognised. If the configuration of a particular technology system is changed, weaknesses may be removed while other weaknesses may be added. Therefore, for each weakness added, an additional set of external events can be newly identified as hazards - and correspondingly for each weakness that is removed, the associated hazards cease to be significant. Processes capable of failure and input streams that could become unavailable, are weaknesses that are significant regardless of the number and/or type of hazards of sufficient magnitude to cause failure, that might align with any specific example of such a weakness.

(4) Hazard probability: Some (e.g. extreme weather events) hazards occur randomly, can be assessed statistically, and will have a higher probability of occurrence over a long time period. Terrorist actions or sabotage in particular, do not occur randomly but must be considered as intelligently (mis)guided hazards. The effect of a guided hazard upon a risk assessment is qualitatively different from the effect of a random hazard. The guided hazard will occur every time the perpetrator elects to cause the hazard and therefore the hazard has a probability of 1.0. It is proposed that the significance of this distinction has not been fully appreciated. A malicious entity will seek out weaknesses, regardless of whether these have been identified by a risk assessment exercise or not. Since either random or guided hazards have an equal effect, and have a probability approaching 1 for a long time period, we argue that a risk assessment based upon the 'probability' (risk) of a hazard occurring is a concept with limited usefulness, and vulnerability is more validly assessed by assuming that all hazards (terrorist action, component failure or random natural event) will occur sooner or later, hence having a collective probability of 1.0. As soon as the assumption is made that sooner-or-later a hazard will occur, assessment of the technological systems contribution to user vulnerability can be refocussed from consideration of hazard probability to consideration of the number and type of weaknesses with which (inevitable) hazards can align.

A heterogeneous technological system may involve an arbitrary number of linked operations, each of which (consistent with the definition of stated by Slack et al. [29]requires inputs, executes some transformation process, and produces an output that is received by a subsequent process and ultimately serves an end-user. If the output of such a system is considered to be the delivery- or non-delivery of a nominated service-level output to an individual end-user, then the arbitrary heterogeneous technological system can be described by a configured system of notional AND/OR/NOT functions [30] whose inputs/outputs include unit-operations, input streams, intermediate product streams and services. For example, petrol is dispensed from a petrol station bowser to a car if fuel is present in the bulk tank, the power to a pump is available, a pipework and pump are operational and the required control signal is valid. Hence, a notional “AND” gate with these 5 inputs will model the operation of the dispensing system. The valid control signal will be generated when another set of different inputs is present, and the provision of this signal can be modelled by a notional “AND” function with nominated inputs. The approach allows the operational configuration of a heterogeneous technological system to be represented by a Boolean algebraic expression. Fig. 1 illustrates the use of Boolean operations to represent a somewhat more complex technological system.

Fig. 1. Process and stream operations required for system: Boolean representation.

 

Having represented a specific technological system using a Boolean algebraic expression, a 'truth table' can be constructed to display all permutations of process and stream availabilities as inputs, and technological system output as a single True or False value. From the truth table, a count of the cases in which a single input failure will cause output failure, and assign that total to the variable “E1”. A count of the cases where two input failures (exclusive of inputs whose failure will alone cause output failure) cause output failure, and assign that total value to E2. A further count of the cases in which three input failures cause output failure (and where neither single nor double input failures within that triple combination would alone cause output failure) and assign that total value to the variable “E3” and similarly for further “E” values. A simple algorithm can generate all permutations of “operate or fail” for every input process and stream. If a “1” is considered as a “operate” and “0” is considered as a “fail”, then for a model with n inputs (streams and processes) 2n options are input. If the algorithm outputs are applied to each binary representation of input states (processes and streams) and the output conditions (operate or fail) are recorded the input conditions for each output fail combination, the E1 etc. values can be computed (the E1 is the number of output-failure conditions where only a single input has failed). A truth-table approach to generating exposure metrics is illustrated in Fig. 2.

Fig. 2. Evaluation of exposure, by analysis of Boolean expression.

Fig. 2. Evaluation of exposure, by analysis of Boolean expression.

The composite metric {E1, E2, E3 … En}, is therefore mapped from the Boolean representation of the heterogeneous system and characterizes the weaknesses of that system in the contribution of the technological configuration to end-user vulnerability. Indeed, for a given single output at a defined service level - described by a Boolean value, representing “available” or “not available” - it is possible to isomorphically map an arbitrary technological system onto a Boolean algebraic expression. Thus, it is possible to create a homomorphic mapping (consistent with the guidance of Suppes [31] to a composite metric that characterizes the weakness of the system. Furthermore, the metric allows for comparison of the exposure level of alternative technological systems and configurations.

Next, we consider whether the measure represents the proposed attribute, by considering validity criteria. Hand [32] states that construct validity “involves the internal structure of the measure and also its expected relationship with other, external measures …” and “… thus refers to the theoretical construction of the test: it very clearly mixes the measurement procedure with the concept definition”. Since the Boolean algebraic expression represents all processes, streams and interactions, it can be directly mapped to a Process Flow Diagram (PFD) and so is an isomorphic mapping of the technological system with respect to processes and streams. The truth table is a homomorphic mapping of output conditions and input combinations, with output values unambiguously derived from the input values, but the configuration cannot be unambiguously derived from the output values. The {E1, E2, E3 … En} values are therefore a direct mapping of the system configuration.

Since the configuration and components of the system are represented by a Boolean expression, and the exposure metric {E1, E2, E3 … En} is assembled directly from the representation of the technological system, it has sufficient “construct validity” in the terms proposed by Hand [32]. The representational validity of this metric to the phenomenon of interest (viz. contribution to individual end-user vulnerability) must still be considered [31,32], and two justifications are proposed. Firstly, the representation of “exposure” using {E1, E2, E3 … En} supports the common system engineering “N+1”, “N+2” design redundancy concepts [33]. Secondly, the cost of achieving a given level of design redundancy can be assumed to be related to “E” values and so enumerating these will support decisions on value propositions of alternative projects, a previously-identified criterion for a valid metric.

Generating an accurate exposure metric as described, requires identification of processes and streams, which in practice requires a consideration of representation granularity. If every transistor in a processor chip were considered as a potential cause of failure, the “exposure” value calculated for the computer would be exceedingly high. If by contrast, the computer were considered as a complete, replaceable unit, then it would be assigned an exposure value of 1. A pragmatic definition of granularity will address this issue: if some sub-system of interest is potentially replaceable as a unit, and can be attacked separately from other sub-systems, then the sub-system of interest should be considered as a single potential source of failure. This definition allows adequate precision and reproducibility by different practitioners.

Each input to an operation within a technological system will commonly be the output of another technological system, which will itself have a characteristic “exposure”. The contribution of the predecessor system's exposure to the successor system must be calculated. This problem is generalised by considering that each input to a Boolean ‘AND’ or ‘OR’ operation has a composite exposure metric, and developing the principles by which the operation's output can be calculated from these inputs. Consider, for example, an AND gate that has three inputs (A, B and C), whose inputs have composite exposure metrics {A1, A2, A3 … }, {B1, B2, B3 … } and {C1, C2, C3 … }. The contributory exposure components are added component-wise, hence the resulting exposure of an AND operation is {(A1+B1+C1), (A2+B2+C2), (A3+B3+C3) … (An + Bn + Cn)}. The generalised calculation of contributory exposure is more complex for the OR operation. For an OR gate with three inputs (A, B and C), each of which has composite exposure metric {A1, A2, A3 … }, {B1, B2, B3 … } and {C1, C2, C3 … }:

• The output E1 value is 0

• The output E2 value is 0

• The output E3 value is 2((A1−1)+(B1−1)+(C1−1)),((A2−1)+(B2−1)+(C2−1)), ((A3−1)+(B3−1)+(C3−1)) since one fail from each input must occur for the output to fail, however each remaining combination of fails contributes to the E3 value

• The E4 and subsequent values are calculated in exactly the same way as the E3 value.

Since the contributory system has effectively added streams and processes, the length of the output exposure vector is increased when the contributory system is considered. The proposed approach is therefore to nominate a level to which exposure values will be evaluated. If, for example, this level is set at 2, then the representation would be considered to be complete when it could be shown that no contributory system adds to the E2 values of the represented system.

3. Implications from theory

The current levels of expenditure on infrastructure “hardening” are well reported in popular press. The theory presented is proposed to be capable, for a defined technological system, of quantitatively comparing the effectiveness of alternative projects. The described measure is also proposed to be capable of differentiating between systems that have higher or lower exposure, and thus allowing prioritisation of effort. The following examples have undergone a preliminary analysis. The numerical outputs are dependent on system details and boundaries, nevertheless, the authors' preliminary results indicate the output that is anticipated, and are considered to demonstrate the value of the principles. The example studies are diverse and examine well-defined services and service levels for the benefit of a representative individual end-user. Each example involves a technological system (with a range of processes, intermediate streams, and functionalities) and may therefore be expected to include a number of cases in which a single stream/process failure will cause the service delivery to fail - and a number of other cases in which multiple failures would result in the non-delivery of the defined service. The analyses also collectively identify common contributors, technological gaps, and common principles that inform improvement decisions. In each example case, the delivered service and level is established, following which the example is described and the boundaries confirmed. The single-cause of failure items (contributors to the E1 value) are assessed first, followed by the dual-combination causes of failure (contributors to the E2 values) and then the E3 values. It is assumed that neither maintenance nor replacement of components are required within the timeframe considered – i.e., outputs will be generated as long as their designed inputs are present, and the processes are functional.

3.1. Example 1: Petrol station, supply of fuel to a customer

The “service” in this case is the delivery, within standard fuel specifications (including absence of contaminants) and at standard flow rate, of petrol into a motor vehicle at the forecourt of a petrol-station. The scope includes the operation of the forecourt pumps, the underground fuel storage tanks, metering and transactional services. Although storage is significant, the refilling of the underground tanks from fuel stored in national-reserves can only be accomplished by a limited number of approaches, which must occur frequently relative to the considered timeframe and must be considered. Since many sources supply the bulk collection depot, the analysis will not go further back than the bulk storage depot. Similarly, the station is unlikely to have duplicated power feeders from the nearest substation and so this supply must be considered. The financial transaction system and the communications system it uses, must be included in the consideration.

On the assumption that the station is staffed, sanitary facilities (sewage, water) are also required (see Fig. 3). While completely automated “truck stop” fuel facilities exist, facilities as described are common and can reasonably be called representative. The fuel dispensing systems in both cases are almost identical, however the automated facilities cannot normally carry out cash transactions, and the manned stations commonly sell other goods (food and drink) and may provide toilet facilities.

Fig. 3. Operation of petrol station.

In work not reported here, the exposure metrics of the contributory systems have been estimated as EFTPOS financial transaction {49, 12, 1}, staff facilities system {36, 4, 6}, power {2, 3, 0}. Based on these figures, the total exposure metric for the petrol delivered to the end user is estimated at {92, 20, 8}.

In evaluating the exposure metric, the motor/petrol-pump and pipework connections do not generate E3 values (more than 3 failures would be required to cause a failure of the output function) since the petrol station has four pumps. The petrol station power supply affects several plant items that are local to the petrol station, and so is represented at the level which allows a valid assessment of its exposure contribution. For bulk petrol supply, numerous road system paths exist, tankers and drivers are capable of bringing fuel from the refinery to the station and so these do not affect the E3 values. The electricity distribution system has more than three feed-in power stations and is assumed to have at least 3 High Voltage (HV) lines to major substations, however local substations commonly have only two voltage-breakdown transformers, and a single supply line to the petrol station would be common. The local substation and feeders are assumed to be different for the sewage treatment plant, the bulk petrol synthesis and banking system clearing-house (and are accounted for in the exposure metrics for those systems), but the common HV power system (national grid) does not contribute to the E3 values, and so it is not double-counted in assessing the power supply exposure of the petrol station and contributory systems. While EFTPOS and sewage systems have had high availability, this analysis emphasizes the large contribution they make to the user's total exposure, and thus suggest options for investigation.

This example illustrates the significance of the initial determination of system boundaries. This example output is defined as fuel supplied to a user's vehicle at a representative petrol station. Other studies might consider a user seeking petrol within a greater geographic region (e.g. neighbourhood). In that case the boundaries would be determined to consider alternative petrol station and also subsystems that are common to local petrol stations (power, sewage, financial transactions, bulk fuel) and subsystems (e.g. local pumps) where design redundancy is achieved by access to multiple stations.

3.2. Example 2: Sewage system services for apartment-dweller

Consider the service of the sanitary removal of human waste, as required, via the lavatory installed in an urban apartment discharging to a wastewater treatment plant. The product of the treatment operation being environmentally acceptable treated water to waterways, and solid waste at environmentally acceptable specifications to landfill.

The technology description assumes that the individual user lives in an urban area with a population of 200,000 to 500,000. This size is selected because it is representative of a large number of cities. An informal survey of the configuration of sewage systems used by cities within this size range, reveals a level of uniformity, and hence the configuration in the example is considered “representative”.

The service is required as needed and commences from the water-flushed lavatory, and ends with the disposal of treated material. Electric power supplies to pumping stations and to local water pumps, are unlikely to have multiple feeders and will be considered to the nearest substation. The substation can be expected to have multiple feeders and so it is not considered necessary to consider the electric power supply further “back”. Significant pumping stations would commonly have a “Local/Manual” alternative control system capability, in which a remote control is normal, but allowing an operator to select “manual” at the pump station and thereafter operate the pumps and valves locally.

Operationally, the cistern will flush if town water is available and the lift pump is operational and power is available to the lift-pump. The lavatory will flush if the cistern is full. The waste will be discharged to the first pumping station if the pipework is intact (gravity fed). The first pumping station will operate if either main or backup pump are operational and power is available and either operator is available or control signal is present. The power signal will be available if signal lines are operational and signal equipment is operational and power for servo motors are available and remote operator or sensor is operational. The waste will be delivered to the treatment station if the major supply pipework is operational. The treatment station will be operational (i.e. able to separate and coalesce the sewage into a solid phase suitable for landfill, and an environmentally benign liquid that can be discharged to sea or river) if the sedimentation tank and discharge system are operable and the biofilm contactor is operational and the clarifier/aerator is operational and the clarifier sludge removal system is operational and power supply is available and operators are available. The sludge can be removed if roads are operational and driver and truck and fuel is available.

Several single sources of failure (contributors to E1 value) can be discerned. The power supply to local water pump, gravity fed pipework from lavatory to first pumping station and power supply to the first pump station. Manual control of the pumping station is possible, then this contributes to the E2 value, otherwise the control system wiring and logic will contribute to the E1 value. Assuming duplicate pumping station pumps, these contribute to the E2 value. Few of the treatment plant processes will be duplicated and so will contribute to the E1 values. For the urban population under consideration, the treatment plant is unlikely to have dual power feeds, and so the power supply contributes to the E1value.

For real treatment plants, most processes will include bypasses or overflow provisions. If the service is interpreted to specify the discharge of environmentally acceptable waste, then these bypasses are irrelevant to this study. However, if the “service” were defined with relaxed environmental impact requirements, then the availability of bypasses would mean that treatment plant processes would contribute to E2 values. Common reports of untreated sewage discharge following heavy rainfall events indicate that the resilience of treatments plants is low.

The numerical values of exposure presented in Table 1 are based on a representative design. It is noted that design detail may vary for specific systems. .

Table 1. Contributions to exposure of sewage system.

Preliminary research included the commissioning of a risk analysis by a professional practitioner of a sewage system defined to an identical scope, components and configuration of the target system. While the risk analysis generated useful results, it failed to identify all of the weaknesses that were identified by the exposure analysis.

3.3. Example 3: Supply of common perishable food to apartment-dweller

For the third example, a supply of a perishable food will be considered. The availability to a (representative) individual consumer, of whole milk with acceptable bacteriological, nutritional and organoleptic properties will be considered to represent the “service” and associated service level. Fresh whole milk is selected because it is a staple food and requires a technological system that is similar to that required by other nominally processed fresh food. Nevertheless, the technological system is not trivial - the pasteurisation step requires close control if bacteriological safety is to be obtained without deterioration of the nutritional and taste qualities.

At the delivery point, a working refrigerator and electric power are required. Transit to the apartment requires electric power to operate the elevator. Transport from the retail outlet requires fuel, driver, operational vehicle, and roads. The retail outlet requires staff, electric power, functional sewage system, functional water supply, functional lighting, communications and stocktaking system and access to financial transaction capability. Transport to the retail outlet requires fuel, driver, roadways and operational trucks. The processing and packaging system requires pasteurisation equipment, control system, Cleaning In Place (CIP) system, CIP chemical supply, pipework-and-valve changeover system for CIP, electric-powered pumps, electrically operated air compressors, fuel and fired hot water heaters, packaging equipment, packaging material supplies, water supply, waste water disposal, sewage system and skilled operators. Neither the processing facilities, nor the retail outlet, nor the apartment would commonly not have duplicated electric power feeders and so these and associated protection systems must be considered back to the nearest substation. The substation can be assumed to have multiple input feeders, and so the electric power system need not be considered any further upstream of the substation. The heating system (hot water boiler and hot water circulation system) for the pasteurizer would commonly be fired with fuel oil, but including enough storage that it would commonly be supplied directly from a fuel wholesaler.

The processes leading from raw milk collection up to the point where pasteurised and chilled milk is packaged, are defined in considerable detail by regulatory bodies - and can therefore be considered to be representative. There will be variation in packaging equipment types, however each of these can be considered as a single process and single “weakness”. Distribution to supermarkets, retail sales and distribution to individual dwellings are similar across most of the western world and are considered to be adequately representative. Neither the processing plant nor the retail outlet are staffed and so require an operational sewage disposal system and water supply.

Delivery of the milk will be achieved if the refrigeration unit in the apartment is operational and power is supplied to it and packaged product is supplied. Packaged product can be supplied if apartment elevator and power are available and individual transport from the retail outlet is functional and retailing facilities exist and are supplied with power and are staffed and have functional financial transaction systems. The retail facility can be staffed if skilled persons are available and transport allows them to access the facility and staff facilities (water, sewage systems) are operational. The sewage system is functional if water supply is available and pumping station is functional and is supplied with power and control systems are available. The bulk consumer packs are delivered to the retail outlet if road systems and drivers and vehicles and fuel is available. The packaged product is available from the processing facility if fuel is available to heat the pasteurizer and power is available to operate pumps and control system is operable and skilled operators are available and homogeniser is operational and compressed air for packaging equipment is available and packaging equipment is operational. Product can be made if CIP chemicals are available and CIP waste disposal is operational. Since very many suppliers and transport options are capable of supplying raw milk to the processing depot, the study need not consider functions/processes that are further upstream to the processing depot, i.e. the on-farm processes or the raw milk delivery to the processing depot.

Several single sources of failure (contributors to E1 value) can be identified: Power supply to the refrigerator (and cabling to the closest substation), roads fuel vehicle and driver, staff and power supply (and cabling to substation) at the retail outlet. Staff facilities (and hence the exposure contributions from the sewage system) must be considered. Provided the retail outlet is able to accept cash or paper-credit notes, then the payment system contributes to the E2 value, however if the retail outlet is constrained to electronic payments then many processes associated with the communications and banking systems will contribute to the E1 value. Roads, and fuel for bulk distribution will contribute to the E1 value, however drivers and trucks contribute to higher E values, since many drivers and trucks can be assumed to be available. The power supply to the processing and packing facility will contribute to the E1 value. The tight specifications and regulatory standards for consumer-quality milk will generally not allow any bypassing of processes, and so each of the major processes (reception, pasteurisation, standardisation, homogenisation and packaging) will all contribute to the E1 values. The milk processing and packaging facility will also need fuel for the Cleaning in Place (CIP) system and will need staff facilities - and hence the exposure contribution of the sewage system must be considered.

The examples demonstrate three commonalities. Firstly, it is both practical and informative to evaluate contributors to E1, E2 etc. variables for a broad range of cases and technologies. Secondly, sources of vulnerability that are specific to the examples can be identified, and thirdly principles for reduction of vulnerability can be readily articulated. In the petrol station supply example, one could consider eliminating the operator to obtain a greater reduction in exposure, eliminating needs for sewage, water, than retaining the operator and allowing cash transactions.

Some common themes can also be inferred among the examples, in general principles for exposure reduction likely to be applicable to other cases: The example studies contain intermediate streams: if such intermediate streams have specifications that are publicly available (open-source), there is increased opportunity for service substitution from multiple sources, and a reduction in the associated exposure values. Proprietary software and data storage are a prominent example of lack of standardisation despite the availability of such approaches as XML. Currently, electronic financial transactions require secure communications between an EFTPOS terminal and the host system, and the verification and execution of the transaction between the vendor's bank account and the purchaser's bank account. These processes are necessarily somewhat opaque. Completely decentralised transactions are possible as long as both the seller and vendor agree upon a medium of exchange. The implications of either accepting- or not-accepting a proposed medium of exchange are profound for the “exposure” created. Although the internet was designed to be fault tolerant, its design requires network controllers to determine the path taken by data, and in practice this has resulted in huge proportions of traffic being routed through a small number of high bandwidth channels. This is a significant issue: if the total intercontinental internet traffic (including streamed movies, person-to-person video chats, website service and also EFTPOS financial transaction data) were to be routed to a low-bandwidth channel, the financial transaction system would probably fail. Technological systems such as the generation of power using nuclear energy, are currently only economic at very large-scale, and hence represent dependencies to a large number of systems and users. Conversely, a system generating power using photovoltaic cells, or using external combustion (tolerant of wide variations in fuel specification) based on microalgae grown at village level, would probably be inherently less “exposed”. In every case where a single-purpose process forms an essential part of a process, it represents a source of weakness. By contrast, any “general purpose” or “re-purpose-able” component can, by definition, contribute to decreasing exposure. Human beings' ability to apply “common sense” and their unlimited capacity for re-purposing, are the epitome of multi-purpose processors. The capability to incorporate humans into a technological system is possibly the single most effective way to reduce “exposure”. The “capability to incorporate” may require some changes that do not inherently affect the operation of a system, merely incorporate a capability, such as the inclusion of a hand-crank capability in a petrol pump.

The examples (fuel supply, sewage disposal, perishable food) also uncover the existence of technological gaps, and where a solution would decrease exposure. Such gaps include the capability to store significant electrical energy locally (this is a more significant gap than is the capability to generate locally), a truly decentralised/distributed and secure communication system, and an associated knowledge storage/access system, a fully decentralised financial system that allows safe storage of financial resources and safe transactions, a decentralised sewage treatment technology, and less centralised technological approaches for the supply of both food and water and a transport system capable of significant load-carrying though not necessarily high speed, with low-specification roadways and broadly-specified energy supplies.

4. Discussion

The detailed definition of a technological system allows a more rigorous process for identification of hazards, by ensuring that all system weaknesses are considered. Calculating the exposure level of a technological system is not proposed as a replacement for risk analysis, but as a technique that offers specific insights and also increases the rigour of risk analysis. Indexing a measure of contribution-to-vulnerability is both simplified and enhanced in value if the measure is indexed to the delivery of specific goods/services, at defined levels, to an individual end-user. This approach will allow clarification of the extent to which a given project will benefit the individual. The analysis is applicable to any technological system supplying a specified deliverable at a given service level to a user. It is recognised that while some hazards e.g. a major natural or man-made disaster may affect more than one system, the analysis of the technological exposure of each system remains valid and valuable. The analysis of hazard-probability is of limited value over either long timeframes or when hazards are guided, and that characterising the number and types of weaknesses in a technological system is a better indicator of the vulnerability which it contributes to the person who depends on its outputs. An approach to quantifying the “exposure” of a technological system has been defined and justified as a valid representation of the contribution made to the vulnerability of the individual end-user. The approach is generates a fine-grained metric {E1, E2, E3 … En} that is shown to accurately measure the vulnerability incurred by the end-user: calculation of the metric is tedious but not conceptually difficult; the measure is readily able to be verified and replicated, and the calculated values allow detailed investigation of the effect of hypothesized changes to a target system. The approach has been illustrated with a number of examples, and although only preliminary analyses have been made, the practicality and utility of the approach has been demonstrated. Only a small number of example studies have been presented, although they have been selected to address a range of needs experienced by actual urban-dwellers. In each case the scope and technologies used are proposed to be representative, and hence conclusions drawn from the example studies can be considered to be significant.

Even the preliminary analyses of the examples have indicated two distinct categories of contributors to vulnerability: weaknesses that are located close to the point of final consumption, and highly centralised technological systems such as communications, banking, sewage, water treatment and power generation. In both of these categories the user's exposure is high despite limited design redundancy, however the users exposure could be reduced by selecting or deploying technology subsystems with lower exposure close to point-of-use, and by using public standards to encourage multiple opportunities for service substitution. The use of an exposure metric has been shown to provides measure of the vulnerability contributed by a given technological system to the individual end-user, has been shown to be able to be applied to representative examples of technological systems. Although results are preliminary, the metric has been shown to allow the derivation of both specific and generalised conclusions. The measure can integrate with-, and add value to-existing techniques such as risk analysis.

The approach is proposed as a theory of exposure, including conceptual definitions, domain limitations, relationship-building and predictions that are proposed [34] as essential criteria for a useful theory.

Acknowledgement

This research is supported by an Australian Government Research Training Program (RTP) Scholarship.

References

[1] J. Forrester, Industrial Dynamics, MIT Press, Boston, MA (1961)

[2] R. Ackoff, Towards a system of systems concepts, Manag. Sci., 17 (11) (1971), pp. 661-671

[3] J. Sterman, Business Dynamics: Systems Thinking and Modelling for a Complex World, McGraw-Hill Boston (2000)

[4] I. Eusgeld, C. Nan, S. Dietz, System-of-systems approach for interdependent critical infrastructures, Reliab. Eng. Syst. Saf., 96 (2011), pp. 679-686

[5] T. Forester, P. Morrison, Computer unreliability and social vulnerability, Futures, 22 (1990), pp. 462-474

[6] B. Martin, Technological vulnerability technology in society, 18 (1996), 511–523A

[7] L. Robertson, From societal fragility to sustainable robustness: some tentative technology trajectories, Technol. Soc., 32 (2010), pp. 342-351

[8] M. Kress, Operational Logistics: the Art and Science of Sustaining Military Operations, 1-4020-7084-5, Kluwer Academic Publishers (2002)

[9] L. Li, Q.-S. Jia, H. Wang, R. Yuan, X. Guan, Enhancing the robustness and efficiency of scale-free network with limited link addition, KSII Trans. Internet Inf. Syst., 6 (2012), pp. 1333-1353

[10] A. Yazdani, P. Jeffrey, Resilience enhancing expansion strategies for water distribution systems: a network theory approach, Environ. Model. Softw., 26 (2011), pp. 1574-1582

[11] Y.Y. Haimes, P. Jiang, Leontief based model of risk in complex interconnected infrastructures, ASCE J. Infrastruct. Syst., 7 (2001), pp. 1-12

[12] Cyber-attack: How Easy Is it to Take Out a Smart City?. (New Scientist, 4 August 2015), (https://www.newscientist.com/article/dn27997-cyber-attack-how-easy-is-it-to-take-out-a-smart-city/, retrieved 22 Mar 2017).

[13] Jeep Drivers Can Be HACKED to DEATH: All You Need Is the Car's IP Address (e.g. The Register, 21 Jul 2015). (https://www.theregister.co.uk/2015/07/21/jeep_patch/, retrieved 22 Mar 2017).

[14] J. Glenn (Sen), Quotation from Retirement Speech, Seen online at (1997), http://www.historicwings.com/features98/mercury/seven-left-bottom.html, in Feb 2014

[15] C. Gómez, M. Buriticá, M. Sánchez-Silva, L. Dueñas-Osorio, Optimization-based decision-making for complex networks in disastrous events, Int. J. Risk Assess. Manag., 15 (5/6) (2011), pp. 417-436

[16] C. Perrow, Normal Accidents: Living with High-risk Technologies, Basic Books, New York (1984)

[17] P. Chopade, M. Bikdash, Critical infrastructure interdependency modelling: using graph models to assess the vulnerability of smart power grid and SCADA networks, 8th International Conference and Expo on Emerging Technologies for a Smarter World, CEWIT 2011(2011)

[18] ISO GUIDE 73, Risk Management — Vocabulary, (2009)

[19] A. Gheorghe, D. Vamadu, Towards QVA - Quantitative vulnerability assessment: a generic practical model, J. Risk Res., 7 (2004), pp. 613-628

[20] ISO/IEC 31010, Risk Management— Risk Assessment Techniques', (2009)

[21] FMEA, MIL-STD-1629A, Failure Modes and Effects Analysis (1980)

[22] Y.Y. Haimes, On the definition of resilience in systems, Risk Anal., 29 (2009), pp. 498-501, 10.1111/j.1539-6924.2009.01216.x, 2009 Note page 498

[23] K. Khatri, K. Vairavamoorthy, “A new approach of risk analysis for complex infrastructure systems under future uncertainties: a case of urban water systems. ”Vulnerability, Uncertainty, and Risk: analysis, Modeling, and Management, Proceedings of the ICVRAM 2011 and ISUMA 2011 Conferences (2011), pp. 846-856

[24] Y. Shuai, X. Wang, L. Zhao, Research on measuring method of supply chain resilience based on biological cell elasticity theory, IEEE Int. Conf. Industrial Eng. Eng. Manag. (2011), pp. 264-268

[25] Munoz M. Dunbar, On the quantification of operational supply chain resilience, Int. J. Prod. Res., 53 (22) (2015), pp. 6736-6751

[26] A.M. Law, Simulation Modelling and Analysis, McGraw-Hill, New York (2007)

[27] L. Barabási, E. Bonabeau, EScale-free networks, Sci. Am., 288 (2003), pp. 60-69

[28] G. Tanaka, K. Morino, K. Aihara, Dynamical robustness in complex networks: the crucial role of low-degree nodes, Nat. Sci. Rep., 2/232 (2012)

[29] N. Slack, A. Brandon-Jones, R. Johnston, Operations Management 7th Edition by Dawson Books, (2013), ISBN-13: 978–0273776208 ISBN-10: 0273776207

[30] ISO/IEC 9075–2, Information Technology – Database Languages – SQL, (2011)

[31] P. Suppes, Measurement theory and engineering, Dov M. Gabbay, Paul Thagard, John Woods (Eds.), Handbook of the Philosophy of Science, Philosophy of Technology and Engineering Sciences, vol. 9, Elsevier BV (2009)

[32] D. Hand, Measurement Theory and Practice: the World through Quantification, Wiley (2004), ISBN: 978-0-470-68567-9.ISO/IEC 31010:2009–(Risk Management - Risk Assessment Techniques)

[33] Ponemon Institute, 2013 Study on Data Center Outages, Retrieved, (2013), http://www.emersonnetworkpower.com/documentation/en-us/brands/liebert/documents/white%20papers/2013_emerson_data_center_outages_sl-24679.pdf, Dec 2016

[34] J.G. Wacker, A definition of theory: research guidelines for different theory-building research methods in operations management, J. operations Manag., 16.4 (1998), pp. 361-385

Vitae

L Robertson is a professional engineer with a range of interests, including researching the level and causes of vulnerability that common technologies incur for individual end-users.

Dr Katina Michael, SMIEEE, is a professor in the School of Computing and Information Technology at the University of Wollongong. She has a BIT (UTS), MTransCrimPrev (UOW), and a PhD (UOW). She previously worked for Nortel Networks as a senior network and business planner until December 2002. Katina is a senior member of the IEEE Society on the Social Implications of Technology where she has edited IEEE Technology and Society Magazine for the last 5+ years.

Albert Munoz is a Lecturer in the school of management, operations & marketing, at the Faculty of Business at the University of Wollongong. Albert holds a PhD in Supply Chain Management from the University of Wollongong. His research interests centre on experimentation with systems under uncertain conditions, typically using discrete event and system dynamics simulations of manufacturing systems and supply chains.

1 Abbreviation: Failure Modes and Effects Analysis, FMEA.

2 The terminology used is typical for Australasia: other locations may use different terminology (e.g. “gas” instead of “petrol”).

Keywords

Technological vulnerability, Exposure, Urban individual, Risk

Biographies

L Robertson is a professional engineer with a range of interests, including researching the level and causes of vulnerability that common technologies incur for individual end-users.

Dr Katina Michael, SMIEEE, is a professor in the School of Computing and Information Technology at the University of Wollongong. She has a BIT (UTS), MTransCrimPrev (UOW), and a PhD (UOW). She previously worked for Nortel Networks as a senior network and business planner until December 2002. Katina is a senior member of the IEEE Society on the Social Implications of Technology where she has edited IEEE Technology and Society Magazine for the last 5+ years.

Albert Munoz is a Lecturer in the school of management, operations & marketing, at the Faculty of Business at the University of Wollongong. Albert holds a PhD in Supply Chain Management from the University of Wollongong. His research interests centre on experimentation with systems under uncertain conditions, typically using discrete event and system dynamics simulations of manufacturing systems and supply chains.

Citation: Lindsay J. Robertson, Katina Michael, Albert Munoz, "Assessing technology system contributions to urban dweller vulnerabilities", Technology in Society, Vol. 50, August 2017, pp. 83-92, DOI: https://doi.org/10.1016/j.techsoc.2017.05.002

Social acceptance of location-based mobile government services for emergency management

Abstract

Location-based services deployed by governments can be used to assist people manage emergencies via their mobile handsets. Research delineating the acceptance of public services in the domain of emergency management has been scantly investigated in information systems. The main aim of this study is to assess the viability of location-based mobile emergency services by: (i) exploring the issues related to location-based services and their nationwide utilisation for emergency management; (ii) investigating the attitudinal and behavioural implications of the services; and (iii) examining the social acceptance or rejection of the services and identify the determinants of this acceptance or rejection. The results reveal that both attitude and perceived usefulness demonstrate a good prediction power of behavioural intention. Although perceived ease of use was found not to be a predictor of attitude, the results affirm its influence on perceived usefulness. The results also demonstrate the role of trust as the most influential determinant of individual perception of the usefulness of the services. Further, the results indicate that only the collection of personal location information, as a perceived privacy concern, had a significant negative impact on trust. Implications and future research are also discussed.

Highlights

► We investigate the public offerings of location-based services in the domain of emergency management.

► We examine the social acceptance or rejection of the services and identify the determinants of this acceptance or rejection.

► Attitude has a significant role in influencing behavioural intention towards using the services for emergency management.

► Trust is the most influential determinant of individual perception of the usefulness of the services.

1. Introduction

Emergencies and disasters have been part of our existence since the recording of history and will always be part of the continuing cycle of life and death. The 2001 terror attacks on New York City, the 2004 Indian Ocean Tsunami, the 2010 Haiti earthquake, and the 2012 Hurricane Sandy in the United States and Canada are just a few telling examples of what societies can endure. According to the United Nations’ International Strategy for Disaster Reduction Platform (2005), one of the main reasons for the loss of life in an emergency event is lack of early warning information. Therefore, in response to the lack of timely information, governments around the world have been exploring mobile phones as an additional feasible channel for disseminating information to people in emergency situations. The Short Message Service (SMS) and the Cell Broadcast Service (CBS) currently represent the feasible services that could be utilised for geo-specific emergency purposes as they can operate with almost all kinds of mobile handsets available today (Aloudat and Michael, 2010). We call such a service “location-based mobile government service for emergency management”.

Samsioe and Samsioe (2002) argued that an electronic service that has location capabilities should be able to fulfil the following three separate activities so as to be accurately defined as a location-based service (LBS): (i) estimate the location of the device; (ii) produce a service based on the estimated location; and (iii) deliver the location-enhanced service to that device. Accordingly, location-based services (LBS) for emergency management would involve the following: first, the location of the mobile handset can be estimated by using Cell-ID related technologies (Spiekermann, 2004); second, the mobile telecommunications network can produce an emergency information service, formed as an SMS or CBS, on events such as fire, flood, heavy rain, or hurricane, around the estimated location; and third, the warning message can then be sent to mobile handsets in the vicinity of the emergency to alert people.

After examining the related literature, it is clear that there is a marked scarcity of theoretical and empirical research that touches on the issues pertaining to the nationwide deployment of LBS for emergency management by governments. Furthermore, early studies have neglected the assessment of the acceptance and adoption of these services, along with their determinants, in the public domain. Accordingly, we seek to fill this gap by assessing the viability of location-based mobile government services within the national emergency management arrangements; Australia as a case study. To achieve this, we aim to investigate the social acceptance or rejection of location-based mobile government emergency services in Australia and identify the determinants of the acceptance or rejection.

The rest of this paper is organised as follows. Section 2 reviews the existing literature on the issues related to utilising LBS for emergency management. Section 3 develops a research model that demonstrates the acceptance of the services and their determinants. Section 4 describes the research method applied in this study. Section 5 reports the data analysis conducted to test the research model and Section 6 provides a discussion of the results. The contributions and limitations of this study and directions for future research are discussed in Section 7.

2. Issues related to LBS and emergency management

2.1. Visibility of LBS as a solution for emergency management

An individual may not be aware of the possible utilisation of location-based mobile phone services for emergency management and, therefore, it could be argued that the direct advantages or disadvantages of such utilisation would not be visible to him or her (Karahanna et al., 1999; Kurnia and Chien, 2003). An early explanation of these common phenomena came from Zajonc (1968) who defined it as the “mere exposure effect”. This describes the case where a person does not know or has little knowledge about a phenomenon, but by repeatedly exposing him or her to related stimulus objects, the repetition is capable of changing his or her beliefs towards the phenomenon either positively or negatively.

One of the key attributes of the Diffusion of Innovation (DOI) Theory by Rogers (1962) is observability, which was later segmented by Moore and Benbasat (1991) into two distinct constructs of demonstrability and visibility. The interpretation of visibility surmises that an innovation may not be new, but its benefits could be unknown to the public or even to governments. This is probably the case with LBS where these services have been available for several years, yet their general usage rates, specifically in the domain of emergency management are still extremely limited worldwide (Frost and Sullivan research service, 2007; O’Doherty et al., 2007; Aloudat and Michael, 2011).

2.2. The quality features of location-based emergency services

Service quality is defined as “a global judgement, or attitude, relating to the superiority of the service” (Parasuraman et al., 1988, p. 16).The quality of a service is, therefore, a result of subjective understanding, evaluation, and judgement of its merits. This understanding could, unfortunately, raise several judgement-related issues regarding the desired features of a service. Such issues could be easily augmented in the world of electronic services (e-services), such as LBS, especially in the absence of widely accepted and reliable instruments to quantifiably measure the quality features of an e-service. As a direct result of the absence of “agreed-upon” e-service quality models for all kinds of e-services, researchers have been compelled to use traditional service quality scales, such as the SERVQUAL model of Parasuraman et al. (1988), to measure the quality features of e-services (Liljander et al., 2002). In these traditional models however the interpersonal character of the delivery has the main impact on determining the quality of the service and, therefore, such models cannot truly be applied to the paradigm of e-services (Boshoff, 2007). Several studies suggested alternative instruments to measure e-service quality. Examples include Kaynama and Black (2000), and Zeithaml et al. (2000, 2002). But, Boshoff (2007) strongly argued that most of these proposed instruments had flaws since they were either too narrowly focused on a specific kind of e-services or failed to address the e-service from the perspective of the medium through which the service is provided or delivered.

In general, the quality of an e-service has been discerned as a multifaceted concept with different dimensions proposed for different service types (Zeithaml et al., 2002; Zhang and Prybutok, 2005). Unfortunately, in the context of LBS there is no existing consummate set of dimensions that can be employed to measure the quality features of the services and, subsequently, to measure their impact on an individual’s opinion about the utilisation of the services for emergency management. Therefore, defining a dimensional measurable set for location-based mobile phone emergency services would not be a straightforward task since there is almost no scholarly research regarding such a set. Nonetheless, the quality dimensions of a location-based mobile phone service that are expected to be relevant to emergency situations were adapted from Liljander et al. (2002), but were revised to accurately reflect the quality measurements of LBS in their new context (i.e. emergency management). The dimensions include reliabilityresponsivenesscustomisationassurance/trust, and user interface.

The interpretation of the reliability concept follows Kaynama and Black (2000), Zeithaml et al. (2002) and Yang et al. (2003) as the currency and accuracy of the service information. To be considered reliable, the LBS needs to be delivered with the best possible service information, in the best possible state, and within the promised time frame (Liljander et al., 2002).

It is reasonable to postulate that the success of a location-based mobile phone emergency service depends on the ability of the solution provider to disseminate the service information to a large number of people in a timely fashion. Due to the fact that fast response to changing situations or to people’s emergent requests is considered as providing timely information, then timeliness is closely related to responsiveness (Lee, 2005). Therefore, investigating the responsiveness of the LBS would be relevant in this context. In general, examining the influence of currencyaccuracy, and responsivenessquality features on public opinion is expected to provide an insight into the extent to which LBS is generally considered sufficiently trustworthy to be utilised for emergency management.

The User interface dimension comprises factors such as aesthetics, which could not be evaluated in this exploratory research as respondents will not have access to the LBS enabled applications for emergency management. Customisation refers to the state where information is presented in a tailored format to the user. Since LBS is customised based on the location of the recipient’s mobile handset and also on the type of information being sent, customisation is already an intrinsic quality in the core features of location-based mobile phone emergency services. Therefore, the service quality dimensions that are expected to impact on the acceptance or rejection of location-based mobile phone emergency service, and accordingly are investigated include:

(1) Perceived currency: the perceived quality of presenting up-to-the-minute service information during emergencies.

(2) Perceived accuracy: the individual’s perception about the conformity of location-based mobile phone emergency service with its actual attributes of content, location, and timing.

(3) Perceived responsiveness: the individual’s perception of receiving a prompt information service in the case of an emergency (Parasuraman et al., 1988; Liljander et al., 2002; Yang et al., 2003).

2.3. Risks of utilising LBS for emergency management

Risk of varying types exists on a daily basis in human life. Koller (1988) believed that the nature of the situation determines the type of risk and its potential effects. In extreme situations such as emergencies, risk perceptions stem from the fact that the sequence of events and the magnitude of the outcome are usually unknown or cannot be totally controlled. Risky situations affect public confidence in technology used in such situations (Im et al., 2008). Uncertainty is a salient element of risk. Two distinct types of uncertainty have been differentiated by Bensaou and Venkatraman (1996): behavioural and environmental. In the context of LBS, behavioural uncertainty arises when users cannot ascertain the behavioural actions of other LBS parties, especially in extreme events. Risk perceptions may be projected here in several forms. First, a personal risk could be perceived because the LBS user may not be able to guarantee that the service provider will fulfil its expected role under extreme emergency conditions. Physical, psychological, and social risk perceptions could all be envisaged here as personal risks (Jacoby and Kaplan, 1972). Second, the decision might hold a perception of economic risk as it might lead to a monetary loss in private properties or assets. Third, a privacy risk may be perceived since there can be some concerns that the service provider would act opportunistically in emergencies in a way that would disclose valuable personal information to other parties, collect an inordinate amount of information, or use the collected information for purposes other than and beyond the emergency situation itself and without any prior consent from the LBS user.

The second type of uncertainty is environmental, which originates because emergencies, by their nature, cannot usually be predicted in their exact timing or severity. Thus, the LBS user may reasonably assume that in an extreme condition the underlying infrastructure supporting location-based mobile phone emergency services would be compromised as in any other telecommunications model. Several risk perceptions may also be projected here. First, a perception of a personal risk could originate when the user is uncertain whether or not the LBS infrastructure would cope with the emergency situation, which might lead to a potential risk to the personal safety or the safety of important others (i.e. family members, friends, or working companions). Again, physical, psychological and social risk perceptions could all be conceived here as personal risks (Jacoby and Kaplan, 1972). Second, a perception of a performance risk emanates from the possibility that the location-based emergency service may suffer or not perform as it is intended or desired. There may not be a perception of a direct personal risk to the individual’s own safety, but the idea of a service failure when it is most needed could increase concerns about service performance and resilience in emergencies. A third environmental risk could be perceived financially when there is a possibility of monetary loss of private property or assets due to service failure (Featherman and Pavlou, 2003).

2.4. Trust in LBS for emergency management

Trust has long been regarded as an important aspect of human interactions and mutual relationships. Basically, any intended interaction between two parties proactively requires an element of trust predicated on the degree of certainty in one’s expectations or beliefs of the other’s trustworthiness (Mayer et al., 1995; Li, 2008). In the “relatively” uncertain environments of e-services, including LBS (Kaasinen, 2005; Lee, 2005), uncertainty leads individuals to reason about the capabilities of LBS and its expected performance in emergency situations, which eventually brings them to either trust the service by willingly agreeing to use it or distrust the service by simply refusing to use it. In emergencies, individuals may consider the possible risks associated with LBS before using such services. Therefore, individuals are likely to trust the service and engage in a risk taking relationship if they perceive that the benefits of using LBS surpass its risks. However, if high levels of risk are perceived, then it is most likely that individuals will not have trust in the service and, therefore, will not engage in risk-taking behaviour by using it (Mayer et al., 1995). Consequently, it could be posited that trust in an LBS is a pivotal determinant of utilising the services for emergency management where great uncertainty is always present.

Trust has generally been defined as the belief that allows a party to willingly become vulnerable to the trustee after having taken the characteristics of the trustee into consideration, whether the trustee is another person, a product, a service, an institution, or a group of people (McKnight and Chervany, 2001). In our context, the definition encompasses trust in the government providing the service and trust in the technology and underlying infrastructure through which the service is provided (Carter and Bélanger, 2005). But, since willingness to use the location-based mobile phone emergency service is an indication that the person has considered the characteristics of both the service and the service provider, including any third parties, then it is highly plausible to say that investigating trust propensity in the service will provide a prediction of trust in both the service and its provider. The ability to provide such a prediction is based upon the importance of trust in the service and its underlying technologies, which has been clearly recognised before in acceptance and adoption literature (Kini and Choobineh, 1998; Kim et al., 2001). It could be argued, however, that trust should be examined with the proposition that the person knows or, at least, has a presumption of knowledge about the service, its benefits, and the potential risks associated with its utilisation. Nonetheless, it should be noted here that trust, per se, is a subjective interpretation of the actual trustworthiness of the service, given the current extremely limited utilisation of LBS in the domain of emergency management.

2.5. Privacy concerns pertaining to LBS emergency services

A classical and commonly quoted definition of privacy is that it is “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin, 1967, p. 7).

In the context of LBS, the traditional commercial use of the services where a high level of detail about the user’s information is regularly available for the mobile service provider, may not raise much sensitivity towards privacy from users since the user’s explicit consent is a prerequisite for initiating the services in most cases. However, in emergencies, pertinent government departments and law enforcement agencies have the power to temporarily set aside the person’s right to privacy by not informing the person when, where, and for how long his or her personal information would be collected and/or monitored. This is based on the assumption that the consent of the person is already implied when location information is collected and/or monitored in emergency situations. Nonetheless, the idea of their personal information perennially availability to other parties and the belief that the individual has incomplete control or no control over the collection and/or surveillance, the extent, the duration, the timing, or the amount of information being collected could raise privacy concerns.

Good intentions are generally assumed in the relation between the government and its people, as governments usually communicate with the individuals in regard to what kind of data will be collected in emergencies, the extent of the collection, and when data will be collected. However, the implications of suspending consent of the person, even temporarily, may have long-term adverse effects and negative impacts on public perception of LBS solutions in general. This also has the potential to generate debate on the right of the individual in an absolute privacy state and the power of governments to dispense with that right of privacy (Perusco et al., 2006), even when the services are suggested by the government for emergency management purposes.

Four privacy concerns have been identified by Smith et al. (1996). They are collectionunauthorised secondary use, errors in storage, and improper access of the collected data. These concerns can be examined when investigating privacy concerns pertaining to LBS (Junglas and Spitzmuller, 2006). Collection is defined as the concern that extensive amounts of location information or other personal identifiable information would be collected by the government when using LBS during emergencies. Unauthorised secondary use is defined as the concern that information is collected for emergency purposes using LBS, but will ultimately be used for other purposes by the government without the explicit authorisation/consent of the individual for those other uses. Errors in storage describe the concern that the procedures taken to protect against accidental or deliberate errors in storing the location information while utilising LBS are inadequate. Improper access is the concern that the stored location information is accessed by parties in the government who do not have the authority to do so.

3. Research model and hypotheses development

A special adaptation of the Theory of Reasoned Action (TRA) (Fishbein and Ajzen, 1975; Ajzen and Fishbein, 1980) has been introduced by Davis (1986, 1989) in the form of a Technology Acceptance Model (TAM). According to TRA, the actual behaviour of an individual is determined by the individual’s intention to perform that behaviour. Such intention is the result of a joint function and/or influence of the subjective norms and the individual’s attitude towards engaging in that specific behaviour. TAM postulates that the usage of a technology (i.e. the actual adoption of the technology) can be predicted as behaviour by the individual’s intention to use the technology. The individual’s intention to use can be determined by his or her attitude towards using that technology. In TAM, both the attitude and intention are postulated as the main predictors of accepting the technology. The attitude is presumed to act as a mediator between the behavioural intention and two key influential beliefs: the perceived ease of use of the technology, and its perceived usefulness. TAM posits a direct link between perceived usefulness and behavioural intention. The model also posits that the perceived usefulness of the technology is directly influenced by the perceived ease of use of that technology.

Firstly and based on original TAM, the following hypotheses are formulated:

H1 Intention to use location-based mobile phone emergency services is positively related to attitude towards the services.

H2 Intention to use location-based services in emergencies is positively associated with perceived usefulness of the services.

H3 Attitude towards location-based mobile phone emergency services is positively associated with perceived usefulness of these services.

H4 Attitude towards using location-based mobile phone emergency services is positively associated with perceived ease of use of the services.

H5 Perceived ease of use of location-based services has a positive impact on perceived usefulness of the services for emergency management purposes.

Due to its parsimony and predictive power, TAM has been widely applied, empirically validated, and extended in many studies related to user acceptance of information technology, (see for example, Venkatesh, 2000; Venkatesh and Davis, 2000; Pavlou, 2003; Djamasbi et al., 2010; Mouakket and Al-Hawari, 2012). However, TAM is a general model that only provides overall information about technology acceptance and usage and does not specify the determinants of perceived usefulness and perceived ease of use as the two main beliefs included in the model. Therefore, further information is needed regarding the specific factors that may affect a certain technology’s usefulness and ease of use from individual perspective; as this can guide the design and development of the technology in the right direction (Mathieson, 1991). Indeed, Venkatesh and Davis (2000)suggested that user behavioural beliefs included in TAM could be affected by external variables. TAM also theories that the effects of external variables on intention to use are mediated by perceived usefulness and perceived ease of use (Venkatesh, 2000). As such, this research utilises visibility, perceived risk, perceived service quality, perceived privacy concerns, and trust as external factors affecting perceived usefulness and perceived ease of use in TAM.

The rest of the research hypotheses, presented in the following sections, are completely consistent with the structural formulation of TAM and do not violate in any way TAM’s grounded theory of TRA. All the hypothesised effects of the external constructs in the proposed research model would only be exhibited on the internal variables of the model (i.e. attitude and intention) through the full mediation of TAM’s internal beliefs (i.e. perceived usefulness and perceived ease of use). Any other arrangement beside those mentioned must be considered as another model, and not TAM.

3.1. Effect of perceived service quality on perceived usefulness

It could be posited that an individual perception of how useful LBSs are in emergencies would be highly influenced by the degree to which the individual perceives the services to be accurate, current, and responsive. The research conceptual model follows the same rationale as TAM, which postulates the perceived ease of use of a technology as a direct determinant of its perceived usefulness. Perceived ease of use is defined as the degree to which the individual believes that using LBS would be free of physical and mental effort (Davis, 1989). It is then justifiable to postulate that ease of use is directly related to technical service quality features of LBS since the individual’s evaluation of the service’s ease of use is closely associated with the convenient design of the service itself. This is perhaps why ease of use has been conceived by several researchers as one of the core dimensions of service quality (Zeithaml et al., 2002; Yang et al., 2003; Zhang and Prybutok, 2005). Building upon this and following the trails of TAM, the currency, accuracy, and responsiveness service quality constructs are theorised in the research model as direct determinants of the perceived usefulness of the location-based mobile phone emergency service. The following hypotheses are proposed:

H6a: There is a positive relationship between perceived responsiveness of the location-based mobile phone emergency service and its perceived usefulness.

H6b: There is a positive relationship between the perceived currency of the location-based mobile phone emergency service and its perceived usefulness.

H6c: There is a positive relationship between the perceived accuracy of the location-based mobile phone emergency service and its perceived usefulness.

3.2. Effect of visibility on perceived usefulness

Visibility is defined as the extent to which the actual use of location-based mobile phone emergency service is observed as a solution by the individual. Following a line of reasoning in former studies, such as Karahanna et al. (1999) and Kurnia and Chien (2003), the perception of an individual of the usefulness of the location-based mobile phone emergency service is positively related to the degree to which the service solution is visible to that individual. The following hypothesis is presented:

H7: Perceived usefulness of the location-based mobile phone emergency service increases as the visibility of the service application increases in the context of use.

3.3. Effect of perceived risk on perceived usefulness

As it is practically rational to believe that the individual would perceive different types of risk during an emergency situation, it might be quite difficult to examine each risk facet as being separate to others since they can be inextricably intertwined in such situations. Therefore, following the theoretical reasoning of Pavlou (2003), the perceived risks will be investigated as a higher-order uni-dimensional concept that embraces the two types of uncertainty identified earlier, that is, behavioural and environmental.

A number of former studies have shown that public perceptions of the inherent risks in e-services can be a pivotal barrier to the acceptance of the services (Campbell and Goodstein, 2001; Featherman and Pavlou, 2003; Pavlou and Gefen, 2004; Heijden et al., 2005; Lee and Rao, 2005; Xu et al., 2005; Junglas and Spitzmuller, 2006; Horst et al., 2007). But, more importantly, in the mobile telecommunications environment people feel more vulnerable to the risks of the underlying technologies since there are always concerns about information loss or delivery failure because of the nature of the media through which information is usually delivered to them (Bahli and Benslimane, 2004).

Based on the interpretations of Pavlou and Gefen (2004) and Heijden et al. (2005), the perceived risk is defined as the individual belief as to the potential loss and the adverse consequences of using location-based mobile phone emergency services and the probability that these consequences may occur if the services solution is used for emergency management. Bearing in mind the high degree of uncertainty that is usually associated with emergency situations, it is argued that perceptions of risk would have a highly negative impact on individual perception of the usefulness of location-based mobile phone emergency services. Therefore, the following hypothesis is presented:

H8: Perceived risks from using location-based mobile phone emergency services have a negative influence on the perceived usefulness of the services.

3.4. Effect of trust on perceived usefulness

Despite the general consensus of the existence of a mutual relationship between trust and risk, the two concepts should be investigated separately when examining their impact on public acceptance of LBS since they usually show different sets of antecedents (Junglas and Spitzmuller, 2006). Trust and perceived risks are primarily essential constructs when uncertainty is present (Mayer et al., 1995). However, each has a different type of interrelationship with uncertainty. While uncertainty augments the risk perceptions of using location-based mobile phone emergency services trust reduces the individual’s concerns regarding the possible negative consequences of using the services, thus alleviating the uncertainty around services performance. Therefore, since trust in the LBS can lessen uncertainty associated with the services, thus reducing the perceptions of risk, it is theorised that the perceived risk is negatively related to an individual’s trust in the service. This is in line with a large body of former empirical research, which supports the influence of trust on perceptions of risk (Gefen et al., 2003). In addition, by reducing uncertainty trust is assumed to create a positive perspective regarding the usefulness of the services and provide expectations of an acceptable level of performance. Accordingly, trust is postulated to positively influence the perceived usefulness of location-based mobile phone emergency services and, therefore, the following hypotheses could be proposed:

H9: Trust in location-based mobile phone emergency services positively influences the perceived usefulness of the services.

H10: Trust in location-based mobile phone emergency services negatively impacts the risks perceived from using the services.

3.5. Effects of perceived privacy concerns on usefulness, trust, and risk

Perceived privacy concerns are expected to have a direct negative impact on the perceived usefulness of LBS. In addition, other prominent constructs of trust and perceived risks are also assumed to have mediating effects on the relationship between perceived privacy concerns and perceived usefulness since both constructs (i.e. trust and perceived risks) could be reasonably regarded as outcomes of the individual assessment of the privacy concerns (Junglas and Spitzmuller, 2006). For instance, if a person is not greatly concerned about the privacy of his or her location information, then it is most likely that that individual trusts the services, thus perceiving them to be useful. On the other hand, if the perceptions of privacy concerns are high, the individual would probably not engage in a risk taking behaviour, due to the high levels of risks perceived, thus resulting in lower perceptions of the usefulness of the services. Building on this reasoning, the perceived privacy concerns are theorised in the research model as direct determinants of both trust and risk perceptions. While the perceived privacy concerns are postulated to have a negative impact on trust in the services, they are theorised to positively influence on the perceived risks associated with using LBS.

Reductions in information privacy are generally the product of two types of activities: observing information about the person and sharing this information with others (Bridwell, 2007). Accordingly, the influences of two pertinent privacy concerns (i.e. collection and unauthorised secondary use) on individual acceptance of location-based mobile phone emergency services are proposed as the bases for the following hypotheses:

H11a: Collection as a perceived privacy concern negatively impacts the perceived usefulness of location-based mobile phone emergency services.

H11b: Unauthorised secondary use as a perceived privacy concern negatively impacts the perceived usefulness of location-based mobile phone emergency services.

H12a: Collection as a perceived privacy concern has a negative impact on trust in location-based mobile phone emergency services.

H12b: Unauthorised secondary use as a perceived privacy concern has a negative impact on trust in location-based mobile phone emergency services.

H13a: Risks perceived from using location-based mobile phone emergency services are positively associated with perceived privacy concerns about collection.

H13b: Risks perceived from using location-based mobile phone emergency services are positively associated with perceived privacy concerns about unauthorised secondary use.

Based on the proposed hypotheses, the research conceptual model is illustrated in Fig. 1.

Fig. 1. A conceptual model of location-based mobile phone emergency service acceptance.

4. Research method

4.1. Research context

Rapid proliferation of mobile platforms presents a real opportunity for the Australian Government to utilise location-based mobile services as an integral information lifeline in times of perils, especially now when Australians are becoming increasingly mobile; not only in the way they move, live and communicate, but also in the way they acquire information relevant to their whereabouts and various daily life activities. Utilising location-based services for emergency management has the potential to augment the overall levels of safety by increasing the situational awareness among people about threatening events in their immediate surrounds, thus helping to avoid unnecessary casualties, injuries or damages. The value of location-based mobile emergency services in Australia was realised after the Australian Federal, States and Territories Governments announced in 2009 their future intentions to utilise mobile services under the National Emergency Warning System (NEWS).

Location-based mobile services could help to find a solution to one of the intrinsic issues in most conventional emergency warning systems today that usually require the recipient to be anchored to an information channel at the time information is disseminated for one to receive an alert or warning message. However, given the current lack of research, not only in Australia but also globally, in relation to understanding the various implications of a nationwide utilisation of various mobile government location-based services for personal safety and public warning purposes, this study contends the pressing need for such a research. The results of this study would be of high importance to government, business and society at large.

4.2. Survey questionnaire

As attitude and intention are postulated as the main predictors of social acceptance or rejection of location-based mobile government emergency services, the researchers used a survey to examine and understand public attitudes and intentions towards using the services once the services are introduced by the Australian Government for emergency management solutions in the future. A five-point Likert rating scale was used in the questionnaire part of the survey. Each set of items or questions reflects a construct in the research conceptual model. The items and the studies from which the items were adapted can be found in Appendix A. At the end of the questionnaire, an open-ended question was used to solicit general comments, opinions, and additional information from the survey participants about the services.

4.3. Survey testing

Validating and testing the survey are essential processes in empirical information systems research (Straub, 1989). The survey testing was carried out in three separate steps. First, an observational study was conducted with two persons, both with minimal knowledge about location-based services. This lack of former knowledge was necessary to calculate the average time needed for each person to become acquainted with the topic of the study and complete the survey. Second, 600 pilot surveys were randomly distributed by hand. The results of the pilot survey provided the researchers with the needed grounds for testing the survey before its large-scale deployment. Third, the internal reliability of the survey was evaluated. Reliability reflects the internal consistency of the scale items measuring the same construct for the selected data if the survey is redeployed on the same population. After revision, values for all measurements were higher than the common threshold value of 0.7. The evaluation results (i.e. Composite reliability and Cronbach’s alpha scores) of the internal reliability are presented in Table 1.

 

Table 1. The internal consistency and discriminant validity of the research constructs.

4.4. Main survey

After survey testing, around 1350 surveys were mailed randomly by hand to households in the Illawarra region and the City of Wollongong, New South Wales, Australia. Participants were asked to return their copies to the researchers in a reply-paid envelope provided with the survey within three weeks. Three hundred and four filled surveys were returned, yielding an acceptable 22.52% response rate. Amongst the 304 surveys, 59 were returned with comments in their open-ended question. However, after excluding all unusable partial responses, 290 surveys remained for the statistical analysis.

5. Data analysis

5.1. Description of the survey population

The data of the survey subjects were summarised and reported in aggregated form to maintain anonymity and confidentiality of all respondents. Out of the 290 replies to the survey, 110 were female (37.9%) and 180 were male (62.1%). The sample showed that 43.1% (N = 125) of the respondents were between 18 and 25 years old, 21.7% (N = 63) were between 26 and 34 years old, 18.6% (N = 54) were between 35 and 44 years old, 12.4% (N = 36) were between 45 and 54 years old, 3.4% (N = 10) were between 55 and 64 years old, and only two people who were aged 65 or above completed the survey.

5.2. The partial least squares analysis results

The Smart PLS 2.0 M3 software (Ringle et al., 2005) was used to analyse the two components of the research model together: the calculation of the measurement model (i.e. the outer model) and the assessment of the structural model (i.e. the inner model) (Barclay et al., 1995).

5.2.1. The measurement model

Assessment of measurement models should examine: (1) individual item reliability, (2) internal consistency, and (3) discriminant validity (Barclay et al., 1995). To evaluate item reliability, Barclay et al. (1995) recommended accepting only items with a loading of 0.707 or more. However, Hair et al. (2006) argued that items with a factor loading of 0.5 or more are significant enough and could be retained. The measurement items of the research model were loaded heavily on their respective constructs (reported in Appendix A), with all loadings considerably above 0.5, thus demonstrating adequate reliability for all items.

Because all reliability scores are above 0.7 (i.e. Composite reliability and Cronbach’s alpha scores reported in Table 1) the internal consistency criteria are also met (Nunnally and Bernstein, 1994).

The third step in assessing the measurement model involves examining its discriminant validity where two conditions should be met. First, the off-diagonal elements in Table 1represent correlations of all latent variables, whereas the diagonal elements are the square roots of the average variances extracted (AVE) of the latent variables. The AVE of any latent variable should be greater than the variance shared between the latent variable and other latent variables (Barclay et al., 1995), i.e. the diagonal elements should be greater than corresponding off-diagonal elements. Data shown in Table 1 satisfy this requirement. Second, the indicators should load more highly on their respective construct than on any other construct, with all correlations being significant at (p ⩽ 0.05) level at least. Data reported in Table 2 satisfy this condition.

Table 2. Cross loadings of the constructs and their items.

Table 1. The internal consistency and discriminant validity of the research constructs. Representative only. For full table see ScienceDirect, Elsevier.

5.2.2. The structural model

The general aim of the structural model is to give an explanation of the theorised relationships (i.e. the hypotheses) amongst the constructs. Fig. 2 illustrates the results and also shows R2 values obtained for each endogenous variable (i.e. intention, attitude, usefulness, risk, and trust) in the structural model.

Fig. 2. The partial least squares (PLS) results of the research conceptual model.

As shown in Fig. 2, the attitude towards using location-based mobile phone emergency services (b = 0.241, p < 0.00.1) was a significant predictor of behavioural intention to use the services, thus supporting H1. The perceived usefulness (b = 0.444, p < 0.001) was also an influential predictor of intention, thus validating H2. Both attitude and perceived usefulness demonstrated a good prediction power of intention with R2 at 0.365, indicating an explanation level at 36.5% of the variance of behavioural intention to use the services in the future. Perceived usefulness (b = 0.471, p < 0.001) was a significant predictor of attitude, thus validating H3. However, H4 was not supported since perceived ease of use did not have any significant influence on attitude. On the contrary, the effect of perceived ease of use (b = 0.273, p < 0.001) on perceived usefulness was significant, thus validating H5.

Both the perceived usefulness and perceived ease of use were able to explain more than 26% of the variance of the attitude towards using the service, while the antecedents of the perceived usefulness were able to explain more than 45% of its variance with R2 at 0.454.

The positive effects of trust on perceived usefulness (b = 0.341, p < 0.001) and negatively on perceived risk (b = −0.334, p < 0.001) were significant, thus validating H9 and H10, respectively. The privacy concern of collection (b = −0.175, p < 0.05) had a significant negative impact on trust in the service, which supports H12a.

Hypotheses H6a, H6b, H6c, H7, H8, H11a, H11b, H12b, H13a and H13b were all not statistically supported and, therefore, should be rejected.

5.3. The research conceptual model “goodness-of-fit”

The “goodness-of-fit” measure provides a reasonable indication of how well the sampled data fits the conceptual model being proposed (Gefen et al., 2000). However, since there is no direct “goodness-of-fit” measure generated by the partial least squares method, the measure can be generally estimated based on the adequacy of three main indexes that include (i) construct reliability (internal consistency) being above 0.7 for all the constructs of the conceptual model, (ii) high acceptable R2, and (iii) significant path coefficients (t-statistics) between the constructs (Barclay et al., 1995; Gefen et al., 2000).

As illustrated in Table 1, all the reliability scores from two separate tests (i.e. composite reliability test and Cronbach’s alpha scores) exceeded the 0.7 threshold, indicating high internal consistency for all constructs in the research model. The R2’s of the attitude and intention constructs were above 25%, a highly acceptable prediction level in empirical research (Arlinghaus and Griffith, 1995; Gaur and Gaur, 2006). Although 10 out of the 17 path coefficients were insignificant, the path coefficients to the main predictors of social acceptance of location-based mobile phone emergency services (i.e. attitude and intention) evinced extremely high significance levels at p < 0.001, with all coefficients to be above the 0.2 threshold indicated by Chin (1998) as implying a very meaningful relationship. Accordingly, the goodness-of-fit for this research model is established since the analysis of the two components of the partial least squares model; the measurement model and the structural model, have shown good results in almost all of the statistical tests performed.

6. Discussion of the findings

6.1. Perceived usefulness

The perceived usefulness of LBS for emergency management was the key driver behind the individual positive attitude towards using the services and his or her behavioural intention towards using the services in the future. The services were perceived to be highly useful despite (i) the risks that are perceived to be associated with the utilisation of this kind of electronic services, (ii) the probability of the excessive collection of personal location information by governments utilising the services, and (iii) the probability of the unauthorised secondary use of the collected information. The findings about the usefulness of LBS completely support the few earlier studies of LBS acceptance, such as Chang et al. (2006) and Junglas and Spitzmuller (2006), in which the role of usefulness was identified as a key driver of individuals’ attitudes and intentions towards using the services despite concerns about the privacy of their locational information.

Reflecting on the arguments presented earlier, the antecedents of perceived usefulness of LBS for emergency management were: perceived quality features of the service, trust in the service and service providers, the social risks perceived in utilising the service, the privacy concerns perceived with the utilisation of the service, visibility of the service application, and perceived service ease of use. These antecedents were collectively successful in explaining more than 45% of the usefulness variance of the LBS for emergency management. This high level of explanation in the service usefulness variance, standing at 45.4%, provides reasonable indicators of the issues that can be brought into focus if there is ever a pressing need by governments to improve public perception of the usefulness of LBS for emergency management, thus positively enhancing the overall social acceptance of the services.

6.2. Perceived ease of use

The findings evince weak evidence for the existence of any direct effect of perceived ease of use of LBS on the individual’s attitude towards using the services. Therefore, it could be suggested that the public, in general, are willing to accept the utilisation of LBS for emergency management regardless of how easy or difficult they are to use. Nevertheless, the findings did verify the high impact of perceived ease of use of the services on the perceived usefulness of the services, which provides a strong indication that people would perceive the services to be more useful if they were easier to use. Accordingly, there is a reasonable ground to suggest that the perceived ease of use of the services has an indirect influence on an individual’s attitude towards using the services through the mediating role of the perceived usefulness of the services.

In general, these findings can inform the design of LBS solutions. Designers will need to contrive service offerings with easy-to-use design interfaces once the services are utilised for emergency management, making the services as intuitive as possible to use during emergency situations, and comprehensible to everyone, including the young, the elderly, and the non-technologically inclined.

6.3. Visibility

In general, visibility of LBS emergency management solutions can provide the opportunity for many people to observe and judge the application of the services in the usage context, providing an effective and direct means for the individual to evaluate the usefulness of the services (Karahanna et al., 1999). However, the findings show that visibility of LBS solutions is not statistically significant in determining the perceived usefulness of the services. One rational explanation for this result is that LBS are not yet widely utilised for emergency management and, therefore, the individual cannot easily observe the application of the services in the context of emergencies. However, a highly intuitive rationale is that the specific usage context (i.e. emergency management) eliminates the importance of observing the application of the LBS by the public for these services to be judged as useful, since any means, service, or technology that is used for emergencies is perceived, by the very nature of these situations, to be useful, regardless of how visible its application to the public.

6.4. Quality features

Investigating the quality features of LBS emanated from the need to understand the acceptable degree of service quality anticipated by the prospective user when the service is utilised for emergency management, given the fact that limited knowledge about the actual service quality dimensions of the service is currently available. However, the findings demonstrate the insignificant role of the perceived quality features of LBS in shaping the individual perception of the usefulness of the services for emergency management. One can then speculate that the findings reflect uncertainty about the performance impact of LBS in terms of accuracy, currency, and responsiveness on the usefulness of the services, which can only be grounded in the fact that the services have not yet been widely implemented for emergency management. Even with the insignificant impact, in statistical terms, of the perceived service quality features on the perceived usefulness of the services, service quality features did actually emerge in the answers to the open-ended question as one of the important issues pertaining to the possible nationwide utilisation of the services for emergency management in Australia.

6.5. Perceived social risks

The social risks perceived from using LBS had an extremely weak impact on the perceived usefulness of the services. One explanation for this insignificant impact is that the public may perceive location-based services to be a part of the well-established mobile telecommunications networks, thus being mature enough to permit the useful delivery of safety information or warning notifications during emergency situations without any potential high risks. Taking this into consideration, the risks associated with the use of LBS for emergency management are actually part of the risks impacting the entire cellular network infrastructure and not necessarily only impacting these particular services.

6.6. Privacy concerns

Perceived privacy concerns, including excessive collection of personal location information and the unauthorised secondary use of that information, were both posited to play determining roles in (i) diminishing individual trust in LBS, (ii) augmenting the risks perceived from using the services for emergency management, and (iii) negatively impacting the perceived usefulness of the services. However, the findings indicate that only the collection of personal location information, as a perceived privacy concern, had a significant negative impact on trust in the services while all other effects are statistically too insignificant to be reported.

It is of particular interest that unauthorised secondary use was without any effect on trust, unlike the collection of personal location information. One reason might stem from the very nature of the act of collection itself. Usually, when location data for a location-based service is collected, it would be done automatically and the individual is typically unaware of this collection process (Junglas et al., 2008). Nonetheless, the findings suggest that this automated process of collection, even in emergency management settings, whether the process is known to the individual or not, signifies a personal lack of control for the individual over his or her collected data. This contributed to a greater degree towards distrusting use of LBS for emergency management than any other privacy concern.

The findings also reveal that the two privacy concerns, collection of personal location information and unauthorised secondary use, did not have any significant influence in increasing perception of social risks from using LBS for emergency management. This indicates that there is some threshold level that must be reached in the privacy concerns hierarchy of effects before such risks are perceived (Drennan et al., 2006). Nonetheless, some did perceive the privacy concerns to be important even in emergency situations, reflected in the significant negative impact of the collection of personal location information on trust in the services. Still, it is argued that the negative impact of privacy concerns will not be enough to prevent the public from engaging in a risk taking relationship when they perceive the benefits of utilising LBS for emergency management as surpassing their perceived risks.

Although the impacts of the collection and unauthorised secondary use on service usefulness are insignificant in statistical terms, the unexpected positive effects of the two constructs on usefulness (as illustrated in Fig. 2) imply that people are inclined to concede a degree of privacy in return for potential benefits in extreme situations such as emergencies. One explanation for this might be that people may perceive the outcome of the extensive collection of their locational data and the secondary use of that data in an emergency situation to be always in their favour when these activities (i.e. collection and secondary use) are practised by the government. The findings could also suggest that the context of emergencies is quite sufficient to produce an adverse impact on some of the “traditionally negative” aspects of information privacy concerns.

6.7. Trust

The definition of trust in LBS encompasses individual trust in the government controlling and providing the services and trust in the technology and underlying infrastructure through which the services are provided (Carter and Bélanger, 2005). The findings show the highly significant role of trust as the most influential determinant of individual perception of the usefulness of the services, suggesting that reducing uncertainty is indeed a key component in social acceptance of the services that deserves on-going attention from the government.

The findings about the significant role that trust plays strongly corroborate several previous studies about the need to investigate trust in empirical research of location-based services (Kaasinen, 2005; Junglas and Spitzmuller, 2006; Rao and Troshani, 2007).

The findings of this study also demonstrate the pronounced role of trust in ameliorating the social risks perceived to arise from using the LBS for emergency management, thus breaking down these barriers to the usefulness of the services. These particular findings suggest that besides the significant direct influence of trust on perceived usefulness of the services, trust also indirectly influences usefulness of the services through perceived risks. This validates the earlier conceptualisation of the trust-risk relationship in the research model in this paper, in which the directionality of the relationship flows from trust to perceived risks.

Consequently, what is of a greater concern to the success of an emergency service offering is that people can willingly bestow their trust on the service, trust the message that is provided to them by the service in the case of an emergency, and, most importantly, trust the government as the provider and controller of these services.

6.8. Analysis of the open-ended question

Amongst the 304 surveys, 59 were returned with comments in the open-ended question. Twenty-three people discussed “quality” and others discussed “product reliability” features. The emphasis in the comments was that without quality and reliability LBS solutions for emergency management would be useless. For example, one respondent wrote: “I have some concerns about the accuracy. Sometimes it may not direct you to the right position in the shortest available path”. Another 17 people said that they look forward to seeing LBS utilised for emergency management in the near future, but at the same time they were worried that their personal information would be used illegally or for other purposes. Further, 11 people mentioned the regulations and laws. They thought that the government should pay more attention to formulating laws and regulations surrounding the utilisation of the services if the government wants to apply LBS for emergency management. The final eight answers can be viewed as general hopes for such technologies as LBS to be utilised as soon as possible for emergency management in Australia. From the open answers, we can see that people cared about the quality, privacy, laws, and regulations related to LBS. Consequently, it is highly recommended that governments should take such opinions into consideration before applying LBS within emergency management arrangements.

7. Implications

This study adds to the scholarly literature in a relatively new area and in which there has been little research investigating the public offerings of location-based services in the domain of emergency management. Although there have been several studies about the technical feasibility aspects for utilising LBS as advanced mobile government location-enabled applications for personal safety and public warning purposes there is however scant theoretical and empirical research concerning the investigation of different aspects in relation to the utilisation of the services in the domain of emergency management, such as the behavioural, social, technical, administrative, regulatory, and legal aspects. This is an evident gap in the current body of research and this paper makes a significant contribution to that body of research.

The findings of this paper also contribute to the current theories and models of acceptance by providing empirical evidence to support the retention of the attitude construct in the attitude-behaviour relationship of TAM. This is grounded upon the significant role of attitude in influencing behavioural intention towards using LBS for emergency management, thus enhancing the overall ability to predict social acceptance or rejection of these services. The findings completely validate, and are in line with, several social psychology studies in which the role of attitude as an important determinant of behavioural intention has been strongly emphasised (Ajzen, 2002; Dennis et al., 2004). The retention of attitude as one of the endogenous constructs within the nomological structure of TAM provides an additional momentum to arguments seeking to preserve the theoretical integrity of the Model and, consequently, the Model’s base theory of TRA. At the same time, this paper strongly signals the importance of examining individual attitude in acceptance research, especially when studying social acceptance of new government initiatives and services.

Although the research model was explicitly employed to predict social acceptance of location-based mobile government services for emergency management, the model can be easily viewed as a generic model that can credibly serve as a candidate model for future studies to predict acceptance of location-based services in other usage contexts, applications, scenarios, and/or settings. This is because all of the theorised constructs of the model are highly relevant to the intrinsic characteristics of LBS. Examples would include law enforcement applications of LBS, such as investigating their surveillance implications, capturing location-based evidence, and the social and ethical issues pertaining to the application of the services for counter-terrorism, arrest support, traffic violations, or riot control.

An issue that has been largely overlooked in the acceptance literature in respect to LBS is the quality features of these services, and the degree to which the perceptions of service quality actually impact on accepting the services. One of the main contributions of this study is the introduction of a highly justifiable theoretical foundation for investigating perceived quality features of LBS in the context of emergency management. Given the general lack of dedicated measurements for such quality features in the literature, it is argued that the service quality scales that were developed in this research, including accuracy, currency, and responsiveness, could be naturally adapted when researching acceptance of LBS, not only in the context of emergencies, but also in other usage contexts and settings.

Several opportunities for further empirical research have emerged from this study, but the most worthwhile is an examination of public opinion after national implementation and deployment of LBS for emergency management. Such a study could investigate, in the long term, how and why the determinants of acceptance change or reshape after the adoption and diffusion of the services, and whether or not the relationships between these determinants are consistent over time. This type of work reflects arguments by Karahanna et al. (1999) of the need to examine and, at the same time, differentiate between the beliefs of the individual in the pre-adoption phase (symbolic adoption), where one’s assessment leads into one’s decision to accept or reject the LBS for emergency management, and those beliefs in the post-adoption phase (actual adoption), which is marked by actual usage or take-up of the services.

Another interesting starting point for further research is the contradictions that were found between this study and most of the previous research about the influence of privacy concerns on an individual’s acceptance of LBS. Although it has been shown that the usage context of emergencies was quite sufficient to alleviate perceptions of privacy concerns, and despite the fact that it was not significant in statistical terms, a future cross-sectional comparative research taking into account several usage contexts is needed to further ascertain the role of the context of usage on the perceptions of location information privacy concerns.

8. Conclusions

Disasters and large scale emergencies that have the potential to disrupt the orderly manner of the civil society are considered national security challenges today. As Australians are becoming increasingly mobile in the way they acquire information about their whereabouts, the Australian government is contemplating the introduction of nationwide location-enabled mobile phone warning and alerting methods and techniques. Mobile government emergency applications, specifically location-based mobile phone emergency services are presented as a valuable addition within the envisaged emergency management apparatuses of the government for safeguarding people during emergencies anywhere and anytime. Indeed, governments have a responsibility to their citizens to inform and protect them against both conventional and unconventional threats, being natural or human-made.

Given the importance of this topic in the context of Australia and the fact that only very few studies tackled the utilisation of location-based mobile services in emergency management worldwide, this study aimed to investigate the social acceptance or rejection of location-based mobile government emergency services along with their determinants. The overall results of this study indicated that Australians are willing to accept such services in emergency situations. Indeed, our results indicated that behavioural intention is a function of both attitude and perceived usefulness. Perceived ease of use, according to results, has no influence on attitude. Further, the results confirmed that perceived usefulness is a strong direct predictor of attitude. Interestingly, the role of trust in determining individual perception of the usefulness of the services was found to be highly influential. Finally and from privacy concerns’ perspective, the results indicated that collection of personal location information is the only factor that has a significant negative impact on trust.

This study does not come without limitations and this can be addressed in future research. Although the response rate of the survey of this study was proven to be statistically adequate, a desirable goal was to obtain a higher response rate than the one acquired to have additional confidence in the generalizability of the findings. One possible solution for future research is to employ additional surveying techniques, such as the anonymous web-based surveying approach, along with the traditional mail survey approach to potentially increase the overall response rate. Further, as this study was designed and tested in the Australian context, future comparative cross-national studies between Australia and other countries would also be quite compelling. Such studies would shed light on the role of culture and government, such as the role and influence of government administration, in creating disparities in the factors determining the acceptance or rejection of location-based emergency services. Finally, due to time constraints, we could not afford conducting a longitudinal study although it may be useful here given that human behaviour is quite dynamic.

Appendix A. Measures and factor loadings of constructs∗

Appendix A. Measures and factor loadings of constructs∗ Partial table. See ScienceDirect>Elsevier for full table/appendix.

References

R. Agarwal, J. Prasad, Are individual differences germane to the acceptance of new information technologies? Decision Sciences, 30 (2) (1999), pp. 361-391

I. Ajzen, Residual effects of past on later behavior: habituation and reasoned action perspectives, Personality & Social Psychology Review (Lawrence Erlbaum Associates), 6 (2) (2002), pp. 107-122

I. Ajzen, M. Fishbein, Understanding Attitudes and Predicting Social Behavior, (first ed.), Prentice Hall, Englewood Cliffs, NJ (1980)

Aloudat, A., Michael, K., 2010. The application of location based services in national emergency warning systems: SMS, cell broadcast services and beyond. In: Proceedings of the National Security Science and Innovation, Australian Security Research Centre, Canberra, Australia, September 23, 2010, pp. 21–49 (September 23).

A. Aloudat, K. Michael, The socio-ethical considerations surrounding government mandated location-based services during emergencies: an Australian case study, M. Quigley (Ed.), ICT Ethics and Security in the 21st Century: New Developments and Applications (first ed.), IGI Global, Hershey, PA (2011), pp. 129-154

S.L. Arlinghaus, D.A. Griffith, Practical Handbook of Spatial Statistics, (first ed.), CRC Press, Boca Raton, FL (1995)

B. Bahli, Y. Benslimane, An exploration of wireless computing risks: development of a risk taxonomy, Information Management & Computer Security, 12 (3) (2004), pp. 245-254

D.W. Barclay, R. Thompson, C. Higgins, The partial least squares (PLS) approach to causal modeling: personal computer adoption and use as an illustration, Technology Studies: Special Issue on Research Methodology, 2 (2) (1995), pp. 285-309

Bensaou and Venkatraman, 1996, M. Bensaou, N. VenkatramanInter-organizational relationships and information technology: a conceptual synthesis and a research framework, European Journal of Information Systems, 5 (1996), pp. 84-91

C. Boshoff, A psychometric assessment of E–S–Qual: a scale to measure electronic service quality, Journal of Electronic Commerce Research, 8 (1) (2007), p. 101

S.A. Bridwell, The dimensions of locational privacy, H.J. Miller (Ed.), Societies and Cities in the Age of Instant Access (first ed.), Springer, Dordrecht, The Netherlands (2007), pp. 209-226

M.C. Campbell, R.C. Goodstein, The moderating effect of perceived risk on consumers’ evaluations of product incongruity: preference for the norm, Journal of Consumer Research, 28 (3) (2001), pp. 439-449

L. Carter, F. Bélanger, The utilization of e-government services: citizen trust, innovation and acceptance factors, Information Systems Journal, 15 (1) (2005), pp. 5-25

S. Chang, Y.-J. Hsieh, C.-W. Chen, C.-K. Liao, S.-T. WangLocation-based services for tourism industry: an empirical study, Ubiquitous Intelligence and Computing, Springer, Berlin, Heidelberg (2006), pp. 1144-1153

W.W. Chin, The partial least square approach to structural equation modeling, G.A. Marcoulides (Ed.), Modern Methods for Business Research (first ed.), Lawrence Erlbaum Associates, Inc., Mahwah, NJ (1998), pp. 295-336

G.A. Churchill, A paradigm for developing better measures of marketing constructs, Journal of Marketing Research, 16 (1) (1979), pp. 64-74

Davis, F.D., 1986. A technology acceptance model for empirically testing new end-user information systems: theory and results. Doctoral Dissertation, MIT Sloan School of Management, Massachusetts Institute of Technology, Cambridge, MA, viewed 4 September 2007.

F.D. Davis, Perceived usefulness, perceived ease of use, and user acceptance of information technology, MIS Quarterly, 13 (3) (1989), pp. 318-340

Dennis, A.R., Venkatesh, V., Ramesh, V., 2004. Adoption of Collaboration Technologies: Integrating Technology Acceptance and Collaboration Technology Research. Information Systems Department, Kelley School of Business, Indiana University, 17 November 2007. <http://sprouts.aisnet.org/174/1/tr142.pdf>.

S. Djamasbi, D. Strong, M. DishawAffect and acceptance: examining the effects of positive mood on the technology acceptance model, Decision Support Systems, 48 (2) (2010), pp. 383-394

J. Drennan, G.S. Mort, J. PrevitePrivacy, risk perception, and expert online behavior: an exploratory study of household end users, Journal of Organizational and End User Computing, 18 (1) (2006), pp. 1-22

M.S. Featherman, P.A. PavlouPredicting E-services adoption: a perceived risk facets perspective, International Journal of Human–Computer Studies, 59 (4) (2003), pp. 451-474

M. Fishbein, I. AjzenBelief, Attitude, Intention, and Behavior: An Introduction to Theory and Research, Addison-Wesley Publishing Co., Reading, Massachusetts (1975)

Frost and Sullivan Research Service, 2007. Asia Pacific Location-based Services (LBS) Markets, viewed 28 August 2007. <http://www.frost.com.ezproxy.uow.edu.au/prod/servlet/report-brochure.pag?id=P08D-01-00-00-00>.

A.S. Gaur, S.S. Gaur, Statistical Methods for Practice and Research: A Guide to Data Analysis using SPSS, (first ed.), Sage Publications, Thousand Oaks, CA (2006)

Gefen, D., Srinivasan Rao, V., Tractinsky, N., 2003. The conceptualization of trust, risk and their electronic commerce: the need for clarifications. In: Proceedings of the 36th Annual Hawaii International Conference on System Sciences. 6–9, January, 2009, viewed 6 January 2009, IEEEXplore Database.

D. Gefen, D.W. Straub, M. BoudreauStructural equation modeling and regression: guidelines for research practice, Communications of the Association for Information Systems, 4 (7) (2000), pp. 1-78

J.F. Hair, B. Black, B. Babin, R.E. Anderson, R.L. Tatham, Multivariate Data Analysis, (sixth ed.), Pearson Prentice Hall, New Jersey (2006)

Heijden, H.v.d., Ogertschnig, M., Gaast, L.v.d., 2005. Effects of context relevance and perceived risk on user acceptance of mobile information services. In: Proceedings of the 13th European Conference on Information Systems (ECIS 2005), Regensburg, Germany, May 26–28, 2005, viewed 15 September 2008, Google Scholar Database.

M. Horst, M. Kuttschreuter, J.M. Gutteling, Perceived usefulness, personal experiences, risk perception and trust as determinants of adoption of e-government services in The Netherlands, Computers in Human Behavior, 23 (4) (2007), pp. 1838-1852

I. Im, Y. Kim, H.-J. Han, The effects of perceived risk and technology type on users’ acceptance of technologies, Information & Management, 45 (1) (2008), pp. 1-9

Jacoby, J., Kaplan, L.B., 1972. The components of perceived risk. In: Proceedings of the Third Annual Conference of the Association for Consumer Research, Association for Consumer Research, Chicago, IL, November 1972, pp. 382–393.

Junglas, I., Spitzmuller, C., 2005. A research model for studying privacy concerns pertaining to location-based services. In: Proceedings of the 38th Annual Hawaii International Conference on System Sciences (HICSS’05), Hawaii, January 3–6, 2005, viewed 22 August 2007, IEEEXplore Database.

Junglas, I., Spitzmuller, C., 2006. Personality traits and privacy perceptions: an empirical study in the context of location-based services. In: Proceedings of the International Conference on Mobile Business, Copenhagen, Denmark, June 2006, viewed 14 August 2007, IEEEXplore Database, p. 11.

I.A. Junglas, N.A. Johnson, C. Spitzmüller, Personality traits and concern for privacy: an empirical study in the context of location-based services, European Journal of Information Systems, 17 (4) (2008), pp. 387-402

Kaasinen, E., 2005. User acceptance of mobile services – value, ease of use, trust and ease of adoption. Doctoral Dissertation. Tampere University of Technology, Tampere, Finland, viewed 27 July 2007.

E. Karahanna, D.W. Straub, N.L. Chervany, Information technology adoption across time: a cross-sectional comparison of pre-adoption and post-adoption beliefs, MIS Quarterly, 23 (2) (1999), pp. 183-213

S.A. Kaynama, C.I. Black, A proposal to assess the service quality of online travel agencies, Journal of Professional Services Marketing, 21 (1) (2000), pp. 63-68

Kim, D.J., Braynov, S.B., Rao, H.R., Song, Y.I., 2001. A B-to-C trust model for online exchange. In: Proceedings of the Seventh Americas Conference on Information Systems, Boston, MA, 2–5 August, viewed 03 September 2008, pp. 784–787.

Kini, A., Choobineh, J., 1998. Trust in electronic commerce: definition and theoretical considerations. In: Proceedings of the 31st Annual Hawaii International Conference on System Sciences, vol. 4, viewed 13 November 2008, IEEE Xplore Database, pp. 51–61.

M. Koller, Risk as a determinant of trust, Basic & Applied Social Psychology, 9 (4) (1988), pp. 265-276

Kurnia, S., Chien, A.-W.J., 2003. The acceptance of online grocery shopping, paper presented to the 16th Bled eCommerce Conference, Bled, Slovenia, 9–11 June.

Lee, J., Rao, H.R., 2005. Risk of Terrorism, Trust in Government, and e-Government Services: An Exploratory Study of Citizens’ Intention to use e-Government Services in a Turbulent Environment, York Centre for International and Security Studies (YCISS), 10 December 2008, <http://www.yorku.ca/yciss/whatsnew/documents/WP30-Lee_and_Rao.pdf>.

T. Lee, The impact of perceptions of interactivity on customer trust and transaction intentions in mobile commerce, Journal of Electronic Commerce Research, 6 (3) (2005), pp. 165-180

P.P. Li, Toward a geocentric framework of trust: an application to organizational trust, Management and Organization Review, 4 (3) (2008), pp. 413-439

V. Liljander, A.C.R. Van-Riel, M. Pura, Customer satisfaction with e-services: the case of an on-line recruitment portal, M. Bruhn, B. Stauss (Eds.), Jahrbuch Dienstleistungsmanagement 2002 – Electronic Services (first ed.), Gabler Verlag, Wiesbaden, Germany (2002), pp. 407-432

K. Mathieson, Predicting user intentions: comparing the technology acceptance model with the theory of planned behavior, Information Systems Research, 2 (3) (1991), pp. 173-191

R.C. Mayer, J.H. Davis, F.D. Schoorman, An integrative model of organizational trust, Academy of Management Review, 20 (3) (1995), pp. 709-734

D.H. McKnight, N.L. Chervany, What trust means in e-commerce customer relationships: an interdisciplinary conceptual typology, International Journal of Electronic Commerce, 6 (2) (2001), pp. 35-59

G.C. Moore, I. Benbasat, Development of an instrument to measure the perceptions of adopting an information technology innovation, Information Systems Research, 2 (3) (1991), pp. 192-222

S. Mouakket, M.A. Al-Hawari, Investigating the factors affecting university students’ e-loyalty intention towards the Blackboard system, International Journal of Business Information Systems, 9 (3) (2012), pp. 239-260

J.C. Nunnally, I.H. Bernstein, Psychometric Theory, (third ed.), McGraw-Hill, New York (1994)

K. O’Doherty, S. Rao, M.M. Mackay, Young Australians’ perceptions of mobile phone content and information services: an analysis of the motivations behind usage, Young Consumers: Insight and Ideas for Responsible Marketers, 8 (4) (2007), pp. 257-268

A. Parasuraman, L. Berry, V. Zeithaml, SERVQUAL: a multiple-item scale for measuring service quality, Journal of Retailing, 64 (1) (1988), pp. 12-40

P.A. Pavlou, Consumer acceptance of electronic commerce: integrating trust and risk with the technology acceptance model, International Journal of Electronic Commerce, 7 (3) (2003), pp. 101-134

P.A. Pavlou, D. Gefen, Building effective online marketplaces with institution-based trust, Information Systems Research, 15 (1) (2004), pp. 37-59

Perusco, L., Michael, K., Michael, M.G., 2006. Location-based services and the privacy-security dichotomy. In: Proceedings of the Third International Conference on Mobile Computing and Ubiquitous Networking, London, 11–13 October, viewed 02 June 2007, Researh Online: University of Wollongong Database, pp. 91–98.

S. Rao, I. Troshani, A conceptual framework and propositions for the acceptance of mobile services, Journal of Theoretical and Applied Electronic Commerce Research, 2 (2) (2007), pp. 61-73

Ringle, C.M., Wende, S., Will, A., 2005, SmartPLS 2.0 (M3) Beta.

E.M. Rogers, Diffusion of Innovations, (first ed.), Free Press of Glencoe, New York (1962)

J. Samsioe, A. Samsioe, Introduction to location based services: markets and technologies

R. Reichwald (Ed.), Mobile Kommunikation: Wertschöpfung, Technologien, neue Dienste, Gabler, Wiesbaden, Germany (2002), pp. 417-438

H.J. Smith, S.J. Milberg, S.J. Burke, Information privacy: measuring individuals’ concerns about organizational practices, MIS Quarterly, 20 (2) (1996), pp. 167-196

S. Spiekermann, General aspects of location-based services, J. Schiller, A. Voisard (Eds.), Location-Based Services (first ed.), Elsevier, San Francisco, CA (2004), pp. 9-26

D.W. Straub, Validating instruments in MIS research, MIS Quarterly, 13 (2) (1989), pp. 147-169

United Nations’ International Strategy for Disaster Reduction Platform, 2005, United Nations’ International Strategy for Disaster Reduction Platform for the Promotion of Early Warning 2005, ‘Early Warning and Disaster Reduction’, paper presented to the World Conference on Disaster Reduction, Kobe, Hyogo, Japan, 18–22 January.

Van der Heijden, H., Verhagen, T., Creemers, M., 2001. Predicting online purchase behavior: replications and tests of competing models’. In: Proceedings of the 34th Annual Hawaii International Conference on System Sciences, Maui, Hawaii, 3–6 January 2001, viewed 11 November 2007, IEEEXplore Database.

V. Venkatesh, Determinants of perceived ease of use: integrating control, intrinsic motivation, and emotion into the technology acceptance model, Information Systems Research, 11 (4) (2000), pp. 342-365

V. Venkatesh, F.D. Davis, A theoretical extension of the technology acceptance model: four longitudinal field studies, Management Science, 46 (2) (2000), pp. 186-204

Xu, H., Teo, H.-H., Tan, B.C.Y., 2005. Predicting the adoption of location-based services: the role of trust and perceived privacy risk. In: Proceedings of the 26th International Conference on Information Systems, Las Vegas, USA, 31 December, viewed 20 August 2007, GoogleScholar Database, pp. 11–14.

Z. Yang, R.T. Peterson, S. Cai, Services quality dimensions of Internet retailing: an exploratory analysis, Journal of Services Marketing, 17 (7) (2003), pp. 685-700

R.B. Zajonc, Attitudinal effects of mere exposure, Journal of Personality and Social Psychology, 9 (2) (1968), pp. 1-27

Zeithaml, V.A., Parasuraman, A., Malhotra, A., 2000. A Conceptual Framework for Understanding e-Service Quality: Implications for Future Research and Managerial Practice. MSI Working Paper Series, Working Paper 00-115, Marketing Science Institute, Cambridge, MA, viewed 09 November 2007.

V.A. Zeithaml, A. Parasuraman, A. Malhotra, Service quality delivery through web sites: a critical review of extant knowledge, Academy of Marketing Science, 30 (4) (2002), p. 362

X. Zhang, V.R. Prybutok, A consumer perspective of E-service quality, IEEE Transactions on Engineering Management, 52 (4) (2005), pp. 461-477

Keywords: Location-based service, Emergency management, Social acceptance, Mobile government, Government deployment

Citation: Anas Aloudat, Katina Michael, Xi Chen, Mutaz M.Al-Debei, "Social acceptance of location-based mobile government services for emergency management", Telematics and Informatics, Vol. 31, No. 1, February 2014, Pages 153-171. DOI: https://doi.org/10.1016/j.tele.2013.02.002

Location-based services (LBS) regulatory framework in Australia

Abstract

Location-based services (LBS) are defined as those applications that combine the location of a mobile device associated with a given entity (individual or object) together with contextual information to offer a value-added service. LBS solutions are being deployed globally, and in some markets like Australia, without appropriate regulatory provisions in place. Recent debates in Australia have addressed the need to bridge the gap between technological developments and legal/regulatory provisions. This requires an assessment of the regulatory environment within a given social context such as Australia. The core components of such an investigation include: (a) composing a conceptual framework for analysing regulation of technologies such as LBS, one that is sensitive to public policy themes and challenges, and (b) applying this conceptual framework to the Australian setting in order to sketch and define the components of the present framework, and identify areas for improvement through a process of validation. This paper addresses these aims, demonstrating how the current regulatory framework in Australia is bound by legislation with respect to privacy, telecommunications, surveillance, and national security (that is, anti-terrorism), in addition to a set of industry guidelines for location-service providers (LSPs). The existing Australian framework, however, is lacking in its coverage and treatment of LBS and location data, and does not adequately address the themes and challenges in the defined conceptual framework.

1. Introduction

Measuring the need for LBS regulation and engaging in related dialogue requires an informed understanding of regulation and public policy in general, and of existing LBS regulatory practices and frameworks. One approach is to consider regulation in the context of government and governance (Braithwaite et al., 2007, p. 3):

Governments and governance are about providing, distributing, and regulating. Regulation can be conceived as that large subset of governance that is about steering the flow of events and behaviour, as opposed to providing and distributing.

That is, regulation is concerned with “the effects of actions, not on the actions or the means of the actions themselves” (Koops, 2006, p. 6). Various theories and approaches to regulation exist. According to the Australian Law Reform Commission (ALRC), regulatory theory (in relation to information privacy) may include principles-based and compliance- or outcomes-oriented methods (ALRC, 2008, pp. 234–40).

Public policy, on the other hand, can take on various definitions and may involve ambiguity (Bridgman and Davis, 2004, p. 3). In simple terms, public policy is “about what governments do, why, and with what consequences” (Fenna, 1998, p. 3). However, there are a variety of interpretations of the term, as summarised by Maddison and Denniss (2009, pp. 3–4) based on the work of numerous authors in the public policy sphere. Importantly, the authors state that regardless of interpretation, public policy can be viewed in one of two ways: either as “the result of authoritative choice” in which government ministers play a dominant role in decision-making, or as “the result of structured interaction” involving cooperation between players and appreciation of conflicting interests (Maddison and Denniss, 2009, p. 4). That is, regulation is a set of rules designed to govern the operation and intervention of stakeholders. This operation is often in a market setting and thus lends itself to economic analysis (Stigler, 1971). Stigler's work recognised the strong interactions of the regulated with a regulator in the implementation of regulation and its enforcement. This paper similarly argues that regulation and public policy-making processes in the technology realm rely on a process of collaboration and consultation amongst industry stakeholders. With respect to regulatory choices regarding LBS, interaction between government and industry stakeholders is necessary given that the delivery of a given solution is reliant on the involvement of a range of stakeholders such as wireless network operators and handset vendors.

For the purpose of this paper, it should be noted that regulation and public policy-related processes are complex practices that vary from one context to the next and evolve as new debates emerge whereby existing processes and regulatory mechanisms must be reassessed. This interaction is made more complex in the Australian Federal environment where the constitution determines that some aspects of LBS are legislated at a national level and some at a state level. This necessitates an appraisal of current State and Federal legislation relevant to LBS in a manner that allows the regulatory framework and existing measures to be drawn, subsequently allowing the outcomes to be employed as the basis for future work. As such, this paper aims to develop a conceptual framework detailing how to examine LBS regulation, subsequently applying the framework to the Australian case. The outcome will be a sketch of the current LBS regulatory environment in Australia and the subsequent validation of the existing regime. An aspect of Australian law that assists this inquiry is the common approach taken by the States to their legislation. This common basis with a focus on Federal law means that this paper can provide a preliminary sketch of the existing national framework.

Current literature and studies relating to the LBS regulatory environment note that suitable regulatory frameworks are essential to industry development, from the perspective of safeguarding the interests of multiple stakeholders, notably, providers and users, in addition to government entities and society as a whole. Such frameworks should ideally address the ethical dilemmas and social implications of LBS, whilst also being sensitive to the regulatory and public policy challenges associated with emerging technologies in general. Furthermore, and in light of the divergent uses of LBS, Dobson and Fischer (2003, p. 51) call for protective mechanisms that enable the “legitimate uses”, while preventing undesirable exploitation. Similarly, Smith (2006, p. 725) acknowledges the potential benefits, whilst also suggesting further legislation to safeguard personal location information. The significance of adequate regulatory provisions is two-fold. First, regulation encourages fairness and consistent rules for providers. Second, regulation functions to safeguard individuals thereby increasing their support and trust in LBS (Cuijpers and Koops, 2008, p. 881; FIDIS, 2007, p. 10).

Regardless of the potential benefits of LBS, authors such as Clarke and Wigan (2011)indicate that LBS “have far outstripped both public awareness and legal and policy attention”, a situation they claim is exceedingly risky. The consequences of lack of regulation, specifically of tracking services and control over location histories by government, organisations and interested individuals, are great in terms of privacy in particular (Barreras and Mathur, 2007, p. 177). Cho (2005) claims that while concerned individuals are advocating regulation (p. 209) others are advancing the self-regulation movement (p. 253). Determining the most suitable response is indeed a challenge, one that requires the current regulatory environment and/or framework to be mapped out. However, it has been suggested that a single approach to regulation, such as legislation or self-regulation for instance, will fail to suffice. Xu et al. (2009, p. 163) agree that a single approach to regulating privacy in particular will not account for the interests of the diverse stakeholders comprising the LBS industry. Herbert (2006, p. 437), on the other hand, recommends an elementary reassessment of the manner in which emerging technologies, such as human tracking technologies, affect privacy as the basis for initiating a suitable legal response. In fact, the same sentiments apply for any regulatory issue associated with LBS. That is, a fundamental re-evaluation of the implications of LBS, in conjunction with an understanding of the regulatory and public policy challenges that apply, is indispensable.

The following section offers an overview of the significant themes and challenges pertaining to LBS regulation thereby providing a conceptual framework for examining LBS regulation; Section 3 introduces the Australian framework by applying the conceptual framework drawn from Section 2; Section 4 summarises and validates the main components in the Australian framework, noting areas for future research and Section 5provides the concluding remarks for this paper.

2. Conceptual framework for analysing LBS regulation

It is essential that a conceptual framework for LBS regulation be built on a preliminary understanding of the regulatory and public policy challenges associated with emerging technologies such as LBS. It has been noted that regulatory challenges in the LBS domain stem from the mounting gap between technology deployment and the employment of appropriate safeguards, legal or otherwise, to govern various aspects of LBS. For instance, in relation to modern surveillance technologies, Marx (1999, p. 63)observes the increasing gap between technological potential and present measures designed to offer protection. This gap has long been attributed to a lack of response in social and political spheres (Clarke, 2001, p. 13). Relevant scholarship is generally focussed on the inability for law to reflect technological change, a perspective that Moses (2011, p. 787) feels requires adjustment, given the mutually shaping characteristics of law and technology and the belief that “[t]he law should not race ahead by anticipating technological trajectories that may never come to pass. Rather, a useful goal should be to have mechanisms in place to ensure that law is designed around the socio-technical landscape of the present or, more realistically, the recent past.”

Aside from the interaction between technology and law, the study of regulation according to Svantesson (2011, pp. 243–245), often introduces researchers to a persistent set of themes which are centred on the claims that: (a) technological development will inevitably out-pace law-making processes, (b) legal professionals possess inadequate knowledge of technology, (c) globalisation and internationalisation necessitate consideration of multiple jurisdictions, and (d) the growth potential of technology has not been realised in domains such as e-commerce. While originally recommended for the internet regulation context, Svantesson's work is utilised as the basis for this framework in that it offers a clear summary of the themes relevant to all technological domains including LBS. Importantly, Svantesson's work posits that a successful regulatory framework must be sensitive to numerous challenges specific to the regulation of emerging technologies. However, that sensitivity does not mean that regulation has to be technologically determinative. A well-designed principles-based regulatory regime can address each of these four issues.

Fig. 1 provides a summary of these challenges, which have been derived from the secondary literature sources cited in this paper, in addition to a summary of Svantesson's primary themes which directly impact on the challenges. The distinct challenges are discussed below which when combined form a conceptual framework upon which the existing Australian framework and regimes in other contexts can be validated.

Fig. 1. Conceptual framework for examining LBS regulation and the associated regulatory themes impacting on the framework.

2.1. The Australian policy and regulatory context

Regulation refers to the set of rules which apply to a specific environment. These rules might be prescriptive and enforced rigidly, or they may be set by agreement between the entities being regulated. A regulatory environment can be likened to the rules for playing a game. In a regulated industry, there may be legislation, subordinate legislation made under specific laws (confusingly, often called regulations) and a set of conventions, adopted by stakeholders, which form part of the rules. In the Australian context, the rules can be changed by: changing the legislation; changing the subordinate legislation; by ministerial determination; by regulator action; or by stakeholders changing self-regulatory or co-regulatory codes.

Any changes are complicated by the Australian convention of amending legislation much more regularly than repealing and replacing it. By convention, amending legislation is named differently to the amended act. For legislation introduced since about 1990, the intention of legislation is set out in a section of the law entitled “Objects of the Act”. This section is intended to set out the principles behind the legislative framework. In the Australian context, these principles are generally designed to be general and not technology-specific. However, subordinate legislation may be technologically determinative, even if the primary legislation is not.

2.2. Technology-specific versus technology-neutral

A primary regulatory challenge exists in determining the suitability of technology-specific versus technology-neutral legislation. A popular belief in selected literature and in the government domain is the need for inclusive legislation that is broad enough to apply to present and future technologies, ensuring that laws remain up-to-date. This is the basic premise underlying the technology-neutral approach to legislation which “appears to have three main aims: future proofing, online and offline equivalence, and encouraging the development and uptake of the regulated technology” (Reed, 2007, p. 275). This approach is often incorrectly perceived in a positive sense, disregarding the fact that “technology-neutral language” does not necessarily account for the dynamic nature of technological change (Moses, 2007, p. 270). It has been argued by Koops (2006, pp. 5–6)that the phrase technology-neutral can imply different meanings and be examined from regulatory, technological and legislative perspectives (p. 26). For a comprehensive treatment of the concept and the varying interpretations and perspectives, refer to Koops (2006) and Reed (2007). According to Australia's Privacy Commissioner with reference to the Commonwealth Privacy Act 1988, technology-neutral legislation refers to the regulation of “information handling without referring to specific technologies”, granting flexibility and ensuring relevance as new technologies emerge (Pilgrim, 2010, p. 23).

It has been argued that parliaments “are using the spurring notion of ‘technology-neutral’ legislation as one excuse for inaction” (Clarke, 2003), resulting in a situation in which “[n]ew powers are granted through technological ambiguity rather than clear debate” (Escudero-Pascual and Hosein, 2004, p. 82). However, Pilgrim (2010, p. 24) contends that adopting this approach does not necessarily mean overlooking developments in technology. Other authors also insist that “legal regulation should define principles, functions and requirements, drawn from the experience (or anticipation) of using specific technologies, rather than provisions regulating the specific technologies themselves” (Székely et al., 2011, p. 183). Yet, Reed (2007, pp. 279–280) and Moses (2007, pp. 270–274) are sceptical of whether such legislation can be achieved in the drafting process as language that accounts for technology-neutrality is difficult to adequately reflect the nature of technological evolution. Even if accomplished, Hosein (2001, p. 29) claims that the approach is deceitful as it may disregard critical factors unique to certain technologies.

An alternative approach calls for technology-specific legislation, which is not without its drawbacks. Several researchers maintain that seeking technology-specificity will produce issues relating to the future applicability of legislation in that technological progress may render the law ineffectual and redundant (Koops, 2006, p. 27; Székely et al., 2011, pp. 182–183). Nonetheless, authors such as Ohm (2010) declare that there is a compelling case for technology-specific legislation. In an article titled The Argument against Technology-Neutral Surveillance Laws, Ohm explains that technology-neutral concepts are often emphatically embraced (p. 1685). This thereby prohibits the potential benefits of technology-specificity from being garnered, even though there are several flaws in technology-neutrality whereby the benefits of the approach can be offset by limitations specifically in relation to surveillance (p. 1686). However, Ohm claims that “longevity” is an advantage of technology-neutral legislation (p. 1702) but also suggests general principles that can be applied to technology-specific legislation that will address issues of redundancy and achieving a suitable degree of specificity (pp. 1702–1710). The selection of the technology-neutral versus technology-specific approach to legislation should be perceived as a choice, and technology-neutrality should not be presumed the most suitable means of regulating technology (Reed, 2007, p. 282–283; Ohm, 2010, p. 1686).

In the Australian context, the use of technology-neutral primary legislation and technologically determinative, and more frequently amended subordinate legislation, is intended to provide both options to create an optimal regulatory environment. However in the context of LBS, the optimisation function is complicated by the fact that there is no primary or subordinate legislation on LBS. As will be shown in this paper, LBS crosses a range of regulatory regimes, all of which are optimised for the principles set out in the primary legislation. As a result, the extent to which each approach applies to LBS has yet to be examined and cannot be so until the existing regulatory landscape has been defined and reviewed. LBS are positioned in a complex and multi-faceted regulatory environment with no single LBS regulatory framework.

2.3. Legislation versus self-regulation

An additional concern, particularly for industry, is exercising caution in the introduction of legal measures so as not to stifle development of particular technologies or industries. The Telecommunications Act 1997 (Cth) at Section 5 states that telecommunications should be regulated in a manner that promotes the greatest practicable use of industry self-regulation consistent with the objects of the Act. However, the Privacy Act 1988 (Cth)and the Telecommunications (Interception and Access) Act 1979 (Cth) have no such reference.

In the context of LBS, the telecommunications sector stakeholders would anticipate self-regulation as the core of the regulatory environment. On the other hand, a privacy advocate would expect a regulatory approach which is strictly rules based (legislation and subordinate legislation). This creates a potential struggle between the two forms of regulatory implementation. In the context of online privacy, Hirsch (2010, pp. 22–33)describes this struggle. Hirsch (2010, p. 3) also claims that the self-regulation has been dominant to date. Self-regulation is an ideal approach for advancing the growth of the information and communications technologies (ICT) sector (Koops, 2006, p. 9). An overview of industry self-regulation theory and literature is presented in Hemphill (2004, pp. 83–84). While self-regulation can assume many forms, Gunningham and Rees (1997, pp. 364–365) differentiate between the individual and group approaches. The first refers to autonomous regulation by an individual entity and the second to collective regulation, an example of which is industry self-regulation requiring cooperation amongst entities. According to the authors, other distinctions can also be made relative to economic versus social factors, in addition to the level of government involvement in the self-regulation process, including the degree to which self-regulation is mandated (p. 365). There is the belief that self-regulation complemented by some form of government involvement is of greater value than self-regulation alone (p. 366).

The self-regulation approach is typically favoured by industry due to its ability to facilitate and adapt to market and technological developments, and may accompany government regulation particularly in cases where gaps in the latter exist (Cleff, 2010, p. 162). The approach is frequently expressed as a fitting antidote to the limiting nature of legislative action. For example, O'Connor and Godar (2003, pp. 257–260) argue that industry self-regulation is preferable to legislation, eliminating the need for restrictive laws that hamper progress within the industry as was the case in the telemarketing arena. The researchers also state that self-regulatory measures should be developed with sensitivity to ethical concerns, otherwise they will be perceived unfavourably by consumers (O'Connor and Godar, 2003, p. 259). Only then can self-regulation demonstrate potential and be beneficial. Theoretical benefits include “speed, flexibility, sensitivity to market circumstances and lower costs”, but practically self-regulation generally falls short of these expectations (Gunningham and Rees, 1997, p. 366).

This is due to self-regulation being criticised as a means of avoiding State involvement and other forms of regulation (Gunningham and Rees, 1997, p. 370; Clarke, 2003), enabling industry to achieve its goals to the detriment of the public. Furthermore, the capacity for self-regulation to address societal concerns, such as consumer privacy, is questionable due largely to the lack of transparency, and as such the approach can merely serve as an adjunct to government regulation (Cleff, 2010, p. 162). Industry self-regulation should nonetheless be considered earnestly, although an understanding of its dimensions and known restrictions is indispensable (Gunningham and Rees, 1997, p. 405). Self-regulation and industry involvement in regulatory processes may be beneficial to consumers and other stakeholders. However, validating its value when compared with legislation requires an assessment of the level of independent oversight that exists, the manner in which self-regulation is implemented and the extent to which it complements present legislation and regulatory mechanisms.

2.4. Multiple and competing stakeholder interests

In considering the balance between rules-based regulation and self-regulation, a notable challenge emerges surrounding the importance of accounting for multiple and competing interests. That is, how the views of multiple stakeholders can be integrated without creating “regulatory capture” (see for example, Dal Bó, 2006) by the stakeholders with the greatest commercial or political power. This may theoretically be achieved by employing the co-regulatory approach to regulation. While the co-regulatory approach is an involved process that embodies countless complexities and facets (Hirsch, 2010, pp. 6–8, 41–46), and has been regarded a promising means of collaboratively managing multiple interests, it is also essential to recognise that such collaboration will involve reconciling rival perspectives. From the discussion above, it is apparent that certain entities will favour particular forms of and approaches to regulation. For example, there is often opposition from the technical and scientific communities in relation to legislation, which is typically perceived as a possible impediment to the technology development process (Székely et al. 2011, p. 183). Such communities are generally in favour of self-regulation and technology-based approaches in that they ensure industry progress is not hindered. However, these sentiments are not supported by all stakeholders. The LBS industry, with its varied value chain, consists of a wide range of stakeholders and its composition is dependent on a given LBS solution.

2.5. Flexible regulatory structures

In addition to being sensitive to varying stakeholder interests, a regulatory environment must be cognisant of the rapid and/or continual changes caused by technological innovations. This may require contemplation of flexible regulatory structures. However, it is likely that a regulatory framework would have no greater level of flexibility as a standards body dealing with the same innovations. For the purpose of this discussion, flexibility simply refers to the general need for the regulatory environment to deal with constant technological change. This is an important element as the pace of technological development and usage “raises the question whether law in general manages to keep up” (Cleff, 2010, p. 161). The level of flexibility does not require the law to “keep up”. Rather, it requires the regulatory environment to be able to flex. Nonetheless, the introduction of flexible regulatory structures capable of adapting to and incorporating developments in technology remains a challenge, one which technology-neutrality and self-regulation attempt to surmount. The introduction of adaptable structures demands a nuanced understanding of the nature of emerging technologies, and related legal and ethical challenges. Székely et al. (2011, p. 183) claim this to be an issue, given that a relatively limited number of legal experts possess such knowledge, a claim supported by Svantesson (2011, p. 244).

It is within this multi-faceted and intricate regulatory environment that the need for LBS regulation in Australia must be investigated, an environment that is characterised by diverse approaches to ICT regulation and privacy, that complicate regulatory debates associated with technologies such as LBS. The following section identifies the Australian regulatory framework for LBS, which is largely legislation-based but is supplemented by self-regulation. This is followed by the application of the conceptual framework drawn together in this section to the Australian case in order to validate the existing scheme. A sketch of the LBS regulatory framework in Australia has not yet been attempted, nor has the validity of such a framework been previously measured. This paper will consequently provide the foundations for further study into the need for LBS regulation in Australia.

3. LBS regulatory framework in Australia

Research into LBS regulation is very much context-dependent as each setting will inevitably embody a distinctive approach to regulation, based on numerous factors. This approach may involve a review of existing legal frameworks, for example, in addition to an assessment of the unique cultural, political, economic and other factors that define such regulatory frameworks. These differences demand an independent reflection of respective regulatory settings. Initially, context delineates the “structured social settings with characteristics that have evolved over time (sometimes long periods of time), and are subject to a host of causes and contingencies of purpose, place, culture, historical accident, and more” (Nissenbaum, 2010, pp. 129–130). With respect to regulation and the law, context produces challenges across jurisdictions, affecting both internationalisation of legal frameworks pertaining to LBS and interpretation of laws within specific settings. Such issues are evident in the implementation of the European legal framework for LBS, in which Member States have integrated applicable European Union Directives in alternative ways, resulting in varied coverage and distinct difficulties in the respective nations, as demonstrated in a report by the FIDIS Consortium (FIDIS, 2007).

The importance of context to regulatory and public policy discussions is not restricted to the jurisdictional issues but is also apparent in sub-contexts. For example, Marx (1999, p. 46) identifies “setting” as being of particular importance in terms of LBS usability contexts. That is, a location-monitoring solution that aids a skier in the event of an avalanche is perceived in a different light to the same device being covertly installed in an individual's vehicle. To form the foundations for a context-based investigation of LBS regulation in Australia, the Australian regulatory framework for LBS is presented in this section.

The present regime in Australia is comprised of and dominated by a collection or patch-work of federal and state-based laws that relate – albeit to varying degrees – to diverse aspects of LBS, in addition to numerous industry-based codes that seek to protect the interests of consumers and organisations. With respect to legislation, federal laws relating to privacy (Cho, 2005APF, 2007ALRC, 2008Rodrick, 2009), telecommunications(APF, 2007Nicholls and Rowland, 2007Nicholls and Rowland, 2008a,bRodrick, 2009), surveillance (APF, 2007ALRC, 2008Rodrick, 2009VLRC, 2009Attorney General's Department, 2011Michael and Clarke, 2012) and national security/anti-terrorism apply (Rix, 2007VLRC, 2009Attorney General's Department, 2011Michael and Clarke, 2013). With respect to self-regulatory schemes, industry-based guidelines such as those developed by Communications Alliance and the Australian Mobile Telecommunications Association (AMTA) are of significance. The respective approaches are now examined in greater detail.

Author of Geographic Information Systems and the Law: Mapping the Legal Frontiers(1998) and Geographic Information Science: Mastering the Legal Issues (2005) is GIS and legal scholar, George Cho. Both of Cho's works analyse the legal implications of geographic information and related technologies. In the first book, Cho (1998, pp. 27–28)explains that an elementary appreciation of the legal and policy challenges associated with GIS requires disaggregation of the terms geographic, information, and systems to define issues within individual themes. The author claims that information (and data) are central to these challenges (p. 28) given their ability to “be beneficial or detrimental to individuals, groups and ultimately to society at large” (p. 31) and to symbolise various power relations (p. 130). The “double-edged” nature of GIS simultaneously grants access while also enabling abuse and invasion of privacy (p. 131), thus requiring a policy response that may be enacted through “education of the public, facilitation, regulation and the provision of incentives” (p. 166). In sketching the LBS regulatory framework throughout this paper and considering the available regulatory choices, it is crucial to be mindful of this “double-edged” nature of LBS, specifically that LBS applications and devices can enable constructive uses on the one hand and simultaneously facilitate less desirable uses on the other.

In Cho's second book (2005, pp. 17–18) he advances the discussion by outlining the intricacies characterising GIS-related policy development given the multitude of actors, the abundance of applications and the rise in m-commerce and geo- or g-commerce services. Providing introductory material relating to policy, law and the relationship between the latter and GIS, Cho maintains that policy challenges are of equivalent value to technical considerations associated with geographic information access, implementation and usage (p. 27). With respect to GPS, and tracking more specifically, the author asserts that policy debates are generally concerned with privacy and human rights violations (p. 44). The privacy threat is largely the effect of “the new inferences that may be obtained by correlating geographic information with personal information” (p. 211). In Australia, the privacy threat and its varying implications fall within the scope of a regulatory framework that has been described as “ad-hoc”, entailing approaches such as legislation and self-regulation that aim to safeguard personal and information privacy (p. 217). The framework is based on existing legal safeguards that aim to protect public and private sector handling of information in accordance with a collection of privacy principles (p. 257), notably, the Privacy Act 1988 (Cth) (see also, Privacy Amendment (Private Sector) Act 2000 (Cth); Morris, 2010). For a comprehensive listing of privacy-related legislation, including state-based laws omitted from this paper, see Clarke (2010) and APF (2007).

3.1. Privacy legislation

The Privacy Act 1988 was amended in November 2012 to introduce the Australian Privacy Principles (APP). These principles come into effect in March 2014. The APPs are a single set of principles that apply to both agencies and organisations, which are together defined as APP entities. While the APPs apply to all APP entities, in some cases, they impose specific obligations that apply only to organisations or only to agencies. The APP concerning anonymity or pseudonymity (APP 2) and cross-border disclosure (APP 8) will have an impact on LBS providers. The APPs extend the existing obligations on data collection to rebalance the rights of collectors of personal information and an individual's right to privacy. There are also stricter controls on the collection and use of sensitive information.

The Office of the Australian Information Commission (OAIC) offers further information about the APPs which cover sensitive personal information handling (OAIC, n.d.). The Privacy Act 1988 defines ‘sensitive information’ as: “information or an opinion about an individual's: (i) racial or ethnic origin; or (ii) political opinions; or (iii) membership of a political association; (iv) religious beliefs or affiliations; or (v) philosophical beliefs; or (vi) membership of a professional or trade association; or (vii) membership of a trade union; or (viii) sexual preferences or practices; or (ix) criminal record; that is also personal information” (Part II, Section 6). Sensitive information can also encompass health and genetic information. In the context of the Privacy Act 1988, personal information refers to “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion” (Part II, Section 6).

It has been argued that the major dilemma in relation to LBS, location privacy and existing legislation is that the location of an individual may not necessarily be regarded as sensitive personal information. However, the obligations under the Privacy Act 1988 in respect to personal information under the APP are relatively onerous. It has been argued that processed LBS data presents sizeable privacy implications (Cho, 2005, p. 258).

The 2012 amendments to the Privacy Act 1988 were guided by The Australian Law Review Commission's (ALRC, 2008) report entitled For Your Information: Australian Privacy Law and Practice. This took into account submissions such as the policy statement by the Australian Privacy Foundation (APF) on “the use of positional data relating to mobile devices as a means of locating and tracking the individuals carrying them” (APF, 2011). That is, current government policy is that the privacy legislation in Australia deals with LBS-related privacy concerns at the federal level. One state, Victoria, has attempted to address these issues through human rights legislation (Michael and Clarke, 2012, pp. 4–5).

3.2. Telecommunications legislation

Location data is not, however, only subject to privacy legislation but also falls within the scope of the Telecommunications Act 1997 (Cth) and the Telecommunications (Interception and Access) Act 1979 (Cth). These laws collectively deal with telecommunications content and data interception, disclosure and use. The Telecommunications Act 1997 prohibits the disclosure and use of telecommunications metadata and telecommunications content. This prohibition is clarified in section 275A to include location information and a limited exemption to this prohibition for the purpose of providing “location dependent carriage services” is given in section 291A. However, there is no immunity provided for LBS which do not have a carriage component.

Relevant to this discussion, the ALRC's report outlines the interaction between the Privacy Act 1988 and the Telecommunications Act 1997 noting that both laws aim to regulate privacy and various forms of information (ALRC, 2008). The Privacy Act relates to safeguarding personal information, while Part 13 of the Telecommunications Act “regulates the use or disclosure of information or a document” (ALRC, 2008, p. 2381). The review, questions whether both privacy regimes are required, outlining a number of differing stakeholder opinions (ALRC, 2008, pp. 2385–8). Furthermore, it concludes with the opinion that while there is observable “merit in the promulgation of telecommunications privacy regulations under the Privacy Act to regulate the handling of personal information” (ALRC, 2008, p. 2388), “both the Telecommunications Act and the Privacy Act should continue to regulate privacy in the telecommunications industry” (p. 2389), however, the exchange between the two laws requires clarification (p. 2391). It would have been feasible, if it were government policy, for the amendments to the Privacy Act that were made in 2012 to have a set of consequential amendments to other legislation such as the Telecommunications Act 1997. The absence of such an amendment implies that there is no policy imperative requiring such a change.

The Telecommunications (Interception and Access) Act 1979, on the other hand, is intended “to protect the privacy of personal communications by generally prohibiting interception of those communications, subject to limited exceptions in which privacy is outweighed by other considerations”, and functions alongside Part 13 of the Telecommunications Act 1997 (Nicholls and Rowland, 2007, pp. 86–87). However, the Telecommunications (Interception and Access) Act 1979 does not have the objects of the Telecommunications Act (Nicholls and Rowland, 2008a, p. 349). Significantly, the Telecommunication (Interception and Access) Act 1979 generates three regimes for intercepting telecommunications content and data. The first deals with communications metadata (including in real time), the second with stored communications, and the third is concerned with the content of communications itself (Rodrick, 2009, pp. 376–378). The regulatory framework for this legislation can be analysed by using the European Telecommunications Standards Institute (ETSI) approach set out in TS 101 671. This sets out three handover interfaces that relate to (in ascending order): the relationship between the communications operator and the law enforcement agency; the request for and delivery of communications metadata; and the request for and delivery of communications content. This is depicted in Fig. 2.

Fig. 2. Interaction between communications operators and law enforcement agencies.

In Australia, there is an obligation on all communications providers (carriers and carriage service providers) to provide assistance to law enforcement agencies. Handover Interface 1 does this by legislation and by contract with law enforcement agencies in the case of the largest carriers. Handover Interface 2 is used for the delivery of communications metadata and this does not require a warrant (Rodrick, 2009, p. 384). The absence of a requirement for a warrant in Australia and merely consideration of the target's privacy expectations in the case of real-time metadata is unusual (Nicholls, 2012, p. 49). Communications content, either stored or being carried across a network is delivered over Handover Interface 3 in response to a warrant.

Relevant to LBS and this paper, it is crucial to determine the extent to which location information falls within the scope of federal telecommunications legislation, specifically the Telecommunications (Interception and Access) Act 1979. Of particular value is ascertaining whether location information signifies telecommunications data, in which case the implications for disclosure to and access by specific agencies is great given that such data may then be lawfully “disclosed to ASIO and law enforcement agencies without a warrant and without any independent oversight” (Rodrick, 2009, p. 391). In an article titled Regulating the Use of Telecommunications Location Data by Australian Law Enforcement AgenciesNicholls and Rowland (2008b, p. 174) argue that telecommunications data, or the metadata relevant to communications including location details, are increasingly being provided to law enforcement agencies in the absence of a warrant. The authors also note that an oversight process is lacking, a situation that is inconsistent with European and US models (Nicholls and Rowland, 2008b, p. 181).

That is, Australia “appears to be isolated in its approach of placing the power to have location metadata supplied on a prospective basis to law enforcement agencies” (Nicholls and Rowland, 2008b, p. 181). This is exceedingly problematic given that a definition of telecommunications data is non-existent in the legislation (Nicholls and Rowland, 2008b, p. 174) and that a certain degree of ambiguity is required in incorporating future technologies (p. 179). However, this is likely to result in issues whereby the agencies seeking location data are able to independently control the definition or the type of metadata requested (Nicholls and Rowland, 2008b, p. 180). Thus, agencies are lawfully able to access location data on a prospective basis. This ability for close to real-time access of location data will facilitate “live tracking” (Nicholls and Rowland, 2008b, p. 176).

As examined earlier in reference to federal privacy legislation, the (privacy) risks are intensified with increases in accuracy and greater use of mobile devices for tracking purposes, further questioning the suitability of present telecommunications legislation in Australia, especially given the capability for telecommunications data to be accessed without a warrant and devoid of an “independent oversight” process (Rodrick, 2009, p. 404). There has been a push for more rigorous safeguards, summarised succinctly by Rodrick (2009, p. 407): “In light of the fact that prospective location information is tantamount to surveillance, access to it should be procured only via a warrant, and, as is the case with the interception and stored communications regimes, in deciding whether to issue a warrant, the issuing authority should be required to have regard to the degree to which the privacy of a person would be interfered with”.

3.3. Surveillance legislation

The use of surveillance devices is generally prohibited under the laws of the states and territories in Australia. Each state and territory prohibits the use of tracking devices and then provides an exception to the prohibition for law enforcement agencies. A tracking device is usually defined to mean “any electronic device capable of determining or monitoring the location of a person or an object or the status of an object”. That is, an LBS device would generally be prohibited under state law if it was used for surveillance. However, if the person being tracked by the device was aware of the tracking then the use of the device would not be prohibited. Example LBS tracking devices could include smart phone-based location-monitoring solutions and dedicated data logging devices that may be mounted to a particular surface or wired into a vehicle.

The state-based exceptions refer to the law enforcement agencies of that state. As a result, the Surveillance Devices Act 2004(Cth) was introduced to provide a regime that permitted the use of surveillance devices (including tracking devices) across state and territory boundaries. The Surveillance Devices Act 2004 sets out the process through which warrants, emergency and tracking device authorisations can be obtained in relation to surveillance devices for law enforcement and other purposes (Attorney General's Department, 2011). Part 1, Section 6 of the act presents a number of definitions important for this article: “data surveillance device means any device or program capable of being used to record or monitor the input of information into, or the output of information from, a computer, but does not include an optical surveillance device…device includes instrument, apparatus and equipment… surveillance device means: (a) a data surveillance device, a listening device, an optical surveillance device or a tracking device; or (b) a device that is a combination of any 2 or more of the devices referred to in paragraph (a); or (c) a device of a kind prescribed by the regulations… tracking device means any electronic device capable of being used to determine or monitor the location of a person or an object or the status of an object.”

Michael and Clarke (2013) note that law enforcement agencies, in particular, may utilise LBS for personal and mass surveillance, which are often justified as means of maintaining security, despite the lack of an adequate judicial process in some cases.

The Victorian Law Reform Commission (VLRC) published a consultation-based report on the subject of Surveillance in Public Places (VLRC, 2010). While the report is largely state-focused, it covers many aspects relevant to this investigation and discusses limitations in current surveillance laws and the need for “modernising” existing state-based legislation (refer to Chapter 6 of the report). With specific reference to the Surveillance Devices Act 2004, the VLRC's accompanying consultation paper specifies its applicability to national security and surveillance efforts, explaining that the federal law does not seek to overrule state-based legislation (VLRC, 2009). In combination with the Telecommunications (Interception and Access) Act 1979, the Surveillance Devices Act 2004 does, nevertheless, intend to “provide enforcement and national security agencies with significant investigative tools, including the ability to obtain warrants to intercept communications, obtain access to stored communications, install and use surveillance devices, and to obtain access to telecommunications data while still protecting the privacy of individuals” (Attorney General's Department, n.d.).

While the federal Surveillance Devices Act 2004 generally requires a warrant for surveillance, Sections 37–39 of the legislation indicate the conditions or circumstances under which a warrant is not required. Explicitly section 39 outlines the provisions in relation to tracking devices; that is: “(1) A law enforcement officer may, with the written permission of an appropriate authorising officer, use a tracking device without a warrant in the investigation of a relevant offence” and “(3) A law enforcement officer may, with the written permission of an appropriate authorising officer, use a tracking device without a warrant in the location and safe recovery of a child to whom a recovery order relates”. A tracking device can also be used by a law enforcement agency without a warrant if there is now requirement to enter premises or a vehicle (for example, by installing a magnetically mounted GPS device).

Additional rules relating to the authorisation also apply. For example, the authorisation must specify the period of validity, which should not exceed 90 days (section 39 (7)). It is clear that there are situations in which a location-enabled tracking device may be lawfully deployed, utilised and retrieved by certain law enforcement agencies. In cases where personal information has been collected using such surveillance devices, the Privacy Act 1988 will then apply.

3.4. National security and anti-terrorism legislation

Federal anti-terrorism laws also grant organisations, notably ASIO and the Australian Federal Police (AFP), the facility to conduct surveillance activities and gather information believed to be in the interest of national security. For example, The Australian Security Intelligence Organisation Act 1979 (Cth) enables ASIO to gather information considered to be of value in the deterrence of an act of terrorism (Attorney General's Department, 2011). ASIO is specifically granted the ability “to obtain a warrant to detain and question persons (who do not themselves have to be suspected of terrorism offences) in order to gather intelligence related to terrorist activity” as a form of preventative measure (Rix, 2007, p. 104). The Criminal Code Act 1995 (Cth), grants the AFP powers relating to questioning and surveillance (VLRC, 2010, p. 21). It also covers procedures relating to court orders, detention, questioning and search, and the collection of information and documents (Rix, 2007, p. 106). The implications of these pieces of legislation in particular, and the extent to which they apply to LBS, surveillance, tracking and location information have not been sufficiently examined and remain unclear. It has previously been suggested that these laws fail to protect human rights (Rix, 2007, p. 107), and with respect to the ASIO Act, the government has “unquestioningly granted powers to national security agencies to use location technology to track citizens”, justifying surveillance as a necessary means of ensuring Australians are protected from terrorist threats (Michael and Clarke, 2012, p. 2).

3.5. Industry guidelines for location-service providers

The LBS regulatory framework in Australia is not limited to legislation, but also includes self-regulation in the form of industry guidelines. The main industry body for all telecommunications operators in Australia is Communications Alliance. Its Guideline G557:2009 Standardised Mobile Service Area and Location Indicator Register, uses a coarse LBS to identify the geographic location of calls from mobile and nomadic devices to the emergency services.

Guidelines have also been released by the Australian Mobile Telecommunications Association (AMTA). AMTA is “the peak industry body representing Australia's mobile telecommunications industry” (AMTA, n.d.). In 2010, AMTA released guidelines intended for location-service providers (LSP) to mitigate the threats associated with misuse of passive LBS (AMTA, 2010, p. 4), which are services that do not rely on active participation by the user once initial consent has been granted (p. 5). The guidelines were developed by AMTA's working party that comprised major stakeholders in Australia, including Nokia, Optus, Telstra and Vodafone Hutchison Australia (AMTA, 2010, p. 26), providing an example of the self-regulation approach in practice. Although AMTA's guidelines were built on the NPPs and other relevant legislation (AMTA, 2010, p. 5), by April 2013 they had not been updated to reflect the amendments to the Privacy Act. The guidelines document also encourages compliance with relevant Australian laws (AMTA, 2010, p. 17) including a selection of those identified throughout this paper.

In theory, industry guidelines are significant in that they are a form of self-regulation aimed at addressing regulatory concerns, such as the risks associated with LBS usage, without the need for legislative action. As such, they form a crucial component of the LBS regulatory framework. AMTA's guidelines represent the industry's effort to ensure consumer privacy protection and safety when utilising available LBS applications – yet they have not been amended to reflect legislative change in the privacy arena. It is noteworthy that the industry-based self-regulation approach has its critics. For instance, Cho (2005, p. 236) himself claims that while self-regulation affords flexibility to industry stakeholders and symbolises a proactive approach to privacy concerns, it may by the same token be perceived an inadequate safeguard. In the context of AMTA's guidelines, Michael and Clarke (2012, p. 5) are similarly critical of the efficacy of self-regulation, claiming that industry guidelines and codes are typically “a political tool to avoid regulation.”

4. Discussion: validating the Australian framework

4.1. Summarising and sketching the LBS regulatory framework in Australia

This paper serves to sketch the current LBS regulatory framework in Australia, identifying the components comprising the overall framework, as summarised in Fig. 3. Section 3demonstrated that the LBS regulatory framework in Australia is largely dominated by legal and industry-based regulatory approaches, in particular, commonwealth-based (federal) legislation and self-regulatory mechanisms applying across Australia. The extent to which each regulatory tool applies to LBS and location data was also covered.

Fig. 3. Components of the current LBS regulatory framework in Australia.

A number of issues inevitably emerge upon closer examination of the current LBS regulatory framework in Australia. With regards to privacy legislation, it was noted that (location) information derived from LBS solutions might or might not be personal information and is unlikely to be sensitive personal information. The Privacy Act may not cover the data. Regarding Australian telecommunications legislation, location data may not specifically be classed ‘telecommunications data’ in all circumstances. The location dependent carriage service introduces ambiguity regarding definitions. The state-based prohibition on the use of tracking devices means that the provision of LBS will require explicit permission of the users of an LBS device. This is similarly the case with respect to surveillance legislation, in which tracking devices can be deployed for surveillance purposes, and without a warrant, in specific situations as outlined in the federal legislation. The implications of this lawful but covert deployment of tracking devices are yet to be fully explored. Correspondingly, national security legislation grants increasing powers to various agencies to monitor individuals under the guise of maintaining national security and protecting the interests of Australian citizens. The legal mechanisms that apply to LBS require further review, as they fail to adequately cover various aspects relevant to LBS and location data and the laws are not necessarily consistent or matching. However, opportunities for policy implementing such a review have not been seized in recent legislative change.

Similarly, industry-based guidelines are lacking in their coverage of LBS. For example, AMTA's guidelines merely cover passive LBS or those that do not require user input once initial consent is given. This is not surprising as industry bodies self-regulate a narrow group. Self-regulation is poor at involving users and other industry representatives. Supplementary to these individual issues, it is essential at this point to validate the Australian regulatory scheme in view of the conceptual framework defined earlier in this paper, in order to identify the broad challenges that surface in examining the existing framework, summarised in Table 1.

Table 1. Validation of the LBS regulatory framework in Australia.

Challenges/considerations | Validation | Areas for improvement

Technology-specific versus technology-neutral

Australian framework is largely technology-neutral (with exception of industry guidelines) and is not LBS specific.

- Subordinate legislation and regulation could be extended to cover specifics of LBS and location data.

- This may necessitate continual review of regulatory settings as LBS solutions and underlying technologies evolve.

Legislation versus self-regulation

Existing framework draws on combined legal and industry-based approach to regulation, which allows for both government and industry involvement. However, self-regulation is a characteristic of telecommunications and not privacy legislation.

- Self-regulation is created by narrow industry groups and is lacking in its involvement of users.

- There could be closer collaboration between industry and government.

- Drawbacks of current regulation and industry-based tools identified in this paper should be addressed

Multiple and competing stakeholder interests

Government and industry have largely established the current Australian framework for LBS. However, it lacks a stronger level of collaboration and user involvement.

- Collaboration and consultation are crucial in the regulatory process to ensure stakeholder representation.

- Users, in particular, must be encouraged to participate.

- Individual stakeholders in government, industry and user segments should be identified and approached.

Flexible regulatory structures

Legislation in the present framework is not particularly flexible and does not easily cater for LBS solutions in the marketplace or any future developments. Subordinate legislation is more flexible.

- Technology-specificity is required to incorporate LBS and location data into subordinate legislation.

- Industry-based tools should be continually developed and should be adaptable to technological developments.

4.2. Validation: extent to which the existing framework is specific to LBS

When considering the technology-specific versus technology-neutral debate in light of the LBS regulatory framework in Australia, it is evident that the current framework entails largely technology-neutral elements. This suggests that the framework fails to account for the specifics of LBS in that it does not adequately account for location data. This generates a risk that concerns, unique to LBS, will be overlooked in the Australian context. Technology-neutrality creates ambiguity in definitions, as can be seen in the case of the Australian privacy and telecommunications legislation in particular. However, as Australian government policy has consistently adopted technology-neutral legislation, the focus of change needs to be on subordinate legislation and self-regulatory mechanisms. The absence of an appropriate regulatory environment for LBS is undesirable from the perspective of all stakeholders, particularly individuals. The existing framework requires further provisions for LBS and location data, and it is therefore expected that legal and industry-based regulatory mechanisms will require continual review in the present technological landscape that is dominated by constant developments in both underlying technologies and emerging (and novel) usability contexts.

4.3. Validation: value of existing legislative and self-regulatory mechanisms

The Australian regulatory framework for LBS demonstrates a combined approach to regulation, in which legal and industry-based mechanisms are concurrently implemented. It is often believed that the combined approach allows for the specifics of a given technology to be better incorporated, especially at the industry level and via self-regulatory mechanisms. The Australian initiative led by AMTA can be perceived as a move towards increased industry involvement and representation, and an attempt to avoid unnecessarily stifling the LBS industry. The concern, however, lies in the limitations of self-regulation and the consequence that the guidelines are narrow in their scope and their coverage of a wide range of LBS solutions. In terms of legislation, the specific drawbacks of existing laws have been identified, requiring a review of federal legislation to ensure their applicability to LBS and that the laws are consistent and corresponding. Furthermore, closer collaboration between government, industry and users would improve the legal and industry-based mechanisms in the current framework. That is, government and other stakeholders need to be involved in industry-based processes. This type of co-regulation reduces the negative impacts of self-regulation allowing industry to impart feedback, which informs legislative processes. Importantly, consumers have an opportunity to express ‘real-world’ concerns that would directly support both legislative and co-regulatory processes.

4.4. Validation: degree to which stakeholder interests are accounted for

While government and industry perspectives have somewhat been represented in the existing framework, further collaboration is required to account for the views of users. Furthermore, individual stakeholder types must be identified within the government, industry and user segments and collaboration of individual stakeholders must be encouraged to ensure that all interests are represented in the regulatory process. In the Australian context, collaboration and consultation with a wide range of LBS value chain stakeholders in lacking, but is essential in order to incorporate multiple and competing stakeholder interests.

4.5. Validation: level of flexibility

The Australian legislative framework does not provide a flexible regulatory structure. That is, the legislation is out-dated with respect to LBS and existing provisions do not naturally enable the absorption of new LBS solutions and features. It is suggested that a higher degree of technology-specificity is required in subordinate legislation, given the unique characteristics of LBS and location data which do not always fall within the scope of current definitions. However, this approach must be carefully constructed to ensure that the chosen regulatory mechanisms are adaptable as the technology evolves. In combination with considered co-regulatory tools and guidelines that have been developed in an objective manner, this should ensure a degree of flexibility, given that regulatory systems can adapt more quickly than legislative systems.

4.6. Future research and extending the Australian framework

This paper has set the groundwork for understanding the nature and extent of the LBS regulatory framework in Australia by sketching the components of the existing scheme and defining the extent to which the respective elements apply at the federal level. It has additionally set out the regulatory and public policy context within which the framework exists and the challenges that demand a certain degree of sensitivity by presenting a conceptual framework for analysing LBS regulation. It is recommended that future studies: (a) utilise the conceptual framework as a means of measuring the validity of a given regulatory framework in a specific setting, and (b) employ the defined Australian framework as the basis for examining the need for LBS regulation in Australia and understanding the manner in which LBS regulation should be implemented.

The Australian framework presented in this paper can be further extended as part of future work. Explicit areas for prospective research include: (a) broadening the scope of the framework to account for state-based legislation and additional industry-based mechanisms, (b) encouraging a greater focus on cross-cultural comparisons by comparing the Australian case with other, more mature examples such as the European data protection regime for LBS, (c) consulting with relevant stakeholders regarding the applicability and adequacy of the Australian framework and existing regulatory measures and contrasting the results with the outcomes of the validation process presented in this paper, and (d) improving the framework based on the suggested areas for improvement.

5. Conclusion

The focus of this paper was on developing a conceptual framework for analysing LBS regulation, presenting the components of the existing Australian framework and subsequently engaging in a process of validation. The validation process indicated that the LBS regulatory framework in Australia should: (i) account more specifically for LBS and location data, (ii) better incorporate legislative, self-regulatory and co-regulatory mechanisms, (iii) encourage a higher degree of collaboration with stakeholders in the LBS value chain, and (iv) encompass a higher degree of flexibility to ensure technological developments are integrated. The benefits to be garnered from this exercise include an accurate and detailed understanding of the current framework in Australia which has allowed areas for improvement to be identified. The ensuing outcomes can be used as the basis for future research in the LBS regulation field and provide a useful starting point for determining the need for LBS regulation in Australia.

Acknowledgements

The authors wish to acknowledge the funding support of the Australian Research Council (ARC) – Discovery Grant DP0881191 titled “Toward the Regulation of the Location-Based Services Industry: Influencing Australian Government Telecommunications Policy.” The views expressed herein are those of the authors and are not necessarily those of the ARC.

References

ALRC, For your information: Australian privacy law and practice, (2008), (ALRC report 108). 12 January 2012, http://www.alrc.gov.au.ezproxy.uow.edu.au/publications/report-108

AMTA, AMTA guidelines, 24 April 2012, www.amta.org.au/files/Location.Based.Services.Guidelines.pdf (2010)

About AMTA; n.d. 21 February 2012. http://www.amta.org.au/pages/About.AMTA.

APF, Privacy laws – Commonwealth of Australia, 20 February 2012, http://www.privacy.org.au/Resources/PLawsClth.html (2007)

APF, Location and tracking of individuals through their mobile devices, 20 February 2012, http://www.privacy.org.au/Papers/LocData.html (2011)

Attorney General's Department, Australian laws to combat terrorism, 20 February 2012, http://www.nationalsecurity.gov.au/agd/www/nationalsecurity.nsf/AllDocs/826190776D49EA90CA256FAB001BA5EA?OpenDocument (2011)

Attorney General's Department. Telecommunications interception and surveillance; n.d., 20 January 2012. http://www.ag.gov.au/Telecommunicationsinterceptionandsurveillance/Pages/default.aspx.

A. Barreras, A. Mathur, Wireless location tracking, [chapter 18], K.R. Larsen, Z.A. Voronovich (Eds.), Convenient or invasive: the information age, Ethica Publishing, United States (2007), pp. 176-186

J. Braithwaite, C. Coglianese, D. Levi-FaurCan regulation and governance make a difference? Regulation & Governance, 1 (2007), pp. 1-7

P. Bridgman, G. Davis, The Australian policy handbook, (3rd ed.), Allen & Unwin, Crows Nest, NSW (2004), 198 p.

G. Cho, Geographic information systems and the law: Mapping the legal frontiers, John Wiley & Sons, Chichester, West Sussex (1998), 337 p.

G. Cho, Geographic information science: mastering the legal issues, John Wiley & Sons Inc, Hoboken, NJ (2005), 440 p.

R. Clarke, While you were sleeping… surveillance technologies arrived, Australian Quarterly, 73 (1) (2001), pp. 10-14

R. Clarke, Privacy on the move: the impacts of mobile technologies on consumers and citizens, http://www.anu.edu.au/people/Roger.Clarke/DV/MPrivacy.html (2003)

R. Clarke, PAIs in Australia – a work-in-progress report, http://www.rogerclarke.com/DV/PIAsAust-11.html (2010)

R. Clarke, M. Wigan, You are where you've been: the privacy implications of location and tracking technologies, http://www.rogerclarke.com/DV/YAWYB-CWP.html (2011)

E.B. Cleff, Effective approaches to regulate mobile advertising: moving towards a coordinated legal, self-regulatory and technical response, Computer Law & Security Review, 26 (2010) (2010), pp. 158-169

C. Cuijpers, B.J. Koops, How fragmentation in European law undermines consumer protection: the case of location-based services, European Law Review, 33 (2008), pp. 880-897

E. Dal Bó, Regulatory capture: a review, Oxford Review of Economic Policy, 22 (2006), pp. 203-225

J.E. Dobson, P.F. Fisher, Geoslavery, IEEE Technology and Society Magazine, 22 (1) (2003), pp. 47-52

A. Escudero-Pascual, I. Hosein, Questioning lawful access to traffic data, Communications of the ACM, 47 (3) (2004), pp. 77-83

A. Fenna, Introduction to Australian public policy, Addison Wesley Longman Australia Pty Limited, South Melbourne, Australia (1998), 454 p.

FIDISD, 11.5: the legal framework for location-based services in Europe, http://www.fidis.net/ (2007)

N. Gunningham, J. Rees, Industry self-regulation: an institutional perspective, Law & Policy, 19 (4) (1997), pp. 363-414

T.A. Hemphill, Monitoring global corporate citizenship: industry self-regulation at a crossroads, The Journal of Corporate Citizenship, 14 (Summer 2004) (2004), pp. 81-95

W. Herbert, No direction home: will the law keep pace with human tracking technology to protect individual privacy and stop geoslavery?, I/S: A Journal of Law and Policy, 2 (2) (2006), pp. 409-473

D.D. Hirsch, The law and policy of online privacy: regulation, self-regulation, or co-regulation? (2010), p. 1–62, http://works.bepress.com.ezproxy.uow.edu.au/dennis_hirsch/61/

I. Hosein, The collision of regulatory convergence and divergence: updating policies of surveillance and information technology, The Southern African Journal of Information and Communication, 2 (1) (2001), pp. 18-33

B.J. Koops, Should ICT regulation be technology-neutral? [chapter 4], B.J. Koops, M. Lips, C. Prins, M. Schellekens (Eds.), Starting points for ICT regulation. Deconstructing prevalent policy one-liners, IT & law series, vol. 9, T.M.C. Asser Press, The Hague (2006), pp. 1-28, (online version). p. 77–108 (original version), http://papers.ssrn.com/sol103/papers.cfm?abstract_id=918746

S. Maddison, R. Denniss, An introduction to Australian public policy: theory and practice, Cambridge University Press, Port Melbourne, Victoria (2009), 281 p.

G.T. Marx, Ethics for the new surveillance, [chapter 2], C.J. Bennett, R. Grant (Eds.), Visions of privacy: policy choices for the digital age, University of Toronto Press, Toronto (1999), pp. 37-67

K. Michael, R. Clarke, Location privacy under dire threat as uberveillance stalks the streets, Precedent (Focus on Privacy/FOI), 108 (2012), pp. 1-8, (online version) & 24–9 (original article), http://works.bepress.com.ezproxy.uow.edu.au/kmichael/245/

K. Michael, R. Clarke, Location and tracking of mobile devices: uberveillance stalks the streets, Computer Law and Security Review, 29 (2) (2013), http://works.bepress.com.ezproxy.uow.edu.au/kmichael/305/

J.B. Morris, The privacy implications of commercial location-based services, Testimony before the House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection and Subcommittee on Communications, Technology, and the Internet: 1–15, http://inews.berkeley.edu/files/CDT-MorrisLocationTestimony.pdf (2010)

L.B. Moses, Recurring dilemmas: the law's race to keep up with technological change, Journal of Law, Technology and Policy, 2007 (2) (2007), pp. 239-285

L.B. Moses, Agents of change: how the law ‘copes’ with technological change, Griffith Law Review, 20 (4) (2011), pp. 763-794

R. Nicholls, Right to privacy: telephone interception and access in Australia, Technology and Society Magazine, IEEE, 31 (2012), pp. 42-49

R. Nicholls, M. Rowland, Regulating the use of telecommunications location data by Australian law enforcement agencies, Criminal Law Journal, 32 (2008), pp. 343-350

R. Nicholls, M. Rowland, Message in a bottle: stored communications interception as practised in Australia, [chapter 7], K. Michael, M.G. Michael (Eds.), The second workshop on the social implications of national security (from Dataveillance to Uberveillance and the Realpolitik of the Transparent Society), University of Wollongong, IP Location-Based Services Research Program (Faculty of Informatics) and Centre for Transnational Crime Prevention (Faculty of Law), Wollongong, Australia (2007), pp. 83-96

Nicholls and Rowland, 2008b, R. Nicholls, M. RowlandRegulating the use of telecommunications location data by Australian law enforcement agencies, [chapter 14], K. Michael, M.G. Michael (Eds.), The third workshop on the social implications of national security (Australia and the New Technologies: Evidence Based Policy in Public Administration), University of Wollongong, IP Location-Based Services Research Program (Faculty of Informatics), Wollongong, Australia (2008), pp. 173-184

H. Nissenbaum, Privacy in context: technology, policy, and the integrity of social life, Stanford Law Books, Stanford, California (2010), 288 p.

P.J. O'Connor, S.H. Godar, We know where you are: the ethics of LBS advertising, [chapter Xiii], B.E. Mennecke, T.J. Strader (Eds.), Mobile commerce: technology, theory and applications, Idea Group Publishing, Hershey, US (2003), pp. 245-261

OAIC. Privacy Act; n.d. 20 February 2012. http://www.privacy.gov.au/law/act#.

P. Ohm, The argument against technology-neutral surveillance laws, Texas Law Review, 88 (2010) (2010), pp. 1685-1713

T. Pilgrim, Speech to biometrics institute privacy in Australia: challenges and opportunities, 27 May 2010, Amora Hotel Jamison, Sydney. p. 1–29, www.privacy.gov.au/materials/types/download/9516/7089 (2010)

Privacy Act 1988 (Cth). Commonwealth of Australia; 2 February, 2012. http://www.comlaw.gov.au/Details/C2011C00503/Download.

Privacy Amendment (Private Sector) Act 2000 (Cth), Privacy Amendment (Private Sector) Act 2000 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2004A00748/Download.

C. Reed, Taking sides on technology neutrality, SCRIPT-ed, 4 (3) (2007), pp. 263-284

M. Rix, Australia and the ‘war against terrorism’: terrorism, national security and human rights, [chapter 8], K. Michael, M.G. Michael (Eds.), The second workshop on the social implications of national security (from Dataveillance to Uberveillance and the Realpolitik of the Transparent Society), University of Wollongong, IP Location-Based Services Research Program (Faculty of Informatics) and Centre for Transnational Crime Prevention (Faculty of Law), Wollongong, Australia (2007), pp. 97-112

S. Rodrick, Accessing telecommunications data for national security and law enforcement purposes, Federal Law Review, 37 (2009), pp. 375-415

G.D. Smith, Private eyes are watching you: with the implementation of the E-911 mandate, who will watch every move you make? Federal Communications Law Journal, 58 (2006), pp. 705-726

G.J. Stigler, The theory of economic regulation, The Bell Journal of Economics and Management Science, 2 (1971), pp. 3-21

Surveillance Devices Act 2004 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2011C00646/Download.

D. Svantesson, A legal method for solving issues of internet regulation, International Journal of Law and Information Technology, 19 (3) (2011), pp. 243-263

I. Székely, M.D. Szabó, B. Vissy, Regulating the future? Law, ethics, and emerging technologies, Journal of Information, Communication & Ethics in Society, 9 (3) (2011), pp. 180-194

Telecommunications (Interception and Access) Act 1979 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2012C00081/Download.

(Cth)Telecommunications Act 1997 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2012C00084/Download.

The ASIO Legislation Amendment Act 2003 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2004A01228/Download.

The Australian Security Intelligence Organisation Act 1979 (Cth). Commonwealth of Australia; 2 February 2012. http://www.comlaw.gov.au/Details/C2011C00585/Download.

VLRC, Surveillance in public places consultation paper, Victorian Law Reform Commission, Melbourne (2009), http://www.lawreform.vic.gov.au/projects/surveillance-public-places/surveillance-public-places-consultation-paper

VLRC Surveillance in public places, Final report 18, Victorian Law Reform Commission, Melbourne (2010), http://www.lawreform.vic.gov.au/projects/surveillance-public-places/surveillance-public-places-final-report

H. Xu, H.H. Teo, B.Y.C. Tan, R. Agarwal, The role of push–pull technology in privacy calculus: the case of location-based services, Journal of Management Information Systems, 26 (3) (2009), pp. 135-173

Keywords: Location-based services, Regulation, Legislation, Law, Self-regulation, Co-regulation, Industry guidelines, Privacy, Australia

Citation: Roba Abbas, Katina Michael, M.G. Michael, Rob Nicholls, Sketching and validating the location-based services (LBS) regulatory framework in Australia, Computer Law & Security Review, Vol. 29, No. 5, October 2013, pp. 576-589, DOI: https://doi.org/10.1016/j.clsr.2013.07.014

Location and tracking of mobile devices: Uberveillance stalks the streets

Abstract

During the last decade, location-tracking and monitoring applications have proliferated, in mobile cellular and wireless data networks, and through self-reporting by applications running in smartphones that are equipped with onboard global positioning system (GPS) chipsets. It is now possible to locate a smartphone user's location not merely to a cell, but to a small area within it. Innovators have been quick to capitalise on these location-based technologies for commercial purposes, and have gained access to a great deal of sensitive personal data in the process. In addition, law enforcement utilises these technologies, can do so inexpensively and hence can track many more people. Moreover, these agencies seek the power to conduct tracking covertly, and without a judicial warrant. This article investigates the dimensions of the problem of people-tracking through the devices that they carry. Location surveillance has very serious negative implications for individuals, yet there are very limited safeguards. It is incumbent on legislatures to address these problems, through both domestic laws and multilateral processes.

1. Introduction

Personal electronic devices travel with people, are worn by them, and are, or soon will be, inside them. Those devices are increasingly capable of being located, and, by recording the succession of locations, tracked. This creates a variety of opportunities for the people concerned. It also gives rise to a wide range of opportunities for organisations, at least some of which are detrimental to the person's interests.

Commonly, the focus of discussion of this topic falls on mobile phones and tablets. It is intrinsic to the network technologies on which those devices depend that the network operator has at least some knowledge of the location of each handset. In addition, many such devices have onboard global positioning system (GPS) chipsets, and self-report their coordinates to service-providers. The scope of this paper encompasses those already well-known forms of location and tracking, but it extends beyond them.

The paper begins by outlining the various technologies that enable location and tracking, and identifies those technologies' key attributes. The many forms of surveillance are then reviewed, in order to establish a framework within which applications of location and tracking can be characterised. Applications are described, and their implications summarised. Controls are considered, whereby potential harm to the interests of individuals can be prevented or mitigated.

2. Relevant technologies

The technologies considered here involve a device that has the following characteristics:

• it is conveniently portable by a human, and

• it emits signals that:

• enable some other device to compute the location of the device (and hence of the person), and

• are sufficiently distinctive that the device is reliably identifiable at least among those in the vicinity, and hence the device's (and hence the person's) successive locations can be detected, and combined into a trail

The primary form-factors for mobile devices are currently clam-shape (portable PCs), thin rectangles suitable for the hand (mobile phones), and flat forms (tablets). Many other form-factors are also relevant, however. Anklets imposed on dangerous prisoners, and even as conditions of bail, carry RFID tags. Chips are carried in cards of various sizes, particularly the size of credit-cards, and used for tickets for public transport and entertainment venues, aircraft boarding-passes, toll-road payments and in some countries to carry electronic cash. Chips may conduct transactions with other devices by contact-based means, or contactless, using radio-frequency identification (RFID) or its shorter-range version near-field communication (NFC) technologies. These capabilities are in credit and debit cards in many countries. Transactions may occur with the cardholder's knowledge, with their express consent, and with an authentication step to achieve confidence that the person using the card is authorised to do so. In a variety of circumstances, however, some and even all of those safeguards are dispensed with. The electronic versions of passports that are commonly now being issued carry such a chip, and have an autonomous communications capability. The widespread issue of cards with capabilities uncontrolled by, and in many cases unknown to, the cardholder, is causing consternation among segments of the population that have become aware of the schemes.

Such chips can be readily carried in other forms, including jewellery such as finger-rings, and belt-buckles. Endo-prostheses such as replacement hips and knees and heart pacemakers can readily carry chips. A few people have voluntarily embedded chips directly into their bodies for such purposes as automated entry to premises (Michael and Michael, 2009).

In order to locate and track such devices, any sufficiently distinctive signals may in principle suffice. See Raper et al. (2007a) and Mautz (2011). In practice, the signals involved are commonly those transmitted by a device in order to take advantage of wireless telecommunications networks. The scope of the relevant technologies therefore also encompasses the signals, devices that detect the signals, and the networks over which the data that the signals contain are transmitted.

In wireless networks, it is generally the case that the base-station or router needs to be aware of the identities of devices that are currently within the cell. A key reason for this is to conserve limited transmission capacity by sending messages only when the targeted device is known to be in the cell. This applies to all of:

• cellular mobile originally designed for voice telephony and extended to data (in particular those using the ‘3G’ standards GSM/GPRS, CDMA2000 and UMTS/HSPA and the ‘4G’ standard LTE)

• wireless local area networks (WLANs, commonly Wifi/IEEE 802.11x – RE, 2010a)

• wireless wide area networks (WWANs, commonly WiMAX/IEEE 802.16x – RE, 2010b).

Devices in such networks are uniquely identified by various means (Clarke and Wigan, 2011). In cellular networks, there is generally a clear distinction between the entity (the handset) and the identity it is adopting at any given time (which is determined by the module inserted in it). Depending on the particular standards used, what is commonly referred to as ‘the SIM-card’ is an R-UIM, a CSIM or a USIM. These modules store an International Mobile Subscriber Identity (IMSI), which constitutes the handset's identifier. Among other things, this enables network operators to determine whether or not to provide service, and what tariff to apply to the traffic. However, cellular network protocols may also involve transmission of a code that distinguishes the handset itself, within which the module is currently inserted. A useful generic term for this is the device ‘entifier’ (Clarke, 2009b). Under the various standards, it may be referred to as an International Mobile Equipment Identity (IMEI), ESN, or MEID.

Vendor-specific solutions also may provide additional functionality to a handset unbeknown to the end-user. For example, every mobile device manufactured by Apple has a 40-character Unique Device Identifier (UDID). This enables Apple to track its users. Not only Apple itself, but also marketers, were able to use the UDID to track devices. It has also been alleged that data emanating from these devices is routinely accessible to law enforcement agencies. Since late 2012, Apple has prevented marketers from using the UDID, but has added an Identifier for Advertisers (IFA or IDFA). This is temporary, and it can be blocked; but it is by default open for tracking, and turning it off is difficult, and is likely to result in reduced services (Edwards, 2012). In short, Apple devices are specifically designed to enable tracking of consumers by Apple, by any government agency that has authority to gain access to the data, and by all consumer-marketing corporations, although in the last case with a low-grade option available to the user to suppress tracking.

In Wifi and WiMAX networks, the device entifier may be a processor-id or more commonly a network interface card identifier (NIC Id). In various circumstances, other device-identifiers may be used, such as a phone number, or an IP-address may be used as a proxy. In addition, the human using the device may be directly identified, e.g. by means of a user-account name.

A WWAN cell may cover a large area, indicatively of a 50 km radius. Telephony cells may have a radius as large as 2–3 km or as little as a hundred metres. WLANs using Wifi technologies have a cell-size of less than 1 ha, indicatively 50–100 m radius, but in practice often constrained by environmental factors to only 10–30 m.

The base-station or router knows the identities of devices that are within its cell, because this is a technically necessary feature of the cell's operation. Mobile devices auto-report their presence 10 times per second. Meanwhile, the locations of base-stations for cellular services are known with considerable accuracy by the telecommunications providers. And, in the case of most private Wifi services, the location of the router is mapped to c. 30–100 m accuracy by services such as Skyhook and Google Locations, which perform what have been dubbed ‘war drives’ in order to maintain their databases – in Google's case in probable violation of the telecommunications interception and/or privacy laws of at least a dozen countries (EPIC, 2012).

Knowing that a device is within a particular mobile phone, WiMAX or Wifi cell provides only a rough indication of location. In order to generate a more precise estimate, within a cell, several techniques are used (McGuire et al., 2005). These include the following (adapted from Clarke and Wigan, 2011; see also Figueiras and Frattasi, 2010):

• directional analysis. A single base-station may comprise multiple receivers at known locations and pointed in known directions, enabling the handset's location within the cell to be reduced to a sector within the cell, and possibly a narrow one, although without information about the distance along the sector;

• triangulation. This involves multiple base-stations serving a single cell, at known locations some distance apart, and each with directional analysis capabilities. Particularly with three or more stations, this enables an inference that the device's location is within a small area at the intersection of the multiple directional plots;

• signal analysis. This involves analysis of the characteristics of the signals exchanged between the handset and base-station, in order to infer the distance between them. Relevant signal characteristics include the apparent response-delay (Time Difference of Arrival – TDOA, also referred to as multilateration), and strength (Received Signal Strength Indicator – RSSI), perhaps supplemented by direction (Angle Of Arrival – AOA).

The precision and reliability of these techniques varies greatly, depending on the circumstances prevailing at the time. The variability and unpredictability result in many mutually inconsistent statements by suppliers, in the general media, and even in the technical literature.

Techniques for cellular networks generally provide reasonably reliable estimates of location to within an indicative 50–100 m in urban areas and some hundreds of metres elsewhere. Worse performance has been reported in some field-tests, however. For example, Dahunsi and Dwolatzky (2012) found the accuracy of GSM location in Johannesburg to be in the range 200–1400 m, and highly variable, with “a huge difference between the predicted and provided accuracies by mobile location providers”.

The website of the Skyhook Wifi-router positioning service claims 10-m accuracy, 1-s time-to-first-fix and 99.8% reliability (SHW, 2012). On the other hand, tests have resulted in far lower accuracy measures, including an average positional error of 63 m in Sydney (Gallagher et al., 2009) and “median values for positional accuracy in [Las Vegas, Miami and San Diego, which] ranged from 43 to 92 metres… [and] the replicability… was relatively poor” (Zandbergen, 2012, p. 35). Nonetheless, a recent research article suggested the feasibility of “uncooperatively and covertly detecting people ‘through the wall’ [by means of their WiFi transmissions]” (Chetty et al., 2012).

Another way in which a device's location may become known to other devices is through self-reporting of the device's position, most commonly by means of an inbuilt Global Positioning System (GPS) chipset. This provides coordinates and altitude based on broadcast signals received from a network of satellites. In any particular instance, the user of the device may or may not be aware that location is being disclosed.

Despite widespread enthusiasm and a moderate level of use, GPS is subject to a number of important limitations. The signals are subject to interference from atmospheric conditions, buildings and trees, and the time to achieve a fix on enough satellites and deliver a location measure may be long. This results in variability in its practical usefulness in different circumstances, and in its accuracy and reliability. Civil-use GPS coordinates are claimed to provide accuracy within a theoretical 7.8 m at a 95% confidence level (USGov, 2012), but various reports suggest 15 m, or 20 m, or 30 m, but sometimes 100 m. It may be affected by radio interference and jamming. The original and still-dominant GPS service operated by the US Government was subject to intentional degradation in the US's national interests. This ‘Selective Availability’ feature still exists, although subject to a decade-long policy not to use it; and future generations of GPS satellites may no longer support it.

Hybrid schemes exist that use two or more sources in order to generate more accurate location-estimates, or to generate estimates more quickly. In particular, Assisted GPS (A-GPS) utilises data from terrestrial servers accessed over cellular networks in order to more efficiently process satellite-derived data (e.g. RE, 2012).

Further categories of location and tracking technologies emerge from time to time. A current example uses means described by the present authors as ‘mobile device signatures’ (MDS). A device may monitor the signals emanating from a user's mobile device, without being part of the network that the user's device is communicating with. The eavesdropping device may detect particular signal characteristics that distinguish the user's mobile device from others in the vicinity. In addition, it may apply any of the various techniques mentioned above, in order to locate the device. If the signal characteristics are persistent, the eavesdropping device can track the user's mobile device, and hence the person carrying it. No formal literature on MDS has yet been located. The supplier's brief description is at PI (2010b).

The various technologies described in this section are capable of being applied to many purposes. The focus in this paper is on their application to surveillance.

3. Surveillance

The term surveillance refers to the systematic investigation or monitoring of the actions or communications of one or more persons (Clarke, 2009c). Until recent times, surveillance was visual, and depended on physical proximity of an observer to the observed. The volume of surveillance conducted was kept in check by the costs involved. Surveillance aids and enhancements emerged, such as binoculars and, later, directional microphones. During the 19th century, the post was intercepted, and telephones were tapped. During the 20th century, cameras enabled transmission of image, video and sound to remote locations, and recording for future use (e.g. Parenti, 2003).

With the surge in stored personal data that accompanied the application of computing to administration in the 1970s and 1980s, dataveillance emerged (Clarke, 1988). Monitoring people through their digital personae rather than through physical observation of their behaviour is much more economical, and hence many more people can be subjected to it (Clarke, 1994). The dataveillance epidemic made it more important than ever to clearly distinguish between personal surveillance – of an identified person who has previously come to attention – and mass surveillance – of many people, not necessarily previously identified, about some or all of whom suspicion could be generated.

Location data is of a very particular nature, and hence it has become necessary to distinguish location surveillance as a sub-set of the general category of dataveillance. There are several categories of location surveillance with different characteristics (Clarke and Wigan, 2011):

• capture of an individual's location at a point in time. Depending on the context, this may support inferences being drawn about an individual's behaviour, purpose, intention and associates

• real-time monitoring of a succession of locations and hence of the person's direction of movement. This is far richer data, and supports much more confident inferences being drawn about an individual's behaviour, purpose, intention and associates

• predictive tracking, by extrapolation from the person's direction of movement, enabling inferences to be drawn about near-future behaviour, purpose, intention and associates

• retrospective tracking, on the basis of the data trail of the person's movements, enabling reconstruction of a person's behaviour, purpose, intention and associates at previous times

Information arising at different times, and from different forms of surveillance, can be combined, in order to offer a more complete picture of a person's activities, and enable yet more inferences to be drawn, and suspicions generated. This is the primary sense in which the term ‘überveillance’ is applied: “Überveillance has to do with the fundamental who (ID), where (location), and when (time) questions in an attempt to derive why (motivation), what (result), and even how (method/plan/thought). Überveillance can be a predictive mechanism for a person's expected behaviour, traits, likes, or dislikes; or it can be based on historical fact; or it can be something in between… Überveillance is more than closed circuit television feeds, or cross-agency databases linked to national identity cards, or biometrics and ePassports used for international travel. Überveillance is the sum total of all these types of surveillance and the deliberate integration of an individual's personal data for the continuous tracking and monitoring of identity and location in real time” (Michael and Michael, 2010. See also Michael and Michael, 2007Michael et al., 20082010Clarke, 2010).

A comprehensive model of surveillance includes consideration of geographical scope, and of temporal scope. Such a model assists the analyst in answering key questions about surveillance: of what? for whom? by whom? why? how? where? and when? (Clarke, 2009c). Distinctions are also needed based on the extent to which the subject has knowledge of surveillance activities. It may be overt or covert. If covert, it may be merely unnotified, or alternatively express measures may be undertaken in order to obfuscate, and achieve secrecy. A further element is the notion of ‘sousveillance’, whereby the tools of surveillance are applied, by those who are commonly watched, against those who are commonly the watchers (Mann et al., 2003).

These notions are applied in the following sections in order to establish the extent to which location and tracking of mobile devices is changing the game of surveillance, and to demonstrate that location surveillance is intruding more deeply into personal freedoms than previous forms of surveillance.

4. Applications

This section presents a typology of applications of mobile device location, as a means of narrowing down to the kinds of uses that have particularly serious privacy implications. These are commonly referred to as location-based services (LBS). One category of applications provide information services that are for the benefit of the mobile device's user, such as navigation aids, and search and discovery tools for the locations variously of particular, identified organisations, and of organisations that sell particular goods and services. Users of LBS of these kinds can be reasonably assumed to be aware that they are disclosing their location. Depending on the design, the disclosures may also be limited to specific service-providers and specific purposes, and the transmissions may be secured.

Another, very different category of application is use by law enforcement agencies (LEAs). The US E-911 mandate of 1999 was nominally a public safety measure, to enable people needing emergency assistance to be quickly and efficiently located. In practice, the facility also delivered LEAs means for locating and tracking people of interest, through their mobile devices. Personal surveillance may be justified by reasonable grounds for suspicion that the subject is involved in serious crime, and may be specifically authorised by judicial warrant. Many countries have always been very loose in their control over LEAs, however, and many others have drastically weakened their controls since 2001. Hence, in any given jurisdiction and context, each and all of the controls may be lacking.

Yet worse, LEAs use mobile location and tracking for mass surveillance, without any specific grounds for suspicion about any of the many people caught up in what is essentially a dragnet-fishing operation (e.g. Mery, 2009). Examples might include monitoring the area adjacent to a meeting-venue watching out for a blacklist of device-identifiers known to have been associated with activists in the past, or collecting device-identifiers for use on future occasions. In addition to netting the kinds of individuals who are of legitimate interest, the ‘by-catch’ inevitably includes threatened species. There are already extraordinarily wide-ranging (and to a considerable extent uncontrolled) data retention requirements in many countries.

Of further concern is the use of Automated Number Plate Recognition (ANPR) for mass surveillance purposes. This has been out of control in the UK since 2006, and has been proposed or attempted in various other countries as well (Clarke, 2009a). Traffic surveillance is expressly used not only for retrospective analysis of the movements of individuals of interest to LEAs, but also as a means of generating suspicions about other people (Lewis, 2008).

Beyond LEAs, many government agencies perform social control functions, and may be tempted to conduct location and tracking surveillance. Examples would include benefits-paying organisations tracking the movements of benefits-recipients about whom suspicions have arisen. It is not too far-fetched to anticipate zealous public servants concerned about fraud control imposing location surveillance on all recipients of some particularly valuable benefit, or as a security precaution on every person visiting a sensitive area (e.g. a prison, a power plant, a national park).

Various forms of social control are also exercised by private sector organisations. Some of these organisations, such as placement services for the unemployed, may be performing outsourced public sector functions. Others, such as workers' compensation providers, may be seeking to control personal insurance claimants, and similarly car-hire companies and insurance providers may wish to monitor motor vehicles' distance driven and roads used (Economist, 2012Michael et al., 2006b).

A further privacy-invasive practice that is already common is the acquisition of location and tracking data by marketing corporations, as a by-product of the provision of location-based services, but with the data then applied to further purposes other than that for which it was intended. Some uses rely on statistical analysis of large holdings (‘data mining’). Many uses are, on the other hand, very specific to the individual, and are for such purposes as direct or indirect targeting of advertisements and the sale of goods and services. Some of these applications combine location data with data from other sources, such as consumer profiling agencies, in order to build up such a substantial digital persona that the individual's behaviour is readily influenced. This takes the activity into the realms of überveillance.

All such services raise serious privacy concerns, because the data is intensive and sensitive, and attractive to organisations. Companies may gain rights in relation to the data through market power, or by trickery – such as exploitation of a self-granted right to change the Terms of Service (Clarke, 2011). Once captured, the data may be re-purposed by any organisation that gains access to it, because the value is high enough that they may judge the trivial penalties that generally apply to breaches of privacy laws to be well worth the risk.

A recently-emerged, privacy-invasive practice is the application of the mobile device signature (MDS) form of tracking, in such locations as supermarkets. This is claimed by its providers to offer deep observational insights into the behaviour of customers, including dwell times in front of displays, possibly linked with the purchaser's behaviour. This raises concerns a little different from other categories of location and tracking technologies, and is accordingly considered in greater depth in the following section.

It is noteworthy that an early review identified a wide range of LBS, which the authors classified into mobile guides, transport, gaming, assistive technology and location-based health (Raper et al., 2007b). Yet that work completely failed to notice that a vast array of applications were emergent in surveillance, law enforcement and national security, despite the existence of relevant literature from at least 1999 onwards (Clarke, 2001Michael and Masters, 2006).

5. Implications

The previous sections have introduced many examples of risks to citizens and consumers arising from location surveillance. This section presents an analysis of the categories and of the degree of seriousness with which they should be viewed. The first topic addressed is the privacy of personal location data. Other dimensions of privacy are then considered, and then the specific case of MDS is examined. The treatment here is complementary to earlier articles that have looked more generally at particular applications such as location-based mobile advertising, e.g. Cleff (20072010) and King and Jessen (2010). See also Art. 29 (2011).

5.1. Locational privacy

Knowing where someone has been, knowing what they are doing right now, and being able to predict where they might go next is a powerful tool for social control and for chilling behaviour (Abbas, 2011). Humans do not move around in a random manner (Song et al., 2010).

One interpretation of ‘locational privacy’ is that it “is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use” (Blumberg and Eckersley, 2009). A more concise definition is “the ability to control the extent to which personal location information is… [accessible and] used by others” (van Loenen et al., 2009). Hence ‘tracking privacy’ is the interest an individual has in controlling information about their sequence of locations.

Location surveillance is deeply intrusive into data privacy, because it is very rich, and enables a great many inferences to be drawn (Clarke, 2001Dobson and Fisher, 2003Michael et al., 2006aClarke and Wigan, 2011). As demonstrated by Raper et al. (2007a, p. 32–3), most of the technical literature that considers privacy is merely concerned about it as an impediment to deployment and adoption, and how to overcome the barrier rather than how to solve the problem. Few authors adopt a positive approach to privacy-protective location technologies. The same authors' review of applications (Raper et al., 2007b) includes a single mention of privacy, and that is in relation to just one of the scores of sub-categories of application that they catalogue.

Most service-providers are cavalier in their handling of personal data, and extravagant in their claims. For example, Skyhook claims that it “respects the privacy of all users, customers, employees and partners”; but, significantly, it makes no mention of the privacy of the people whose locations, through the locations of their Wifi routers, it collects and stores (Skyhook, 2012).

Consent is critical in such LBS as personal location chronicle systems, people-followers and footpath route-tracker systems that systematically collect personal location information from a device they are carrying (Collier, 2011c). The data handled by such applications is highly sensitive because it can be used to conduct behavioural profiling of individuals in particular settings. The sensitivity exists even if the individuals remain ‘nameless’, i.e. if each identifier is a temporary or pseudo-identifier and is not linked to other records. Service-providers, and any other organisations that gain access to the data, achieve the capacity to make judgements on individuals based on their choices of, for example, which retail stores they walk into and which they do not. For example, if a subscriber visits a particular religious bookstore within a shopping mall on a weekly basis, the assumption can be reasonably made that they are in some way affiliated to that religion (Samuel, 2008).

It is frequently asserted that individuals cannot have a reasonable expectation of privacy in a public space (Otterberg, 2005). Contrary to those assertions, however, privacy expectations always have existed in public places, and continue to exist (VLRC, 2010). Tracking the movements of people as they go about their business is a breach of a fundamental expectation that people will be ‘let alone’. In policing, for example, in most democratic countries, it is against the law to covertly track an individual or their vehicle without specific, prior approval in the form of a warrant. This principle has, however, been compromised in many countries since 2001. Warrantless tracking using a mobile device generally results in the evidence, which has been obtained without the proper authority, being inadmissible in a court of law (Samuel, 2008). Some law enforcement agencies have argued for the abolition of the warrant process because the bureaucracy involved may mean that the suspect cannot be prosecuted for a crime they have likely committed (Ganz, 2005). These issues are not new; but far from eliminating a warrant process, the appropriate response is to invest the energy in streamlining this process (Bronitt, 2010).

Privacy risks arise not only from locational data of high integrity, but also from data that is or becomes associated with a person and that is inaccurate, misleading, or wrongly attributed to that individual. High levels of inaccuracy and unreliability were noted above in respect of all forms of location and tracking technologies. In the case of MDS services, claims have been made of 1–2 m locational accuracy. This has yet to be supported by experimental test cases however, and hence there is uncertainty about the reliability of inferences that the service-provider or the shop owner draw. If the data is the subject of a warrant or subpoena, the data's inaccuracy could result in false accusations and even a miscarriage of justice, with the ‘wrong person’ finding themselves in the ‘right place’ at the ‘right time’.

5.2. Privacy more broadly

Privacy has multiple dimensions. One analysis, in Clarke (2006a), identifies four distinct aspects. Privacy of Personal Data, variously also ‘data privacy’ and ‘information privacy’, is the most widely discussed dimension of the four. Individuals claim that data about themselves should not be automatically available to other individuals and organisations, and that, even where data is possessed by another party, the individual must be able to exercise a substantial degree of control over that data and its use. The last five decades have seen the application of information technologies to a vast array of abuses of data privacy. The degree of privacy intrusiveness is a function of both the intensity and the richness of the data. Where multiple sources are combined, the impact is particularly likely to chill behaviour. An example is the correlation of video-feeds with mobile device tracking. The previous sub-section addressed that dimension.

Privacy of the Person, or ‘bodily privacy’, extends from freedom from torture and right to medical treatment, via compulsory immunisation and imposed treatments, to compulsory provision of samples of body fluids and body tissue, and obligations to submit to biometric measurement. Locational surveillance gives rise to concerns about personal safety. Physical privacy is directly threatened where a person who wishes to inflict harm is able to infer the present or near-future location of their target. Dramatic examples include assassins, kidnappers, ‘standover merchants’ and extortionists. But even people who are neither celebrities nor notorieties are subject to stalking and harassment (Fusco et al., 2012).

Privacy of Personal Communications is concerned with the need of individuals for freedom to communicate among themselves, without routine monitoring of their communications by other persons or organisations. Issues include ‘mail covers’, the use of directional microphones, ‘bugs’ and telephonic interception, with or without recording apparatus, and third-party access to email-messages. Locational surveillance thereby creates new threats to communications privacy. For example, the equivalent of ‘call records’ can be generated by combining the locations of two device-identifiers in order to infer that a face-to-face conversation occurred.

Privacy of Personal Behaviour encompasses ‘media privacy’, but particular concern arises in relation to sensitive matters such as sexual preferences and habits, political activities and religious practices. Some privacy analyses, particularly in Europe, extend this discussion to personal autonomy, liberty and the right of self-determination (e.g. King and Jessen, 2010). The notion of ‘private space’ is vital to economic and social aspects of behaviour, is relevant in ‘private places’ such as the home and toilet cubicles, but is also relevant and important in ‘public places’, where systematic observation and the recording of images and sounds are far more intrusive than casual observation by the few people in the vicinity.

Locational surveillance gives rise to rich sets of data about individuals' activities. The knowledge, or even suspicion, that such surveillance is undertaken, chills their behaviour. The chilling factor is vital in the case of political behaviour (Clarke, 2008). It is also of consequence in economic behaviour, because the inventors and innovators on whom new developments depend are commonly ‘different-thinkers’ and even ‘deviants’, who are liable to come to come to attention in mass surveillance dragnets, with the tendency to chill their behaviour, their interactions and their creativity.

Surveillance that generates accurate data is one form of threat. Surveillance that generates inaccurate data, or wrongly associates data with a particular person, is dangerous as well. Many inferences that arise from inaccurate data will be wrong, of course, but that won't prevent those inferences being drawn, resulting in unjustified behavioural privacy invasiveness, including unjustified association with people who are, perhaps for perfectly good reasons, themselves under suspicion.

In short, all dimensions of privacy are seriously affected by location surveillance. For deeper treatments of the topic, see Michael et al. (2006b) and Clarke and Wigan (2011).

5.3. Locational privacy and MDS

The recent innovation of tracking by means of mobile device signatures (MDS) gives rise to some issues additional to, or different from, mainstream device location technologies. This section accordingly considers this particular technique's implications in greater depth. Limited reliable information is currently available, and the analysis is of necessity based on supplier-published sources (PI, 2010a2010b) and media reports (Collier, 2011a,b,c).

Path Intelligence (PI) markets an MDS service to shopping mall-owners, to enable them to better value their floor space in terms of rental revenues, and to identify points of on-foot traffic congestion to on-sell physical advertising and marketing floor space (PI, 2010a). The company claims to detect each phone (and hence person) that enters a zone, and to capture data, including:

• how long each device and person stay, including dwell times in front of shop windows;

• repeat visits by shoppers in varying frequency durations; and

• typical route and circuit paths taken by shoppers as they go from shop to shop during a given shopping experience.

For malls, PI is able to denote such things as whether or not shoppers who shop at one establishment will also shop at another in the same mall, and whether or not people will go out of their way to visit a particular retail outlet independent of its location. For retailers, PI says it is able to provide information on conversion rates by department or even product line, and even which areas of the store might require more attention by staff during specific times of the day or week (PI, 2012).

PI says that it uses “complex algorithms” to denote the geographic position of a mobile phone, using strategically located “proprietary equipment” in a campus setting (PI, 2010a). The company states that it is conducting “data-driven analysis”, but is not collecting, or at least that it is not disclosing, any personal information such as a name, mobile telephone number or contents of a short message service (SMS). It states that it only ever provides aggregated data at varying zone levels to the shopping mall-owners. This is presumably justified on the basis that, using MDS techniques, direct identifiers are unlikely to be available, and a pseudo-identifier needs to be assigned. There is no explicit definition of what constitutes a zone. It is clear, however, that minimally-aggregated data at the highest geographic resolution is available for purchase, and at a higher price than more highly-aggregated data.

Shoppers have no relationship with the company, and it appears unlikely that they would even be aware that data about them is being collected and used. The only disclosure appears to be that “at each of our installations our equipment is clearly visible and labelled with our logo and website address” (PI, 2010a), but this is unlikely to be visible to many people, and in any case would not inform anyone who saw it.

In short, the company is generating revenue by monitoring signals from the mobile devices of people who visit a shopping mall for the purchase of goods and services. The data collection is performed without the knowledge of the person concerned (Renegar et al., 2008). The company is covertly collecting personal data and exploiting it for profit. There is no incentive or value proposition for the individual whose mobile is being tracked. No clear statement is provided about collection, storage, retention, use and disclosure of the data (Arnold, 2008). Even if privacy were not a human right, this would demand statutory intervention on the public policy grounds of commercial unfairness. The company asserts that “our privacy approach has been reviewed by the [US Federal Trade Commission] FTC, which determined that they are comfortable with our practices” (PI, 2010a). It makes no claims of such ‘approval’ anywhere else in the world.

The service could be extended beyond a mall and the individual stores within it, to for example, associated walkways and parking areas, and surrounding areas such as government offices, entertainment zones and shopping-strips. Applications can also be readily envisaged on hospital and university campuses, and in airports and other transport hubs. From prior research, this is likely to expose the individual's place of employment, and even their residence (Michael et al., 2006a,b). Even if only aggregated data is sold to businesses, the individual records remain available to at least the service-provider.

The scope exists to combine this form of locational surveillance with video-surveillance such as in-store CCTV, and indeed this is claimed to be already a feature of the company's offering to retail stores. To the extent that a commonly-used identifier can be established (e.g. through association with the person's payment or loyalty card at a point-of-sale), the full battery of local and externally acquired customer transaction histories and consolidated ‘public records’ data can be linked to in-store behaviour (Michael and Michael, 2007). Longstanding visual surveillance is intersecting with well-established data surveillance, and being augmented by locational surveillance, giving breath to dataveillance, or what is now being referred to by some as ‘smart surveillance’ (Wright et al., 2010IBM, 2011).

Surreptitious collection of personal data is (with exemptions and exceptions) largely against the law, even when undertaken by law enforcement personnel. The MDS mechanism also flies in the face of telephonic interception laws. How, then, can it be in any way acceptable for a form of warrantless tracking to be undertaken by or on behalf of corporations or mainstream government agencies, of shoppers in a mall, or travellers in an airport, or commuters in a transport hub? Why should a service-provider have the right to do what a law enforcement agency cannot normally do?

6. Controls

The tenor of the discussion to date has been that location surveillance harbours enormous threats to location privacy, but also to personal safety, the freedom to communicate, freedom of movement, and freedom of behaviour. This section examines the extent to which protections exist, firstly in the form of natural or intrinsic controls, and secondly in the form of legal provisions. The existing safeguards are found to be seriously inadequate, and it is therefore necessary to also examine the prospects for major enhancements to law, in order to achieve essential protections.

6.1. Intrinsic controls

A variety of forms of safeguard exist against harmful technologies and unreasonable applications of them. The intrinsic economic control has largely evaporated, partly because the tools use electronics and the components are produced in high volumes at low unit cost. Another reason is that the advertising and marketing sectors are highly sophisticated, already hold and exploit vast quantities of personal data, and are readily geared up to exploit yet more data.

Neither the oxymoronic notion of ‘business ethics’ nor the personal morality of executives in business and government act as any significant brake on the behaviours of corporations and governments, because they are very weak barriers, and they are readily rationalised away in the face of claims of enhanced efficiencies in, for example, marketing communications, fraud control, criminal justice and control over anti-social behaviour.

A further category of intrinsic control is ‘self-regulatory’ arrangements within relevant industry sectors. In 2010, for example, the Australian Mobile Telecommunications Association (AMTA) released industry guidelines to promote the privacy of people using LBS on mobile devices (AMTA, 2010). The guidelines were as follows:

1. Every LBS must be provided on an opt-in basis with a specific request from a user for the service

2. Every LBS must comply with all relevant privacy legislation

3. Every LBS must be designed to guard against consumers being located without their knowledge

4. Every LBS must allow consumers to maintain full control

5. Every LBS must enable customers to control who uses their location information and when that is appropriate, and be able to stop or suspend a service easily should they wish

The second point is a matter for parliaments, privacy oversight agencies and law enforcement agencies, and its inclusion in industry guidelines is for information only. The remainder, meanwhile, are at best ‘aspirational’, and at worst mere window-dressing. Codes of this nature are simply ignored by industry members. They are primarily a means to hold off the imposition of actual regulatory measures. Occasional short-term constraints may arise from flurries of media attention, but the ‘responsible’ organisations escape by suggesting that bad behaviour was limited to a few ‘cowboy’ organisations or was a one-time error that will not be repeated.

A case study of the industry self-regulation is provided by the Biometrics Code issued by the misleadingly named Australian industry-and-users association, the Biometrics ‘Institute’ (BI, 2004). During the period 2009–2012, the privacy advocacy organisation, the Australian Privacy Foundation (APF), submitted to the Privacy Commissioner on multiple occasions that the Code failed to meet the stipulated requirements and under the Commissioner's own Rules had to be de-registered. The Code never had more than five subscribers (out of a base of well over 100 members – which was itself only a sub-set of organisations active in the area), and had no signatories among the major biometrics vendors or users, because all five subscribers were small organisations or consultants. In addition, none of the subscribers appear to have ever provided a link to the Code on their websites or in their Privacy Policy Statements (APF, 2012).

The Commissioner finally ended the farce in April 2012, citing the “low numbers of subscribers”, but avoided its responsibilities by permitting the ‘Institute’ to “request” revocation, over two years after the APF had made the same request (OAIC, 2012). The case represents an object lesson in the vacuousness of self-regulation and the business friendliness of a captive privacy oversight agency.

If economics, morality and industry sector politics are inadequate, perhaps competition and organisational self-interest might work. On the other hand, repeated proposals that privacy is a strategic factor for corporations and government agencies have fallen on stony ground (Clarke, 19962006b).

The public can endeavour to exercise countervailing power against privacy-invasive practices. On the other hand, individuals acting alone are of little or no consequence to organisations that are intent on the application of location surveillance. Moreover, consumer organisations lack funding, professionalism and reach, and only occasionally attract sufficient media attention to force any meaningful responses from organisations deploying surveillance technologies.

Individuals may have direct surveillance countermeasures available to them, but relatively few people have the combination of motivation, technical competence and persistence to overcome lethargy and the natural human desire to believe that the institutions surrounding them are benign. In addition, some government agencies, corporations and (increasingly prevalent) public–private partnerships seek to deny anonymity, pseudonymity and multiple identities, and to impose so-called ‘real name’ policies, for example as a solution to the imagined epidemics of cyber-bullying, hate speech and child pornography. Individuals who use cryptography and other obfuscation techniques have to overcome the endeavours of business and government to stigmatise them as criminals with ‘something to hide’.

6.2. Legal controls

It is clear that natural or intrinsic controls have been utter failures in privacy matters generally, and will be in locational privacy matters as well. That leaves legal safeguards for personal freedoms as the sole protection. There are enormous differences among domestic laws relating to location surveillance. This section accordingly limits itself to generalities and examples.

Privacy laws are (with some qualifications, mainly in Europe) very weak instruments. Even where public servants and parliaments have an actual intention to protect privacy, rather than merely to overcome public concerns by passing placebo statutes, the draft Bills are countered by strong lobbying by government agencies and industry, to the extent that measures that were originally portrayed as being privacy-protective reach the statute books as authority for privacy breaches and surveillance (Clarke, 2000).

Privacy laws, once passed, are continually eroded by exceptions built into subsequent legislation, and by technological capabilities that were not contemplated when the laws were passed. In most countries, location privacy has yet to be specifically addressed in legislation. Even where it is encompassed by human rights and privacy laws, the coverage is generally imprecise and ambiguous. More direct and specific regulation may exist, however. In Australia, for example, the Telecommunications (Interception and Access) Act and the Surveillance Devices Act define and criminalise inappropriate interception and access, use, communication and publication of location information that is obtained from mobile device traffic (AG, 2005). On the other hand, when Google Inc. intercepted wi-fi signals and recorded the data that they contained, the Privacy Commissioner absolved the company (Riley, 2010), and the Australian Federal Police refused to prosecute despite the action – whether it was intentional, ‘inadvertent’ or merely plausibly deniable – being a clear breach of the criminal law (Moses, 2010Stilgherrian, 2012).

The European Union determined a decade ago that location data that is identifiable to individuals is to some extent at least subject to existing data protection laws (EU, 2002). However, the wording of that so-called ‘e-Privacy Directive’ countenances the collection of “location data which are more precise than is necessary for the transmission of communications”, without clear controls over the justification, proportionality and transparency of that collection (para. 35). In addition, the e-Privacy Directive only applies to telecommunications service-providers, not to other organisations that acquire location and tracking data. King and Jessen (2010) discuss various gaps in the protective regimes in Europe.

The EU's Advisory Body (essentially a Committee of European Data Protection Commissioners) has issued an Opinion that mobile location data is generally capable of being associated with a person, and hence is personal data, and hence is subject to the EU Directive of 1995 and national laws that implement that Directive (Art. 29, 2011). Consent is considered to be generally necessary, and that consent must be informed, and sufficiently granular (p. 13–8).

It is unclear, however, to what extent this Opinion has actually caused, and will in the future cause, organisations that collect, store, use and disclose location data to change their practices. This uncertainty exists in respect of national security, law enforcement and social control agencies, which have, or which can arrange, legal authority that overrides data protection laws. It also applies to non-government organisations of all kinds, which can take advantage of exceptions, exemptions, loopholes, non-obviousness, obfuscation, unenforceability within each particular jurisdiction, and extra-jurisdictionality, to operate in ways that are in apparent breach of the Opinion.

Legal authorities for privacy-invasions are in a great many cases vague rather than precise, and in many jurisdictions power in relation to specific decisions is delegated to a LEA (in such forms as self-written ‘warrants’), or even a social control agency (in the form of demand-powers), rather than requiring a decision by a judicial officer based on evidence provided by the applicant.

Citizens in many countries are subject to more or less legitimate surveillance of various degrees and orders of granularity, by their government, in the name of law enforcement and national security. However, many Parliaments have granted powers to national security agencies to use location technology to track citizens and to intercept telecommunications. Moreover, many Parliaments have failed the public by permitting a warrant to be signed by a Minister, or even a public servant, rather than a judicial officer (Jay, 1999). Worse still, it appears that these already gross breaches of the principle of a free society are in effect being extended to the authorisation of a private organisation to track mobiles of ordinary citizens because it may lead to better services planning, or more efficient advertising and marketing (Collier, 2011a).

Data protection legislation in all countries evidences massive weaknesses. There are manifold exemptions and exceptions, and there are intentional and accidental exclusions, for example through limitations in the definitions of ‘identified’ and ‘personal data’. Even the much vaunted European laws fail to cope with extraterritoriality and are largely ignored by US-based service-providers. They are also focused exclusively on data, leaving large gaps in safeguards for physical, communications and behavioural privacy.

Meanwhile, a vast amount of abuse of personal data is achieved through the freedom of corporations and government agencies to pretend that Terms imposed on consumers and citizens without the scope to reject them are somehow the subject of informed and freely given consent. For example, petrol stations, supermarkets and many government agencies pretend that walking past signs saying ‘area subject to CCTV’ represents consent to gather, transmit, record, store, use and disclose data. The same approach is being adopted in relation to highly sensitive location data, and much vaunted data protection laws are simply subverted by the mirage of consent.

At least notices such as ‘you are now being watched’ or ‘smile, you are being recorded’ inform customers that they are under observation. On the other hand, people are generally oblivious to the fact that their mobile subscriber identity is transmitted from their mobile phone and multilaterated to yield a reasonably precise location in a shopping mall (Collier, 2011a,b,c). Further, there is no meaningful sense in which they can be claimed to have consented to providing location data to a third party, in this case a location service-provider with whom they have never had contact. And the emergent combination of MDS with CCTV sources becomes a pervasive view of the person, an ‘über’ view, providing a set of über-analytics to – at this stage – shopping complex owners and their constituents.

What rights do employees have if such a system were instituted in an employment setting (Michael and Rose, 2007, p. 252–3)? Are workplace surveillance laws in place that would protect employees from constant monitoring (Stern, 2007)? A similar problem applies to people at airports, or on hospital, university, industrial or government campuses. No social contract has been entered into between the parties, rendering the subscriber powerless.

Since the collapse of the Technology Assessment movement, technological deployment proceeds unimpeded, and public risks are addressed only after they have emerged and the clamour of concern has risen to a crescendo. A reactive force is at play, rather than proactive measures being taken to ensure avoidance or mitigation of potential privacy breaches (Michael et al., 2011). In Australia, for example, safeguards for location surveillance exist at best incidentally, in provisions under separate legislative regimes and in separate jurisdictions, and at worst not at all. No overarching framework exists to provide consistency among the laws. This causes confusion and inevitably results in inadequate protections (ALRC, 2008).

6.3. Prospective legal controls

Various learned studies have been conducted, but gather dust. In Australia, the three major law reform commissions have all reported, and all have been ignored by the legislatures (NSWLRC, 2005ALRC, 2008VLRC, 2010).

One critical need is for the fundamental principle to be recovered, to the effect that the handling of personal data requires either consent or legal authority. Consent is meaningless as a control over unreasonable behaviour, however, unless it satisfies a number of key conditions. It must be informed, it must be freely given, and it must be sufficiently granular, not bundled (Clarke, 2002). In a great many of the circumstances in which organisations are claiming to have consent to gather, store, use and disclose location data, the consumer does not appreciate what the scope of handling is that the service-provider is authorising themselves to perform; the Terms are imposed by the service-provider and may even be varied or completely re-written without consultation, a period of notice or even any notice at all; and consent is bundled rather than the individual being able to construct a pattern of consents and denials that suit their personal needs. Discussions all too frequently focus on the specifically-US notion of ‘opt-out’ (or ‘presumed consent’), with consent debased to ‘opt-in’, and deprecated as inefficient and business-unfriendly.

Recently, some very weak proposals have been put forward, primarily in the USA. In 2011, for example, two US Senators proposed a Location Privacy Protection Bill (Cheng, 2011). An organisation that collected location data from mobile or wireless data devices would have to state explicitly in their privacy policies what was being collected, in plain English. This would represent only a partial implementation of the already very weak 2006 recommendation of the Internet Engineering Task Force for Geographic Location/Privacy (IETF GEOPRIV) working group, which decided that technical systems should include ‘Fair Information Practices’ (FIPs) to defend against harms associated with the use of location technologies (EPIC, 2006). FIPs, however, is itself only a highly cut-down version of effective privacy protections, and the Bill proposes only a small fraction of FIPs. It would be close to worthless to consumers, and close to legislative authorisation for highly privacy-invasive actions by organisations.

Two other US senators tabled a GPS Bill, nominally intended to “balance the needs of Americans' privacy protections with the legitimate needs of law enforcement, and maintains emergency exceptions” (Anderson, 2011). The scope is very narrow – next would have to come the Wi-Fi Act, the A-GPS Act, etc. That approach is obviously unviable in the longer term as new innovations emerge. Effective legislation must have appropriate generality rather than excessive technology-specificity, and should be based on semantics not syntax. Yet worse, these Bills would provide legal authorisation for grossly privacy-invasive location and tracking. IETF engineers, and now Congressmen, want to compromise human rights and increase the imbalance of power between business and consumers.

7. Conclusions

Mobile device location technologies and their applications are enabling surveillance, and producing an enormous leap in intrusions into data privacy and into privacy of the person, privacy of personal communications, and privacy of personal behaviour.

Existing privacy laws are entirely incapable of protecting consumers and citizens against the onslaught. Even where consent is claimed, it generally fails the tests of being informed, freely given and granular.

There is an urgent need for outcries from oversight agencies, and responses from legislatures. Individual countries can provide some degree of protection, but the extra-territorial nature of so much of the private sector, and the use of corporate havens, in particular the USA, mean that multilateral action is essential in order to overcome the excesses arising from the US laissez fairetraditions.

One approach to the problem would be location privacy protection legislation, although it would need to embody the complete suite of protections rather than the mere notification that the technology breaches privacy. An alternative approach is amendment of the current privacy legislation and other anti-terrorism legislation in order to create appropriate regulatory provisions, and close the gaps that LBS providers are exploiting (Koppel, 2010).

The chimeras of self-regulation, and the unenforceability of guidelines, are not safeguards. Sensitive data like location information must be subject to actual, enforced protections, with guidelines and codes no longer used as a substitute, but merely playing a supporting role. Unless substantial protections for personal location information are enacted and enforced, there will be an epidemic of unjustified, disproportionate and covert surveillance, conducted by government and business, and even by citizens (Gillespie, 2009Abbas et al., 2011).

Acknowledgements

A preliminary version of the analysis presented in this paper appeared in the November 2011 edition of Precedent, the journal of the Lawyers Alliance. The article has been significantly updated as a result of comments provided by the referees and editor.

References

R. Abbas, The social and behavioural implications of location-based services: an observational study of users, Journal of Location Based Services, 5 (December 2011), pp. 3-4

R. Abbas, K. Michael, M.G. Michael, A. Aloudat, Emerging forms of covert surveillance using GPS-enabled devices, Journal of Cases on Information Technology, 13 (2) (2011), pp. 19-33

AG, What the government is doing: Surveillance Device Act 2004, Australian Government (25 May 2005) at http://www.ag.gov.au/agd/www/nationalsecurity.nsf/AllDocs/9B1F97B59105AEE6CA25700C0014CAF5?OpenDocument

ALRC, For your information: Australian privacy law and practice, (ALRC report 108), Australian Government (2008), 2, p. 1409–10, http://www.alrc.gov.au.ezproxy.uow.edu.au/publications/report-108

AMTA, New mobile telecommunications industry guidelines and consumer tips set benchmark for location based services, Australian Mobile Telecommunications Association (2010) at http://www.amta.org.au/articles/New.mobile.telecommunications.industry.guidelines.and.consumer.tips.set.benchmark.for.Location.Based.Services

N. Anderson, Bipartisan bill would end government's warrantless GPS tracking, Ars Technica (June 2011) at http://arstechnica.com/tech-policy/news/2011/06/bipartisan-bill-would-end-governments-warrantless-gps-tracking.ars

APF Revocation of the biometrics industry code, Australian Privacy Foundation (March 2012) at http://www.privacy.org.au/Papers/OAIC-BiomCodeRevoc-120321.pdf

B. Arnold, Privacy guide, Caslon Analytics (May 2008), at http://www.caslon.com.au/privacyguide19.htm

Art. 29, Opinion 13/2011 on geolocation services on smart mobile devices, Article 29 Data Protection Working Party, 881/11/EN WP 185, at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf (16 May 2011)

BI Privacy code, Biometrics Institute, Sydney (April 2004) at http://web.archive.org/web/20050424120627/http://www.biometricsinstitute.org/displaycommon.cfm?an=1&subarticlenbr=8

A.J. Blumberg, P. EckersleyOn locational privacy, and how to avoid losing it forever, Electronic Frontier Foundation (August 2009), at https://www.eff.org/wp/locational-privacy

S. Bronitt, Regulating covert policing methods: from reactive to proactive models of admissibility, S. Bronitt, C. Harfield, K. Michael (Eds.), The social implications of covert policing (2010), pp. 9-14

J. Cheng, Franken's location-privacy bill would close mobile-tracking ‘loopholes’, Wired (17 June 2011), at http://www.wired.com/epicenter/2011/06/franken-location-loopholes/

K. Chetty, G.E. Smith, K. Woodbridge, Through-the-wall sensing of personnel using passive bistatic WiFi radar at standoff distances, IEEE Transactions on Geoscience and Remote Sensing, 50 (4) (April 2012), pp. 1218-1226

R. Clarke, Information technology and dataveillance, Communications of the ACM, 31 (5) (May 1988), pp. 498-512, at http://www.rogerclarke.com/DV/CACM88.html

R. Clarke, The digital persona and its application to data surveillance, The Information Society, 10 (2) (June 1994), pp. 77-92, at http://www.rogerclarke.com/DV/DigPersona.html

Clarke R. Privacy and dataveillance, and organisational strategy. In: Proc. I.S. Audit & Control Association (EDPAC'96), Perth, Western Australia; May 1996, at http://www.rogerclarke.com/DV/PStrat.html.

R. Clarke, Submission to the Commonwealth Attorney-General re: ‘a privacy scheme for the private sector: release of key provisions’ of 14 December 1999, Xamax Consultancy Pty Ltd (January 2000) at http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

R. Clarke, Person-location and person-tracking: technologies, risks and policy implications, Information Technology & People, 14 (2) (Summer 2001), pp. 206-231, at http://www.rogerclarke.com/DV/PLT.html

Clarke R. e-Consent: a critical element of trust in e-business. In: Proc. 15th Bled electronic commerce conference, Bled, Slovenia; June 2002, at http://www.rogerclarke.com/EC/eConsent.html.

R. Clarke, What's ‘privacy’? Xamax Consultancy Pty Ltd (2006), August 2006, at http://www.rogerclarke.com/DV/Privacy.html

R. Clarke, Make privacy a strategic factor – the why and the how, Cutter IT Journal, 19 (11) (2006), at http://www.rogerclarke.com/DV/APBD-0609.html

R. Clarke, Dissidentity: the political dimension of identity and privacy, Identity in the Information Society, 1 (1) (December 2008), pp. 221-228, at http://www.rogerclarke.com/DV/Dissidentity.html

Clarke R. The covert implementation of mass vehicle surveillance in Australia. In: Proc 4th workshop on the social implications of national security: covert policing, April 2009, ANU, Canberra; 2009a, at http://www.rogerclarke.com/DV/ANPR-Surv.html.

Clarke R. A sufficiently rich model of (id)entity, authentication and authorisation. In: Proc. IDIS 2009 – the 2nd multidisciplinary workshop on identity in the Information Society, LSE, 5 June 2009; 2009b, at http://www.rogerclarke.com/ID/IdModel-090605.html.

R. Clarke, A framework for surveillance analysis, Xamax Consultancy Pty Ltd (2009), August 2009, at http://www.rogerclarke.com/DV/FSA.html

R. Clarke, What is überveillance? (And what should be done about it?) IEEE Technology and Society, 29 (2) (Summer 2010), pp. 17-25, at http://www.rogerclarke.com/DV/RNSA07.html

Clarke R. The cloudy future of consumer computing. In: Proc. 24th Bled eConference; June 2011, at http://www.rogerclarke.com/EC/CCC.html.

R. Clarke, M. Wigan, You are where you've been: the privacy implications of location and tracking technologies, Journal of Location Based Services, 5 (3–4) (December 2011), pp. 138-155, http://www.rogerclarke.com/DV/YAWYB-CWP.html

E.B. Cleff, Implementing the legal criteria of meaningful consent in the concept of mobile advertising, Computer Law & Security Review, 23 (2) (2007), pp. 262-269

E.B. Cleff, Effective approaches to regulate mobile advertising: moving towards a coordinated legal, self-regulatory and technical response, Computer Law & Security Review, 26 (2) (2010), pp. 158-169

K. Collier, Stores spy on shoppers, Herald Sun (2011), 12 October 2011, at http://www.heraldsun.com.au/news/more-news/stores-spy-on-shoppers/story-fn7x8me2-1226164244739

K. Collier, Shopping centres' Big Brother plan to track customers, Herald Sun (2011), 14 October 2011, at http://www.heraldsun.com.au/news/more-news/shopping-centres-big-brother-plan-to-track-customers/story-fn7x8me2-1226166191503

K. Collier, ‘Creepy’ path intelligence retail technology tracks shoppers, news.com.au (2011), 14 October 2011, at http://www.news.com.au/money/creepy-retail-technology-tracks-shoppers/story-e6frfmci-1226166413071

F. Dahunsi, B. Dwolatzky, An empirical investigation of the accuracy of location-based services in South Africa, Journal of Location Based Services, 6 (1) (March 2012), pp. 22-34

J. Dobson, P. Fisher, Geoslavery, IEEE Technology and Society, 22 (2003), pp. 47-52, cited in Raper et al. (2007)

Economist, Vehicle data recorders – watching your driving, The Economist (23 June 2012), at http://www.economist.com/node/21557309

J. Edwards, Apple has quietly started tracking iphone users again, and it's tricky to opt out, Business Insider (11 October 2012) at http://www.businessinsider.com/ifa-apples-iphone-tracking-in-ios-6-2012-10

EPIC, Privacy and human rights report 2006, Electronic Privacy Information Center, WorldLII (2006) at http://www.worldlii.org.ezproxy.uow.edu.au/int/journals/EPICPrivHR/2006/PHR2006-Location.html

EPIC, Investigations of Google street view, Electronic Privacy Information Center (2012), at http://epic.org/privacy/streetview/

EU Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

Official Journal, L 201 (2002), 31/07/2002 P. 0037-0047, European Commission, at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

J. Figueiras, S. Frattasi, Mobile positioning and tracking: from conventional to cooperative techniques, Wiley (2010)

S.J. Fusco, R. Abbas, K. Michael, A. Aloudat, Location-based social networking and its impact on trust in relationships, IEEE Technology and Society Magazine, 31 (2) (Summer 2012), pp. 39-50, at http://works.bepress.com.ezproxy.uow.edu.au/cgi/viewcontent.cgi?article=1326&context=kmichael

Gallagher T et al. Trials of commercial Wi-Fi positioning systems for indoor and urban canyons. In: Proc. IGNSS symposium, Queensland; 1–3 December 2009, cited in Zandbergen (2012).

J.S. Ganz, It's already public: why federal officers should not need warrants to use GPS vehicle tracking devices, Journal of Criminal Law and Criminology, 95 (4) (Summer 2005), pp. 1325-1337

A.A. Gillespie, Covert surveillance, human rights and the law, Irish Criminal Law Journal, 19 (3) (August 2009), pp. 71-79

IBM, IBM smart surveillance system (previous PeopleVision project, IBM Research (30 October 2011), at http://www.research.ibm.com.ezproxy.uow.edu.au/peoplevision/

D.M. Jay, Use of covert surveillance obtained by search warrant, Australian Law Journal, 73 (1) (Jan 1999), pp. 34-36

N.J. King, P.W. Jessen, Profiling the mobile customer – privacy concerns when behavioural advertisers target mobile phones, Computer Law & Security Review, 26 (5) (2010), pp. 455-478, and 2010; 26(6): 595–612

A. Koppel, Warranting a warrant: fourth amendment concerns raised by law enforcement's warrantless use of GPS and cellular phone tracking, University of Miami Law Review, 64 (3) (April 2010), pp. 1061-1089

P. Lewis, Fears over privacy as police expand surveillance project, The Guardian (15 September 2008) at http://www.guardian.co.uk/uk/2008/sep/15/civilliberties.police

B. van Loenen, J. Zevenbergen, J. de JongBalancing location privacy with national security: a comparative analysis of three countries through the balancing framework of the European court of human rights, N.J. Patten, et al. (Eds.), National security: institutional approaches, Nova Science Publishers (2009), [chapter 2]

M. McGuire, K.N. Plataniotis, A.N. Venetsanopoulos, Data fusion of power and time measurements for mobile terminal location, IEEE Transaction on Mobile Computing, 4 (2005), pp. 142-153, cited in Raper et al. (2007)

S. Mann, J. Nolan, B. Wellman, Sousveillance: inventing and using wearable computing devices for data collection in surveillance environments, Surveillance & Society, 1 (3) (June 2003), pp. 331-355, at http://www.surveillance-and-society.org/articles1(3)/sousveillance.pdf

Mautz R. Overview of indoor positioning technologies. Keynote. In: Proc. IPIN'2011, Guimaraes; September 2011, at http://www.geometh.ethz.ch/people/.../IPIN_Keynote_Mautz_2011.pdf.

D. Mery, The mobile phone as self-inflicted surveillance – and if you don't have one, what have you got to hide? The Register (10 April 2009) at http://www.theregister.co.uk/2009/04/10/mobile_phone_tracking/

Michael and Michael, 2007, K. Michael, M.G. Michael, From dataveillance to überveillance and the Realpolitik of the Transparent Society, University of Wollongong (2007) at http://works.bepress.com.ezproxy.uow.edu.au/kmichael/51

K. Michael, M.G. Michael, Innovative automatic identification and location-based services: from bar codes to chip implants, IGI Global (2009)

M.G. Michael, K. Michael, Towards a state of uberveillance, IEEE Technology and Society Magazine, 29 (2) (Summer 2010), pp. 9-16, at, http://works.bepress.com.ezproxy.uow.edu.au/kmichael/187

Michael K, McNamee A, Michael MG, Tootell H., Location-based intelligence – modeling behavior in humans using GPS. In: Proc. int'l symposium on technology and society, New York, 8–11 June 2006; 2006a, at http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1384&context=infopapers.

Michael K, McNamee A, Michael MG. The emerging ethics of humancentric GPS tracking and monitoring. In: Proc. int'l conf. on mobile business, Copenhagen, Denmark. IEEE Computer Society; 2006b, at http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1384&context=infopapers.

M.G. Michael, S.J. Fusco, K. Michael, A research note on ethics in the emerging age of uberveillance, Computer Communications, 31 (6) (2008), pp. 1192-1199, at http://works.bepress.com.ezproxy.uow.edu.au/kmichael/32/

Michael and Masters, 2006, K. Michael, A. Masters, Realized applications of positioning technologies in defense intelligence, H. Hussein Abbass, D. Essam (Eds.), Applications of information systems to homeland security and defense, Idea Group Publishing (2006), at http://works.bepress.com.ezproxy.uow.edu.au/kmichael/2

K. Michael, G. Rose, Human tracking technology in mutual legal assistance and police inter-state cooperation in international crimes, K. Michael, M.G. Michael (Eds.), From dataveillance to überveillance and the realpolitik of the transparent society. 1st ed, University of Wollongong, Wollongong (2007), pp. 241-256.

K. Michael, G. Roussos, G.Q. Huang, R. Gadh, A. Chattopadhyay, S.Prabhu, et al.Planetary-scale RFID services in an age of uberveillance, Proceedings of the IEEE, 98 (9) (2010), pp. 1663-1671

K. Michael, M.G. Michael, R. Abbas, The importance of scenarios in the prediction of the social implications of emerging technologies and services, Journal of Cases on Information Technology (JCIT) 13.2 (2011), pp. i-vii

A. Moses, Google escapes criminal charges for Wi-Fi snooping, The Sydney Morning Herald (6 December 2010) at http://www.smh.com.au/technology/security/google-escapes-criminal-charges-for-wifi-snooping-20101206-18lot.html

NSWLRC Surveillance, Report 108, NSW Law Reform Commission (2005) at http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_r108toc

OAIC. Office of the Australian Information Commissioner; April 2012, at http://www.comlaw.gov.au/Details/F2012L00869/Explanatory%20Statement/Text.

A.A. Otterberg, Note: GPS tracking technology: the case for revisiting Knotts and shifting the Supreme Court's theory of the public space under the fourth amendment, Boston College Law Review, 46 (2005) (2005), pp. 661-704

C. Parenti, The soft cage: surveillance in America from slavery to the war on terror, Basic Books (2003)

PI, Our commitment to privacy, Path Intelligence (2010), heading changed in late 2012 to ‘privacy by design’, at http://www.pathintelligence.com/en/products/footpath/privacy

PI, FootPath technology, Path Intelligence (2010) at http://www.pathintelligence.com/en/products/footpath/footpath-technology

PI Retail, Path Intelligence (2012), at http://www.pathintelligence.com/en/industries/retail

J. Raper, G. Gartner, H. Karimi, C. Rizos, A critical evaluation of location based services and their potential, Journal of Location Based Services, 1 (1) (2007), pp. 5-45

J. Raper, G. Gartner, H. Karimi, C. Rizos, Applications of location-based services: a selected review, Journal of Location Based Services, 1 (2) (2007), pp. 89-111

RE IEEE 802.11 standards tutorial, Radio-Electronics.com (2010), apparently of 2010, at http://www.radio-electronics.com/info/wireless/wi-fi/ieee-802-11-standards-tutorial.php

RE WiMAX IEEE 802.16 technology tutorial, Radio-Electronics.com (2010), apparently of 2010, at http://www.radio-electronics.com/info/wireless/wimax/wimax.php

RE Assisted GPS, A-GPS, Radio-Electronics.com (2012) apparently of 2012, at http://www.radio-electronics.com/info/cellulartelecomms/location_services/assisted_gps.php

Renegar BD, Michael K, Michael MG. Privacy, value and control issues in four mobile business applications. In: Proc. 7th int'l conf. on mobile business; 2008. p. 30–40.

J. Riley, Gov't ‘travesty’ in Google privacy case, ITWire, 20 (Wednesday 3 November 2010), p. 44, at http://www.itwire.com/it-policy-news/regulation/42898-govt-travesty-in-google-privacy-case

I.J. Samuel, Warrantless location tracking, New York University Law Review, 83 (2008), pp. 1324-1352

SHW Skyhook location performance at http://www.skyhookwireless.com/location-technology/performance.php (2012)

Skyhook. (2012). Website entries, including ‘frequently asked questions’ at http://www.skyhookwireless.com/whoweare/faq.php, ‘privacy policy’ at http://www.skyhookwireless.com/whoweare/privacypolicy.php and ‘location privacy’ at http://www.skyhookwireless.com/whoweare/privacy.php.

C. Song, Z. Qu, N. Blumm, A.-L. Barabási, Limits of predictability in human mobility, Science, 327 (5968) (2010), pp. 1018-1021.

A. Stern, Man fired thanks to GPS tracking, Center Networks (31 August 2007), at http://www.centernetworks.com/man-fired-thanks-to-gps-tracking

Stilgherrian, Forget government data retention, Google has you wired, Crikey (2 October 2012), at http://www.crikey.com.au/2012/10/02/forget-government-data-retention-google-has-you-wired/

USGovGPS accuracy, National Coordination Office for Space-Based Positioning, Navigation, and Timing(February 2012), at http://www.gps.gov/systems/gps/performance/accuracy/

VLRC, Surveillance in public spaces, Victorian Law Reform Commission (March 2010), Final report 18, at http://www.lawreform.vic.gov.au/wps/wcm/connect/justlib/Law+Reform/resources/3/6/36418680438a4b4eacc0fd34222e6833/Surveillance_final_report.pdf

D. Wright, M. Friedewald, S. Gutwirth, M. Langheinrich, E. Mordini, R.Bellanova, et al.Sorting out smart surveillance, Computer Law & Security Review, 26 (4) (2010), pp. 343-354

P.A. Zandbergen, Comparison of WiFi positioning on two mobile devices, Journal of Location Based Services, 6 (1) (March 2012), pp. 35-50

Keywords: Location-based systems (LBS), Cellular mobile, Wireless LAN, GPS, Mobile device signatures (MDS), Privacy, Surveillance, Überveillance

Citation: Katina Michael and Roger Clarke, "Location and tracking of mobile devices: Überveillance stalks the streets", Computer Law & Security Review, Vol. 29, No. 3, June 2013, pp. 216-228, DOI: https://doi.org/10.1016/j.clsr.2013.03.004

Heaven and Hell: Visions for Pervasive Adaptation

Abstract

With everyday objects becoming increasingly smart and the “info-sphere” being enriched with nano-sensors and networked to computationally-enabled devices and services, the way we interact with our environment has changed significantly, and will continue to change rapidly in the next few years. Being user-centric, novel systems will tune their behaviour to individuals, taking into account users’ personal characteristics and preferences. But having a pervasive adaptive environment that understands and supports us “behaving naturally” with all its tempting charm and usability, may also bring latent risks, as we seamlessly give up our privacy (and also personal control) to a pervasive world of business-oriented goals of which we simply may be unaware.

1. Visions of pervasive adaptive technologies

This session considered some implications for the future, inviting participants to evaluate alternative utopian/dystopian visions of pervasive adaptive technologies. It was designed to appeal to anyone interested in the personal, social, economic and political impacts of pervasive, ubiquitous and adaptive computing.

The session was sponsored by projects from the FET Proactive Initiative on Pervasive Adaptation (PerAda), which targets technologies and design methodologies for pervasive information and communication systems capable of autonomously adapting in dynamic environments. The session was based on themes from the PerAda book entitled “This Pervasive Day”, to be published in 2011 by Imperial College Press, which includes several authors from the PerAda projects, who are technology experts in artificial intelligence, adaptive systems, ambient environments, and pervasive computing. The book offers visions of “user heaven” and “user hell”, describing technological benefits and useful applications of pervasive adaptation, but also potential threats of technology. For example, positive advances in sensor networks, affective computing and the ability to improve user-behaviour modeling using predictive analytics could be offset by results that ensure that neither our behaviour, nor our preferences, nor even our feelings will be exempt from being sensed, digitised, stored, shared, and even sold. Other potentially undesirable outcomes to privacy, basic freedoms (of expression, representation, demonstration etc.), and even human rights could emerge.

One of the major challenges, therefore, is how to improve pervasive technology (still in its immature phase) in order to optimise benefits and reduce the risks of negative effects. Increasingly FET research projects are asked to focus on the social and economic impacts of science and technology, and this session aimed to engage scientists in wider issues, and consider some of the less attractive effects as well as the benefits from pervasive adaptation. Future and emerging technology research should focus on the social and economic impacts of practical applications. The prospect of intelligent services increasingly usurping user preferences as well as a certain measure of human control creates challenges across a wide range of fields.

2. Format

The networking session took the form of a live debate, primed by several short “starter” talks by “This Pervasive Day” authors who each outlined “heaven and hell” scenarios. The session was chaired by Ben Paechter, Edinburgh Napier University, and coordinator of the PerAda coordination action. The other speakers were as follows:

Pervasive Adaptation and Design Contractualism.

Jeremy Pitt, Imperial College London, UK, editor of “This Pervasive Day”.

This presentation described some of the new channels, applications and affordances for pervasive computing and stressed the need to revisit the user-centric viewpoint of the domain of Human-Computer Interaction. In dealing with the issues of security and trust in such complex systems, capable of widespread data gathering and storage, Pitt suggested that there is a requirement for Design Contractualism, where the designer makes moral and ethical judgments and encodes them in the system. No privacy or security model is of any value if the system developers will not respect the implicit social contract on which the model depends.

Micro-chipping People, The Risk vs Reward Debate

Katina Michael, University of Wollongong, Australia

Michael discussed the rise of RFID chip implantation in people as a surveillance mechanism, making comparisons with the CCTV cameras that are becoming commonplace in streets and buildings worldwide. These devices are heralding in an age of “Uberveillance”, she claims, with corporations, governments and individuals being increasingly tempted to read and record the biometric and locative data of other individuals. This constant tracking of location and monitoring of physical condition raises serious questions concerning security and privacy that researchers will have to face in the near future.

Who is more adaptive: the technology or ourselves?

Nikola Serbedzija, Fraunhofer FIRST, Germany

Serbedzija discussed how today's widespread information technologies may be affecting how we are as humans. We are now entering a world where information is replacing materiality, and where control over our individual data allows us to construct ourselves as we wish to be seen by others. Serbedzija then presented examples of research into ethically critical systems, including a reflective approach to designing empathetic systems that use our personal, physical data to assist us in our activities, for example as vehicle co-driving situations.

3. Conclusion

Following the presentations, the discussion was opened out and panellists answered questions from conference delegates. This was augmented by the use of a “tweet wall” which was open to delegates to send comments and opinions using a Twitter account. This was displayed on screen during the discussion session.

Keywords: Pervasive adaptation, ubiquitous computing, sensor networks, affective computing, privacy, security

Citation: Ben Paechter, Jeremy Pitt, Nikola Serbedzija, Katina Michael, Jennifer Willies, Ingi Helgasona, 2011, "Heaven and Hell: Visions for Pervasive Adaptation", Procedia Computer Science: The European Future Technologies Conference and Exhibition 2011, Vol. 7, pp. 81-82, DOI: https://doi.org/10.1016/j.procs.2011.12.025

Lend Me Your Arms: Use and Implications of RFID Implants

Abstract

Recent developments in the area of RFID have seen the technology expand from its role in industrial and animal tagging applications, to being implantable in humans. With a gap in literature identified between current technological development and future humancentric possibility, little has been previously known about the nature of contemporary humancentric applications. By employing usability context analyses in control, convenience and care-related application areas, we begin to piece together a cohesive view of the current development state of humancentric RFID, as detached from predictive conjecture. This is supplemented by an understanding of the market-based, social and ethical concerns which plague the technology.

1. Introduction

Over the past three decades, Radio-frequency identification (RFID) systems have evolved to become cornerstones of many complex applications. From first beginnings, RFID has been promoted as an innovation in convenience and monitoring efficiencies. Indeed, with RFID supporters predicting the growth of key medical services and security systems, manufacturers are representing the devices as ‘life-enhancing’. Though the lifestyle benefits have long been known, only recently have humans become both integral and interactive components in RFID systems. Where we once carried smart cards or embedded devices interwoven in clothing, RFID technology is now at a point where humans can safely be implanted with small transponders.

This paper aims to explore the current state of development for humancentric applications of RFID. The current state is defined by the intersection of existing development for the subjects and objects of RFID – namely humans and implants. The need for such a study has been identified by a gap in knowledge between present applications and future possibility. This study aims to overcome forecast and provide a cohesive examination of existing humancentric RFID applications. Analysis of future possibility is outside the scope of this study. Instead, a discussion will be provided on present applications, their feasibility, use and social implications.

2. Literature review

The literature review is organized into three main areas – control, convenience, and care. In each of these contexts, literature will be reviewed chronologically.

2.1. The context of control

A control-related humancentric application of RFID is any human use of an implanted RFID transponder that allows an implantee to have power over an aspect of their lives, or, that allows a third party to have power over an implantee. Substantial literature on humancentric control applications begins in 1997 with United States patent 5629678 for a ‘Personal Tracking and Recovery System’. Though the literature scientifically describes the theoretical tracking system for recovery of RFID-implanted humans, no further evidence is available to ascertain whether it has since been developed. Questions as to feasibility of use are not necessarily answered by succeeding literature. Reports of the implantation of British soldiers [1] for example lack the evidentiary support needed to assuage doubts. Further, many articles highlight the technological obstacles besieging humancentric RFID systems. These include GPS hardware miniaturization [2] and creating active RFID tags capable of being safely recharged from within the body. Further adding to reservation, much literature is speculative in nature. Eng [3], for example, predicts that tags will be melded into children to advise parents of their location.

Despite concerns and conjecture, actual implementations of humancentric control applications of RFID have been identified. Both Murray [4] and Eng documented the implantation of Richard Seelig who had tags placed in his hip and arm in response to the September 11 tragedy of 2001. This sophisticated technology was employed to provide security and control over personal identification information. Wilson [5] also provides the example of 11-year old Danielle Duval who has had an active chip (i.e. containing a rechargeable battery) implanted in her. Her mother believes that it is no different to tracking a stolen car, simply that it is being used for another more important application.

2.2. The context of convenience

A convenience-related humancentric application of RFID is any human use of an implanted RFID transponder that increases the ease with which tasks are performed. The first major documented experiment into the use of human-implantable RFID was within this context. Sanchez-Klein [6] and Witt [7] both journalize on the self-implantation of Kevin Warwick, Director of Cybernetics at the University of Reading. They describe results of Warwick’s research by his having doors open, lights switch on and computers respond to the presence of the microchip. Warwick himself gives a review of the research in his article ‘Cyborg 1.0’, however this report is informal and contains emotive descriptions of “fantastic” experiences [8].

Woolnaugh [9], Holden [10], and Vogel [11] all published accounts of the lead-up to Warwick’s second ‘Cyborg 2.0’ experiment and although Woolnaugh’s work involves the documentation of an interview, all three are narrative descriptions of proposed events rather than a critical analysis within definitive research frameworks. Though the commotion surrounding Warwick later died down, speculation did not with Eng proposing a future where credit card features will be available in implanted RFID devices. The result would see commercial transactions made more convenient.

2.3. The context of care

A care-related humancentric application of RFID is any human use of an implanted RFID transponder where function is associated with medicine, health or wellbeing. In initial literature, after the Cyborg 1.0 trial, Kevin Warwick envisioned that with RFID implants paraplegics would walk [7]. Building incrementally on this notion then is the work of Kobetic, Triolo and Uhlir who documented the study of a paraplegic male who had muscular stimuli delivered via an implanted RFID controlled electrical simulation system [12]. Though not allowing the mobility which Warwick dreamt of, results did include increased energy and fitness for the patient.

Outside the research sphere, much literature centers on eight volunteers who were implanted with commercial VeriChip RFID devices in 2002 trials. Murray [13], Black [14], Grossman [15] and Gengler [16] all document medical reasons behind the implantation of four subjects. Supplemented by press releases however, all reports of the trials were journalistic, rather than research-based. In contrast, non-trivial research is found in the work of Michael [17]. Her thesis uses a case study methodology, and a systems of innovation framework, to discuss the adaptation of auto-ID for medical implants.

2.4. Critical response to literature

More recent publications on humancentric RFID include the works of Masters [18], Michael and Michael [19], Perusco and Michael [20], Johnston [21], and Perakslis and Wolk [22]. Masters approaches the subject from the perspective of usability contexts, while Perusco and Michael use document analysis to categorise location services into tag, track and trace applications. Johnston uses content analysis to identify important themes in the literature, supplemented by a small-scale sample survey on the social acceptance of chip implants. Perakslis and Wolk also follow this latter methodology. Of the other (earlier) landmark studies, the majority are concerned with non-humancentric applications. Gerdeman [23], Finkinzeller [24] and Geers [25] all use case studies to investigate non-humancentric RFID and hence our methodological precedent is set here. The bulk of the remaining literature is newstype in nature and the absence of research frameworks is evident. The few exceptions to this include Woolnaugh [9] who conducted an interview and Murray [13] and Eng [3]who provide small case studies. In further criticism the news articles do not demonstrate technological trajectories but speculate on utopian implementations unlikely to be achieved by incremental development in the short to medium-term. Thus, any real value in these news articles can only be found in the documentation of events.

3. Research methodology

Several modes of academic inquiry were used in this study, though usability context analyses were the focal means of research. These analyses are similar to case studies as they investigate “a contemporary phenomenon within its real life context when the boundaries between phenomenon and context are not clearly evident” [26]. They also similarly use multiple sources of evidence, however are differentiated on the basis of the unit of analysis. In a usability context analysis methodology, units are not individuals, groups or organizations but are applications or application areas for a product, where ‘product’ is defined as “any interactive system or device designed to support the performance of users’ tasks” [27]. The results of multiple analyses are more convincing than a singular study, and the broad themes identified cover the major fields of current humancentric RFID development.

Further defining the research framework, the primary question to be answered – ‘what is the current state of application development in the field of humancentric RFID devices?’ – is justifiably exploratory. It entails investigation into contemporary technology usage and seeks to clarify boundaries within the research area. As such, this is a largely qualitative study that uses some elements of descriptive research to enhance the central usability context analyses. The usability context analyses are also supplemented by a discussion of surrounding social, legal and ethical ambiguities. By this means, the addition of a narrative analysis to the methodology ensures a thorough investigation of usage and context.

4. Usability context analysis: control

The usability context analysis for control is divided into three main sub-contexts – security, management, and social controls.

4.1. Security controls

The most basic security application involves controlling personal identification through identifying data stored on a transponder. In theory, the limit to the amount of information stored is subject only to the capacity of the embedded device or associated database. Further, being secured within the body, the loss of the identifier is near impossible even though, as has occurred in herd animals, there are some concerns over possible dislodgement. Accordingly, the main usability drawback lies with reading the information. Implanted identification is useless if it is inaccessible.

Numerous applications have been proposed to assist individuals who depend solely on carers for support. This group consists of newly-born babies, sufferers of mental illness, persons with disabilities and the elderly. One use involves taking existing infant protection systems at birthing centres and internalizing the RFID devices worn by newborns. This would aid in identifying those who cannot identify themselves. Further, when connected to security sensors and alarms, the technology can alert staff to the “unauthorized removal of children” [28]. The South Tyneside Healthcare Trust Trial in the UK is a typical external-use example case. Early in 1995, Eagle Tracer installed an electronic tagging system at the hospital using TIRIS electronic tags and readers from Texas Instruments. Detection aerials were hidden at exit points so that if any baby was taken away without authorisation, its identity would be known and an alarm raised immediately. The trial was so successful that the hospital was considering expanding the system to include the children’s ward. [29] Notably, a number of other institutions have already begun targeting RFID applications toward adolescents. In Japan students are being tagged in a bid to keep them safe. RFID transponders are being placed inside their backpacks and are used to advise parents when their child has arrived at school [30]. A similar practice is being conducted in California where children are being asked to “wear” RFID tags around their necks when on school grounds [31].

Commentators are using this lack of objection to external electronic tagging for minors to highlight the idea that a national identity system based on implants is not impossible. Some believe that there will come a time when it will be common for different groups in the population to have tags implanted at birth. In Britain, chip implantation was suggested for illegal immigrants, asylum seekers and even travellers. Smet [32] argued the following, “[i]f you look to our societies, we are already registered from birth until death. Our governments know who we are and what we are. But one of the basic problems is the numbers of people in the world who are not registered, who do not have a set identity, and when people move with real or fake passports, you cannot identify them.”

4.2. Management controls

Many smart card access systems use RFID technology to associate a cardholder with access permissions to particular locations. Replacing cards with RFID implants alters the form of the ‘key’ but does not require great changes to verification systems. This is because information stored on a RFID microchip in a smart card can be stored on an implanted transponder. Readers are similarly triggered when the transponder is nearby. This application would have greatest value in ‘mission critical’ workplaces or for persons whose role hinges upon access to a particular location. The implanted access pass has the added benefit of being permanently attached to its owner.

Access provision translates easily into employee monitoring. In making the implanted RFID transponder the access pass to certain locations or resources, times of access can be recorded to ensure that the right people are in the right place at the right time. Control in this instance then moves away from ideals of permission and embraces the notion of supervision. A company’s security policy may stipulate that staff badges be secured onto clothing or that employees must wear tags woven into their uniforms. Some employers require their staff to wear RFID tags in a visible location for both identification purposes and access control [33]. In this regard, Olivetti’s “active badge” was ahead of its time when it was first launched [34].

4.3. Social controls

In the military, transponders may serve as an alternative to dog tags. Using RFID, in addition to the standard name, rank and serial number, information ranging from allergies and dietary needs to shoe size can be stored. This purports to ease local administrative burdens, and can eliminate the need to carry identification documents in the field allowing for accurate, immediate identification of Prisoners-Of-War.

Just as humancentric applications of RFID exist for those who enforce law, so too do applications exist for people who have broken it. The concept of ‘electronic jails’ for low-risk offenders is starting to be considered more seriously. In most cases, parolees wear wireless wrist or ankle bracelets and carry small boxes containing the vital tracking technology. Sweden and Australia have implemented this concept and trials are taking place in the UK, US, Netherlands and Canada. In 2002, 27 American states had tested or were using some form of satellite surveillance to monitor parolees [14]. In 2005 there were an estimated 120,000 tracked parolees in the United States alone [35]. Whilst tagging low-risk offenders is not popular in many countries it is far more economical than the conventional jail. Social benefits are also present as there is a level of certainty involved in identifying and monitoring so-called ‘threats’ to society. In a more sinister scenario in South America, chip implants are marketed toward victims of crime rather than offenders. They are seen as a way “to identify kidnapping victims who are drugged, unconscious or dead” [36].

5. Usability context analysis: convenience

The usability context analysis for convenience is divided into three main sub-contexts – assistance, financial services and interactivity.

5.1. Assistance

Automation is the repeated control of a process through technological means. Implied in the process is a relationship, the most common of which involves linking an implantee with appropriate data. Such information in convenience contexts can however be extended to encompass goods or physical objects with which the implantee has an association of ownership or bailment. VeriChip for example, a manufacturer of human-implantable RFID transponders, have developed VeriTag for use in travel. This device allows “personnel to link a VeriChip subscriber to his or her luggage… flight manifest logs and airline or law enforcement software databases” [37]. Convenience is provided for the implantee who receives greater assurance that they and their luggage will arrive at the correct destination, and also for the transport operator who is able to streamline processes using better identification and sorting measures.

Advancing the notion of timing, a period of movement leads to applications that can locate an implantee or find an entity relative to them [38]. This includes “find me”, “find a friend”, “where am I” and “guide me to” solutions. Integrating RFID and GPS technologies with a geographic information systems (GIS) portal such as the Internet-based mapquest.com would also allow users to find destinations based on their current GPS location. The nature of this application lends itself toward roadside assistance or emergency services, where the atypical circumstances surrounding the service may mean that other forms of subscriber identification are inaccessible or unavailable.

5.2. Financial services

Over the last few decades, world economies have acknowledged the rise of the cashless society. In recent years though, alongside traditional contact cards, we have seen the emergence of alternate payment processes. In 2001, Nokia tested the use of RFID in its 5100-series phone covers, allowing the device to be used as a bank facility. RFID readers were placed at McDonalds drive-through restaurants in New York and the consumer could pay their bill by holding their mobile phone near a reader. The reader contacted a wireless banking network and payment was deducted from a credit or debit account. Wired News noted the convenience stating, “there is no dialing, no ATM, no fumbling for a wallet or dropped coins” [39]. These benefits would similarly exist with implanted RFID. Ramo has noted the feasibility, commenting that “in the not too distant future” money could be stored anywhere, as well as “on a chip implant under [the] skin” [40]. Forgetting your wallet would no longer be an issue.

It is also feasible that humancentric RFID eliminates the need to stand in line at a bank. Purely as a means of identification, the unique serial or access key stored on the RFID transponder can be used to prove identity when opening an account or making a transaction. The need to gather paper-based identification is removed and, conveniently, the same identification used to open the account is instantly available if questioned. This has similar benefits for automatic teller machines. When such intermediary transaction devices are fitted with RFID readers, RFID transponders have the ability to replace debit and credit cards. This is in line with Warwick’s prediction that implanted chips “could be used for money transfers, medical records, passports, driving licenses, and loyalty cards” [41].

5.3. Interactivity

On August 24, 1998 Professor Kevin Warwick became the first recorded human to be implanted with an RFID device. Using the transponder, Warwick was able to interact with the ‘intelligent’ building that he worked in. Over the nine days he spent implanted, doors formerly requiring smart card access automatically opened. Lights activated when Warwick entered a room and upon sensing the Professor’s presence his computer greeted him. Warwick’s ‘Project Cyborg 1.0’ experiment thus showed enormous promise for humancentric convenience applications of RFID. The concept of such stand-alone applications expands easily into the development of personal area networks (PANs) and the interactive home or office. With systems available to manage door, light and personal computer preferences based on transponder identification, further climate and environmental changes are similarly exploitable (especially considering non-humancentric versions of these applications already exist) [42].

Given the success of interacting with inanimate locations and objects, the next step is to consider whether person-to-person communication can be achieved using humancentric RFID. Such communication would conveniently eliminate the need for intermediary devices like telephones or post. Answering this question was an aim of ‘Project Cyborg 2.0’ with Warwick writing, “We’d like to send movement and emotion signals from one person to the other, possibly via the Internet” [43]. Warwick’s wife Irena was the second trial subject, being similarly fitted with an implant in her median nerve. Communicating via computer-mediated signals was only met with limited success however. When Irena clenched her fist for example, Professor Warwick received a shot of current through his left index finger [44]. Movement sensations were therefore effectively, though primitively, transmitted.

6. Usability context analysis: care

The usability context analysis for care is divided into three main sub-contexts – medical, biomedical and therapeutic.

6.1. Medical

As implanted transponders contain identifying information, the storage of medical records is an obvious, and perhaps fundamental, humancentric care application of RFID. Similar to other identification purposes, a primary benefit involves the RFID transponder imparting critical information when the human host is otherwise incapable of communicating. In this way, the application is “not much different in principle from devices… such as medic-alert bracelets” [16]. American corporation VeriChip markets their implantable RFID device for this purpose. Approved for distribution throughout the United States in April of 2002, it has been subject to regulation as a medical device by the Food and Drug Administration since October of the same year.

Care-related humancentric RFID devices provide unparalleled portability for medical records. Full benefit cannot be gained without proper infrastructure however. Though having medical data instantly accessible through implanted RFID lends itself to saving lives in an emergency, this cannot be achieved if reader equipment is unavailable. The problem is amplified in the early days of application rollout, as the cost of readers may not be justified until the technology is considered mainstream. Also, as most readers only work with their respective proprietary transponders, questions regarding market monopolies and support for brand names arise.

6.2. Biomedical

A biosensor is a device which “detects, records, and transmits information regarding a physiological change or the presence of various chemical or biological materials in the environment” [45]. It combines biological and electronic components to produce quantitative measurements of biological parameters, or qualitative alerts for biological change. When integrated with humancentric RFID, biosensors can transmit source information as well as biological data. The time savings in simultaneously gathering two distinct data sets are an obvious benefit. Further, combined reading of the biological source and measurement is less likely to encounter the human error linked with manually correlating data to data sources.

Implantable transponders allowing for the measurement of body temperature have been used to monitor livestock for over a decade [25]. As such, the data procurement benefits are well known. It does however give a revolutionary new facet to human care by allowing internal temperature readings to be gained, post-implantation, through non-invasive means. In 1994 Bertrand Cambou, director of technology for Motorola’s Semiconductor Products in Phoenix, predicted that by 2004 all persons would have such a microchip implanted in their body to monitor and perhaps even control blood pressure, their heart rate, and cholesterol levels.[46] Though Cambou’s predictions did not come to timely fruition, the multitude of potential applications are still feasible and include: chemotherapy treatment management; chronic infection or critical care monitoring; organ transplantation treatment management; infertility management; post-operative or medication monitoring; and response to treatment evaluation. Multiple sensors placed on an individual could even form a body area network (BAN).

An implantable RFID device for use by diabetes sufferers has been prototyped by biotechnology firm M-Biotech. The small glucose bio-transponder consisting of a miniature pressure sensor and a glucose-sensitive hydrogel swells “reversibly and to varying degrees” when changes occur in the glucose concentrations of surrounding fluids [47]. Implanted in the abdominal region, a wireless alarm unit carried by the patient continually reads the data, monitoring critical glucose levels.

6.3. Therapeutic

Implanted therapeutic devices are not new; they have been used in humans for many years. Alongside the use of artificial joints for example, radical devices such as pacemakers have become commonplace. The use of RFID with these devices however has re-introduced some novelty to the remedial solution [48]. This is because, while the therapeutic devices remain static in the body, the integration of RFID allows for interactive status readings and monitoring, through identification, of the device.

There are very few proven applications of humancentric RFID in the treatment usability sub-context at current if one puts cochlear implants [49] and smart pills aside [50]. Further, of those applications at the proof of concept stage, benefits to the user are generally gained via an improvement to the quality of living, and not a cure for disease or disability. With applications to restore sight to the blind [51] and re-establish normal bladder function for patients with spinal injuries already in prototyped form however, some propose that real innovative benefit is only a matter of time [52]. Arguably the technology for the applications already exists. All that needs to be prototyped is a correct implementation. Thus, feasibility is perhaps a matter of technological achievement and not technological advancement.

7. Findings

The choice of control, convenience and care contexts for analysis stemmed from the emergence of separate themes in the literature review; however the context analyses themselves showed much congruence between application areas. In all contexts, identification and monitoring are core functions. For control, this functionality exists in security and in management of access to locations and resources. For convenience, identification necessarily provides assistance and monitoring supports interactivity with areas and objects. Care, as the third context, requires identification for medical purposes and highlights biological monitoring as basic functionality.

Table 1. High level benefits and costs for humancentric RFID

With standard identification and monitoring systems as a basis, it is logical that so many humancentric applications of RFID have a mass target market. Medical identification for example is not solely for the infirm because, as humans, we are all susceptible to illness. Similarly, security and convenience are generic wants. Combined with similarities between contextual innovations, mass-market appeal can lead to convergence of applications. One potential combination is in the area of transportation and driver welfare. Here the transponder of an implanted driver could be used for keyless passive entry (convenience), monitoring of health (care), location based services (convenience), roadside assistance (convenience) and, in terms of fleet management or commercial transportation, driver monitoring (control).

Despite parallels and a potential for convergence, development contexts for humancentric RFID are not equal. Instead, control is dominant. Though care can be a cause for control and medical applications are convenient, it is control which filters through other contexts as a central tenet. In convenience applications, control is in the power of automation and mass management, in the authority over environments and devices. For care applications, medical identification is a derivative of identification for security purposes and the use of biosensors or therapeutic devices extends control over well-being. Accordingly, control is the overriding theme encompassing all contexts of humancentric RFID in the current state of development [53].

Alongside the contextual themes encapsulating the usability contexts are the corresponding benefits and costs in each area (Table 1). When taking a narrow view it is clear that many benefits of humancentric RFID are application specific. Therapeutic implants for example have the benefit of the remedy itself. Conversely however, a general concern of applications is that they are largely given to social disadvantages including the onset of religious objections and privacy fears.

7.1. Application quality and support for service

For humancentric RFID, application quality depends on commercial readiness. For those applications being researched, the usability context analyses suggest that the technology, and not the applications, present the largest hurdle. In his Cyborg 1.0 experiments for example, Professor Kevin Warwick kept his transponder implanted for only nine days, as a direct blow would have shattered the glass casing, irreparably damaging nerves and tissue.

Once technological difficulties are overcome and applications move from proof of concept into commercialization, market-based concerns are more relevant. Quality of data is a key issue. In VeriChip applications, users control personal information that is accessible, though stored in the Global VeriChip Subscriber Registry database, through their implanted transponder. The system does not appear to account for data correlation however, and there is a risk of human error in information provision and in data entry. This indicates the need for industry standards, allowing a quality framework for humancentric RFID applications to be created and managed.

Industry standards are also relevant to support services. In humancentric applications of RFID they are especially needed as much usability, adjunct to the implanted transponder, centers upon peripherals and their interoperability. Most proprietary RFID readers for instance can only read data from similarly proprietary transponders. In medical applications though, where failure to harness available technology can have dramatic results, an implantee with an incompatible, and therefore unreadable, transponder is no better off for using the application. Accordingly, for humancentric RFID to realize its promotion as ‘life-enhancing’, standards for compatibility between differently branded devices must be developed.

Lastly, the site of implantation should be standardized as even if an implanted transponder is known to exist, difficulties may arise in discerning its location. Without a common site for implantation finding an implanted RFID device can be tedious. This is disadvantageous for medical, location-based or other critical implementations where time is a decisive factor in the success of the application. It is also a disadvantage in more general terms as the lack of standards suggests that though technological capability is available, there is no social framework ready to accept it.

7.2. Commercial viability for the consumer

A humancentric application of RFID must satisfy a valid need to be considered marketable. This is especially crucial as the source of the application, the transponder, requires an invasive installation and, afterwards, cannot be easily removed. Add to this that humancentric RFID is a relatively new offering with few known long-term effects, and participation is likely to be a highly considered decision. Thus, despite many applications having a mass target market, the value of the application to the individual will determine boundaries and commercial viability.

Value is not necessarily cost-based. Indeed, with the VeriChip sold at a cost of $US200 plus a $10 per month service fee, it is not being marketed as a toy for the elite. Instead, value and application scope are assessed in terms of life enhancement. Therapeutic devices for example provide obvious remedial benefit, but the viability of a financial identification system may be limited by available infrastructure.

Arguably, commercial viability is increased by the ability of one transponder to support multiple applications. Identification applications for example are available in control, convenience and care usability contexts. The question arises however, as to what occurs when different manufacturers market largely different applications? Where no real interoperability exists for humancentric RFID devices, it is likely that users must be implanted with multiple transponders from multiple providers. Further, given the power and processing constraint of multi-application transponders in the current state of development, the lack of transponder portability reflects negatively on commercial viability and suggests that each application change or upgrade may require further implantation and bodily invasion.

7.3. Commercial viability for the manufacturer

Taking VeriChip as a case study, one is led to believe that there is a commercially viable market for humancentric applications of RFID. Indeed, where the branded transponder is being sold in North and South America, and has been showcased in Europe [54], a global want for the technology is suggested. It must be recognized, however, that in the current state of development VeriChip and its parent, Applied Digital Solutions have a monopoly over those humancentric RFID devices approved for use. As such, their statistics and market growth have not been affected by competition and there is no comparative data. The difference between a successful public relations campaign and reality is therefore hard to discern.

Interestingly, in non-humancentric commercial markets, mass rollouts of RFID have been scaled back. Problems have arisen specifically in animal applications. The original implementation of the 1996 standards, ISO 11784: ‘Radio-frequency identification of animals – Code structure’ and ISO 11785: ‘Radio-frequency identification of animals – Technical concept’ for example, were the subject of extensive complaint [55]. Not only did the standards not require unique identification codes, they violated the patent policy of the International Standards Organization. Even after the ISO standards were returned to the SC19 Working Group 3 for review, a general lack of acceptance equated to limited success. Moreover, moves have now been made to ban the use of implantable transponders in herd animals. In a high percentage of cases the transponder moved in the fat layer, raising concerns that it might be later consumed by humans. Further, the meat quality was degraded as animals sensing the existence of an implanted foreign object produced antibodies to ‘attack’ it [18].

8. Discussion

8.1. Personal privacy

Given its contactless nature and non-line-of-sight (nLoS) capability, RFID has the ability to automatically collect a great deal of data about an individual in a covert and unobtrusive way. Hypothetically, a transponder implanted within a human can communicate with any number of readers it may pass in any given day. This opens up a plethora of possibilities, including the ability to link data based on a unique identifier (i.e. the chip implant), to locate and track an individual over time, and to look at individual patterns of behaviour. The severity of violations to personal privacy increase as data collected for one purpose is linked with completely separate datasets gathered for another purpose. Consider the use of an implant that deducts programmed payment for road tolls as you drive through sensor-based stations. Imagine this same data originally gathered for traffic management now being used to detect speeding and traffic infringements, resulting in the automatic issue of a fine. Real cases with respect to GPS and fleet management have already been documented. Kumagi and Cherry [56] describe how one family was billed an “out-of-state penalty” by their rental company based on GPS data that was gathered for a completely different reason. Stanford [57] menacingly calls this a type of data use “scope creep” while Papasliotis [58] more pleasantly deems it “knowledge discovery”.

These notions of ‘every-day’ information gathering, where an implantee must submit to information gathering practices in return for access to services, offends the absolutist view of privacy and “an individual [having] the right to control the use of his information in all circumstances” [59]. Indeed, given their implantation beneath the skin, the very nature of humancentric transponders negates the individual’s ability to ‘control’ the device and what flows from it. Not only do the majority of consumers lack the technical ability to either embed or remove implants but they naturally lack the ability to know when their device is emitting data and when it is not. There is also a limited understanding of what information ‘systems’ are actually gathering. This becomes a greater danger when we note that laws in different jurisdictions provide little restraint on the data mining of commercial databases by commercial entities. In this instance, there would be little to stop RFID service providers from mining data collected from their subscribers and on-selling it to other organisations.

Moreover, even where ethical data usage is not questioned, intellectual property directives in Europe may hamper the promise of some service providers to keep consumer data private. According to Papasliotis [58] “… the proposed EU Intellectual Property (IP) Enforcement Directive includes a measure that would make it illegal for European citizens to de-activate the chips in RFID tags, on the ground that the owner of the tag has an intellectual property right in the chip. De-activating the tag could arguably be treated as an infringement of that right”.

8.2. Data security

Relevant approaches to RFID security in relation to inanimate objects have been discussed in the literature. Gao [60] summarises these methods as “killing tags at the checkout, applying a rewritable memory, physical tag memory separation, hash encryption, random access hash, and hash chains”. Transponders that are embedded within the body pose a different type of data security requirement though. They are not in the body so they can be turned off, this being a circumvention of the original purpose of implantation. Instead, they are required to provide a persistent and unique identifier. In the US however, also thwarting an original purpose, a study has shown that some RFID transponders are capable of being cloned, meaning the prospect of fraud or theft may still exist [61]. One possibility, as proposed by Perakslis and Wolk [22], is the added security of saving an individual’s feature vector onboard the RFID chip. Biometrics too, however, is fraught with its own problems [62]. Despite some moves in criminal justice systems, it is still controversial to say that one’s fingerprint or facial image should be held on a public or private database.

Unfortunately, whatever the security, researchers like Stanford believe it is a “virtual certainty” that tags and their respective systems “will be abused” by some providers [57]. Here, the main risk for consumers involves third parties gaining access to personal data without prior notice. To this end, gaining and maintaining the trust of consumers is essential to the success of the technology. Mature trust models need to be architected and implemented, but more importantly they need to be understood outside of an academic context. Though it is important that trust continues to grow as an area of study within the e-commerce arena, it will be the practical operation of oversight companies like VeriSign in these early days of global information gathering which will allow consumers to create their own standards and opinions.

Outside of clear ethical concerns regarding third-party interests in information, another temptation for service providers surrounds the use of data to target individual consumer sales in value-added services and service-sets relying on location information. Though not an extreme concern in itself, we note that any such sales will face the more immediate concern of deciding on a secure and standard location for implants. For now live services place the implant in the left or right arm but the problems with designating such a zone surround the possibility of exclusion. What if the consumer is an amputee or has prosthetic limbs? Surely the limited space of the human body means that certain things are possible, while others are not. Thus, recognizing the limitations of the human body, will service providers brand transponders and allow multifunctional tags for different niche services? Which party then owns the transponder? The largest service provider, the government or agency acting as an issuer, or the individual? Who is responsible for accuracy and liable for errors? And more importantly, who is liable for break-downs in communication when services are unavailable and disaster results?

8.3. Ethical considerations

Molnar and Wagner [63] ask the definitive question “[i]s the cost of privacy and security “worth it”?” Stajano [64] answers by reminding us that, “[t]he benefits for consumers remain largely hypothetical, while the privacy-invading threats are real”. Indeed, when we add to privacy concerns the unknown health impacts, the potential changes to cultural and social interaction, the circumvention of religious and philosophical ideals, and a potential mandatory deployment, then the disadvantages of the technology seem almost burdensome. For the present, proponents of emerging humancentric RFID rebuke any negatives “under the aegis of personal and national security, enhanced working standards, reduced medical risks, protection of personal assets, and overall ease-of-living” [22]. Unless there are stringent ethical safeguards however, there is a potential for enhanced national security to come at the cost of freedom, or for enhanced working standards to devalue the importance of employee satisfaction. The innovative nature of the technology should not be cause to excuse it from the same “judicial or procedural constraints which limit the extent to which traditional surveillance technologies are permitted to infringe privacy” [58].

Garfinkel et al. [61] provide a thorough discussion on key considerations in their paper. Though their main focus is on users of RFID systems and purchasers of products containing RFID tags, the conclusions drawn are also relevant to the greater sphere of humancentric RFID. Firstly, Garfinkel et al. begin by stipulating that a user has the right to know if the product they have purchased contains an RFID tag. In the current climate of human transponder implant acceptance, it is safe to assume that an individual who has requested implantation knows of their implant and its location. But, does the guardian of an Alzheimer’s patient or adult schizophrenic, have the right to impose an implant on behalf of the sufferer for monitoring or medical purposes [65]?

Secondly, the user has the right to have embedded RFID tags “removed, deactivated, or destroyed” [61] at or after purchase. Applied to humancentric implantation, this point poses a number of difficulties. The user cannot remove the implant themselves without some physical harm, they have no real way of finding out whether a remaining implant has in fact been ‘deactivated’, and destroying an implant without its removal from the body implies some form of amputation. Garfinkel et al.’s third ethical consideration is that an individual should have alternatives to RFID. In the embedded scenario users should then also have to ability to opt-in to new services and opt-out of their current service set as they see fit. Given the nature of RFID however, there is little to indicate the success or failure of a stipulated user requested change, save for a receipt message that may be sent to a web client from the server. Quite possibly the user may not be aware that they have failed to opt out of a service until they receive their next billing statement.

The fourth notion involves the right to know what information is stored on the RFID transponder and whether or not this information is correct, while the fifth point is “the right to know when, where and why a RFID tag is being read” [61]. This is quite difficult to exercise, especially where unobtrusiveness is considered a goal of the RFID system. In the resultant struggle between privacy, convenience, streamlining and bureaucracy, the number of times RFID transponders are triggered in certain applications may mean that the end-user is bombarded with a very long statement of transactions.

8.4. The privacy fear and the threat of totalitarianism?

Mark Weiser, the founding father of ubiquitous computing, once said that the problem surrounding the introduction of new technologies is “often couched in terms of privacy, [but] is really one of control” [59]. Indeed, given that humans do not by nature trust others to safeguard our own individual privacy, in controlling technology we feel we can also control access to any social implications stemming from it. At its simplest, this highlights the different focus between the end result of using technology and the administration of its use. It becomes the choice between the idea that I am given privacy and the idea that I control how much privacy I have. In this regard, privacy is traded for service.

Fig. 1. The privacy-security trade-off.

What some civil libertarians fear beyond privacy exchange though is a government-driven mandatory introduction of invasive technologies based on the premise of national security. While the safety and security argument has obviously paved the way for some technologies in response to the new environment of terrorism and identity fraud [38], there is now a concern that further advancements will begin to infringe on the freedoms that security paradigms were originally designed to protect. For invasive technology like humancentric RFID, the concerns are multiplied as the automated nature of information gathering means that proximity to a reader, and not personal choice, may often be the only factor in deciding whether or not a transponder will be triggered. Though most believe that government-imposed mandatory implantation is a highly unlikely outcome of advancements in humancentric RFID, it should be recognised that a voluntary implantation scheme offers negligible benefits to a government body given the incompleteness of the associated data set. This is equally true of private enterprises that mandate the use of transponders in employees, inmates or other distinct population groups.

Where the usability context of control then becomes the realm of government organizations and private enterprise, RFID regulation is increasingly important. Not only is regulation necessary for ensuring legitimacy in control-type applications, it is also needed to prevent the perversion of convenience and care-related uses. For example, many of those implanted with RFID transponders today might consider them to be life-saving devices and the service-oriented nature of these applications means they must clearly remain voluntary (Table 2). If the data collected by the device was also to be used for law enforcement or government surveillance purposes however, users may think twice about employing the technology. In regulating then we do not want to allow unrestricted deployment and unparalleled capabilities for commercial data mining, but nor should we allow a doomsday scenario where all citizens are monitored in a techno-totalitarian state [61]. Any scope for such design of regulations must be considered in light of the illustrated privacy/security trade-off (Fig. 1). Taking any two vertices of the government – service provider – consumer triangle, privacy or security (which can often be equated with ‘control’) will always be traded in relation to the third vertex. For example, where we combine government and service providers in terms of security regulations and the protection of national interests, the consumer is guaranteed to forgo certain amounts of privacy. Similarly, where we combine government and the consumer as a means of ensuring privacy for the individual, the service provider becomes limited in the control it holds over information gathered (if indeed it is still allowed to gather information).

Table 2. Mapping contexts to the environment

9. Conclusion

In the current state of humancentric development, stand-alone applications exist for control, convenience and care purposes, but as control is the dominant context its effects can be seen in other application areas. Applications are also influenced by power and processing confines, and as such, many functions have simple bases in identification or monitoring. Application usage is made more complex however, as a need for peripherals (including readers and information storage systems) is restrained by a lack of industry standards for interoperability. Though the technology has been deemed feasible in both research and commercially approved contexts, the market for humancentric applications of RFID is still evolving. Initial adoption of the technology has met with some success but, as research continues into humancentric applications of RFID, the market is still too niche for truly low-cost, high-quality application services. Any real assessment of the industry is further prejudiced by commercial monopoly and limited research into the long-term effects of use. Coupled with security and privacy concerns, then the long-term commercial viability for humancentric applications of RFID is questionable. In the short- to medium-term, adoption of humancentric RFID technology and use of related applications will be hindered by a lack of infrastructure, a lack of standards, not only as to interoperability but also as to support for service and transponder placement, and the lack of response from developers and regulators to mounting ethical dilemmas.

References

[1] D. Icke, Has the old ID card had its chips? Soldier Magazine (2001)

[2] Applied Digital Solutions, Applied Digital Solutions Announces Working Prototype of Subdermal GPS Personal Location Device, Press Release, April 13, 2003.

[3] P. Eng, I Chip? ABC News.com, March 1, 2002.

[4] C. Murray, Injectable chip opens door to human bar code, EETimes, January 7, 2002. Available from: <http://www.eetimes.com/story/OEG20020104S0044>.

[5] J. Wilson, Girl to get tracker implant to ease parents’ fears, the guardian. Available from: <http://www.guardian.co.uk/Print/0,3858,4493297,00.html>.

[6] J. Sanchez-Klein, And Now For Something Completely Different, PC World Online, August 27, 1998. Available from: ProQuest.

[7] S. Witt, Professor Warwick Chips In, Computerworld, 33 (2) (1999), pp. 89-90

[8] K. Warwick, Cyborg 1.0, Wired Magazine 8.02, February 2000. Available from: <http://www.wired.com/wired/archive/8.02/warwick.html>.

[9] R. Woolnaugh, A man with a chip in his shoulder, Computer Weekly [Online], June 29, 2000. Available from: Expanded Academic Index.

[10] C. Holden, Hello Mr Chip, Science [Online], March 23. 2001. Available from: ProQuest.

[11] G. Vogel, Part Man, Part Computer, Science [Online], 295 (5557), February 8, 2002, p. 1020. Available from: Expanded Academic Index.

[12] R. Kobetic et al., Implanted functional electrical simulation system for mobility in paraplegia: a follow-up case report, IEEE Transactions on Rehabilitation Engineering [Online], December, 1999. Available from: ProQuest.

[13] C. Murray, Prodigy seeks out high-tech frontiers, Electronic Engineering Times [Online], February 25, 2002. Available from: ProQuest.

[14] J. Black, Roll up your sleeve – for a chip implant, Business Week Magazine [Online], March 21, 2002. Available from: <http://www.businessweek.com/bwdaily/dnflash/mar2002/nf20020321_1025.htm>.

[15] L. Grossman, Meet The Chipsons, Time New York, 159 (10) (2002), pp. 56-57

[16] B. Gengler, Chip implants become part of you, The Australian, September 10, 2002.

[17] K. Michael, The technological trajectory of the automatic identification industry, Ph.D. Thesis, School of Information Technology and Computer Science, University of Wollongong, Australia, 2003.

[18] A. Masters, Humancentric applications of RFID, BInfoTech (Hons) Thesis, School of Information Technology and Computer Science, University of Wollongong, Australia, 2003.

[19] K. Michael, M.G. Michael, Microchipping people: the rise of the electrophorus Quadrant, 414 (2005), pp. 22-33

[20] L. Perusco, K. Michael, Humancentric Applications of Precise Location-Based Services, IEEE Conference on e-Business Engineering, IEEE Computer Society, Washington (2005), pp. 409–418

[21] K. Johnston, RFID transponder implants: a content analysis and survey, BInfoTech (Hons) Thesis, School of Information Technology and Computer Science, University of Wollongong, Australia, 2005.

[22] C. Perakslis, R. Wolk, Social acceptance of RFID as a biometric security method, in: Proceedings of the IEEE Symposium on Technology and Society, 2005, pp. 79–87.

[23] J. Gerdeman, Radio frequency identification application 2000, North Carolina, USA, 1995.

[24] K. Finkinzeller, RFID Handbook: Radio-Frequency Identification Fundamentals and Applications, England, 2001.

[25] R. Geers et al., Electronic Identification, Monitoring and Tracking of Animals, United Kingdom, 1997.

[26] R. Yin, The case study method as a tool for doing evaluation, Current Sociology, 40 (1) (1998), p. 123

[27] C. Thomas, N. Bevan, Usability Context Analysis: A Practical Guide, Middlesex, UK, 1996.

[28] Vxceed Technologies, RFID Technology, 2003. Available from: <http://www.vxceed.com/developers/rfid.asp>.

[29] Automatic ID News, Radio Frequency Identification (RF/ID), 1998. Available from: <http://www.autoidenews.com/technologies/concepts/rfdcintro.htm>.

[30] K. Hall, Students tagged in bid to keep them safe, The Japan Times, 2004. Available from: <http://search.japantimes.co.jp/print/news/nn10-2004/nn20041014f2.htm>.

[31] M. Wood, RFID: Bring It On, CNET.com, 2005. Available from: <http://www.cnet.com/4520-6033_1-6223038.html>.

[32] M. Hawthorne, Refugees meeting hears proposal to register every human in the world, Sydney Morning Herald [Online], 2001. Available from: <http://www.iahf.com/other/20011219.html>.

[33] D.B. Kitsz, Promises and problems of RF identification, in: R. Ames (Ed.), Perspectives on Radio Frequency Identification: What is it, Where is it going, Should I be Involved? Van Nostrand Reinhold, New York, pp. 1-19–1-27.

[34] R. Want, et al.The Active Badge Location System, ACM Transactions on Information Systems, 10 (1) (1992), pp. 91-102

[35] W. Saletan, Call my cell, Slate Magazine, May, 2005. Available from: http://slate.msn.com/id/2118117.

[36] J. Scheeres, Politician wants to get chipped, Wired News, February 15, 2002. Available from: <http://www.wired.com/news/print/0,1294,50435,00.html>.

[37] Applied Digital Solutions, Protected by VeriChip™ – Awareness Campaign Continues – VeriChip To Exhibit At Airport Security Expo in Las Vegas, Press Release, July 2, 2002.

[38] K. Michael, A. Masters, Realised applications of positioning technologies in defense intelligence, in: H. Abbass, D. Essam (Eds.), Applications of Information Systems to Homeland Security and Defense, IDG Press, pp. 167–195.

[39] L. Nadile, Call Waiting: A Cell Phone ATM, Wired News. Available from: <http://www.wired.com/news/business/0,1367,41023,00.html>.

[40] J.C. Ramo, The Big Bank Theory and what it says about the future of money, Time, April 27, 1998, pp. 46–55.

[41] S. Dennis, UK Professor Implants Chip, Turns Himself Into Cyborg, Newsbytes, 1998. Available from: <http://www.newsbytes.com/pubNews/110782.html>.

[42] Texas Instruments, Loyally Yours, TIRIS News, 1997. Available from: <http://www.ti.com/tiris/docs/manuals/RFIDNews/Tiris_NL17>.

[43] K. Warwick, Project Cyborg 2.0. Available from: <http://www.rdg.ac.uk/KevinWarwick/html/project_ cyborg_2_0.html>.

[44] W. Underhill, Merging Man and Machine, Newsweek [Online], October 14, 2002. Available from: Expanded Academic Index.

[45] T. Seneadza, Biosensors – A Nearly Invisible Sentinel, Technically Speaking, July 21, 2003. Available from: <http://tonytalkstech.com/archives/000231.php>.

[46] P.L. Harrison, The Body Binary, Popular Science, October, 1994. Available from: <http://www.newciv.org/nanomius/tech/implants>.

[47] M-Biotech: Biosensor Technology. M-Biotech Salt Lake City, 2003. Available from: <http://www.m-biotech.com/technology1.html>.

[48] IEEE, Biomimetic Systems: Implantable, Sophisticated, and Effective. IEEE Engineering in Medicine and Biology 24(5) Sept/Oct (2005).

[49] Cochlear, Nucleus 24 Cochlear Implant, 1999. Available from: <http://www.Cochlear.com/euro/nucleussystems/ci24m.html>.

[50] Sun-Sentinel, The Smart Pill, Sun-Sentinel News: The Edge, 2003. Available from: <http://www.sun-sentinel.com/graphics/news/smartpill>.

[51] J. Rizzo, J. WyattProspects for a visual prosthesis, The Neuroscientist, 3 (4) (1997) Available from: http://rleweb.mit.edu/retina/a2.page1.html

[52] G.T.A. Kovacs, The nerve chip: technology development for a chronic neural interface, Stanford University, 1997. Available from <http://guide.stanford.edu.ezproxy.uow.edu.au/publications/dev4.html>.

[53] K. Michael, A. Masters, Applications of human transponder implants in mobile commerce, in: Proceedings of the Eighth World Multiconference on Systemics, Cybernetics and Informatics, Florida, vol. 5, 2004, pp. 505–512.

[54] Applied Digital Solutions, Press Release VeriChip™ Subdermal Personal Verification Microchip To Be Featured At IDTechex Smart Tagging In Healthcare, Conference in London, April 28–29, 2003.

[55] RFID News, International Standards Organization Returns RFID Standard For Animal Use To Working Group For Major Revisions, RFID News, 2002. Available from: <http://www.rfidnews.com/returns.html>.

[56] J. Kumagi, S. CherrySensors and sensibility, IEEE Spectrum, 41 (7) (2004), pp. 22-26, 28

[57] V. StanfordPervasive computing goes that last hundred feet with RFID Systems, IEEE Pervasive Computing, 2 (2) (2003), pp. 9-14

[58] I.-E. Papasliotis, Information technology: mining for data and personal privacy: reflections on an impasse, in: Proceedings of the 4th International Symposium on Information and Communication Technologies, 2004, pp. 50–56.

[59] O. Günther, S. Spiekermann, Tagging the world: RFID and the perception of control Communications of the ACM, 48 (9) (2005), p. 74

[60] X. Gao, et al.An approach to security and privacy of RFID system for supply chain, IEEE International Ecommerce Technology for Dynamic e-Business. (2004), pp. 164-168

[61] S.L. Garfinkel, A. Juels, R. Pappu, RFID privacy: an overview of problem and proposed solutions, IEEE Security and Privacy Magazine, 3 (3) (2005), pp. 38-43

[62]J.D. Woodward, Biometrics: privacy’s foe or privacy’s friend? Proceedings of the IEEE, 85 (9) (1997), pp. 1480-1492

[63] D. Molnar, D. Wagner, Privacy: privacy and security in library RFID: issues, practices, and architectures, in: Proceedings of the 11th ACM Conference on Computer and Communications Security, 2004, p. 218.

[64] F. Stajano, Viewpoint: RFID is X-ray vision, Communications of the ACM, 48 (9) (2005), p. 31

[65] J.E. Dobson, P.F. Fisher, Geoslavery, IEEE Technology and Society Magazine, 22 (1) (2003), p. 47

Keywords: Radio-frequency identification, Transponders, Chip implants, Humancentric applications, Usability context analysis, Location tracking, Personal privacy, Data security, Ethics

Citation: Amelia Masters and Katina Michael, "Lend me your arms: The use and implications of humancentric RFID, Electronic Commerce Research and Applications, Vol. 6, No. 1, Spring 2007, Pages 29-39, DOI: https://doi.org/10.1016/j.elerap.2006.04.008