Be Vigilant: There Are Limits to Veillance

The Computer After Me: Awareness and Self-Awareness in Autonomic Systems

Chapter 13: Be Vigilant: There Are Limits to Veillance

This image was taken from the BioShock video game series or from websites created and owned by 2K Games, the copyright of which is held by Take-Two Interactive Software, Inc.

Katina Michael, M. G. Michael, Christine Perakslis

The following sections are included:

  • Introduction

  • From Fixed to Mobile Sensors

  • People as Sensors

  • Enter the Veillances

    • Surveillance

    • Dataveillance

    • Sousveillance

    • Überveillance

  • Colliding Principles

    • From ‘drone view’ to ‘person view’

    • Transparency and open data

    • Surveillance, listening devices and the law

    • Ethics and values

    • The unintended side effects of lifelogging

    • Pebbles and shells

    • When bad is good

    • Censorship

  • Summary and Conclusions: Mind/Body Distinction

13.1 Introduction

Be vigilant; we implore the reader. Yet, vigilance requires hard mental work (Warm et al., 2008). Humans have repeatedly shown evidence of poor performance relative to vigilance, especially when we are facing such factors as complex or novel data, time pressure, and information overload (Ware, 2000). For years, researchers have investigated the effect of vigilance, from the positive impact of it upon the survival of the ground squirrel in Africa to its decrement resulting in the poor performance of air traffic controllers. Scholars seem to agree: fatigue has a negative bearing on vigilance.

In our society, we have become increasingly fatigued, both physically and cognitively. It has been widely documented that employees are in­creasingly faced with time starvation, and that consequently self-imposed sleep deprivation is one of the primary reasons for increasing fatigue, as employees forego sleep in order to complete more work (see, for example, the online publications by the Society of Human Resources1 and the Na­tional Sleep Foundation2). Widespread access to technology exacerbates the problem, by making it possible to stay busy round the clock.

Our information-rich world which leads to information overload and novel data, as well as the 24/7/365 connectivity which leads to time pressure, both contribute to fatigue and so work against vigilance. However, the lack of vigilance, or the failure to accurately perceive, identify, or an­alyze bona fide threats, can lead to serious negative consequences, even a life-threatening state of affairs (Capurro, 2013).

This phenomenon, which can be termed vigilance fatigue, can be brought about by four factors:

·       Prolonged exposure to ambiguous, unspecified, and ubiquitous threat information.

·       Information overload.

·       Overwhelming pressure to maintain exceptional, error-free per­formance.

·       Faulty strategies for structuring informed decision-making under con­ditions of uncertainty and stress.

Therefore, as we are asking the reader to be vigilant in this transformative – and potentially disruptive transition toward – the ‘computer after me’, we feel obligated to articulate clearly the potential threats associated with veillance. We believe we must ask the challenging and unpopular questions now. We must disclose and discuss the existence of risk, the values at stake, and the possibility of harm related to veillance. We owe it to the reader in this world of increasing vigilance fatigue to provide unambiguous, specified threat information and to bring it to their attention.

13.2 From Fixed to Mobile Sensors

Embedded sensors have provided us with a range of benefits and conve­niences that many of us take for granted in our everyday life. We now find commonplace the auto-flushing lavatory and the auto-dispensing of soap and water for hand washing. Many of these practices are not only conve­nient but help to maintain health and hygiene. We even have embedded sensors in lamp-posts that can detect on-coming vehicles and are so energy efficient that they turn on as they detect movement, and then turn off again to conserve resources. However, these fixtures are static; they form basic infrastructure that often has ‘eyes’ (e.g. an image and/or motion sensor), but does not have ‘legs’.

What happens when these sensors – for identification, location, condi­tion monitoring, point-of-view (POV) and more – become embeddable in mobile objects and begin to follow and track us everywhere we go? Our vehicles, tablets, smart phones, and even contactless smart cards are equipped to capture, synthesize, and communicate a plethora of information about our behaviors, traits, likes and dislikes, as we lug them around everywhere we go. Automatic licence plate scanners are mounted not only in street­lights or on bridges, but now also on patrol cars. These scanners snap photos of automobiles passing and store such data as plate numbers, times, and locations within massive databases (Clarke, 2009). Stores are combin­ing the use of static fixtures with mobile devices to better understand the psychographics and demographics of their shoppers (Michael and Clarke, 2013). The combination of these monitoring tools is powerful. Cell phone identifiers are used to track the movements of the customers (even if the customer is not connected to the store’s WiFi network), with the surveillance cameras collecting biometric analytics to analyze facial expressions and moods. Along with an augmented capability to customize and person­alize marketing efforts, the stores can identify how long one tarries in an aisle, the customer’s reaction to a sale item, the age of the shopper, and even who did or did not walk by a certain display.

The human has now become an extension (voluntarily or involuntarily) of these location-based and affect-based technological breakthroughs; we the end-users are in fact the end-point of a complex network of net­works. The devices we carry take on a life of their own, sending binary data up and down stream in the name of better connectivity, awareness, and ambient intelligence. ‘I am here’, the device continuously signals to the nearest access node, handshaking a more accurate location fix, as well as providing key behavioral indicators which can easily become predictors of future behaviors. However, it seems as if we, as a society, are rapidly in de­mand of more and more communications technology – or so that is the idea we are being sold. Technology has its many benefits: few people are out of reach now, and communication becomes easier, more personalized, and much more flexible. Through connectivity, people’s input is garnered and responses can be felt immediately. Yet, just as Newton’s action–reaction law comes into play in the physical realm, there are reactions to consider for the human not only in the physical realms, but also in the mental, emo­tional, and spiritual realms (Loehr and Schwartz, 2001), when we live our lives not only in the ordinary world, but also within the digital world.

Claims have been made that our life has become so busy today that we are grasping to gain back seconds in our day. It could be asked: why should we waste time and effort by manually entering all these now-necessary pass­words, when a tattoo or pill could transmit an 18-bit authentication signal for automatic logon from within our bodies? We are led to believe that individuals are demanding uninterrupted connectivity; however, research has shown that some yearn to have the freedom to ‘live off the grid’, even if for only a short span of time (Pearce and Gretzel, 2012).

A recent front cover of a US business magazine Fast Company read “Unplug. My life was crazy. So I disconnected for 25 days. You should too”. The content within the publication includes coping mechanisms of senior-level professionals who are working to mitigate the consequences of perpetual connectivity through technology. One article reveals the digital dilemmas we now face (e.g. how much should I connect?); another article provides tips on how to do a digital detox (e.g. disconnecting because of the price we pay); and yet another article outlines how to bring sanity to your crazy, wired life with eight ways the busiest connectors give themselves a break (e.g. taking time each day to exercise in a way that makes it impossi­ble to check your phone; ditching the phone to ensure undivided attention is given to colleagues; or establishing a company ‘Shabbat’ in which it is acceptable to unplug one day a week). Baratunde Thurston, CEO and co­founder of Cultivated Wit (and considered by some to be the world’s most connected man), wrote:

I love my devices and my digital services, I love being connected to the global hive mind – but I am more aware of the price we pay: lack of depth, reduced accuracy, lower quality, impatience, selfishness, and mental exhaustion, to name but a few. In choosing to digitally enhance lives, we risk not living them.
— (Thurston, 2013, p. 77)

13.3 People as Sensors

Enter Google Glass, Autographer, Memoto, TrackStick, Fitbit, and other wearable devices that are worn like spectacles, apparel, or tied round the neck. The more pervasive innovations such as electronic tattoos, nanopatches, smart pills, and ICT implants seamlessly become a ‘part’ of the body once attached, swallowed, embedded, or injected. These technolo­gies are purported to be lifestyle choices that can provide a myriad of con­veniences and productivity gains, as well as improved health and well-being functionality. Wearables are believed to have such benefits as enhancements to self-awareness, communication, memory, sensing, recognition, and logis­tical skills. Common experiences can be augmented, for example when a theme park character (apparently) knows your child’s name because of a wrist strap that acts as an admissions ticket, wallet, and ID.

Gone are the days when there was a stigma around electronic bracelets being used to track those on parole; these devices are now becoming much like a fashion statement and a desirable method not only for safety and security, but also for convenience and enhanced experiences. However, one must consider that an innocuous method for convenience may prove to create ‘people as sensors’ in which information is collected from the envi­ronment using unobtrusive measures, but with the wearer – as well as those around the wearer – possibly unaware of the extent of the data collection. In addition to issues around privacy, other questions must be asked such as: what will be done with the data now and well into the future?

The metaphor of ‘people as sensors’, also referred to as Citizens as Sen­sors (Goodchild, 2007), is being espoused, as on-board chipsets allow an individual to look out toward another object or subject (e.g. using an im­age sensor), or to look inward toward oneself (e.g. measuring physiological characteristics with embedded surveillance devices). As optional prosthetic devices are incorporated into users, devices are recognized by some as be­coming an extension of the person’s mind and body. New developments in ‘smart skin’ offer even more solutions. The skin can become a function of the user’s habits, personality, mood, or behavior. For example, when inserted into a shoe, the smart skin can analyze and improve the technical skill of an athlete, factors associated with body stresses related to activity, or even health issues that may result from the wearer’s use of high-heeled shoes (Papakostas et al., 2002). Simply put, human beings who function in analog are able to communicate digitally through the devices that they wear or bear. This is quite a different proposition from the typical surveil­lance camera that is bolted onto a wall overlooking the streetscape or mall and has a pre-defined field of view.

Fig. 13.1 People as sensors: from surveillance to uberveillance

‘People as sensors’ is far more pervasive than dash-cams used in police vehicles, and can be likened to the putting on of body-worn devices by law enforcement agencies to collect real-time data from the field (see Fig­ure 13.1). When everyday citizens are wearing and bearing these devices, they form a collective network by contributing individual subjective (and personal) observations of themselves and their surroundings. There are advantages; the community is believed to benefit with relevant, real-time information on such issues as public safety, street damage, weather obser­vations, traffic patterns, and even public health (cf. Chapter 12). People, using their everyday devices, can enter information into a data warehouse, which could also reduce the cost of intensive physical networks that oth­erwise need to be deployed. Although murky, there is vulnerability; such as the risk of U-VGI (Un-Volunteered Geographical Information) with the tracking of mass movements in a cell phone network to ascertain traffic distribution (Resch, 2013).

Consider it a type of warwalking on foot rather than wardriving.3 It seems that opt-in and opt-out features are not deemed necessary, perhaps due to the perceived anonymity of individual user identifiers. The ability to ‘switch off’, ‘turn off’, ‘unplug’, or select the ‘I do not consent’ feature in a practical way, is a question that many have pondered, but with arguably a limited number of pragmatic solutions, if any.

With ‘citizens as sensors’ there is an opt-in for those subscribing, but issues need to be considered for those in the vicinity of the bearer who did not consent to subscribe or to be recorded. Researchers contend that even the bearer must be better educated on the potential privacy issues (Daskala, 2011). For example, user-generated information yields longitude and lat­itude coordinates, time and date stamps, and speed and elevation details which tell us significant aspects about a person’s everyday life leading to insight about current and predictive behavioral patterns. Data could also be routinely intercepted (and stored indefinitely), as has been alleged in the recent National Security Agency (NSA) scandal. Even greater concerns arise from the potential use of dragnet electronic surveillance to be mined for information (now or in the future) to extract and synthesize rich het­erogeneous data containing personal visual records and ‘friends lists’ of the new media. Call detail records (CDRs) may just be the tip of the iceberg.

The quantified-self movement, which incorporates data, taking into ac­count many inputs of a person’s daily life, is being used for self-tracking and community building so individuals can work toward improving their daily functioning (e.g. how you look, feel, and live). Because devices can look inward toward oneself, one can mine very personal data (e.g. body mass index and heart rate) which can then be combined with the outward (e.g. the vital role of your community support network) to yield such quantifiers as a higi score defining a person with a cumulative grade (e.g. your score today out of a possible 999 points).4

Wearables, together with other technologies, assist in the process of tak­ing in multiple and varied data points to synthesize the person’s mental and physical performance (e.g. sleep quality), psychological states such as moods and stimulation levels (e.g. excitement), and other inputs such as food, air quality, location, and human interactions. Neurologically, information is addictive; yet, humans may make worse decisions when more information is at hand. Humans also are believed to overestimate the value of missing data which may lead to an endless pursuit, or perhaps an overvaluing of useless information (Bastardi and Shafir, 1998). Even more consequential, it is even possible that too much introspection can also reduce the quality of decisions of individuals.

13.4 Enter the Veillances

Katina Michael and M. G. Michael (2009) made a presentation that, for the first time at a public gathering, considered surveillance, dataveillance, sousveillance and überveillance all together. As a specialist term, veillance was first used in an important blogpost exploring equiveillance by Ian Kerr and Steve Mann (2006) in which the ‘valences of veillance’ were briefly described. But in contrast to Kerr and Mann, Michael and Michael were pondering on the intensification of a state of überveillance through increasingly pervasive technologies, which can provide details from the big picture view right down to the miniscule personal details.

But what does veillance mean? And how is it understood in different contexts? What does it mean to be watched by a CCTV camera, to have one’s personal details deeply scrutinized, to watch another, to watch one­self? And so we continue by defining the four types of veillances that have received attention in recognized peer reviewed journal publications and the wider corpus of literature.

13.4.1 Surveillance

First, the much embraced idea of surveillance recognized in the early nine­teenth century from the French sur meaning ‘over’ and veiller meaning ‘to watch’. According to the Oxford English Dictionary, veiller stems from the Latin vigilare, which means ‘to keep watch’.

13.4.2 Dataveillance

Dataveillance was conceived by Clarke (1988a) as “the systematic use of personal data systems in the investigation or monitoring of the actions or communications of one or more persons” (although in the Oxford English Dictionary it is now defined as “the practice of monitoring the online ac­tivity of a person or group”). The term was introduced in response to government agency data matching initiatives linking taxation records and social security benefits, among other commercial data mining practices. At the time it was a powerful response to the proposed Australia Card pro­posal in 1987 (Clarke, 1988b), which was never implemented by the Hawke Government, while the Howard Government’s attempts to introduce an Access Card almost two decades later in 2005 were also unsuccessful. It is remarkable that same issues ensue today, only on a greater magnitude with more consequences and advanced capabilities in analytics, data storage, and converging systems.

13.4.3 Sousveillance

Sousveillance was defined by Steve Mann in 2002, but practiced since 1995 as “the recording of an activity from the perspective of a participant in the activity” . 5 However, its initial introduction into the literature came in the inaugural Surveillance and Society journal in 2003 with a meaning of ‘in­verse surveillance’ as a counter to organizational surveillance (Mann et al., 2003). Mann prefers to interpret sousveillance as under-sight, which main­tains integrity, contra to surveillance as over-sight (Mann, 2004a), which reduces to hypocrisy if governments responsible for surveillance pass laws to make sousveillance illegal.

Whereas dataveillance is the systematic use of personal data systems in the monitoring of people, sousveillance is the inverse of monitoring people; it is the continuous capture of personal experience (Mann, 2004b). For ex­ample, dataveillance might include the linking of someone’s tax file number with their bank account details and communications data. Sousveillance on the other hand, is a voluntary act of logging what people might see as they move through the world. Surveillance is thus considered watch­ing from above, whereas sousveillance is considered watching from below. In contrast, dataveillance is the monitoring of a person’s activities which presents the individual with numerous social dangers (Clarke, 1988a).

13.4.4 Uberveillance

¨Uberveillance conceived by M. G. Michael in 2006, is defined in the Aus­tralian Law Dictionary as: “ubiquitous or pervasive electronic surveillance that is not only ‘always on’ but ‘always with you’, ultimately in the form of bodily invasive surveillance”. The Macquarie Dictionary of Australia entered the term officially in 2008 as “an omnipresent electronic surveil­lance facilitated by technology that makes it possible to embed surveil­lance devices in the human body”. Michael and Michael (2007) defined überveillance as having “to do with the fundamental who (ID), where (loca­tion), and when (time) questions in an attempt to derive why (motivation), what (result), and even how (method/plan/thought)”.

¨Uberveillance is a compound word, conjoining the German über mean­ing ‘over’ or ‘above’ with the French veillance. The concept is very much linked to Friedrich Nietzsche’s vision of the übermensch, who is a man with powers beyond those of an ordinary human being, like a super-man with amplified abilities (Michael and Michael, 2010). ¨Uberveillance is analogous to big brother on the inside looking out. For example, heart, pulse, and temperature sensor readings emanating from the body in binary bits wire­lessly, or even through amplified eyes such as inserted contact lens ‘glass’ that might provide visual display and access to the Internet or social net­working applications.

¨Uberveillance brings together all forms of watching from above and from below, from machines that move to those that stand still, from animals and from people, acquired involuntarily or voluntarily using obtrusive or unob­trusive devices (Michael et al., 2010). The network infrastructure underlies the ability to collect data direct from the sensor devices worn by the individ­ual and big data analytics ensures an interpretation of the unique behavioral traits of the individual, implying more than just predicted movement, but intent and thought (Michael and Miller, 2013).

It has been said that überveillance is that part of the veillance puz­zle that brings together the sur, data, and sous to an intersecting point (Stephan et al., 2012). In überveillance, there is the ‘watching’ from above component (sur), there is the ‘collecting’ of personal data and public data for mining (data), and there is the watching from below (sous), which can draw together social networks and strangers, all coming together via wear­able and implantable devices on/in the human body. ¨Uberveillance can be used for good in the practice of health for instance, but we contend that, independent of its application for non-medical purposes, it will always have an underlying control factor (Masters and Michael, 2006).

13.5 Colliding Principles

13.5.1 From ‘drone view’ to ‘person view’

It can be argued that, because a CCTV camera is monitoring activities from above, we should have the ‘counter-right’ to monitor the world around us from below. It therefore follows, if Google can record ‘street views’, then the average citizen should also be able to engage in that same act, which we may call ‘person view’. Our laws as a rule do not forbid recording the world around us (or even each other for that matter), so long as we are not encroaching on someone else’s well-being or privacy (e.g. stalking, or making material public without expressed consent). While we have Street View today, it will only be a matter of time before we have ‘drones as a service’ (DaaS) products that systematically provide even better high res­olution imagery than ‘satellite views’. We can make ‘drone view’ available on Google Maps, as we could probably also make ‘person view’ available. Want to look up not only a street, but a person if they are logged in and registered? Then search ‘John Doe’ and find the nearest camera pointing toward him, and/or emanating from him. Call it a triangulation of sorts.

13.5.2 Transparency and open data

The benefits of this kind of transparency, argue numerous scholars, are that not only will we have a perfect source of open data to work with, but that there will be less crime as people consider the repercussions of being caught doing wrong in real-time. However, this is quite an idealistic paradigm and ethically flawed. Criminals, and non-criminals for that mat­ter, find ways around all secure processes, no matter how technologically foolproof. At that point, the technical elite might well be systematically hiding or erasing their recorded misdemeanours but no doubt keeping the innocent person under 24/7/365 watch. There are, however, varying de­grees to transparency, and most of these have to do with economies of scale and/or are context-based; they have to be. In short, transparency needs to be context related.

13.5.3 Surveillance, listening devices and the law

At what point do we actually believe that in a public space our privacy is not invaded by such incremental innovations as little wearable cameras, half the size of a matchbox, worn as lifelogging devices? One could speculate that the sheer size of these devices makes them unobtrusive and not easily detectable to the naked eye, meaning that they are covert in nature and blatantly break the law in some jurisdictions where they are worn and operational (Abbas et al., 2011). Some of these devices not only capture images every 30 seconds, but also record audio, making them potentially a form of unauthorized surveillance. It is also not always apparent when these devices are on or off. We must consider that the “unrestricted freedom of some may endanger the well-being, privacy, or safety of others” (Rodota and Capurro, 2005, p. 23). Where are the distinctions between the wearer’s right to capture his or her own personal experiences on the one hand (i.e. the unrestricted freedom of some), and intrusion into another’s private sphere in which he or she does not want to be recorded, and is perhaps even disturbed by the prospect of losing control over his or her privacy (i.e. endangering the well-being or privacy of others)?

13.5.4 Ethics and values

Enter ethics and values. Ethics in this debate are greatly important. They have been dangerously pushed aside, for it is ethics that determine the degree of importance, that is the value, we place on the levels of our decision-making. When is it right to take photographs and record another individual (even in a public space), and when is it wrong? Do I physically remove my wearable device when I enter a washroom, a leisure centre, a hospital, a funeral, someone else’s home, a bedroom? Do I need to ask express permis­sion from someone to record them, even if I am a participant in a shared activity? What about unobtrusive devices that blur the line between wear­ables and implantables, such as miniature recording devices embedded in spectacle frames or eye sockets and possibly in the future embedded in con­tact lenses? Do I have to tell my future partner or prospective employer? Should I declare these during the immigration process before I enter the secure zone?

At the same time, independent of how much crowdsourced evidence is gathered for a given event, wearables and implantables are not infallible, their sensors can easily misrepresent reality through inaccurate or incom­plete readings and data can be even further misconstrued post capture (Michael and Michael, 2007). This is the limitation of an überveillance so­ciety – devices are equipped with a myriad of sensors; they are celebrated as achieving near omnipresence, but the reality is that they will never be able to achieve omniscience. Finite knowledge and imperfect awareness create much potential for inadequate or incomplete interpretations.

Some technologists believe that they need to rewrite the books on meta­physics and ontology, as a result of old and outmoded definitions in the traditional humanities. We must be wary of our increasing ‘technicized’ environment however, and continue to test ourselves on the values we hold as canonical, which go towards defining a free and autonomous human be­ing. The protection of personal data has been deemed by the EU as an autonomous individual right.

Yet, with such pervasive data collection, how will we protect “the right of informational self-determination on each individual – including the right to remain master of the data concerning him or her” (Rodota and Capurro, 2005, p. 17)? If we rely on bio-data to drive our next move based on what our own wearable sensors tells some computer application is the right thing to do, we very well may lose a great part of our freedom and the life-force of improvization and spontaneity. By allowing this data to drive our decisions, we make ourselves prone to algorithmic faults in software programs among other significant problems.

13.5.5 The unintended side effects of lifelogging

Lifelogging captures continuous first-person recordings of a person’s life and can now be dynamically integrated into social networking and other appli­cations. If lifelogging is recording your daily life with technical tools, many are unintentionally participating in a form of lifelogging by recording their lives through social networks. Although, technically, data capture in social media happens in bursts (e.g. the upload of a photograph) compared with continuous recording of first-person recordings (e.g. glogger.mobi) (Daskala, 2011). Lifelogging is believed to have such benefits as affecting how we re­member, increasing productivity, reducing an individual’s sense of isolation, building social bonds, capturing memories, and enhancing communication.

Governing bodies could also derive benefit through lifelogging appli­cations data to better understanding public opinion or forecast emerging health issues for society. However, memories gathered by lifelogs can have side effects. Not every image, and not every recording you will take will be a happy one. Replaying these and other moments might be detrimental to our well-being. For example, history shows ‘looking back’ may become traumatic, such as Marina Lutz’s experience of having most of her life ei­ther recorded or photographed in the first 16 years of her life by her father (see the short film The Marina Experience).

Researchers have discovered that personality development and mental health could also be negatively impacted by lifelogging applications. Vul­nerabilities include high influence potential by others, suggestibility, weak perception of self, and a resulting low self-esteem (Daskala, 2011). There is also risk that wearers may also post undesirable or personal expressions of another person, which cause the person emotional harm due to a neg­ative perception of himself or herself among third parties (Daskala, 2011). We have already witnessed such events in other social forums with tragic consequences such as suicides.

Lifelogging data may also create unhealthy competition, for example in gamification programs that use higi scores to compare your quality of life to others. Studies report psychological harm among those who perceive they do not meet peer expectations (Daskala, 2011); how much more so when intimate data about one’s physical, emotional, psychological, and so­cial network is integrated, measured, and calculated to sum up quality of life in a three-digit score (Michael and Michael, 2011). Even the effect of sharing positive lifelogging data should be reconsidered. Various reports have claimed that watching other people’s lives can develop into an obsession and can incite envy, feelings of inadequacy, or feeling as if one is not accomplished enough, especially when comparing oneself to others.

13.5.6 Pebbles and shells

Perhaps lifelogs could have the opposite effect of their intended purpose, without ever denying the numerous positives. We may become wrapped up in the self, rather than in the common good, playing to a theater, and not allowing ourselves to flourish in other ways lest we are perceived as anything but normal. Such logging posted onto public Internet archival stores might well serve to promote a conflicting identity of the self, constant validation through page ranks, hit counts and likes, and other forms of electronic exhibitionism. Researchers purport that lifelogging activities are likely to lead to an over-reliance and excessive dependency on electronic devices and systems with emotionally concerning, on-going cognitive reflections as messages are posted or seen, and this could be at the expense of more important aspects of life (Daskala, 2011).

Isaac Newton gave us much to consider when he said, “I was like a boy playing on the sea-shore, and diverting myself now and then find­ing a smoother pebble or a prettier shell than ordinary, whilst the great ocean of truth lay all undiscovered before me” (Brewster, 2001). Society at large must question if the measurements of Google hits, higi scores, clicks, votes, recordings, and analysis of data to quantify ‘the self’, could become a dangerously distracting exercise if left unbalanced. The aforementioned measurements, which are multi-varied and enormously insightful, may be of value – and of great enjoyment and fascination – much like Newton’s peb­bles and shells. However, what is the ocean we may overlook – or ignore – as we scour the beach for pebbles and shells?

13.5.7 When bad is good

Data collection and analysis systems, such as lifelogging, may not appro­priately allow for individuals to progress in self-awareness and personal development upon tempered reflection. How do we aptly measure the con­tradictory aspects of life such as the healing that often comes through tears, or the expending of energy (exercise) to gain energy (physical health), or the unique wonder that is realized only through the pain of self-sacrifice (e.g. veritable altruistic acts)? Harvard researchers Loehr and Schwartz (2001) provide us with further evidence of how the bad (or the unpleasant) can be good relative to personal development, through an investigation in which a key participant went by the name of ‘Richard’.

Richard was an individual progressing in self-awareness as documented during an investigation in which researchers were working to determine how executives could achieve peak performance leading to increased capacity for endurance, determination, strength, flexibility, self-control, and focus. The researchers found that executives who perform to full potential, for the long­term, tap into energy at all levels of the ‘pyramid of performance’ which has four ascending levels of progressive capacities: physical, emotional, mental, and spiritual.

The tip of the pyramid was identified as spiritual capacity, defined by the researchers as “an energy that is released by tapping into one’s deepest values and defining a strong sense of purpose” (Loehr and Schwartz, 2001, p. 127). The spiritual capacity, above all else, was found to be the sustenance – or the fuel – of the ideal performance state (IPS); the state in which individuals ‘bring their talent and skills to full ignition and to sustain high performance over time’ (op. cit., p. 122). However, as Richard worked to realize his spiritual capacity, he experienced significant pain during a two-year period. He reported being overcome by emotion, consumed with grief, and filled with longing as he learned to affirm what mattered most in his life. The two-year battle resulted in Richard ‘tapping into a deeper sense of purpose with a new source of energy’ (op. cit., p. 128); however, one must question if technology would have properly quantified the bad as the ultimate good for Richard. Spiritual reflections on the trajectory of technology (certainly since it has now been plainly linked to teleology) are not out of place nor should they be discouraged.

13.5.8 Censorship

Beyond the veillance (the ‘watching’) of oneself, i.e. the inward gaze, is the outward veillance and watching of the other. But this point of eye (PoE), does not necessarily mean a point of view (PoV), or even wider angle field of view (FoV). Particularly in the context of ‘glass’. Our gaze too is subjective, and who or what will connote this censorship at the time when it really matters? The outward watching too may not tell the full story, despite its rich media capability to gather both audio and video. Audio-visual accounts have their own pitfalls. We have long known how vitally important eye gaze is for all of the social primates, and particularly for humans; there will be consequences to any artificial tampering of this basic natural instinct. Hans Holbein’s famous painting The Ambassadors (1533), with its patent reference to anamorphosis, speaks volumes of the critical distinction between PoE and PoV. Take a look, if you are not already familiar with this double portrait and still life. Can you see the skull? The secret lies in the perspective and in the tilt of the head.

13.6 Summary and Conclusions: Mind/Body Distinction

In the future, corporate marketing may hire professional lifeloggers (or mo­bile robotic contraptions) to log other people’s lives with commercial de­vices. Unfortunately, because of inadequate privacy policies or a lack of harmonized legislation, we, as consumers, may find no laws that would pre­clude companies from this sort of ‘live to life’ hire if we do not pull the reins on the obsession to auto-photograph and audio record everything in sight. And this needs to happen right now. We have already fallen behind and are playing a risky game of catch-up. Ethics is not the overriding issue for technology companies or developers; innovation is their primary focus because, in large part, they have a fiduciary responsibility to turn a profit. We must in turn, as an informed and socially responsive community, forge together to dutifully consider the risks. At what point will we leap from tracking the mundane, which is of the body (e.g. location of GPS coordi­nates), toward the tracking of the mind by bringing all of these separate components together using ¨uber-analytics and an ¨uber-view? We must ask the hard questions now. We must disclose and discuss the existence of risk, the values at stake, and the possibility of harm.

It is significant that as researchers we are once more, at least in some places, speaking on the importance of the Cartesian mind/body distinction and of the catastrophic consequences should they continue to be confused when it comes to etymological implications and ontological categories. The mind and the body are not identical even if we are to argue from Leibniz’s Law of Identity that two things can only be identical if they at the same time share exactly the same qualities. Here as well, vigilance is enormously important that we might not disremember the real distinction between machine and human.

References

Abbas, R., Michael, K., Michael, M. G., & Aloudat, A. (2011). Emerging Forms of Covert Surveillance Using GPS-Enabled Devices. Journal of Cases on Information Technology, 13(2), 19-33.

ACLU. (2013). You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans' Movements. from http://www.aclu.org/technology-and-liberty/you-are-being-tracked-how-license-plate-readers-are-being-used-record

Adler, I. (2013). How Our Digital Devices Are Affecting Our Personal Relationships. 90.9 WBUR.

ALD (Ed.). (2010). Uberveillance: Oxford University Press.

Australian Privacy Foundation. (2005). Human Services Card.   Retrieved 6 June 2013, from http://www.privacy.org.au/Campaigns/ID_cards/HSCard.html

Bastardi, A., & Shafir, E. (1998). On the Pursuit and Misuse of Useless Information. Journal of Personality and Social Psychology, 75(1), 19-32.

Brewster, D. (2001). Memoirs of the Life, Writings, and Discoveries of Sir Isaac Newton (1855) Volume II. Ch. 27: Adamant Media Corporation.

Capurro, R. (2013). Medicine in the information and knowledge society. Paper presented at the Conference Name|. Retrieved Access Date|. from URL|.

Carpenter, L. (2011). Marina Lutz interview: The sins of my father. The Observer   Retrieved 20 April 2013, from http://www.guardian.co.uk/artanddesign/2011/apr/17/photography-children

Clarke, R. (1988a). Information Technology and Dataveillance. Communications of the ACM, 31(5), 498-512.

Clarke, R. (1988b). Just another piece of plastic in your wallet: the `Australian card' scheme. ACM SIGCAS Computers and Society, 18(1), 7-21.

Clarke, R. (2009, 7 April 2009). The Covert Implementation of Mass Vehicle Surveillance in Australia. Paper presented at the Fourth Workshop on the Social Implications of National Security: Covert Policing, Canberra, Australia.

Clifford, S., & Hardy, Q. (2013). Attention, Shoppers: Store Is Tracking Your Cell.   Retrieved 14 July, from http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all

Collins, L. (2008). Annals of Crime. Friend Game. Behind the online hoax that led to a girl’s suicide. The New Yorker.

DailyMail. (2013). Stores now tracking your behavior and moods through cameras.   Retrieved 6 August, from http://www.dailymail.co.uk/news/article-2364753/Stores-tracking-behavior-moods-cameras-cell-phones.html?ito=feeds-newsxml

ENISA. (2011). To log or not to log?: Risks and benefits of emerging life-logging applications. European Network and Information Security Agency   Retrieved 6 July 2013, from http://www.enisa.europa.eu/activities/risk-management/emerging-and-future-risk/deliverables/life-logging-risk-assessment/to-log-or-not-to-log-risks-and-benefits-of-emerging-life-logging-applications

FastCompany. (2013). #Unplug. Fast Company, July/August(177).

Frankel, T. C. (2012, 20 October). Megan Meier's mom is still fighting bullying. stltoday.com   Retrieved 4 November 2012

Friedman, R. (2012). Why Too Much Data Disables Your Decision Making. Psychology Today: Glue   Retrieved December 4, 2012, from http://www.psychologytoday.com/blog/glue/201212/why-too-much-data-disables-your-decision-making

Goodchild, M. F. (2007). Citizens as sensors: the world of volunteered geography. GeoJournal, 69, 211–221.

Greenwald, G. (2013). NSA collecting phone records of millions of Verizon customers daily. The Guardian   Retrieved 10 August 2013, from http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order

Hans Holbein the Younger. (1533). The Ambassadors.

Hayes, A. (2010). Uberveillance (Triquetra).   Retrieved 6 May 2013, from http://archive.org/details/Uberveillancetriquetra

HIGI. (2013). Your Score for Life.   Retrieved 29 June 2013, from https://higi.com/about/score

Intellitix. (2013). Reshaping the Event Horizon.   Retrieved 6 July 2013, from http://www.intellitix.com/intellitix/home/

Kerr, I., & Mann, S. (2006). Exploring Equiveillance. ID TRAIL MIX.

Krause. (2012). Vigilance Fatigue in Policing.   Retrieved 22 July, from http://www.fbi.gov/stats-services/publications/law-enforcement-bulletin/december-2012/vigilance-fatigue-in-policing

Levin, A. (2013). Waiting for Public Outrage. Paper presented at the IEEE International Symposium on Technology and Society, Toronto, Canada.

Loehr, J., & Schwartz, T. (2001). The Making of a Corporate Athlete. Harvard Business Review, January, 120-129.

Lutz, M. (2012). The Marina Experiment.   Retrieved 29 May 2013, from www.themarinaexperiment.com

Macquarie (Ed.). (2009). Uberveillance: Sydney University.

Magid, L. (2013). Wearables and Sensors Big Topics at All Things D. Forbes.

Mann, S. (2004a). Continuous lifelong capture of personal experience with EyeTap. Paper presented at the ACM International Multimedia Conference, Proceedings of the 1st ACM workshop on Continuous archival and retrieval of personal experiences (CARPE 2004), New York.

Mann, S. (2004b). Sousveillance: inverse surveillance in multimedia imaging. Paper presented at the Proceedings of the 12th annual ACM international conference on Multimedia, New York, NY, USA.

Mann, S., Nolan, J., & Wellman, B. (2003). Sousveillance: Inventing and Using Wearable Computing Devices for Data Collection in Surveillance Environments. Surveillance and Society, 1(3), 331-355.

Masters, A., & Michael, K. (2006). Lend me your arms: the use and implications of humancentric RFID. Electronic Commerce Research and Applications, 6(1), 29-39.

Michael, K. (2010). Stop social network pitfalls. Illawarra Mercury.

Michael, K. (2013a). Big Data and the Dangers of Over-Quantifying Oneself. Computer Magazine (Multimedia)   Retrieved June 7, 2013, from http://www.youtube.com/watch?v=mn_9YHV2RGQ&list=PLHJB2bhmgB7cbB-oafjt68XbzyPV46szi&index=7

Michael, K. (2013b). Snowden's Revelations Just the Tip of the Iceberg.   Retrieved 6 July 2013, from http://uberveillance.com/blog/2013/7/23/snowdens-revelations-just-the-tip-of-the-iceberg

Michael, K. (2013c). Social Implications of Wearable Computing and Augmediated Reality in Every Day Life (IEEE Symposium on Technology and Society, ISTAS13). Toronto: IEEE.

Michael, K. (2013d). Wearable computers challenge human rights. ABC Science Online.

Michael, K., & Clarke, R. (2013). Location and tracking of mobile devices: Überveillance stalks the streets. Computer Law & Security Review, 29(3), 216-228.

Michael, K., & Michael, M. G. (2009). Teaching Ethics in Wearable Computing:  the Social Implications of the New ‘Veillance’. EduPOV   Retrieved June 18, from http://www.slideshare.net/alexanderhayes/2009-aupov-main-presentation?from_search=3

Michael, K., & Michael, M. G. (2012). Converging and coexisting systems towards smart surveillance. Awareness Magazine: Self-awareness in autonomic systems, June.

Michael, K., & Michael, M. G. (Eds.). (2007). From Dataveillance to Überveillance and the Realpolitik of the Transparent Society. Wollongong, NSW, Australia.

Michael, K., & Miller, K. W. (2013). Big Data: New Opportunities and New Challenges. IEEE Computer, 46(6), 22-24.

Michael, K., Roussos, G., Huang, G. Q., Gadh, R., Chattopadhyay, A., Prabhu, S., et al. (2010). Planetary-scale RFID Services in an Age of Uberveillance. Proceedings of the IEEE, 98(9), 1663-1671.

Michael, M. G., & Michael, K. (2007). Uberveillance. Paper presented at the 29th International Conference of Data Protection and Privacy Commissioners. Privacy Horizons: Terra Incognita, Location Based Tracking Workshop, Montreal, Canada.

Michael, M. G., & Michael, K. (2010). Towards a State of Uberveillance. IEEE Technology and Society Magazine, 29(2), 9-16.

Michael, M. G., & Michael, K. (2011). The Fall-Out from Emerging Technologies: on Matters of Surveillance, Social Networks and Suicide. IEEE Technology and Society Magazine, 30(3), 15-18.

mX. (2013). Hard to Swallow.   Retrieved 6 August 2013, from http://www.mxnet.com.au/story/hard-to-swallow/story-fnh38q9o-1226659271059

Orcutt, M. (2013). Electronic “Skin” Emits Light When Pressed. MIT Tech Review.

Oxford Dictionary. (2013). Dataveillance.   Retrieved 6 May 2013, from http://oxforddictionaries.com/definition/english/surveillance

OxfordDictionary. (2013). Surveillance.   Retrieved 6 May 2013, from http://oxforddictionaries.com/definition/english/surveillance

Papakostas, T. V., Lima, J., & Lowe, M. (2002). 5:3 A Large Area Force Sensor for Smart Skin Applications. Sensors; Proceedings of IEEE, 5(3).

Pearce, P., & Gretzel, U. (2012). Tourism in technology dead zones: documenting experiential dimensions. International Journal of Tourism Sciences, 12(2), 1-20.

Pivtohead. (2013). Wearable Imaging: True point of view.   Retrieved 22 June 2013, from http://pivothead.com/#

Pokin, S. (2007). MySpace' hoax ends with suicide of Dardenne Prairie teen. St. Louis Post-Dispatch.

Resch, B. (2013). People as Sensors and Collective Sensing-Contextual Observations Complementing Geo-Sensor Network Measurements. Paper presented at the Progress in Location-Based Services, Lecture Notes in Geoinformation and Cartography.

Roberts, P. (1984). Information Visualization for Stock Market Ticks: Toward a New Trading Interface. Massachusetts Institute of Technology, Boston.

Rodota, S., & Capurro, R. (2005). Ethical Aspects of ICT Implants in the Human Body. The European Group on Ethics in Science and New Technologies (EGE)   Retrieved June 3, 2006, from http://ec.europa.eu/bepa/european-group-ethics/docs/avis20_en.pdf

SHRM. (2011). from http://www.shrm.org/publications/hrnews/pages/fatiguefactors.aspx

Spence, R. (2009). Eyeborg.   Retrieved 22 June 2010, from http://eyeborg.blogspot.com.au/

Stephan, K. D., Michael, K., Michael, M. G., Jacob, L., & Anesta, E. (2012). Social Implications of Technology: Past, Present, and Future. Proceedings of the IEEE, 100(13), 1752-1781.

SXSchedule. (2013). Better Measure: Health Engagement & higi Score.   Retrieved 29 June 2013, from http://schedule.sxsw.com/2013/events/event_IAP4888

Thurston, B. (2013). I have left the internet. Fast Company, July/August(177), 66-78, 104-105.

Ware, C. (2000). Information Visualization: Perception for Design. San Francisco, CA: Morgan Kaufmann.

Warm, J. S., Parasuraman, R., & Matthews, G. (2008). Vigilance Requires Hard Mental Work and Is Stressful. Human Factors, 433-441.

Williams, R. B. (2012). Is Facebook Good Or Bad For Your Self-Esteem? Psychology Today: Wired for Success.

Wordnik. (2013). Sousveillance.   Retrieved 6 June 2013, from http://www.wordnik.com/words/sousveillance

Endnotes

1 http://www.shrm.org/

2 www.sleepfoundation.org 

3 Someone searching for a WiFi wireless network connection using a mobile device in a moving vehicle.

4 http://higi.com/about/score; http://schedule.sxsw.com

5 http://www.wordnik.com/words/sousveillance

Citation: Katina Michael, M. G. Michael, and Christine Perakslis (2014) Be Vigilant: There Are Limits to Veillance. The Computer After Me: pp. 189-204. DOI: https://doi-org.ezproxy.uow.edu.au/10.1142/9781783264186_0013 

Location and Tracking of Mobile Devices

Location and Tracking of Mobile Devices: Überveillance Stalks the Streets

Review Version of 7 October 2012

Published in Computer Law & Security Review 29, 3 (June 2013) 216-228

Katina Michael and Roger Clarke **

© Katina Michael and Xamax Consultancy Pty Ltd, 2012

Available under an AEShareNet  licence or a Creative Commons  licence.

This document is at http://www.rogerclarke.com/DV/LTMD.html

Abstract

During the last decade, location-tracking and monitoring applications have proliferated, in mobile cellular and wireless data networks, and through self-reporting by applications running in smartphones that are equipped with onboard global positioning system (GPS) chipsets. It is now possible to locate a smartphone-user's location not merely to a cell, but to a small area within it. Innovators have been quick to capitalise on these location-based technologies for commercial purposes, and have gained access to a great deal of sensitive personal data in the process. In addition, law enforcement utilise these technologies, can do so inexpensively and hence can track many more people. Moreover, these agencies seek the power to conduct tracking covertly, and without a judicial warrant. This article investigates the dimensions of the problem of people-tracking through the devices that they carry. Location surveillance has very serious negative implications for individuals, yet there are very limited safeguards. It is incumbent on legislatures to address these problems, through both domestic laws and multilateral processes.

Contents

1. Introduction

Personal electronic devices travel with people, are worn by them, and are, or soon will be, inside them. Those devices are increasingly capable of being located, and, by recording the succession of locations, tracked. This creates a variety of opportunities for the people concerned. It also gives rise to a wide range of opportunities for organisations, at least some of which are detrimental to the person's interests.

Commonly, the focus of discussion of this topic falls on mobile phones and tablets. It is intrinsic to the network technologies on which those devices depend that the network operator has at least some knowledge of the location of each handset. In addition, many such devices have onboard global positioning system (GPS) chipsets, and self-report their coordinates to service-providers. The scope of this paper encompasses those already-well-known forms of location and tracking, but it extends beyond them.

The paper begins by outlining the various technologies that enable location and tracking, and identifies those technologies' key attributes. The many forms of surveillance are then reviewed, in order to establish a framework within which applications of location and tracking can be characterised. Applications are described, and their implications summarised. Controls are considered, whereby potential harm to the interests of individuals can be prevented or mitigated.

2. Relevant Technologies

The technologies considered here involve a device that has the following characteristics:

  • it is conveniently portable by a human, and
  • it emits signals that:
    • enable some other device to compute the location of the device (and hence of the person), and
    • are sufficiently distinctive that the device is reliably identifiable at least among those in the vicinity, and hence the device's (and hence the person's) successive locations can be detected, and combined into a trail

The primary form-factors for mobile devices are currently clam-shape (portable PCs), thin rectangles suitable for the hand (mobile phones), and flat forms (tablets). Many other form-factors are also relevant, however. Anklets imposed on dangerous prisoners, and even as conditions of bail, carry RFID tags. Chips are carried in cards of various sizes, particularly the size of credit-cards, and used for tickets for public transport and entertainment venues, aircraft boarding-passes, toll-road payments and in some countries to carry electronic cash. Chips may conduct transactions with other devices by contact-based means, or contactless, using radio-frequency identification (RFID) or its shorter-range version near-field communication (NFC) technologies. These capabilities are in credit and debit cards in many countries. Transactions may occur with the cardholder's knowledge, with their express consent, and with an authentication step to achieve confidence that the person using the card is authorised to do so. In a variety of circumstances, however, some and even all of those safeguards are dispensed with. The electronic versions of passports that are commonly now being issued carry such a chip, and have an autonomous communications capability. The widespread issue of cards with capabilities uncontrolled by, and in many cases unknown to, the cardholder, is causing consternation among segments of the population that have become aware of the schemes.

Such chips can be readily carried in other forms, including jewellery such as finger-rings, and belt-buckles. Endo-prostheses such as replacement hips and knees and heart pacemakers can readily carry chips. A few people have voluntarily embedded chips directly into their bodies for such purposes as automated entry to premises (Michael & Michael 2009).

In order to locate and track such devices, any sufficiently distinctive signals may in principle suffice. See Raper et al. (2007a) and Mautz (2011). In practice, the signals involved are commonly those transmitted by a device in order to take advantage of wireless telecommunications networks. The scope of the relevant technologies therefore also encompasses the signals, devices that detect the signals, and the networks over which the data that the signals contain are transmitted.

In wireless networks, it is generally the case that the base station or router needs to be aware of the identities of devices that are currently within the cell. A key reason for this is to conserve limited transmission capacity by sending messages only when the targeted device is known to be in the cell. This applies to all of:

  • cellular mobile originally designed for voice telephony and extended to data (in particular those using the '3G' standards GSM/GPRS, CDMA2000 and UMTS/HSPA and the '4G' standard LTE)
  • wireless local area networks (WLANs, commonly Wifi / IEEE 802.11x - RE 2010a)
  • wireless wide area networks (WWANs, commonly WiMAX / IEEE 802.16x - RE 2010b).

Devices in such networks are uniquely identified by various means (Clarke & Wigan 2011). In cellular networks, there is generally a clear distinction between the entity (the handset) and the identity it is adopting at any given time (which is determined by the module inserted in it). Depending on the particular standards used, what is commonly referred to as 'the SIM-card' is an R-UIM, a CSIM or a USIM. These modules store an International Mobile Subscriber Identity (IMSI), which constitutes the handset's identifier. Among other things, this enables network operators to determine whether or not to provide service, and what tariff to apply to the traffic. However, cellular network protocols may also involve transmission of a code that distinguishes the handset itself, within which the module is currently inserted. A useful generic term for this is the device 'entifier' (Clarke 2009b). Under the various standards, it may be referred to as an International Mobile Equipment Identity (IMEI), ESN, or MEID.

In Wifi and WiMAX networks, the device entifier may be a processor-id or more commonly a network interface card identifier (NIC Id). In various circumstances, other device-identifiers may be used, such as a phone-number, or an IP-address may be used as a proxy. In addition, the human using the device may be directly identified, e.g. by means of a user-accountname.

A WWAN cell may cover a large area, indicatively of a 50km radius. Telephony cells may have a radius as large as 2-3 km or as little as a hundred metres. WLANs using Wifi technologies have a cell-size of less than 1 hectare, indicatively 50-100 metres radius, but in practice often constrained by environmental factors to only 10-30 metres.

The base-station or router knows the identities of devices that are within its cell, because this is a technically necessary feature of the cell's operation. Mobile devices auto-report their presence 10 times per second. Meanwhile, the locations of base-stations for cellular services are known with considerable accuracy by the telecommunications providers. And, in the case of most private Wifi services, the location of the router is mapped to c. 30-100 metre accuracy by services such as Skyhook and Google Locations, which perform what have been dubbed 'war drives' in order to maintain their databases - in Google's case in probable violation of the telecommunications interception and/or privacy laws of at least a dozen countries (EPIC 2012).

Knowing that a device is within a particular mobile phone, WiMAX or Wifi cell provides only a rough indication of location. In order to generate a more precise estimate, within a cell, several techniques are used (McGuire et al. 2005). These include the following (adapted from Clarke & Wigan 2011. See also Figueiras & Frattasi 2010):

  • directional analysis. A single base-station may comprise multiple receivers at known locations and pointed in known directions, enabling the handset's location within the cell to be reduced to a sector within the cell, and possibly a narrow one, although without information about the distance along the sector;
  • triangulation. This involves multiple base-stations serving a single cell, at known locations some distance apart, and each with directional analysis capabilities. Particularly with three or more stations, this enables an inference that the device's location is within a small area at the intersection of the multiple directional plots;
  • signal analysis. This involves analysis of the characteristics of the signals exchanged between the handset and base-station, in order to infer the distance between them. Relevant signal characteristics include the apparent response-delay (Time Difference of Arrival - TDOA, also referred to as multilateration), and strength (Received Signal Strength Indicator - RSSI), perhaps supplemented by direction (Angle Of Arrival - AOA).

The precision and reliability of these techniques varies greatly, depending on the circumstances prevailing at the time. The variability and unpredictability result in many mutually inconsistent statements by suppliers, in the general media, and even in the technical literature.

Techniques for cellular networks generally provide reasonably reliable estimates of location to within an indicative 50-100m in urban areas and some hundreds of metres elsewhere. Worse performance has been reported in some field-tests, however. For example, Dahunsi & Dwolatzky (2012) found the accuracy of GSM location in Johannesberg to be in the range 200-1400m, and highly variable, with "a huge difference between the predicted and provided accuracies by mobile location providers".

The web-site of the Skyhook Wifi-router positioning service claims 10-metre accuracy, 1-second time-to-first-fix and 99.8% reliability (SHW 2012). On the other hand, tests have resulted in far lower accuracy measures, including an average positional error of 63m in Sydney (Gallagher et al. 2009) and "median values for positional accuracy in [Las Vegas, Miami and San Diego, which] ranged from 43 to 92 metres ... [and] the replicability ... was relatively poor" (Zandbergen 2012, p. 35). Nonetheless, a recent research article suggested the feasibility of "uncooperatively and covertly detecting people 'through the wall' [by means of their WiFi transmissions]" (Chetty et al. 2012).

Another way in which a device's location may become known to other devices is through self-reporting of the device's position, most commonly by means of an inbuilt Global Positioning System (GPS) chip-set. This provides coordinates and altitude based on broadcast signals received from a network of satellites. In any particular instance, the user of the device may or may not be aware that location is being disclosed.

Despite widespread enthusiasm and a moderate level of use, GPS is subject to a number of important limitations. The signals are subject to interference from atmospheric conditions, buildings and trees, and the time to achieve a fix on enough satellites and deliver a location measure may be long. This results in variability in its practical usefulness in different circumstances, and in its accuracy and reliability. Civil-use GPS coordinates are claimed to provide accuracy within a theoretical 7.8m at a 95% confidence level (USGov 2012), but various reports suggest 15m, or 20m, or 30m, but sometimes 100m. It may be affected by radio interference and jamming. The original and still-dominant GPS service operated by the US Government was subject to intentional degradation in the US's national interests. This 'Selective Availability' feature still exists, although subject to a decade-long policy not to use it; and future generations of GPS satellites may no longer support it.

Hybrid schemes exist that use two or more sources in order to generate more accurate location-estimates, or to generate estimates more quickly. In particular, Assisted GPS (A-GPS) utilises data from terrestrial servers accessed over cellular networks in order to more efficiently process satellite-derived data (e.g. RE 2012).

Further categories of location and tracking technologies emerge from time to time. A current example uses means described by the present authors as 'mobile device signatures' (MDS). A device may monitor the signals emanating from a user's mobile device, without being part of the network that the user's device is communicating with. The eavesdropping device may detect particular signal characteristics that distinguish the user's mobile device from others in the vicinity. In addition, it may apply any of the various techniques mentioned above, in order to locate the device. If the signal characteristics are persistent, the eavesdropping device can track the user's mobile device, and hence the person carrying it. No formal literature on MDS has yet been located. The supplier's brief description is at PI (2010b).

The various technologies described in this section are capable of being applied to many purposes. The focus in this paper is on their application to surveillance.

3. Surveillance

The term surveillance refers to the systematic investigation or monitoring of the actions or communications of one or more persons (Clarke 2009c). Until recent times, surveillance was visual, and depended on physical proximity of an observer to the observed. The volume of surveillance conducted was kept in check by the costs involved. Surveillance aids and enhancements emerged, such as binoculars and, later, directional microphones. During the 19th century, the post was intercepted, and telephones were tapped. During the 20th century, cameras enabled transmission of image, video and sound to remote locations, and recording for future use (e.g. Parenti 2003).

With the surge in stored personal data that accompanied the application of computing to administration in the 1970s and 1980s, dataveillance emerged (Clarke 1988). Monitoring people through their digital personae rather than through physical observation of their behaviour is much more economical, and hence many more people can be subjected to it (Clarke 1994). The dataveillance epidemic made it more important than ever to clearly distinguish between personal surveillance - of an identified person who has previously come to attention - and mass surveillance - of many people, not necessarily previously identified, about some or all of whom suspicion could be generated.

Location data is of a very particular nature, and hence it has become necessary to distinguish location surveillance as a sub-set of the general category of dataveillance. There are several categories of location surveillance with different characteristics (Clarke & Wigan 2011):

  • capture of an individual's location at a point in time. Depending on the context, this may support inferences being drawn about an individual's behaviour, purpose, intention and associates
  • real-time monitoring of a succession of locations and hence of the person's direction of movement. This is far richer data, and supports much more confident inferences being drawn about an individual's behaviour, purpose, intention and associates
  • predictive tracking, by extrapolation from the person's direction of movement, enabling inferences to be drawn about near-future behaviour, purpose, intention and associates
  • retrospective tracking, on the basis of the data trail of the person's movements, enabling reconstruction of a person's behaviour, purpose, intention and associates at previous times

Information arising at different times, and from different forms of surveillance, can be combined, in order to offer a more complete picture of a person's activities, and enable yet more inferences to be drawn, and suspicions generated. This is the primary sense in which the term 'überveillance' is applied: "Überveillance has to do with the fundamental who (ID), where (location), and when (time) questions in an attempt to derive why (motivation), what (result), and even how (method/plan/thought). Überveillance can be a predictive mechanism for a person's expected behaviour, traits, likes, or dislikes; or it can be based on historical fact; or it can be something in between ... Überveillance is more than closed circuit television feeds, or cross-agency databases linked to national identity cards, or biometrics and ePassports used for international travel. Überveillance is the sum total of all these types of surveillance and the deliberate integration of an individual's personal data for the continuous tracking and monitoring of identity and location in real time" (Michael & Michael 2010. See also Michael & Michael 2007, Michael et al. 2008, Michael et al. 2010, Clarke 2010).

A comprehensive model of surveillance includes consideration of geographical scope, and of temporal scope. Such a model assists the analyst in answering key questions about surveillance: of what? for whom? by whom? why? how? where? and when? (Clarke 2009c). Distinctions are also needed based on the extent to which the subject has knowledge of surveillance activities. It may be overt or covert. If covert, it may be merely unnotified, or alternatively express measures may be undertaken in order to obfuscate, and achieve secrecy. A further element is the notion of 'sousveillance', whereby the tools of surveillance are applied, by those who are commonly watched, against those who are commonly the watchers (Mann et al. 2003).

These notions are applied in the following sections in order to establish the extent to which location and tracking of mobile devices is changing the game of surveillance, and to demonstrate that location surveillance is intruding more deeply into personal freedoms than previous forms of surveillance.

4. Applications

This section presents a typology of applications of mobile device location, as a means of narrowing down to the kinds of uses that have particularly serious privacy implications. These are commonly referred to as location-based services (LBS). One category of applications provide information services that are for the benefit of the mobile device's user, such as navigation aids, and search and discovery tools for the locations variously of particular, identified organisations, and of organisations that sell particular goods and services. Users of LBS of these kinds can be reasonably assumed to be aware that they are disclosing their location. Depending on the design, the disclosures may also be limited to specific service-providers and specific purposes, and the transmissions may be secured.

Another, very different category of application is use by law enforcement agencies (LEAs). The US E-911 mandate of 1999 was nominally a public safety measure, to enable people needing emergency assistance to be quickly and efficiently located. In practice, the facility also delivered LEAs means for locating and tracking people of interest, through their mobile devices. Personal surveillance may be justified by reasonable grounds for suspicion that the subject is involved in serious crime, and may be specifically authorised by judicial warrant. Many countries have always been very loose in their control over LEAs, however, and many others have drastically weakened their controls since 2001. Hence, in any given jurisdiction and context, each and all of the controls may be lacking.

Yet worse, LEAs use mobile location and tracking for mass surveillance, without any specific grounds for suspicion about any of the many people caught up in what is essentially a dragnet-fishing operation (e.g. Mery 2009). Examples might include monitoring the area adjacent to a meeting-venue watching out for a blacklist of device-identifiers known to have been associated with activists in the past, or collecting device-identifiers for use on future occasions. In addition to netting the kinds of individuals who are of legitimate interest, the 'by-catch' inevitably includes threatened species. There are already extraordinarily wide-ranging (and to a considerable extent uncontrolled) data retention requirements in many countries.

Of further concern is the use of Automated Number Plate Recognition (ANPR) for mass surveillance purposes. This has been out of control in the UK since 2006, and has been proposed or attempted in various other countries as well (Clarke 2009a). Traffic surveillance is expressly used not only for retrospective analysis of the movements of individuals of interest to LEAs, but also as a means of generating suspicions about other people (Lewis 2008).

Beyond LEAs, many government agencies perform social control functions, and may be tempted to conduct location and tracking surveillance. Examples would include benefits-paying organisations tracking the movements of benefits-recipients about whom suspicions have arisen. It is not too far-fetched to anticipate zealous public servants concerned about fraud control imposing location surveillance on all recipients of some particularly valuable benefit, or as a security precaution on every person visiting a sensitive area (e.g. a prison, a power plant, a national park).

Various forms of social control are also exercised by private sector organisations. Some of these organisations, such as placement services for the unemployed, may be performing outsourced public sector functions. Others, such as workers' compensation providers, may be seeking to control personal insurance claimants, and similarly car-hire companies and insurance providers may wish to monitor motor vehicles' distance driven and roads used (Economist 2012).

A further privacy-invasive practice that is already common is the acquisition of location and tracking data by marketing corporations, as a by-product of the provision of location-based services, but with the data then applied to further purposes other than that for which it was intended. Some uses rely on statistical analysis of large holdings ('data mining'). Many uses are, on the other hand, very specific to the individual, and are for such purposes as direct or indirect targeting of advertisements and the sale of goods and services. Some of these applications combine location data with data from other sources, such as consumer profiling agencies, in order to build up such a substantial digital persona that the individual's behaviour is readily influenced. This takes the activity into the realms of überveillance.

All such services raise serious privacy concerns, because the data is intensive and sensitive, and attractive to organisations. Companies may gain rights in relation to the data through market power, or by trickery - such as exploitation of a self-granted right to change the Terms of Service (Clarke 2011). Once captured, the data may be re-purposed by any organisation that gains access to it, because the value is high enough that they may judge the trivial penalties that generally apply to breaches of privacy laws to be well worth the risk.

A recently-emerged, privacy-invasive practice is the application of the mobile device signature (MDS) form of tracking, in such locations as supermarkets. This is claimed by its providers to offer deep observational insights into the behaviour of customers, including dwell-times in front of displays, possibly linked with the purchaser's behaviour. This raises concerns a little different from other categories of location and tracking technologies, and is accordingly considered in greater depth in the following section.

It is noteworthy that an early review identified a wide range of LBS, which the authors classified into mobile guides, transport, gaming, assistive technology and location-based health (Raper et al. 2007b). Yet that work completely failed to notice that a vast array of applications were emergent in surveillance, law enforcement and national security, despite the existence of relevant literature from at least 1999 onwards (Clarke 2001Michael & Masters 2006).

5. Implications

The previous sections have introduced many examples of risks to citizens and consumers arising from location surveillance. This section presents an analysis of the categories and of the degree of seriousness with which they should be viewed. The first topic addressed is the privacy of personal location data. Other dimensions of privacy are then considered, and then the specific case of MDS is examined. The treatment here is complementary to earlier articles that have looked more generally at particular applications such as location-based mobile advertising, e.g. Cleff (2007, 2010) and King & Jessen (2010). See also Art. 29 (2011).

5.1 Locational Privacy

Knowing where someone has been, knowing what they are doing right now, and being able to predict where they might go next is a powerful tool for social control and for chilling behaviour (Abbas 2011). Humans do not move around in a random manner (Song et al. 2010).

One interpretation of 'locational privacy' is that it "is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use" (Blumberg & Eckersley 2009). A more concise definition is "the ability to control the extent to which personal location information is ... [accessible and] used by others" (van Loenen et al. 2009). Hence 'tracking privacy' is the interest an individual has in controlling information about their sequence of locations.

Location surveillance is deeply intrusive into data privacy, because it is very rich, and enables a great many inferences to be drawn (Clarke 2001, Dobson & Fisher 2003, Michael et al. 2006aClarke & Wigan 2011). As demonstrated by Raper et al. (2007a, pp. 32-33), most of the technical literature that considers privacy is merely concerned about it as an impediment to deployment and adoption, and how to overcome the barrier rather than how to solve the problem. Few authors adopt a positive approach to privacy-protective location technologies. The same authors' review of applications (Raper et al. 2007b) includes a single mention of privacy, and that is in relation to just one of the scores of sub-categories of application that they catalogue.

Most service-providers are cavalier in their handling of personal data, and extravagant in their claims. For example, Skyhook claims that it "respects the privacy of all users, customers, employees and partners"; but, significantly, it makes no mention of the privacy of the people whose locations, through the locations of their Wifi routers, it collects and stores (Skyhook 2012).

Consent is critical in such LBS as personal location chronicle systems, people-followers and footpath route-tracker systems that systematically collect personal location information from a device they are carrying (Collier 2011c). The data handled by such applications is highly sensitive because it can be used to conduct behavioural profiling of individuals in particular settings. The sensitivity exists even if the individuals remain 'nameless', i.e. if each identifier is a temporary or pseudo-identifier and is not linked to other records. Service-providers, and any other organisations that gain access to the data, achieve the capacity to make judgements on individuals based on their choices of, for example, which retail stores they walk into and which they do not. For example, if a subscriber visits a particular religious bookstore within a shopping mall on a weekly basis, the assumption can be reasonably made that they are in some way affiliated to that religion (Samuel 2008).

It is frequently asserted that individuals cannot have a reasonable expectation of privacy in a public space. Contrary to those assertions, however, privacy expectations always have existed in public places, and continue to exist (VLRC 2010). Tracking the movements of people as they go about their business is a breach of a fundamental expectation that people will be 'let alone'. In policing, for example, in most democratic countries, it is against the law to covertly track an individual or their vehicle without specific, prior approval in the form of a warrant. This principle has, however, been compromised in many countries since 2001. Warrantless tracking using a mobile device generally results in the evidence, which has been obtained without the proper authority, being inadmissible in a court of law (Samuel 2008). Some law enforcement agencies have argued for the abolition of the warrant process because the bureaucracy involved may mean that the suspect cannot be prosecuted for a crime they have likely committed (Ganz 2005). These issues are not new; but far from eliminating a warrant process, the appropriate response is to invest the energy in streamlining this process (Bronitt 2010).

Privacy risks arise not only from locational data of high integrity, but also from data that is or becomes associated with a person and that is inaccurate, misleading, or wrongly attributed to that individual. High levels of inaccuracy and unreliability were noted above in respect of all forms of location and tracking technologies. In the case of MDS services, claims have been made of one-to-two metre locational accuracy. This has yet to be supported by experimental test cases, however, and hence there is uncertainty about the reliability of inferences that the service-provider or the shop-owner draw. If the data is the subject of a warrant or subpoena, the data's inaccuracy could result in false accusations and even a miscarriage of justice, with the 'wrong person' finding themselves in the 'right place' at the 'right time'.

5.2 Privacy More Broadly

Privacy has multiple dimensions. One analysis, in Clarke (2006a), identifies four distinct aspects. Privacy of Personal Data, variously also 'data privacy' and 'information privacy', is the most widely-discussed dimension of the four. Individuals claim that data about themselves should not be automatically available to other individuals and organisations, and that, even where data is possessed by another party, the individual must be able to exercise a substantial degree of control over that data and its use. The last five decades have seen the application of information technologies to a vast array of abuses of data privacy. The degree of privacy-intrusiveness is a function of both the intensity and the richness of the data. Where multiple sources are combined, the impact is particularly likely to chill behaviour. An example is the correlation of video-feeds with mobile device tracking. The previous sub-section addressed that dimension.

Privacy of the Person, or 'bodily privacy', extends from freedom from torture and right to medical treatment, via compulsory immunisation and imposed treatments, to compulsory provision of samples of body fluids and body tissue, and obligations to submit to biometric measurement. Locational surveillance gives rise to concerns about personal safety. Physical privacy is directly threatened where a person who wishes to inflict harm is able to infer the present or near-future location of their target. Dramatic examples include assassins, kidnappers, 'standover merchants' and extortionists. But even people who are neither celebrities nor notorities are subject to stalking and harassment (Fusco et al. 2012).

Privacy of Personal Communications is concerned with the need of individuals for freedom to communicate among themselves, without routine monitoring of their communications by other persons or organisations. Issues include 'mail covers', the use of directional microphones, 'bugs' and telephonic interception, with or without recording apparatus, and third-party access to email-messages. Locational surveillance thereby creates new threats to communications privacy. For example, the equivalent of 'call records' can be generated by combining the locations of two device-identifiers in order to infer that a face-to-face conversation occurred.

Privacy of Personal Behaviour encompasses 'media privacy', but particular concern arises in relation to sensitive matters such as sexual preferences and habits, political activities and religious practices. Some privacy analyses, particularly in Europe, extend this discussion to personal autonomy, liberty and the right of self-determination (e.g. King & Jesson 2010). The notion of 'private space' is vital to economic and social aspects of behaviour, is relevant in 'private places' such as the home and toilet cubicles, but is also relevant and important in 'public places', where systematic observation and the recording of images and sounds are far more intrusive than casual observation by the few people in the vicinity.

Locational surveillance gives rise to rich sets of data about individuals' activities. The knowledge, or even suspicion, that such surveillance is undertaken, chills their behaviour. The chilling factor is vital in the case of political behaviour (Clarke 2008). It is also of consequence in economic behaviour, because the inventors and innovators on whom new developments depend are commonly 'different-thinkers' and even 'deviants', who are liable to come to come to attention in mass surveillance dragnets, with the tendency to chill their behaviour, their interactions and their creativity.

Surveillance that generates accurate data is one form of threat. Surveillance that generates inaccurate data, or wrongly associates data with a particular person, is dangerous as well. Many inferences that arise from inaccurate data will be wrong, of course, but that won't prevent those inferences being drawn, resulting in unjustified behavioural privacy invasiveness, including unjustified association with people who are, perhaps for perfectly good reasons, themselves under suspicion.

In short, all dimensions of privacy are seriously affected by location surveillance. For deeper treatments of the topic, see Michael et al. (2006b) and Clarke & Wigan (2011).

5.3 Locational Privacy and MDS

The recent innovation of tracking by means of mobile device signatures (MDS) gives rise to some issues additional to, or different from, mainstream device-location technologies. This section accordingly considers this particular technique's implications in greater depth. Limited reliable information is currently available, and the analysis is of necessity based on supplier-published sources (PI 2010a, 2010b) and media reports (Collier 2010a, 2010b, 2010c).

A company called Path Intelligence (PI) markets an MDS service to shopping mall-owners, to enable them to better value their floorspace in terms of rental revenues, and to identify points of on-foot traffic congestion to on-sell physical advertising and marketing floorspace (PI 2010a). The company claims to detect each phone (and hence person) that enters a zone, and to capture data, including:

  • how long each device and person stay, including dwell times in front of shop windows;
  • repeat visits by shoppers in varying frequency durations; and
  • typical route and circuit paths taken by shoppers as they go from shop to shop during a given shopping experience.

For malls, PI is able to denote such things as whether or not shoppers who shop at one establishment will also shop at another in the same mall, and whether or not people will go out of their way to visit a particular retail outlet independent of its location. For retailers, PI says it is able to provide information on conversion rates by department or even product line, and even which areas of the store might require more attention by staff during specific times of the day or week (PI 2012).

PI says that it uses "complex algorithms" to denote the geographic position of a mobile, using strategically located "proprietary equipment" in a campus setting (PI 2010a). The company states that it is conducting "data-driven analysis", but is not collecting, or at least that it is is not disclosing, any personal information such as a name, mobile telephone number or contents of a short message service (SMS). It states that it only ever provides aggregated data at varying zone levels to the shopping mall-owners. This is presumably justified on the basis that, using MDS techniques, direct identifiers are unlikely to be available, and a pseudo-identifier needs to be assigned. There is no explicit definition of what constitutes a zone. It is clear, however, that minimally-aggregated data at the highest geographic resolution is available for purchase, and at a higher price than more highly-aggregated data.

Shoppers have no relationship with the company, and it appears unlikely that they would even be aware that data about them is being collected and used. The only disclosure appears to be that "at each of our installations our equipment is clearly visible and labelled with our logo and website address" (PI 2010a), but this is unlikely to be visible to many people, and in any case would not inform anyone who saw it.

In short, the company is generating revenue by monitoring signals from the mobile devices of people who visit a shopping mall for the purchase of goods and services. The data collection is performed without the knowledge of the person concerned (Renegar et al. 2008). The company is covertly collecting personal data and exploiting it for profit. There is no incentive or value proposition for the individual whose mobile is being tracked. No clear statement is provided about collection, storage, retention, use and disclosure of the data (Arnold 2008). Even if privacy were not a human right, this would demand statutory intervention on the public policy grounds of commercial unfairness. The company asserts that the "our privacy approach has been reviewed by the [US Federal Trade Commission] FTC, which determined that they are comfortable with our practices" (PI 20101a). It makes no claims of such 'approval' anywhere else in the world.

The service could be extended beyond a mall and the individual stores within it, to, for example, associated walkways and parking areas, and surrounding areas such as government offices, entertainment zones and shopping-strips. Applications can also be readily envisaged on hospital and university campuses, and in airports and other transport hubs. From prior research, this is likely to expose the individual's place of employment, and even their residence (Michael et al. 2006). Even if only aggregated data is sold to businesses, the individual records remain available to at least the service-provider.

The scope exists to combine this form of locational surveillance with video-surveillance such as in-store CCTV, and indeed this is claimed to be already a feature of the company's offering to retail stores. To the extent that a commonly-used identifier can be established (e.g. through association with the person's payment or loyalty card at a point-of-sale), the full battery of local and externally-acquired customer transaction histories and consolidated 'public records' data can be linked to in-store behaviour (Michael & Michael 2007). Longstanding visual surveillance is intersecting with well-established data surveillance, and being augmented by locational surveillance, giving breath to dataveillance, or what is now being referred to by some as 'smart surveillance' (Wright et al. 2010, IBM 2011).

Surreptitious collection of personal data is (with exemptions and exceptions) largely against the law, even when undertaken by law enforcement personnel. The MDS mechanism also flies in the face of telephonic interception laws. How, then, can it be in any way acceptable for a form of warrantless tracking to be undertaken by or on behalf of corporations or mainstream government agencies, of shoppers in a mall, or travellers in an airport, or commuters in a transport hub? Why should a service-provider have the right to do what a law enforcement agency cannot normally do?

6. Controls

The tenor of the discussion to date has been that location surveillance harbours enormous threats to location privacy, but also to personal safety, the freedom to communicate, freedom of movement, and freedom of behaviour. This section examines the extent to which protections exist, firstly in the form of natural or intrinsic controls, and secondly in the form of legal provisions. The existing safeguards are found to be seriously inadequate, and it is therefore necessary to also examine the prospects for major enhancements to law, in order to achieve essential protections.

6.1 Intrinsic Controls

A variety of forms of safeguard exist against harmful technologies and unreasonable applications of them. The intrinsic economic control has largely evaporated, partly because the tools use electronics and the components are produced in high volumes at low unit cost. Another reason is that the advertising and marketing sectors are highly sophisticated, already hold and exploit vast quantities of personal data, and are readily geared up to exploit yet more data.

Neither the oxymoronic notion of 'business ethics' nor the personal morality of executives in business and government act as any significant brake on the behaviours of corporations and governments, because they are very weak barriers, and they are readily rationalised away in the face of claims of enhanced efficiencies in, for example, marketing communications, fraud control, criminal justice and control over anti-social behaviour.

A further category of intrinsic control is 'self-regulatory' arrangements within relevant industry sectors. In 2010, for example, the Australian Mobile Telecommunications Association (AMTA) released industry guidelines to promote the privacy of people using LBS on mobile devices (AMTA 2010). The guidelines were as follows:

  1. Every LBS must be provided on an opt-in basis with a specific request from a user for the service
  2. Every LBS must comply with all relevant privacy legislation
  3. Every LBS must be designed to guard against consumers being located without their knowledge
  4. Every LBS must allow consumers to maintain full control
  5. Every LBS must enable customers to control who uses their location information and when that is appropriate, and be able to stop or suspend a service easily should they wish

The second point is a matter for parliaments, privacy oversight agencies and law enforcement agencies, and its inclusion in industry guidelines is for-information-only. The remainder, meanwhile, are at best 'aspirational', and at worst mere window-dressing. Codes of this nature are simply ignored by industry members. They are primarily a means to hold off the imposition of actual regulatory measures. Occasional short-term constraints may arise from flurries of media attention, but the 'responsible' organisations escape by suggesting that bad behaviour was limited to a few 'cowboy' organisations or was a one-time error that won't be repeated.

A case study of the industry self-regulation is provided by the Biometrics Code issued by the misleadingly-named Australian industry-and-users association, the Biometrics 'Institute' (BI 2004). During the period 2009-12, the privacy advocacy organisation, the Australian Privacy Foundation (APF), submitted to the Privacy Commissioner on multiple occasions that the Code failed to meet the stipulated requirements and under the Commissioner's own Rules had to be de-registered. The Code never had more than five subscribers (out of a base of well over 100 members - which was itself only a sub-set of organisations active in the area), and had no signatories among the major biometrics vendors or users, because all five subscribers were small organisations or consultants. In addition, none of the subscribers appear to have ever provided a link to the Code on their websites or in their Privacy Policy Statements (APF 2012).

The Commissioner finally ended the farce in April 2012, citing the "low numbers of subscribers", but avoided its responsibilities by permitting the 'Institute' to "request" revocation, over two years after the APF had made the same request (OAIC 2012). The case represents an object lesson in the vacuousness of self-regulation and the business-friendliness of a captive privacy oversight agency.

If economics, morality and industry-sector politics are inadequate, perhaps competition and organisational self-interest might work. On the other hand, repeated proposals that privacy is a strategic factor for corporations and government agencies have fallen on stony ground (Clarke 19962006b).

The public can endeavour to exercise countervailing power against privacy-invasive practices. On the other hand, individuals acting alone are of little or no consequence to organisations that are intent on the application of location surveillance. Moreover, consumer organisations lack funding, professionalism and reach, and only occasionally attract sufficient media attention to force any meaningful responses from organisations deploying surveillance technologies.

Individuals may have direct surveillance countermeasures available to them, but relatively few people have the combination of motivation, technical competence and persistence to overcome lethargy and the natural human desire to believe that the institutions surrounding them are benign. In addition, some government agencies, corporations and (increasingly prevalent) public-private partnerships seek to deny anonymity, pseudonymity and multiple identities, and to impose so-called 'real name' policies, for example as a solution to the imagined epidemics of cyber-bullying, hate speech and child pornography. Individuals who use cryptography and other obfuscation techniques have to overcome the endeavours of business and government to stigmatise them as criminals with 'something to hide'.

6.2 Legal Controls

It is clear that natural or intrinsic controls have been utter failures in privacy matters generally, and will be in locational privacy matters as well. That leaves legal safeguards for personal freedoms as the sole protection. There are enormous differences among domestic laws relating to location surveillance. This section accordingly limits itself to generalities and examples.

Privacy laws are (with some qualifications, mainly in Europe) very weak instruments. Even where public servants and parliaments have an actual intention to protect privacy, rather than merely to overcome public concerns by passing placebo statutes, the draft Bills are countered by strong lobbying by government agencies and industry, to the extent that measures that were originally portrayed as being privacy-protective reach the statute books as authority for privacy breaches and surveillance (Clarke 2000).

Privacy laws, once passed, are continually eroded by exceptions built into subsequent legislation, and by technological capabilities that were not contemplated when the laws were passed. In most countries, location privacy has yet to be specifically addressed in legislation. Even where it is encompassed by human rights and privacy laws, the coverage is generally imprecise and ambiguous. More direct and specific regulation may exist, however. In Australia, for example, the Telecommunications (Interception and Access) Act and the Surveillance Devices Act define and criminalise inappropriate interception and access, use, communication and publication of location information that is obtained from mobile device traffic (AG 2005). On the other hand, when Google Inc. intercepted wi-fi signals and recorded the data that they contained, the Privacy Commissioner absolved the company (Riley 2010), and the Australian Federal Police refused to prosecute despite the action - whether it was intentional, 'inadvertent' or merely plausibly deniable - being a clear breach of the criminal law (Moses 2010).

The European Union determined a decade ago that location data that is identifiable to individuals is to some extent at least subject to existing data protection laws (EU 2002). However, the wording of that so-called 'e-Privacy Directive' countenances the collection of "location data which are more precise than is necessary for the transmission of communications", without clear controls over the justification, proportionality and transparency of that collection (para. 35). In addition, the e-Privacy Directive only applies to telecommunications service providers, not to other organisations that acquire location and tracking data. King & Jessen (2010) discuss various gaps in the protective regimes in Europe.

The EU's Advisory Body (essentially a Committee of European Data Protection Commissioners) has issued an Opinion that mobile location data is generally capable of being associated with a person, and hence is personal data, and hence is subject to the EU Directive of 1995 and national laws that implement that Directive (Art. 29 2011). Consent is considered to be generally necessary, and that consent must be informed, and sufficiently granular (pp. 13-18).

It is unclear, however, to what extent this Opinion has actually caused, and will in the future cause, organisations that collect, store, use and disclose location data to change their practices. This uncertainty exists in respect of national security, law enforcement and social control agencies, which have, or which can arrange, legal authority that overrides data protection laws. It also applies to non-government organisations of all kinds, which can take advantage of exceptions, exemptions, loopholes, non-obviousness, obfuscation, unenforceability within each particular jurisdiction, and extra-jurisdictionality, to operate in ways that are in apparent breach of the Opinion.

Legal authorities for privacy-invasions are in a great many cases vague rather than precise, and in many jurisdictions power in relation to specific decisions is delegated to an LEA (in such forms as self-written 'warrants'), or even a social control agency (in the form of demand-powers), rather than requiring a decision by a judicial officer based on evidence provided by the applicant.

Citizens in many countries are subject to more or less legitimate surveillance of various degrees and orders of granularity, by their government, in the name of law enforcement and national security. However, many Parliaments have granted powers to national security agencies to use location technology to track citizens and to intercept telecommunications. Moreover, many Parliaments have failed the public by permitting a warrant to be signed by a Minister, or even a public servant, rather than a judicial officer (Jay 1999). Worse still, it appears that these already-gross breaches of the principle of a free society are in effect being extended to the authorisation of a private organisation to track mobiles of ordinary citizens because it may lead to better services planning, or more efficient advertising and marketing (Collier 2011a).

Data protection legislation in all countries evidences massive weaknesses. There are manifold exemptions and exceptions, and there are intentional and accidental exclusions, for example through limitations in the definitions of 'identified' and 'personal data'. Even the much-vaunted European laws fail to cope with extra-territoriality and are largely ignored by US-based service-providers. They are also focussed exclusively on data, leaving large gaps in safeguards for physical, communications and behavioural privacy.

Meanwhile, a vast amount of abuse of personal data is achieved through the freedom of corporations and government agencies to pretend that Terms imposed on consumers and citizens without the scope to reject them are somehow the subject of informed and freely-given consent. For example, petrol-stations, supermarkets and many government agencies pretend that walking past signs saying 'area subject to CCTV' represents consent to gather, transmit, record, store, use and disclose data. The same approach is being adopted in relation to highly-sensitive location data, and much-vaunted data protection laws are simply subverted by the mirage of consent.

At least notices such as 'you are now being watched' or 'smile, you are being recorded' inform customers that they are under observation. On the other hand, people are generally oblivious to the fact that their mobile subscriber identity is transmitted from their mobile phone and multilaterated to yield a reasonably precise location in a shopping mall (Collier 2011a, b, c). Further, there is no meaningful sense in which they can be claimed to have consented to providing location data to a third party, in this case a location service-provider with whom they have never had contact. And the emergent combination of MDS with CCTV sources becomes a pervasive view of the person, an 'über' view, providing a set of über-analytics to - at this stage - shopping complex owners and their constituents.

What rights do employees have if such a system were instituted in an employment setting? Are workplace surveillance laws in place that would protect employees from constant monitoring? A similar problem applies to people at airports, or on hospital, university, industrial or government campuses. No social contract has been entered into between the parties, rendering the subscriber powerless.

Since the collapse of the Technology Assessment movement, technological deployment proceeds unimpeded, and public risks are addressed only after they have emerged and the clamour of concern has risen to a crescendo. A reactive force is at play, rather than proactive measures being taken to ensure avoidance or mitigation of potential privacy breaches. In Australia, for example, safeguards for location surveillance exist at best incidentally, in provisions under separate legislative regimes and in separate jurisdictions, and at worst not at all. No overarching framework exists to provide consistency among the laws. This causes confusion and inevitably results in inadequate protections (ALRC 2008).

6.3 Prospective Legal Controls

Various learned studies have been conducted, but gather dust. In Australia, the three major law reform commissions have all reported, and all have been ignored by the legislatures (NSWLRC 2005ALRC 2008VLRC 2010).

One critical need is for the fundamental principle to be recovered, to the effect that the handling of personal data requires either consent or legal authority. Consent is meaningless as a control over unreasonable behaviour, however, unless it satisfies a number of key conditions. It must be informed, it must be freely-given, and it must be sufficiently granular, not bundled (Clarke 2002). In a great many of the circumstances in which organisations are claiming to have consent to gather, store, use and disclose location data, the consumer does not appreciate what the scope of handling is that the service-provider is authorising themselves to perform; the Terms are imposed by the service-provider and may even be varied or completely re-written without consultation, a period of notice or even any notice at all; and consent is bundled rather than the individual being able to construct a pattern of consents and denials that suit their personal needs. Discussions all too frequently focus on the specifically-US notion of 'opt-out' (or 'presumed consent'), with consent debased to 'opt-in', and deprecated as inefficient and business-unfriendly.

Recently, some very weak proposals have been put forward, primarily in the USA. In 2011, for example, two US Senators proposed a Location Privacy Protection Bill (Cheng 2011). An organisation that collected location data from mobile or wireless data devices would have to state explicitly in their privacy policies what was being collected, in plain English. This would represent only a partial implementation of the already very weak 2006 recommendation of the Internet Engineering Task Force for Geographic Location/Privacy (IETF GEOPRIV) working group, which decided that technical systems should include `Fair Information Practices' (FIPs) to defend against harms associated with the use of location technologies (EPIC 2006). FIPs, however, is itself only a highly cut-down version of effective privacy protections, and the Bill proposes only a small fraction of FIPs. It would be close to worthless to consumers, and close to legislative authorisation for highly privacy-invasive actions by organisations.

Two other US senators tabled a GPS Bill, nominally intended to "balance the needs of Americans' privacy protections with the legitimate needs of law enforcement, and maintains emergency exceptions" (Anderson 2011). The scope is very narrow - next would have to come the Wi-Fi Act, the A-GPS Act, etc. That approach is obviously unviable in the longer term as new innovations emerge. Effective legislation must have appropriate generality rather than excessive technology-specificity, and should be based on semantics not syntax. Yet worse, these Bills would provide legal authorisation for grossly privacy-invasive location and tracking. IETF engineers, and now Congressmen, want to compromise human rights and increase the imbalance of power between business and consumers.

7. Conclusions

Mobile device location technologies and their applications are enabling surveillance, and producing an enormous leap in intrusions into data privacy and into privacy of the person, privacy of personal communications, and privacy of personal behaviour.

Existing privacy laws are entirely incapable of protecting consumers and citizens against the onslaught. Even where consent is claimed, it generally fails the tests of being informed, freely-given and granular.

There is an urgent need for outcries from oversight agencies, and responses from legislatures. Individual countries can provide some degree of protection, but the extra-territorial nature of so much of the private sector, and the use of corporate havens, in particular the USA, mean that multilateral action is essential in order to overcome the excesses arising from the US laissez faire traditions.

One approach to the problem would be location privacy protection legislation, although it would need to embody the complete suite of protections rather than the mere notification that the technology breaches privacy. An alternative approach is amendment of the current privacy legislation and other anti-terrorism legislation in order to create appropriate regulatory provisions, and close the gaps that LBS providers are exploiting (Koppel 2010).

The chimeras of self-regulation, and the unenforceability of guidelines, are not safeguards. Sensitive data like location information must be subject to actual, enforced protections, with guidelines and codes no longer used as a substitute, but merely playing a supporting role. Unless substantial protections for personal location information are enacted and enforced, there will be an epidemic of unjustified, disproportionate and covert surveillance, conducted by government and business, and even by citizens (Gillespie 2009, Abbas et al. 2011).

References

Abbas R. (2011) 'The social and behavioural implications of location-based services: An observational study of users' Journal of Location Based Services, 5, 3-4 (December 2011)

Abbas R., Michael K., Michael m.g. & Aloudat A. (2011) 'Emerging forms of covert surveillance using GPS-enabled devices', Journal of Cases on Information Technology, 13, 2 (2011) 19-33

AG (2005) 'What the Government is doing: Surveillance Device Act 2004', 25 May 2005, Australian Government, at http://www.ag.gov.au/agd/www/nationalsecurity.nsf/AllDocs/9B1F97B59105AEE6CA2570C0014CAF5?OpenDocument

ALRC (2008) 'For your information: Australian privacy law and practice (ALRC Report 108)', Australian Government, 2, pp. 1409-10, http://www.alrc.gov.au/publications/report-108

AMTA (2010) 'New mobile telecommunications industry guidelines and consumer tips set benchmark for Location Based Services', Australian Mobile Telecommunications Association, 2010, athttp://www.amta.org.au/articles/New.mobile.telecommunications.industry.guidelines.and.consumer.tips.set.benchmark.for.Location.Based.Services

Anderson N. (2011) 'Bipartisan bill would end government's warrantless GPS tracking', Ars Technica, June 2011, at http://arstechnica.com/tech-policy/news/2011/06/bipartisan-bill-would-end-governments-warrantless-gps-tracking.ars

APF (2012) 'Revocation of the Biometrics Industry Code' Australian Privacy Foundation, March 2012, at http://www.privacy.org.au/Papers/OAIC-BiomCodeRevoc-120321.pdf

Arnold B. (2008) 'Privacy guide', Caslon Analytics, May 2008, at http://www.caslon.com.au/privacyguide19.htm

Art. 29 (2011) 'Opinion 13/2011 on Geolocation services on smart mobile devices' Article 29 Data Protection Working Party , 881/11/EN WP 185, 16 May 2011, at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf

BI (2004) 'Privacy Code' Biometrics Institute, Sydney, April 2004, at http://web.archive.org/web/20050424120627/http://www.biometricsinstitute.org/displaycommon.cfm?an=1&subarticlenbr=8

Blumberg A.J. & Eckersley P. (2009) 'On locational privacy, and how to avoid losing it forever' Electronic Frontier Foundation, August 2009, at https://www.eff.org/wp/locational-privacy

Bronitt S. (2010) 'Regulating covert policing methods: from reactive to proactive models of admissibility', in S. Bronitt, C. Harfield and K. Michael (eds.), The Social Implications of Covert Policing, 2010, pp. 9-14

Cheng J. (2011) 'Franken's location-privacy bill would close mobile-tracking 'loopholes'', Wired, 17 June 2011, at http://www.wired.com/epicenter/2011/06/franken-location-loopholes/

Chetty K., Smith G.E. & Woodbridge K. (2012) 'Through-the-Wall Sensing of Personnel Using Passive Bistatic WiFi Radar at Standoff Distances' IEEE Transactions on Geoscience and Remote Sensing 50, 4 (Aril 2012) 1218 - 1226

Clarke R. (1988) 'Information technology and dataveillance', Communications of the ACM, 31(5), May 1988, pp498-512, at http://www.rogerclarke.com/DV/CACM88.html

Clarke R. (1994) 'The Digital Persona and its Application to Data Surveillance' The Information Society 10,2 (June 1994) 77-92, at http://www.rogerclarke.com/DV/DigPersona.html

Clarke R. (1996) 'Privacy and Dataveillance, and Organisational Strategy' Proc. I.S. Audit & Control Association (EDPAC'96), Perth, Western Australia, May 1996, athttp://www.rogerclarke.com/DV/PStrat.html

Clarke R. (2000) 'Submission to the Commonwealth Attorney-General re: 'A privacy scheme for the private sector: Release of Key Provisions' of 14 December 1999' Xamax Consultancy Pty Ltd, January 2000, at http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

Clarke R. (2001) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Information Technology & People 14, 2 (Summer 2001) 206-231, athttp://www.rogerclarke.com/DV/PLT.html

Clarke R. (2002) 'e-Consent: A Critical Element of Trust in e-Business' Proc. 15th Bled Electronic Commerce Conference, Bled, Slovenia, June 2002, at http://www.rogerclarke.com/EC/eConsent.html

Clarke R. (2006a) 'What's 'Privacy'?' Xamax Consultancy Pty Ltd, August 2006, at http://www.rogerclarke.com/DV/Privacy.html

Clarke R. (2006b) 'Make Privacy a Strategic Factor - The Why and the How' Cutter IT Journal 19, 11 (October 2006), at http://www.rogerclarke.com/DV/APBD-0609.html

Clarke R. (2008) 'Dissidentity: The Political Dimension of Identity and Privacy' Identity in the Information Society 1, 1 (December, 2008) 221-228, at http://www.rogerclarke.com/DV/Dissidentity.html

Clarke R. (2009a) 'The Covert Implementation of Mass Vehicle Surveillance in Australia' Proc 4th Workshop on the Social Implications of National Security: Covert Policing, April 2009, ANU, Canberra, at http://www.rogerclarke.com/DV/ANPR-Surv.html

Clarke R. (2009b) 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' Proc. IDIS 2009 - The 2nd Multidisciplinary Workshop on Identity in the Information Society, LSE, 5 June 2009, at http://www.rogerclarke.com/ID/IdModel-090605.html

Clarke R. (2009c) 'A Framework for Surveillance Analysis' Xamax Consultancy Pty Ltd, August 2009, at http://www.rogerclarke.com/DV/FSA.html

Clarke R. (2010) 'What is Überveillance? (And What Should Be Done About It?)' IEEE Technology and Society 29, 2 (Summer 2010) 17-25, at http://www.rogerclarke.com/DV/RNSA07.html

Clarke R. (2011) 'The Cloudy Future of Consumer Computing' Proc. 24th Bled eConference, June 2011, at http://www.rogerclarke.com/EC/CCC.html

Clarke R. & Wigan M. (2011) 'You are where you've been: The privacy implications of location and tracking technologies' Journal of Location Based Services 5, 3-4 (December 2011) 138-155, PrePrint athttp://www.rogerclarke.com/DV/YAWYB-CWP.html

Cleff E.B. (2007) 'Implementing the legal criteria of meaningful consent in the concept of mobile advertising' Computer Law & Security Review 23,2 (2007) 262-269

Cleff E.B. (2010) 'Effective approaches to regulate mobile advertising: Moving towards a coordinated legal, self-regulatory and technical response' Computer Law & Security Review 26, 2 (2010) 158-169

Collier K. (2011a) 'Stores spy on shoppers', Herald Sun, 12 October 2011, at http://www.heraldsun.com.au/news/more-news/stores-spy-on-shoppers/story-fn7x8me2-1226164244739

Collier K. (2011b) 'Shopping centres' Big Brother plan to track customers', Herald Sun, 14 October 2011, at http://www.heraldsun.com.au/news/more-news/shopping-centres-big-brother-plan-to-track-customers/story-fn7x8me2-1226166191503

Collier K. (2011c) ''Creepy' Path Intelligence retail technology tracks shoppers', news.com.au, 14 October 2011, at http://www.news.com.au/money/creepy-retail-technology-tracks-shoppers/story-e6frfmci-1226166413071

Dahunsi F. & Dwolatzky B. (2012) 'An empirical investigation of the accuracy of location-based services in South Africa' Journal of Location Based Services 6, 1 (March 2012) 22-34

Dobson J. & Fisher P. (2003) 'Geoslavery' IEEE Technology and Society 22 (2003) 47-52, cited in Raper et al. (2007)

Economist (2012) 'Vehicle data recorders - Watching your driving' The Economist' 23 June 2012, at http://www.economist.com/node/21557309

EPIC (2006) 'Privacy and human rights report 2006' Electronic Privacy Information Center, WorldLII, 2006, at http://www.worldlii.org/int/journals/EPICPrivHR/2006/PHR2006-Location.html

EPIC (2012) 'Investigations of Google Street View' Electronic Privacy Information Center, 2012, at http://epic.org/privacy/streetview/

EU (2002) 'Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)' Official Journal L 201 , 31/07/2002 P. 0037 - 0047, European Commission, at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

Figueiras J. & Frattasi S. (2010) 'Mobile Positioning and Tracking: From Conventional to Cooperative Techniques' Wiley, 2010

Fusco S.J., Abbas R., Michael K. & Aloudat A. (2012) 'Location-Based Social Networking and its Impact on Trust in Relationships' IEEE Technology and Society Magazine 31,2 (Summer 2012) 39-50, athttp://works.bepress.com/cgi/viewcontent.cgi?article=1326&context=kmichael

Gallagher T. et al. (2009) 'Trials of commercial Wi-Fi positioning systems for indoor and urban canyons' Proc. IGNSS Symposium, 1-3 December 2009, Queensland, cited in Zandbergen (2012)

Ganz J.S. (2005) 'It's already public: why federal officers should not need warrants to use GPS vehicle tracking devices', Journal of Criminal Law and Criminology 95, 4 (Summer 2005) 1325-37

Gillespie A.A. (2009) 'Covert surveillance, human rights and the law', Irish Criminal Law Journal, 19, 3 (August 2009) 71-79

IBM (2011) 'IBM Smart Surveillance System (Previous PeopleVision Project)', IBM Research, 30 October 2011, at http://www.research.ibm.com/peoplevision/

Jay D.M. (1999) 'Use of covert surveillance obtained by search warrant', Australian Law Journal, 73, 1 (Jan 1999) 34-36

King N.J. & Jessen P.W. (2010) 'Profiling the mobile customer - Privacy concerns when behavioural advertisers target mobile phones' Computer Law & Security Review 26, 5 (2010) 455-478 and 26, 6 (2010) 595-612

Koppel A. (2010) 'Warranting a warrant: Fourth Amendment concerns raised by law enforcement's warrantless use of GPS and cellular phone tracking', University of Miami Law Review 64, 3 (April 2010) 1061-1089

Lewis P. (2008) 'Fears over privacy as police expand surveillance project' The Guardian, 15 September 2008, at http://www.guardian.co.uk/uk/2008/sep/15/civilliberties.police

McGuire M., Plataniotis K.N. & Venetsanopoulos A.N. (2005) 'Data fusion of power and time measurements for mobile terminal location' IEEE Transaction on Mobile Computing 4 (2005) 142-153, cited in Raper et al. (2007)

Mann S., Nolan J. & Wellman B. (2003) 'Sousveillance: Inventing and Using Wearable Computing Devices for Data Collection in Surveillance Environments' Surveillance & Society 1, 3 (June 2003) 331-355, at http://www.surveillance-and-society.org/articles1(3)/sousveillance.pdf

Mautz R. (2011) 'Overview of Indoor Positioning Technologies' Keynote, Proc. IPIN'2011, Guimaraes, September 2011, at http://www.geometh.ethz.ch/people/.../IPIN_Keynote_Mautz_2011.pdf

Mery D. (2009) 'The mobile phone as self-inflicted surveillance - And if you don't have one, what have you got to hide?' The Register, 10 April 2009, athttp://www.theregister.co.uk/2009/04/10/mobile_phone_tracking/

Michael K. & Michael M.G. (2007) 'From Dataveillance to Überveillance and the Realpolitik of the Transparent Society' University of Wollongong, 2007, at http://works.bepress.com/kmichael/51

Michael K. & Michael M.G. (2009) 'Innovative Automatic Identification and Location-Based Services: From Bar Codes to Chip Implants' IGI Global, 2009

Michael M.G. & Michael K. (2010) 'Towards a state of uberveillance' IEEE Technology and Society Magazine 29, 2 (Summer 2010) 9-16, at http://works.bepress.com/kmichael/187

Michael K., McNamee A., Michael M.G. & Tootell H. (2006a) 'Location-Based Intelligence - Modeling Behavior in Humans using GPS' Proc. Int'l Symposium on Technology and Society, New York, 8-11 June 2006, at http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1384&context=infopapers

Michael K., McNamee A. & Michael M.G. (2006b) 'The Emerging Ethics of Humancentric GPS Tracking and Monitoring' Proc. Int'l Conf. on Mobile Business, Copenhagen, Denmark IEEE Computer Society, 2006, at http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1384&context=infopapers

Michael M.G., Fusco S.J. & Michael K (2008) 'A Research Note on Ethics in the Emerging Age of Uberveillance (Überveillance)' Computer Communications, 31(6), 2008, 1192-119, athttp://works.bepress.com/kmichael/32/

Michael K. & Masters A. (2006) 'Realized Applications of Positioning Technologies in Defense Intelligence' in Hussein Abbass H. & Essam D. (eds.) 'Applications of Information Systems to Homeland Security and Defense' Idea Group Publishing, 2006, at http://works.bepress.com/kmichael/2

Michael K., Roussos G., Huang G.Q., Gadh R., Chattopadhyay A., Prabhu S. & Chu P. (2010) 'Planetary-scale RFID services in an age of uberveillance' Proceedings of the IEEE 98, 9 (2010) 1663-1671

Moses A. (2010) 'Google escapes criminal charges for Wi-Fi snooping', The Sydney Morning Herald, 6 December 2010, at http://www.smh.com.au/technology/security/google-escapes-criminal-charges-for-wifi-snooping-20101206-18lot.html

NSWLRC (2005) 'Surveillance' Report 108 , NSW Law Reform Commission, 2005, at http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_r108toc

OAIC (2012) '' Office of the Australian Information Commissioner, April 2012, at http://www.comlaw.gov.au/Details/F2012L00869/Explanatory%20Statement/Text

Otterberg A.A. (2005) 'Note: GPS tracking technology: The case for revisiting Knotts and shifting the Supreme Court's theory of the public space under the Fourth Amendment', Boston College Law Review 46 (2005) 661-704

Parenti C. (2003) 'The Soft Cage: Surveillance in America From Slavery to the War on Terror'  Basic Books, 2003

PI (2010a) 'Our Commitment to Privacy', Path Intelligence, 2010, heading changed in late 2012 to 'Privacy by design', at http://www.pathintelligence.com/en/products/footpath/privacy

PI (2010b) 'FootPath Technology', Path Intelligance, 2010, at http://www.pathintelligence.com/en/products/footpath/footpath-technology

PI (2012) 'Retail' Path Intelligence, 2012, at http://www.pathintelligence.com/en/industries/retail

Raper J., Gartner G., Karimi H. & Rizos C. (2007a) 'A critical evaluation of location based services and their potential' Journal of Location Based Services 1, 1 (March 2007) 5-45

Raper J., Gartner G., Karimi H. & Rizos C. (2007b) 'Applications of location-based services: a selected review' Journal of Location Based Services 1, 2 (June 2007) 89-111

RE (2010a) 'IEEE 802.11 standards tutorial' Radio-Electronics.com, apparently of 2010, at http://www.radio-electronics.com/info/wireless/wi-fi/ieee-802-11-standards-tutorial.php

RE (2010b) 'WiMAX IEEE 802.16 technology tutorial' Radio-Electronics.com, apparently of 2010, at http://www.radio-electronics.com/info/wireless/wimax/wimax.php

RE (2012) 'Assisted GPS, A-GPS' Radio-Electronics.com, apparently of 2012, at http://www.radio-electronics.com/info/cellulartelecomms/location_services/assisted_gps.php

Renegar B.D., Michael K. & Michael M.G. (2008) 'Privacy, value and control issues in four mobile business applications' Proc. 7th Int'l Conf. on Mobile Business, 2008, pp. 30-40

Riley J. (2010) 'Gov't 'travesty' in Google privacy case', ITWire, Wednesday 3 November 2010, 20:44, at http://www.itwire.com/it-policy-news/regulation/42898-govt-travesty-in-google-privacy-case

Samuel I.J. (2008) 'Warrantless location tracking', New York University Law Review, 83 (2008) 1324-1352

SHW (2012) 'Skyhook Location Performance', at http://www.skyhookwireless.com/location-technology/performance.php

Skyhook (2012) Website Entries, including 'Frequently Asked Questions' at http://www.skyhookwireless.com/whoweare/faq.php, 'Privacy Policy' athttp://www.skyhookwireless.com/whoweare/privacypolicy.php and 'Location Privacy' at http://www.skyhookwireless.com/whoweare/privacy.php,

Song C., Qu Z., Blumm N. & Barabási A.-L. (2010) 'Limits of predictability in human mobility' Science 327, 5968 (2010) 1018-1021

USGov (2012) 'GPS Accuracy' National Coordination Office for Space-Based Positioning, Navigation, and Timing, February 2012, at http://www.gps.gov/systems/gps/performance/accuracy/

van Loenen B., Zevenbergen J. & de Jong J. (2009) 'Balancing Location Privacy with National Security: A Comparative Analysis of Three Countries through the Balancing Framework of the European Court Of Human Rights' Ch. 2 of Patten N.J. et al. 'National Security: Institutional Approaches', Nova Science Publishers, 2009

VLRC (2010) 'Surveillance in Public Spaces' Victorian Law Reform Commission, Final Report 18, March 2010, athttp://www.lawreform.vic.gov.au/wps/wcm/connect/justlib/Law+Reform/resources/3/6/36418680438a4b4eacc0fd34222e6833/Surveillance_final_report.pdf

Wright D., Friedewald M., Gutwirth S., Langheinrich M., Mordini E., Bellanova R., De Hert P., Wadhwa K. & Bigo D. (2010) 'Sorting out smart surveillance' Computer Law & Security Review 26, 4 (2010) 343-354

Zandbergen P.A. (2012) 'Comparison of WiFi positioning on two mobile devices' Journal of Location Based Services 6, 1 (March 2012) 35-50

Acknowledgements

A preliminary version of the analysis presented in this paper appeared in the November 2011 edition of Precedent, the journal of the Lawyers Alliance. The article has been significantly upgraded as a result of comments provided by the referees and editor.

Author Affiliations

Katina Michael is an Associate Professor in the School of Information Systems and Technology at the University of Wollongong. She is the editor in chief of the IEEE Technology and Society Magazine, is on the editorial board of Computers & Security, and is a co-editor of 'Social Implications of Covert Policing' (2010). She is a Board member of the Australian Privacy Foundation and a representative of the Consumer Federation of Australia.

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in theResearch School of Computer Science at the Australian National University. He is currently Chair of the Australian Privacy Foundation, and an Advisory Board member of Privacy International.

The Social Implications of Location Based Social Networking

Abstract

images.jpg

Location based social networking (LBSN) applications are part of a new suite of emerging social networking tools that run on the Web 2.0 platform. LBSN is the convergence between location based services (LBS) and online social networking (OSN). LBSN applications offer users the ability to look up the location of another “friend” remotely using a smart phone, desktop or other device, anytime and anywhere. Users invite their friends to participate in LBSN and there is a process of consent that follows. Friends have the ability to alter their privacy settings to allow their location to be monitored by another at differing levels of accuracy (e.g. suburb, pinpoint at the street address level, or manual location entry). This paper explores the impact of LBSN upon society, especially upon trust between friends. The study used focus groups to collect data, and a qualitative approach towards analysis. The paper concludes that while there are a great many positive uses of LBSN, there are some significant problems with current applications, and that better design is required to ensure that these technologies are not exploited against a user to commit harm.

Section I. Introduction

Location Based Social Networking (LBSN) applications such as Google Latitude, Loopt and BrightKite enhance our ability to perform social surveillance. These applications enable users to view and share real time location information with their “friends”. With the emergence of this technology it is crucial to consider that “technology alone, even good technology alone is not sufficient to create social or economic value” [1]. Further to not contributing “sufficient” economic or social value, Kling and other scholars have identified that technologies can have negative impacts on society [2].

As location based social networking technologies are used between “friends” they have the potential to impact friendships, which are integral not only to the operation of society but also to the individual's well being [3]. By enabling real-time location tracking of “friends” LBSN puts LBS technologies in the hands of “friends” while also enhancing the experience of online social networking (OSN). In essence it meshes together the positives and negatives of OSN and LBS creating a unique domain of enquiry, forcing researchers to ask new questions. The purpose of this paper is to explore the implication of location based social networking upon “friendships”, with a particular focus on the impact upon trust.

Section II. Social Informatics

Social informatics aims to “explore, explain and theorize about the social technical contexts of information communication technologies” [4] with a view to developing “reliable knowledge about information technology and social change based on systematic empirical research, in order to inform both public policy issues and professional practice” [5]. In this way social informatics looks at the broader picture of the implementation of information communication technologies (ICT), to understand their operation, use and implications. By undertaking research on location based services from a social informatics perspective, the credible threats of the technology, and the circumstances they arise within and their severity can be identified. One of the key concepts underlying the approach of social informatics is that “information technology are not designed or used in social or technological isolation. From this standpoint, the social context of IT influences their development, uses and consequences” [6]. Social informatics takes a nuanced approach to investigating technologies and explores the bidirectional shaping between context and ICT design, implementation and use [4] as is depicted in Figure 1.

 

Figure 1. Bidirectional Shaping between Context and ICT Design

This approach, which combines the social aspects and the technical aspects of technology, has been found to be useful for understanding the social shaping and consequences of information communication technologies [7]. Examples of social informatics research include the vitality of electronic journals [8], the adoption and use of Lotus Notes within organizations [9], public access to information via the internet [10], and many other studies which employ a nuanced perspective of technology in order to understand the social shaping and consequences of ICT. Social informatics research also investigates new social phenomenon that materialize when people use technology, for example, the unintended effects of behavioral control in virtual teams [11]. Social informatics is not described as a theory, but as a “large and growing federation of scholars focused on common problems”, with no single theory or theoretical notion being pursued [4]. What social informatics does provide is a framework for conducting research. The framework of social informatics research is that it is problem orientated, empirical, and interdisciplinary with a focus on informatics.

Social informatics research in the area of LBS and OSN has highlighted the implications of using these technologies, including the concepts of trust, control, privacy and security. In addition OSN studies have exposed the ability of these technologies to alter and impact upon social relations. These studies provide a guide for concepts of interest to study in terms of the emergent technology of LBSN. Studies on LBSN however have not investigated the implications of the use of sophisticated LBSN applications, as are currently available. This research aims to address this gap by engaging in a social informatics based investigation of the implications of LBSN.

The problem addressed by this research is: under what conditions do location based social networking technologies enhance or reduce trust between “friends”? This research is concerned with the formulation of the socio-technical landscape that location based social networking applications exist within. The purpose of which is to understand the bidirectional relationship of society and technology and discover the circumstances within which trust will be negatively affected by the use of the technology. The nature of social informatics warns against a simplistic cause and effect approach to technology [12]. As such this research topic does not contain simple propositions that A causes B, rather it is developed upon a set of questions that reflect the interrelated social and technical aspects of the research.

  • Who are the users of the technology?

  • What is the technology used/misused for?

  • What relationships will it be utilized within?

  • How is trust categorized in these relationships?

  • What circumstance(s)/ context will it be used for?

  • What are the technological capabilities?

Section III. Focus Groups

A focus group is a “research technique that collects data through group interaction on a topic determined by the researcher” [13]. A key characteristic of focus groups is the insight and data produced by the interaction of the participants [14]. Focus groups are primarily used within preliminary or exploratory stages of a study [15]. This study uses focus groups to explore and discuss the use and implications of LBSN with the aim of generating a nuanced understanding of the socio-technical framework that LBSN operate within. The unit of analysis for the study was both at the individual and group level [16]. Focus groups enable individuals to express their “attitudes, beliefs and feelings” and the interaction between participants enables these views to be explored on a group level.

A. Design

Five focus groups were conducted for this study. This is justified on the basis that data becomes “saturated” with very little new content emerging after the first few sessions are conducted. The focus groups were conducted with students enrolled in a third year core subject covering professional practice and ethics, in the information technology and computer science curriculum at the University of Wollongong in the first week of May 2009. The background of these students means that it can be assumed that they are technology literate and able to grasp and understand (if not already using) emerging technologies. The focus groups were run in the tenth week of session, when it could be assumed that students were equipped with refined analytical skills to identify ethical and social aspects of technology. A further benefit in utilizing tutorial classes for the study is that the groups were pre-existing and therefore group members were able to easily relate, and also comment upon incidents which they shared in their daily lives [17].

Large focus groups can consist of between 15 to 20 participants and are appropriate for topics that are not emotionally charged. Larger groups are renowned for containing “a wide range of potential responses on topics where each participant has a low level of involvement” [13]. It should be noted that each focus group in this study had on average 15 active participants. The majority of participants were aged between 18 to 22 years old with several mature age students aged between 30 to 45 years old in each class. There was an approximate 60/40 mix of domestic and international students in each of the focus groups. The majority of international students came from China and Singapore.

B. Questions and Stimulus Material

Two moderators were used to conduct the focus groups. In order to maintain consistency between moderators and encourage a neutral approach to the focus group discussion a Question and Stimulus pack was created. The moderators played an active but neutral role, facilitating discussion and probing the participants in order to engage a deeper discussion of the issues. The purpose of developing the focus group questions and stimulus material was threefold; firstly to ensure conformity and standardization across all focus groups, secondly to provide direction and stimulus for the discussion and thirdly to provide participants with knowledge relevant to the focus group discussion. Furthermore the questions and stimulus material enabled the focus group to be structured into three sections of enquiry as demonstrated in figure 2.

 

Figure 2. Focus Group Sections

The purpose of the focus group questions was to obtain an understanding of the socio-technical framework of LBSN. In order to develop the questions the researcher reviewed the literature on LBS, LBSN, OSN and Trust, along with general media, including blogs and web articles on LBSN and Google Latitude. The questions developed focused upon:

  • Whether participants would use LBSN

  • Why would/(not) participants use LBSN

  • Who they would allow to see their location

  • Who they would like to know the location of

  • What issues surround the use of LBSN

  • The use of LBSN in relationships generally

  • The use of LBSN in relationships focusing on trust

In order to facilitate discussion, open-ended questions were used.

C. Data Analysis

The first stage of the data analysis is the transcription of the focus groups. The data was then analyzed by drawing “together and comparing discussions of similar themes … [to] examine how these relate[d] to the variables within the sample population” [17]. The method of analysis was manual qualitative content analysis. Qualitative methods are constructivist in approach [18]. They take an “interpretive, naturalistic approach to [their] subject matter” and explore things in “their natural setting attempting to make sense of, or interpret phenomena in terms of meaning people bring to them” [19]. In most cases, qualitative research results in the discovery of themes and relationships. Qualitative content analysis is concerned with capturing the richness and describing the unique complexities of data and as such provides understanding. This method allows the researcher to position, relate and ultimately understand the abstractly inferred content from a higher level processing of text and interaction.

Section IV. Results

A. Propensity to Adopt LBSN

There were three categories of response to the question would you use LBSN: adoption, non-adoption and those who had already adopted. Within each of these categories there was a spectrum of responses with participants identifying conditions of adoption or non-adoption to qualify their position. Overall most participants were in favor of non-adoption. Each of these categories of response is explored below.

1) Participants who had Adopted LBSN

Two participants had already adopted a LBSN application. In both cases the LBSN chosen was Google Latitude. One of the participants had ceased using Latitude while the other still had it installed. The participant who no longer used Latitude stated: “I got it and got rid of it because it was just weird”. When the participant was asked why it was “weird” they responded: “because it was like running in the background and you could either sign in and then it kept logging in all the time and I didn't want my brother knowing where I was all the time.” The only person who this respondent had listed as a “friend” on Latitude was his brother as at the time, Latitude was fairly new and the respondent did not think that many people used it.

The second participant who had adopted LBSN, and was still using it was doing so without any “friends”. This participant noted that Latitude: “really wears the battery down fast. I'll exit Google Latitude and it will ask- ‘would you like to continue sharing your location’ and I'll do that but then I'll have no battery left. So it is kind of useless. I still have it. Every now and then I'll log in and update my location. There is not a lot of point.” This second participant observed that without updating your location automatically there is “not a lot of point” to the application. The barrier to allowing automatic updates in the second participant's view was not the “weird” feelings it generated, but the battery power requirement. However this user had “no friends” registered to share their location with.

2) Participants who would Adopt LBSN in the Future

Of the participants who responded that they would adopt a LBSN like Google Latitude, most set out conditions of use to qualify their position while others identified availability of technology to support Latitude as a barrier to adoption. Some focus group participants were indifferent while others identified that they were open to adopting the technology without imposing any specific conditions. The conditions of use that participants specified were the accuracy of the device/application, the level of control over the visibility of their location and when the application would be used.

The condition of adoption based upon the accuracy of the device was expressed in terms of both high and low accuracy. In terms of low accuracy one participant expressed: “Participant: Depends how accurate. [Moderator: Accurate down to street level. |Participant: I think that would be kind of weird, I wouldn't like that.” This participant perceived street level accuracy as “weird”, and stated they would not adopt LBSN if it had such a high degree of accuracy. In terms of high precision accuracy one participant said that they would use a LBSN but “it would have to have a high quality network.” This participant had used LBSN before in China but experienced problems with it and after a “one day test … I didn't go ahead because the feasibility and reliability was not good, it had nothing to do with the privacy problems.”

Several participants would use LBSN upon the condition that they would be able to control the visibility of their location. Visibility was expressed in terms of controlling the level of location information (no information or street, suburb and state level) displayed, as well as control over who had access to the location information. In terms of visibility one participant commented that they would use it if they could specify: “[d]ifferent levels of visibility. Gaming friends at the state level; family — no problem because you trust them; girlfriend — no problem. Obviously the level of relationship trust would be the determining factor in how much access each person would be able to have.” This participant identified that the level of location information disclosed correlated to the different level of trust in each relationship. Other participants simply desired the ability to “easily block your location at all times” or “deactivate” the device.

In relation to who has access to location information one participant indicated that they would use it: “only on family. … Or if children are alone [and] I want to know where they are. But not with friends because if friends know where I am maybe they wonder why I am there and they ask and I have to answer like small, small details…” Identifying that some people do not want to disclose information about themselves to friends as it would open up a Pandora's box of questions about where they were and what they were doing and who they were with and so on. Another participant stated they would use LBSN but “confine it to a restricted group like … close family”, while another would use it if they had kids: “[i]fI have kids I will put it on their phone”.

Participants identified that they would only use LBSN in certain situations for example one participant said they would only use it if they were traveling stating: “[t]he only use I see in it is if I was traveling. I went on a holiday in Tasmania and my mum was worried about where I was because I wouldn't contact her and stuff. And with this she would be able to know where I am constantly, and if I am lost somewhere they would know the last place I was at.” Another participant identified that: “[t]his thing comes in really handy in unforeseen situations, maybe you are in a car and you cannot call a person to come along. So those are a few situations where it can be helpful but for security and privacy. If I can find myself in the database and I can only be seen by my close family that will be really good.” This demonstrated that there were situations within which the utility of LBSN would motivate individuals to adopt the technology although there were some concerns about security and privacy by some participants.

Finally there were three responses which did not identify conditions upon adoption. The first response was by a participant who would adopt LBSN however, they did not have the requisite device. They reflected: “the technology that I have will not let me [conduct LBSN] because I have an older phone. I tried using it but it wouldn't work.” The second response identified that they would use it without conditions and that it did not pose any privacy concerns for them. I'd “use it but I'd stop using from boredom more than anything else, it wouldn't be because of privacy. There doesn't seem like there is a point to it. It is not a privacy thing.” The final response to mention in this section is by a participant who was open to the adoption of LBSN. “I reserve judgment until I see it in action. The general idea is pretty useful I guess. I am open to it. If you have someone's email address you can find out where they live and you can find out anything you want about them… I'm not too worried about it at this point because I think it is probably too late to start worrying about how much protection … you know… your identity and your location, it's all out there.” This participant drew upon the idea that identity and location information is already available on the Internet or in caller detail records or direct marketing material, concluding that it is therefore “probably too late to start worrying about how much protection” we place on further exposure of location information.

3) Participants who would Never Adopt LBSN

The majority of participants indicated that they would not adopt LBSN. Participants gave the following reasons; it is unnecessary or a hassle, it raises ethical concerns, segregates from human contact, or they did not want to disclose their location. The participants who identified that it was unnecessary or a hassle included the following responses: “I don't have time”  “Would be a hassle I don't use stuff like that”  “Unnecessary, I don't care exactly where my friends are. I wouldn't use it to find them whether or not they would use it to find me”  “If you are a close enough friend then would you not just call them?”  “There are other ways of getting in contact, so do we need this location based networking to get in contact. Phone calls are easy enough to make. I am saying you can have it, it is just social networking, whatever, if you just want to keep in contact with friends and that but you can also do that in other ways as well.” All these responses indicate the view of some participants that LBSN is not a necessity, and that existing technologies can be used or should be used- “would you not just call them?” A side note to observe from the latter three responses above is that these participants regarded the existing technologies, which do not allow for unobtrusive observation of location, should be used in preference to LBSN.

Participants identified a range of ethical concerns from using LBSN to prank people “because they trust it”, such as LBSN being used by “serial killers” or for the purpose of “stalking”. More detailed ethical concerns were discussed in responses to “Why would/(not) participants use LBSN?” In addition to the ethical concerns one participant commented that LBSN would change the dynamics of communication with the effect of segregating users from human contact. “It segregates people from human contact. Instead of calling them up and asking them what they are doing, you will just search thlem and see what they are doing without them knowing. It is like stalking.”

A large proportion of the participants who would not use LBSN explained their view on the basis that they did not want to share their location information. Some of the remarks included that LBSN was “[a]nother layer of what people already know about you”  “I don't like people knowing where I am half the time”  “I wouldn't use it. I just don't want everyone knowing where I am 24/7. Even if like you have the option to turn it off or whatever, I would still feel like even when it is off it is kind of … I don't know I'd still feel unsure about it”  “like you may forget to turn it off and not want people to know where you are like, if you are cheating on your girlfriend. And if she goes on and sees that you are at another girl's place”  “If you have it on 24/7 and then there are brief stints where it is off then people are like “he is up to something” or “what is he doing now”. Even if they don't know what you are doing, they might think that you are doing something suspect because this is the time that it is off”  “People like to do that — they like to think ‘Oh he could be doing something suspect, lets find out what it is’.”

Two key ideas emerge from these responses. Firstly, that some people are concerned about revealing too much information about themselves like “I don't want everyone knowing where I am 24/7”. Secondly that revealing location can be dangerous-not in and of itself-but because of what people do with that information. As the latter two responses illustrated, people's curiosity and desire for gossip can lead them to use location information for the wrong purposes and infer “suspect” scenarios.

B. Reasons Why Participants Would/Would Not Use LBSN

The second discussion question was why or why not participants would use LBSN. Some participants provided reasons for their position in response to the first question, however this second question required the respondents to expand upon that discussion and identify specific purposes for using and not using LBSN regardless of their response to the first question. The participants’ responses are summarized in Table I with a discussion of the responses in the two following sections.

1) Reasons Why Participants Would Use LBSN

The reasons that participants stated they would use LBSN included the ability to keep track of or monitor children, employees or friends, store a travel journal for themselves and others to view, to provide parents or carers with peace of mind while they were traveling or for fun. Following are excerpts of some of the responses provided by the participants.

TABLE I. Reasons to use/not use LBSN

Reasons to use LBSN

• Monitoring or tracking of children, employees, friends

• Travel journal

• Parents peace of mind while traveling

 

Reasons not to use LBSN

• Intrusion into peoples’ lives

• Impact upon trust

• Drain the batteries in device

• Privacy

• No one uses it

In relation to monitoring or tracking participants expressed: “[t]he only reason that I would use it is if I wanted to know where someone was and they weren't telling me where they were”  “Well if you were one of those people who always had to know where someone was then it would be useful because then you wouldn't be always calling them [saying] ‘where are you, where are you?’”  “If I had a business I would use it on my employees, especially if they had their own vehicles, so I would know where the employees are going.”

Participants also expressed that they would use LBSN if they were traveling: “[t]he only use I see in it is if I was traveling”  “Used for traveling, when you want your friends back at home to keep track of where you are”  “If you are traveling from location to location so you can see where you are and also for people who want to see where you are and who want to know what time to expect you. So they can see how long it will take before you arrive.”

And finally one participant noted that “maybe I would use this just for fun. Like, ‘where are you?’ for fun. If I don't want to use it, I'll just turn it off”.

2) Reasons Why Participants Would Not Use LBSN

Participants gave several reasons why not to use LBSN including that it would present an intrusion into peoples’ lives, impact upon trust, drain the batteries in the device, present privacy concerns and because no one else uses it. Following are some excerpts to clarify and expand upon these reasons.

Participants who identified that LBSN presents an intrusion into peoples’ lives made the following comments: “[c]omes across more as a tool for surveillance rather than a social networking tool” “Parents putting it on their children's phone — negative use for it. Good for the parents but I don't think the child will like it”  “It is just an intrusion into your kid's life, that really shouldn't be there — too much of an intrusion and not enough freedom for when you are getting older and everything, and deserve more freedom” I “Coming home from work and going to the bar but saying to your wife that you are stuck in traffic- ‘oh really but it says you're at the bar, honey’… That kind of problem would come up because people have a tendency to be doing things that they are not supposed to be doing.” These comments illustrate how LBSN can stand in the way of the human desire for freedom and autonomy with the ability to stray from plans.

Participants merely stated that privacy, trust and battery life were reasons for non-use. The participants however elaborated more upon the reason that no one else uses LBSN stating that: “I probably would not use it because no one else uses it so why would I have it. Like it might not be popular now so that is a reason for now, but in the future when everyone else has it, it might not be a reason. So its popularity might affect whether or not I would use it.” In response to this remark another participant commented that: “But when things become more popular, like MS Windows, then people decide to hack MS Windows because it is the same thing that everyone uses. So if everyone started using this, someone out there might find a way to hack it and take advantage of it.”

C. Viewing and Disclosing Location

Participants were asked “Who would you allow to see your location?” and “Who do you want to view the location of?” More responses were elicited from the first question, demonstrating that participants are more concerned with who is able to see their location rather then who they can see. Table II below summarizes the participants’ responses.

TABLE II. Viewing and Disclosing Location Information

People who can View

• No one

• Family/close friends/trusted people

• Friends

• Anyone

• Everyone

People to View

• Everyone

• Friends

• Prime Minister Kevin Rudd

• Parents (depending on the circumstances)

The majority of participants would allow their “family’ or “close friends” to view their location or specified people that they considered to be “really really trusted”. Many participants would allow “family” or “close friends” but not both categories. One participant specified that they “would not request [to use LBSN with] any family member [but] … I might accept it if they add me but I would never actually ask this from my family”. Another participant would add a sibling but not parents and when asked why not stated that: “I tell them a lot but I just don't want them to know absolutely everything. There is this thing where you want to be your own person, have your own space, you don't want to be like trapped. Because you act differently because you think ‘oh shit my parents are always going to be watching what I am doing and where I am’ and that is not good, I don't like that.”

Some participants would add their friends, however specified that it would not be just an acquaintance or “some mate you just bumped into on the road”. However other participants would add everyone or anyone: “Everyone — who would really want to know where I am? … unless I win the lotto” “I'd let anyone. But I would turn it off if I was doing something that I didn't want people to know about”  “If you were doing something and you wanted privacy you would turn it off. But otherwise if people want to enjoy laughing at where I am then I don't really mind.” Although these participants did identify that they would allow anyone or everyone, they did impose some conditions upon their answer. The participants were not as specific about who they would view the location of. Many suggested that they would want to track everyone, even Prime Minister Kevin Rudd, or just their friends.

Section V. Issues surrounding the use of LBSN

The focus group participants were asked what they thought were the potential issues with the use of LBSN. Figure 3 represents the broad categories of responses provided by the participants. The shade of color provides an indication of the number of times each issue came up within the focus groups; the darker the shade, the greater the frequency the issue arose. Security was the premier concern, followed by privacy and trust. Social relations, control, and technological issues were also important to participants.

Figure 3. Issues Surrounding LBSN

A. Security

The focus groups drew out three main issues in relation to security; security of self, security of information and security of others. In relation to security of self, participants commented that LBSN could be: “used as a bullying thing … if you see someone in an area and there is no one else really around that area then bullies could go and use it to get that person”. Another participant identified that “I can watch you on Google Latitude — if you update it every three or four hours and know where you are and build a profile”. Other participants mentioned that it could be used for “stalking” or “pedophile tracking.” One participant commented that it could be used for covert tracking: “I think that if the location is set to continuous tracking there won't be any notification sent from Google Latitude. So if anyone gets a hold of your mobile and sets it to continuous tracking they can follow you around.” The scenario depicted by this participant however, is not entirely accurate, as Latitude does provide notification that it is running in the background, however this notification is only given once a month for the first few months and then once every three months. Therefore covert tracking with latitude would be possible for at least one month or in other cases a few weeks. There are some other LBSN applications that are now entering the market, however, that provide no notification whatsoever.

Participants questioned the security of information retained by the service provider, questioning whether Google would “share our information”, or third party hackers who would “hack into the system [and then] would be able to find whoever, whenever”. In relation to security of others one participant noted that “[my friend's] location and activities  are secured to me, as long as I have my cell phone. If I lose it, and another person finds it … they can easily see the location of my friends”. Therefore having the ability to access a friend's location information can pose a potential threat to the other person's security if the device is lost, stolen, or given to a third person not authorized to view the location information.

B. Privacy

Participants identified privacy as an issue, as LBSN applications primarily involved sharing personal information. The main issue, which emerged, was the intrusion into personal life caused by LBSN. Example remarks included: “[s]omeone can track you and see whether you have gone to a medical centre, so if you wanted to be tested on something and you didn't want anyone to know about it because you would be rejected by society”  “random things like being at the doctor's surgery and having the phone in your pocket and you don't want everyone prying into your life”  “if you were doing anything — not necessarily a crime — but something you wanted to keep secret.” An additional issue was questioning the privacy policy of Google Latitude (and therefore Google) and whether that would “override” the legislation of some jurisdictions to allow for law enforcement authorities who have a warrant to obtain detailed records of one's location.

C. Trust

Participants identified three ways that LBSN could affect trust. Firstly, LBSN users could use the application to “lie” or “hide things”, taking advantage of the trust other users place in the device and creating situations of false trust. Secondly, that LBSN could cause people to “start losing trust — losing trust between everyone, between your closest friends, your boyfriends, girlfriends”, and would make people “start questioning everything and everyone and get bitter and old and grey and home alone”. Therefore LBSN would discourage trust and create distrust between individuals. Finally, participants identified that LBSN would provide people with the ability to look “too deep, watching who is where and who is near, and infer little schemes or soap operas”, and contribute to “random social problems when someone looks up their boyfriend and there is some other person at their house”. Both the latter two comments, present scenarios where the user places greater trust in the device than the individual being monitored, and this shift in trust is the cause of the social problem.

D. Control

Participants commented that “lovers” or “parents” could use LBSN as a method of exerting control. In both proposed scenarios, the control was seen as a pre-existing element of the relationship, and LBSN as a tool for exercising control. Some control-related comments which were representative in the use of LBSN included: “control by a crazy lover”  “it is not about the children it is about having access to the children. About control.” One participant, as noted earlier, spoke about control with respect to owning one's space, and therefore owning one's personhood. This participant noted parental control in this context was a form of indirect control. They might not be telling you what to do, but they are keeping tabs on you.

E. Social Relations

Participants also commented on the effect of LBSN upon social relations. “It takes away from the social part of social networking; we are not communicating with each other we are… just viewing it and it is more of a pervasive thing or voyeuristic thing than a social thing” I “People might use it to avoid certain people as well.” It was noted by another participant however, that at the same time, LBSN could also be used to generate discussion.

F. Technological

Technological issues identified were related to perceived battery consumption, and whether the location tracking/monitoring technology would work indoors. Reliability and accuracy were also important factors discussed, as was whether all new mobile devices now had the feature built in and whether data charges applied to usage.

G. No Issues

Some participants commented that there were no issues with LBSN: “[t]he Google Latitude application is great, if you don't like the system you can deactivate it,” and “[n]o issues, if your friends location is secured to you, so long as you have the phone.”

Section VI. Discussion

People and relationships form the backbone of society. Pahl [20] describes friendship as a “social glue” that provides the fulfillment of the “need for belonging and ‘reliable alliance’ — that is, for a bond that can be trusted to be there for you when you need it” [3]. Research on social networking applications, shows that new technologies can have potential negative implications upon social relationships [21] and privacy [22]. Additionally, location based services (LBS) have social ethical implications [23]. Social networking applications have the potential to become an engrained and integral part of social interactions causing those who do not have the technology to be either excluded or succumb to the adoption of the technology [22]. A bad experience with a LBSN may not only impact an individual, but one's relationships, and more broadly one's ability to trust in others and in society more generally. One might ponder that having knowledge of where someone is all the time should in fact enhance trust, that there is certain predictability behind where a loved one physically is located or where they say they are located. However, technology is not perfect, it is not always accurate, it does not always work as it should, and there is no such thing as a perfect “location” system. Humans also require their autonomy, their freedom, an ability to make every-day mistakes without prying eyes [24].

A. Theoretical Importance

This research provided an investigation of the sociotechnical context of location based social networking technologies and applications in terms of “trust” and “friendship”. Such an investigation has several theoretical contributions. Firstly, it provides an understanding of the concepts of trust, friends and friendship within the context of information communication technologies, and social networking in particular. Secondly, it adds to the scholarship in the area of social informatics, providing an example of how social informatics as a theoretical framework can be employed to arrive at a holistic contextualized understanding of the operation of ICTs. Thirdly, it contributes to the limited scholarship on location based social networking with the view to continue the scholarly dialogue on the design, use and implementation as well as implications of the technology and ICTs in general.

B. Practical Importance

Trust and friendship are important aspects of society, and as such the implications of the use of technology upon these concepts are important from a practical as well as a theoretical perspective. The outcomes of this research can be utilized to inform the creation of policy, guidelines or legislation designed to curb the negative implications of the technology upon society. A recent paper by Grimmelmann [25] argued that although “policy makers cannot make Facebook completely safe… they can help people use it safely”, similarly this applies to the emergent technology of LBSN. The outcomes can also be used to educate individuals, and provide stimulus for a dialogue within the broader community about the implications and benefits of social networking and location-based services. Additionally, the designers of the technology can utilize this research by incorporating concerns or user requirements in new or existing applications.

Section VII. Conclusion

LBSN applications provide users with the ability to conduct real time social surveillance upon their friends, including the acts of real-time tracking and monitoring. This study, through the conduct of a social informatics investigation into LBSN, has identified the potential implications of use of LBSN upon relationships, including its critical effect upon trust. The potential implications can be summarized as security, privacy, trust, control, and an impact on societal relationships. The results from the focus group provided a broad view of the use, design, implementation and context of LBSN, and insight into the possible implications of use. The conclusion to be drawn from this study is the nuanced understanding of the operation of LBSN and its implications as well as the circumstances within which it will have a negative impact upon trust. In addition, this research identified that LBSN did present a credible threat to trust between “friends” and that LBSN applications need to be more robustly designed and implemented to reduce the evident potential for an individual user to suffer harm at the hands of another.

References

1. R. Kling, "What is social informatics and why does it matter?", The Information Society, vol. 23, no. 4, pp. 205-220, 2007.

2. K. Robert, K. Sara, "Internet paradox revisited", Journal of Social Issues, vol. 58, no. 1, pp. 49-74, 2002.

3. B. Misztal, Trust in Modern Societies-The Search for the Bases of Social Order, Cambridge:Blackwell, 1998.

4. S. Sawyer, K. Eschenfelder, "Social informatics: perspectives examples and trends", Annual Review of Information Science and Technology, vol. 36, no. 1, pp. 427-465, 2002.

5. R. Kling, "Learning about information technologies and social change: the contribution of social informatics", The Information Society, vol. 16, no. 3, pp. 217-232, 2000.

6. R. Kling, "Social informatics", Encyclopaedia of Library and Information Science, pp. 2656-2661, 2003.

7. R. Kling, "Social informatics: a new perspective on social research about information and communication technologies", Prometheus, vol. 18, no. 3, pp. 245-264, 2000.

8. R. Kling, L. Covi, "Electronic journals and legitimate media in the systems of scholarly communication", The Information Society, vol. 11, no. 4, pp. 261-71, 1995.

9. W. Orlikowski, "Learning from notes: organizational issues in GroupWare implementation", The Information Society, vol. 9, no. 3, pp. 237-50, 1993.

10. B. Kahin, J. Keller, Public Access to the Internet, Cambridge, MA:MIT Press, 1995.

11. G. Piccoli, B. Ives, "Trust and the unintended effects of behvaior control in virtual teams", MIS Quarterly, vol. 27, no. 3, pp. 365-395, 2003.

12. D. Mackenzie, "Introductory essay" in The Social Shaping of Technology, Philadelphia:Open University Press, pp. 2-27, 1999.

13. D. Morgan, Focus Groups as Qualitative Research, California:Sage Publications, 1996.

14. A. Gibbs, "Focus group research", Social Research Update, vol. 19, pp. 1-4, 1997.

15. R. Krueger, M. Casey, Focus Groups: A Practical Guide for Applied Research, California:Sage Publications, 2000.

16. P.S. Kidd, M. B. Parshall, "Getting the focus and the group: enhancing analytical rigor in focus group research", Qualitative Health Research, vol. 10, no. 3, pp. 293-308, 2000.

17. J. Kitzinger, "Qualitative research: introducing focus groups", British Medical Journal, vol. 311, no. 7000, pp. 299-302, 1995.

18. D. Druckman, Doing Research: Methods of Inquiry for Conflict Analysis, California:Sage Publications, 2005.

19. M.D. Gall, W.R. Borg, J.P. Gall, Educational Research: An Introduction, New York:, 1996.

20. R.E. Pahl, On Friendship, Wiley-Blackwell, 2000.

21. R. Gross, A. Acquisti, "Information revelation and privacy in online social networks", Workshop on Privacy in Electronic Society, 2005.

22. D. Boyd, N. Ellison, "Social network sites: definition history and scholarship", Journal of Computer-Mediated Communication, vol. 13, no. 1, pp. 210-230, 2008.

23. M.G. Michael, S.J. Fusco, K. Michael, "A research note on ethics in the emerging age of überveillance", Computer Communications, vol. 31, no. 6, pp. 1192-1199, 2008.

24. M.G. Michael, K. Michael, "Uberveillance: microchipping people and the assault on privacy", Quadrant, vol. 53, no. 3, pp. 85-89, 2009.

25.J. Grimmelmann, "Saving Facebook: privacy on social network sites", Iowa Law Review, vol. 94, no. 4, pp. 1137-1170, 2009.

Keywords

Informatics, Social network services, Privacy, Accuracy, Context, Google, Batteries
social networking (online), Internet, mobile computing, social aspects of automation
qualitative approach, social implications, location based social networking, perceived positive impacts, perceived negative impacts, Web 2.0 platform, location based services, online social networking, focus groups, implications, location based services, online social networking, location based social networking,trust, friendship

Citation: Sarah Jean Fusco,  Katina Michael, M.G. Michael, Roba Abbas, "Exploring the Social Implications of Location Based Social Networking: An Inquiry into the Perceived Positive and Negative Impacts of Using LBSN between Friends",  2010 Ninth International Conference on Mobile Business and 2010 Ninth Global Mobility Roundtable (ICMB-GMR), 13-15 June 2010, Athens, Greece, DOI: 10.1109/ICMB-GMR.2010.35

Privacy-value-control harmonization for RFID adoption in retail

Abstract

Privacy concerns have, at least in part, impeded the adoption of radio frequency identification (RFID) in retail. The adoption of other automatic identification (auto-ID) applications shows that consumers often are willing to trade their privacy or their control of personal information against some value afforded by the application. In this paper, the interplay between privacy, value, and control is examined through a literature survey of four auto-ID applications: mobile phone, electronic toll collection, e-passports, and loyalty programs. The consumer value proposition for the use of RFID in retail is investigated through an online survey exploring end-user perceptions. The results of the survey are: 1) the customer value proposition has not been communicated well to customers; 2) privacy concerns are higher than other previously adopted applications despite similar privacy issues; and 3) harmonization of privacy, value, and control is likely to be achieved only after adoption, when customers will be educated through experience with the application.

Introduction

Over the past decade, organizations have aggressively pursued the use of radio frequency identifi- cation (RFID) as a means to better identify, control, and track stock throughout the supply chain. The linking of RFID, an automatic identification (autoID) and data collection technology, to consumer goods has resulted in widespread concern surrounding privacy issues. The mainstream media have been quick to expose these privacy concerns, with most articles focusing purely on the potential of the technology to track consumers without their knowledge or consent. Prior to 2004, this resulted in many major retail organizations around the world temporarily halting their RFID initiatives because of consumer backlash and many more organizations hesitant to proceed further.1 Since that time, a number of U.S.- and European-based large retailers have either adopted RFID or conducted trials.2 Whereas privacy may not be the single biggest issue stifling the deployment of RFID, it has acted to delay uptake in the retail industry.3 This paper explores whether an appropriate harmonization between consumer privacy, value, and perceived control can be established for the use of RFID in retail.

There are three vital considerations in achieving this aim: (1) how consumer awareness influences perceptions, and consequently the development of such a harmony; (2) the balance evident in other, similar, auto-ID technologies and services that have already been adopted successfully; and (3) how an appropriate harmonization between value, privacy, and control can be achieved. In fulfilling the aims of the study, the consumer value proposition for the use of RFID in retail will be explored. Consumer perceptions of RFID and associated privacy issues will also be investigated. Finally, the extent to which education and awareness affect perceptions of value, privacy, and control will be measured.

RFID is best characterized as an auto-ID technology that uses radio waves to identify objects. In the context of this study, the specific RFID technology of interest is passive tags, which are tiny transponders that can be embedded or attached to an object requiring identification. These transponders, as small as a grain of rice, do not have a power source of their own; rather, they use the energy from an incoming radio frequency signal to transmit stored data to the reader. The most important characteristic of RFID technology in relation to the tagging of consumer goods is that it does not require line-ofsight positioning, which is a requirement of bar code systems. For EPC Gen 2 UHF (electronic product code generation 2 ultra high frequency) passive tags, the read range is 3.5 meters and the write range is 2 meters, depending on the RFID system setup and the environmental conditions. It is also possible to achieve reads of up to 8 meters away using these tags. The ability for RFID tags to be read covertly is the main concern among privacy advocates.

The rest of this paper is organized as follows. In the next section, definitions of privacy, value, and control are provided in addition to a survey of related RFID works. Then, the methodology used in the current study is briefly described. In the following section, four widely adopted auto-ID applications are presented using a literature survey to explore the actual privacy, value, and control dynamics that have led to consumer acceptance of these auto-ID technologies. In the next section, the results of an online survey investigating consumer perceptions of RFID in retail are presented and a comparison is made between the qualitative and quantitative findings. In the following section, the principal outcomes of the study are discussed. A brief summary of the material presented concludes the paper.

Previous Works

The classic definition of privacy is provided by Westin, as the ‘‘claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.’’4 This study is primarily focused on information privacy, which is described by Clarke as ‘‘the interest an individual has in controlling, or at least significantly influencing, the handling of data about themselves.’’5 Of primary concern in regard to RFID usage in retail is the collection of personal information that pertains to consumer shopping preferences, actions, and behavior. It is the collection, use, and disclosure of this information, particularly when it may be incorrect or unverified, to identify, track, and monitor individuals without their awareness or express approval, that is commonly recognized as one of the most prominent threats. It is important to understand that Clarke’s definition, along with other definitions of privacy from Altman,6 Schoeman,7 and Margulis,8 all emphasize that privacy is not separate from control; rather, it is ‘‘deeply intertwined with it.’’9

Value in this study will be viewed in terms of the benefits RFID technology affords consumers. It is how an individual prizes a certain outcome against all others.10 The value proposition to consumers for RFID usage in retail is generally phrased in terms of convenience. It is an equation of all the positive factors that interest the individual. It can include cost savings, time reductions, efficiency, personalization, safety, and security, as well as convenience and other tangible and intangible benefits. Therefore, in creating a harmony of privacy, value, and control, it is a harmonization between consumer willingness to lose some degree of privacy versus the strength of the retailer’s value proposition for using the technology.11 The value proposition can essentially be seen as a combination of benefits versus risks that consumers will evaluate in their decisions and perceptions.

Inness12 is clear that in characterizing the function of privacy in terms of control or restricted access there are ramifications for the normative value we accord privacy. For the purpose of this study, control becomes a relevant dimension of RFID acceptance, because it is only through a perceived level of control over their personal information that consumers will feel their privacy is being respected.13 The level of control that is provided either through the technology or by the service provider, whether that be perceived or real, is seen as an important element that, when combined with the value proposition, can affect consumer acceptance.

The consumer acceptance of RFID has been investigated in a number of studies. Some have proposed solutions that protect and enhance privacy and afford consumers a level of control.14–16 These solutions are typically technology-based, legislative, or regulatory in nature. Despite the different privacy solutions, a number of studies critically highlight that consumer perceptions and fear of RFID technology, brought about by a lack of understanding, remain.17,18 Thus, regardless of which privacyenhancing technologies are used, the concerns from the consumer’s perspective are the same.9,19 It is apparent from such studies that the real issue becomes one of fear or other underlying motives, that, when combined with perceptions of privacy and control, motivate a consumer’s acceptance of RFID technology. One quantitative study found that consumers felt a lack of perceived control over the technology as well as a great power distance,20 and another study found that cultural dimensions affected the way in which consumers viewed the privacy threat.21

The privacy debate has developed due to the identification and tracking capabilities inherent in the RFID technology. The argument is that if the tags were to remain active after the consumer has left the store, the technology could provide retailers and manufacturers the ability to track an individual’s movement and behavior in a clandestine manner.22 This is introduced by Roussos,23 who explains the ability of the technology to silently retrieve and record unique identifiers as an important contributing factor toward consumer uneasiness. Garfinkel et al.15 discuss seven key privacy threats that arise from the capabilities of RFID: (1) action threat; (2) association threat; (3) location threat; (4) preference threat; (5) constellation threat; (6) transaction threat; and (7) breadcrumb threat (i.e., leaving a trail of actions). Such threats have given rise to much concern by privacy advocates. In 2005, Eckfeldt24 explained that many major companies around the world had already scrapped RFID plans following consumer backlash. If it were not for the ‘‘haunting cries of privacy running afoul,’’ many more companies would have tested and launched RFID initiatives.1 This can also be seen clearly in the results of a Cap Gemini Ernst & Young consumer perception study of RFID that highlighted privacy concerns as ‘‘the most significant issue among consumers in all countries.’’25

The value proposition for RFID use in retail is an important topic that underscores consumer acceptance of RFID. What is apparent in surveying the literature is that while the benefits of RFID have been clearly defined and expressed for retailers, they have not been so clearly communicated to consumers. Eckfeldt24 makes an important assertion in discussing the value of RFID to consumers: ‘‘... the difference between successful and shunned RFID applications turns on delivery of clear, tangible value to the average consumer.’’ Furthermore he stresses that in assessing consumer benefit, organizations must consider consumers’ interests above their own; otherwise, they will produce a solution that fails to provide a positive balance between risk and reward in the eyes of the consumer. He further highlights that a tangible consumer benefit is pivotal to all these solutions. McGinity1 stresses the key value to consumers: better prices and product selection brought on by better efficiency at the back end, including reduced waste, reduced shrinkage, and improved supply chain processes. However, because the systems have not been widely implemented, assessing or promoting such benefits would appear to be speculative at best.

Balancing the economic interests of business against the privacy interests of consumers is another cornerstone in the privacy debate. Culnan and Bies11 introduce the centrist perspective, whereby corporate access to information should be balanced against the legitimate rights consumers have toward protection of their privacy. In addressing this balance, the notion of second exchange is introduced, whereby consumers make a non-monetary exchange of their personal information in return for improved service, personalization, and benefits.11 Importantly, they highlight that, for both organizations and consumers to realize the benefits, consumers must be willing to disclose their personal information and thus surrender some degree of their privacy. It is proposed, therefore, that people may be willing to accept a loss of privacy as long as there is an acceptable level of risk accompanying the benefits.

This idea of balancing interests is touched on by many authors. Eckfeldt,24 for example, emphasizes the idea of risk again in stating that successful RFID applications over-compensate for any privacy fears. He furthers the idea of risk in proposing that consumers will accept the risks if the application is worth the benefits. Langheinrich’s26 discussion on privacy claims that privacy practices and goals must be balanced with the convenience or inconvenience associated with them. In balancing the interests of consumers against organizations, the important issue that seems to dominate is the balancing of convenience and other terms of value for the consumer against the privacy incursion that is inevitable in providing such applications. It must be underscored that an underlying assumption made in this study by the authors is that privacy incursions, especially in the form of breaches in information privacy, are inevitable in the adoption of any emerging mass-market technology, and even more so if that technology happens to be wireless or mobile.

Methodology

Figure 1 Conceptual framework for the auto-ID application cases

This study used a combination of qualitative and quantitative approaches; a literature survey of four auto-ID applications, and a quantitative analysis of the data collected from an online survey. The literature survey covers the mobile phone, electronic toll collection (ETC), e-passports, and loyalty programs. The online survey analyzed the consumer value proposition for the use of RFID in retail and privacy threats relative to education and awareness. The conceptual framework for the auto-ID application cases is illustrated in Figure 1.

The conceptual framework covers the main dimensions studied in the literature search and their relationships. Harmonization can be derived from the value offering of the RFID technology, some of which is inherent to the technology itself (e.g., contactless operation), and some offered by the provider of the service using the technology (e.g., fast checkout at a supermarket). The privacy threats that the technology exposes, and the degree of control individuals have over their personal information, are also considered.

Harmonization is also affected by how widely the technology is to be used; that is, whether it is for large, high-priced items only, or for mass-market products. It has been seen that the more people use a technology (i.e., the higher the penetration rate), the less individuals question the privacy risks. The balance is also affected by the environment in which the technology is to be adopted, whether that be mandated (as in the case of e-passports), or voluntary. Finally, harmonization is also affected by societal perceptions; for example, the idea of microchips attached to common objects immediately conjures notions of Big Brother, and thus a negative perception of the technology.

Data collection for the case applications used multiple sources, including documents such as books, media reports (e.g., Factiva27), journal articles, white papers, corporate information, and marketing materials. The documents were sourced from libraries (offline), databases (e.g., IEEE Xplore28), online journals (e.g., the Journal of Theoretical and Applied Electronic Commerce Research), and media organizations (e.g., the British Broadcasting Corporation), as well as corporate, governmental, and institutional Web sites. The data collection was an iterative process, starting with a broad search strategy involving the key topics under investigation, with more targeted searches conducted thereafter.

Data collection for the online survey was administered at www.rfidsurvey.org for a period of 75 days, from July 10, 2007, through September 23, 2007. The online survey was openly accessible to all Internet users. In addition, targeted recruitment was undertaken in the form of electronic and physical mailings. The data collected in the online survey was based on 28 questions structured into four separate sections. The first section asked for general demographic information as well as information about the participants’ awareness and education. The second section queried participant perceptions of the consumer value proposition for the use of RFID in retail, asking participants to rank both awareness and importance against a list of suggested RFID benefits. The third section focused on assessing value and privacy in regard to a number of other technologies such as mobile phones, smart cards, loyalty programs, e-passports, GPS car navigation, and electronic toll collection. Four of these technologies are featured in the case study analyses. The final section of the survey asked questions about perceptions of privacy threats due to the use of RFID. Presented with a list of threats, participants were asked to rank awareness and concern of such threats. During the survey, respondents were given several opportunities to reply by way of open comments.

Qualitative content analysis was used to discover similarities between the four auto-ID application cases under investigation. Toward this end, the cases were structured in the same manner, around the themes of privacy, value, and control. The analysis focused on the significance of the technology given its penetration and usage rates, despite the presence of privacy threats, and the outcome is presented in narrative form. The text-mining tool Leximancer29 was used to analyze the documents collected, including the open comments provided by survey respondents. Leximancer assisted in uncovering the main concepts contained within the text and showed how these were interrelated.

The purpose of the statistical survey analysis was to uncover the perceptions held by participants toward RFID in retail, its potential threats, and its potential value given a number of typical usage scenarios. Perceptions of threat and value were also analyzed with regard to a number of other auto-ID technologies. Inferences were drawn on the population being studied by finding correlations using rating scales to reflect the real-world nature of the research. Given the use of the Likert approach, readers should note that the researchers were not working with quantities that provided precise measurements but working with rating scales (correlations of which provide general indications only). Using JMP* Statistical Discovery Software from SAS Institute, Inc., a common score for RFID value and threat, as well as value-and-threat scores for other auto-ID technologies, was determined by aggregating the rankings given by participants to relevant questions. The participants’ awareness of RFID and its potential use was also found in this way, using linear regression analysis.

The significance probability of the test (represented as a p-value) is a measure of how likely or unlikely it is to experience the observed data if the null hypothesis is true. The p-value is the area under the null distribution curve that is in bigger disagreement with the null hypothesis than the observed test statistic. When the p-value is less than 0.05, the result of the test is said to be statistically significant. When the p-value is less than 0.01, the result of the test is said to be highly statistically significant. The relationships between variables that were particularly significant in the data studied are illustrated using bivariate plots.

Auto-ID Applications

This section will present auto-ID application cases that explore the adoption and acceptance of a number of technologies and services within the context of privacy, value, and control.30

Mobile phone

The value proposition of the mobile phone extends from the convenience offered by its inherent mobility. In a study conducted by Hakkila and Chatfield31 regarding perceptions of mobile phone privacy, it was shown that greater than 82 percent of respondents considered their mobile phone a ‘‘private device.’’ The mobile phone presents a number of unique privacy threats, yet such privacy threats are seldom discussed or thought of by end users.32 Many citizens in the U.S., for example, are completely unaware that government authorities can track their movements by monitoring the signals that are emitted from the handset.33 The mobile phone also presents other privacy concerns in regard to the interception of signals by unauthorized persons.34 Theoretically, users can exercise control over other parties tracking their location by simply turning off their phones. However, in doing so, they prevent access to the features of the phone that provide the value in the first place.

Electronic toll collection

The key value proposition that electronic toll collection (ETC) systems offer is convenience and time saving. Such a system eliminates the burden to have cash available to make toll payments and provides individuals and corporations the convenience of an account that can provide better tracking of toll expenditure with more convenient payment options.35 Caldwell36 highlights two privacy concerns with regard to ETC. The first is the illegitimate use of drivers’ personal information related to payments, movement, and driving habits, which could become accessible if electronic records are compromised through a ‘‘cyber break-in.’’ This has been demonstrated on numerous occasions, such as the incident in which programmers were able to view ETC account details for subscribers in several countries, including one of the largest ETC systems in the United States.37 The second concern is the legitimate use of ETC account information by government authorities or private vendors that can use the information to monitor driving patterns and behavior of thousands of motorists. The concern also applies to other potential uses, such as traffic surveillance being used to detect speeding violations or stolen vehicles.38 Court cases in the U.S. have already demonstrated the potential for toll-tracking information to be used to verify an individual’s whereabouts and movements. The states of Delaware, Illinois, Indiana, Maryland, Massachusetts, New York, and Virginia have all released E-ZPass toll records in response to court orders for civil matters such as divorce. The states of Maine, New Hampshire, New Jersey, and Pennsylvania only release electronic toll records for criminal cases.39

e-passports

The greatest value of the e-passport, as stressed by most issuing authorities, is the enhanced security it is purported to provide through the digital storage of passport information.40 Certainly, given the current level of importance placed on national security, governments have been keen to introduce this technology as a means of providing more stringent monitoring of individuals entering and exiting the country.

The privacy concerns surrounding e-passports are primarily related to the ability to access passport information without contact, a capability afforded by the use of RFID to store the data contents of the passport. Juels, Molnar, and Wagner41 identify six key areas of concern: (1) clandestine scanning; (2) clandestine tracking; (3) skimming and cloning; (4) eavesdropping; (5) biometric data leakage; and (6) cryptographic weaknesses. The main issue of the e-passport is that the International Civil Aviation Authority (ICAO) does not require authentication or encryption for communications between the reader system and the e-passport. In locations where passports are frequently open, this could allow for eavesdropping. Theoretically, the unique identifier (ID) stored on the microchip could identify individuals and be used for tracking. Passports could even be cloned, because the digital signatures cannot tie the data to a particular passport. Once a reader has the key, there is no mechanism for revoking access, thus giving the reader the ability to scan the passport in perpetuity. Globally, it is reported that more than 50 million e-passports have been issued, which suggests that despite privacy concerns, the technology has undoubtedly been deployed successfully.42 Some states have mandated that the contactless microchip be shielded by a metal jacket to prevent the chip from being read when the passport is closed.43 If the shield is not provided, a sheet of aluminum foil will equally prevent unauthorized access of personal data on the e-passport.44

The media have been quick to highlight potential failures with the technology, such as the demonstration by a hacker who successfully cloned a U.S. e-passport and then dumped the contents onto an ordinary contactless smart card.45 A further threat was exposed when programmers demonstrated how an explosive device connected to an RFID reader could be triggered when a U.S. citizen carrying an e-passport came within reach of the reader.45 Given the mandatory nature of passports, there is very little individuals can do to avoid using them when traveling abroad. There is also little an individual can do to control how government authorities access and use the information on the passport when they are entering a foreign country.

Loyalty programs

In the case of loyalty programs, the value proposition is critical for encouraging consumer use and for developing the brand loyalty that the programs aim to achieve. A number of factors that determine such value in a loyalty program are described by Yi and Jeon.46 They include: (1) the cash value of rewards; (2) the choice of rewards; (3) the aspirational value of rewards; (4) the likelihood of achieving the rewards; and (5) how easy the loyalty scheme is to use.

The major privacy threat that extends from the use of loyalty programs is the ability to tie purchases of specific products to individual consumers and monitor their purchasing behavior over time. A study conducted by Graeff and Harmon47 found that in regard to loyalty programs, consumer perceptions were typically positive and most consumers did not associate such schemes with the collection and use of personal information. Loyalty programs are the ultimate demonstration of the trade-off consumers make of their privacy in order to gain something of value: benefits, rewards, convenience, or savings.48

A key element of consumer loyalty programs is their opt-in nature. Consumers are also given control over their personal information by government regulations, which in most countries grant consumers the right to know exactly what information retailers are collecting and how it is being used.

Discussion

It would appear, given the widespread use of the four auto-ID applications, that privacy has not been a barrier to their adoption and consequent acceptance by society. While the privacy concerns still exist and indeed, many individuals remain concerned about their privacy in relation to such technologies and services, on the whole it would seem that consumers have accepted each application because either the value proposition or level of control present balances against the privacy issues (mobile phones, ETC, and loyalty programs), or participation (usage) is mandatory and the appropriate safeguards to privacy are in place (e.g., e-passports).

Using Garfinkel et al.’s paradigm,15 action can be inferred by monitoring the mobile phone location, or monitoring tag usage at tollways, or monitoring passport usage, or inferred by the use of loyalty cards or the redemption of rewards. Association is prevalent in being able to identify an end user through the international mobile equipment identity (IMEI) in a mobile phone, through the tag ID or account number for tollways, through the e-passport ID number, and through the membership number on loyalty schemes. In terms of location, a mobile phone can be found through triangulation or using the Global Positioning System (GPS) chipset in the handset. The location of tags in tollways is also collected at each ETC entry and exit gantry. The location of an e-passport is established each time it is read by authorities or a reader device. For loyalty programs, the location can be established each time the card is used.

In the case of preferences, a mobile service provider has a list of features into which the user has opted. There are no preferences for ETC or e-passports. Loyalty programs allow for detailed consumer preferences to be analyzed by monitoring purchases and behavior. Information transactions are recorded by all the auto-ID applications studied. However, the loyalty card program is the only case investigated where transactions carry a value related to a monetary measure or rewards-based points scale. With respect to privacy, the breadcrumb attribute is the most invasive in terms of privacy threats. In the case of a mobile phone, a trail of actions can be inferred by the handset location or subscriber usage patterns. For ETC, a trail of actions can be generated by logging the location of the vehicle at entry and exit readers with timestamps. For the e-passport, each time it is read, the location is recorded. And for loyalty programs, a trail is automatically created of individual purchases at the point of sale. Different auto-ID applications have varying capacity to record location information, from the mobile phone that can be tracked 24-7, to the RFID in ETC that can be read several times per day on average, to the e-passport that is read at border checkpoints.

In the case of the mobile phone, the ubiquity in value terms would explain the lack of concerns consumers have toward their privacy in regard to its usage. For ETC, individuals have embraced the convenience aspects and it would seem that the ease of use of the technology (simply install the tag and forget about it) has again resulted in a general lack of concern about privacy issues. Loyalty programs are also clearly driven by their value to consumers. Of the four case studies discussed, the e-passport is the only one in which usage is almost completely mandatory for those wishing to travel internationally and also where individuals have very little control over how it is used by authorities. A summary of the key elements of value, privacy, and control for each of these technologies is provided in Table 1. For the greater part, the auto-ID technology in question provides value to the consumer by providing increased convenience. Consumers trade this value with the possibility of mobile telephone intercepts by lawful and unlawful parties, the potential to clone a tag, and the provision of personal biometric details. It is consumers’ perceived level of control of their personal information that can influence the value gained by opting in or out of a service. A key outcome that arises from the case studies presented is the varying relationship between three elements (privacy, value, and control). It is clear that in order to gain acceptance, privacy issues must be offset by value and control.

Table 1. Key elements of value, privacy, and control

In the case of mobile phones, it is evident that a somewhat low level of control is acceptable, given the relatively low vulnerability of individual privacy and the medium level of value the technology provides. With ETC, the vulnerability of user privacy is considered to be in the medium range, yet as users can exercise some degree of control over their privacy by removing the tag or opting to use alternative routes or payment methods, control is also depicted as being in the medium range. This medium range in regard to privacy and control is offset by a high level of value evident in the convenience the technology affords. With regard to e-passports, the government provides very little control. Furthermore, the value offered to the individual is, in real terms, also very low. Finally, with loyalty programs, a high vulnerability of individual privacy that arises from the vast amount of personal information collected is offset by a high level of control offered by providers by allowing consumers to freely opt out of such programs. The privacy risk is also further offset by the high level of value that such schemes must offer to encourage consumers to participate.

In the case of mobile phones, ETC, and loyalty programs, it is apparent that acceptance had to be earned through a favorable balance that was offered to consumers. In the case of e-passports, where the balance is unfavorable, acceptance was not generally required, as the technology was made mandatory by government authorities and the ICAO.

 

Analysis of Online Survey Data

The threats listed in the survey are potential threats of RFID (i.e., perceived threats) that have been drawn out from the literature as the major causes for consumer concern over the use of RFID in retail. Awareness refers to the aggregated score of each survey participant’s responses to a number of questions that dealt with perceptions of RFID and other auto-ID technologies. Specifically, the awareness score was calculated by the sum of responses in which participants ranked, using a Likert49 scale of 1 to 5, their knowledge on a list of 12 RFID related topics.

Sample respondents

Figure 2 Relationship between age and consumer awareness of RFID in retail

There were 142 survey responses in the pilot study. The majority (61.1 percent) of surveys were completed by Australians. The U.S. had the second largest number of responses (27.4 percent), with other responses recorded from countries such as Canada, Germany, Spain, and the United Arab Emirates.

Figure 2 aims to demonstrate the role that age plays in determining the level of awareness toward RFID. In analyzing the relationship between age and awareness, there is a highly significant relationship (p ¼ 0.0008) between a respondent’s age and his or her associated level of awareness. The data shows that awareness decreases with age, which is to be expected given that younger respondents are more likely to have been exposed to the technology, or have a heightened awareness of the possibilities and issues such technology represents.

Figure 3 Relationship between consumer awareness and value proposition for RFID in retail

Figure 3 Relationship between consumer awareness and value proposition for RFID in retail

Figure 3 shows the relationship between awareness and the consumer value proposition for RFID as being statistically significant (p ¼ 0.0337). It is seen that as awareness increases, the participants’ rankings of RFID value decreases. This relationship suggests that those individuals who are highly aware of the technology are less likely to embrace the value of technology, as they are at the same time balancing the value against their perception of the privacy threats of the technology. Individuals who are less aware of the technology are more easily swayed by the value the technology provides.

Surprisingly, it would seem that awareness plays little role in an individual’s ability to perceive the privacy threats that the technology could introduce if it were to be implemented. This suggests perhaps that participants, regardless of their awareness of RFID, are able to appreciate the privacy issues based on their previous life experiences, particularly with other technologies presenting similar issues.

Figure 4 Consumer concern over privacy: RFID in retail versus other auto-ID applications

The results also indicate that there is some statistical significance in the relationship between RFID value and privacy threat. The higher an individual ranks the potential value of RFID, the lower they rank the potential privacy threat. It would suggest that elements of consumer value proposition for RFID, such as convenience, may override any potential privacy threats. Thus, presenting a clear value for RFID could be seen as important in countering any potential losses in privacy.

A key element of the survey was the ranking participants provided on both value and privacy concerns in regard to a number of other related technologies that have enjoyed widespread adoption (Figure 4). There was a highly significant relationship (p ¼ 0.0028) found between the perceived privacy threat of these other technologies and RFID usage in retail. In essence, respondents who were concerned about their privacy in relation to the other technologies were just as likely to be concerned about their privacy if RFID were to be adopted in retail.

Analysis of open comments

Analysis of the comments revealed a great range of attitudes, ranging from individuals who were strongly focused on potential privacy issues, to individuals who saw the technology as something quite positive and thus balanced this against the potential privacy issues. There were also many individuals who proposed safeguards that would need to be in place to make the technology acceptable.

In regard to privacy, there were a number of respondents who voiced their concerns. Comments such as, ‘‘I should have my right to privacy,’’ ‘‘... it invades on our personal freedoms,’’ ‘‘It’s too obtrusive,’’ and ‘‘... this technology is a violation of people’s right to privacy’’ clearly express strong feelings toward the potential of RFID to erode privacy of the individual. Many individuals also stressed that while they could see the value, or see the positives, they were not convinced that potential privacy issues would be managed effectively. This is well represented in the comment, ‘‘the benefits ascribed to RFID technology for the retail trade are commendable, but I have zero confidence that they will be achieved, and, instead, consumers will be subjected to more advertising, intrusion, and loss of privacy than ever.’’

Contrarily, there were a number of respondents who clearly valued the technology despite any potential privacy issues. This is illustrated by the comments, ‘‘... only someone trying to hide something or [run] from something would think this system is not a positive thing,’’ ‘‘... the benefits for consumers ... far outweigh the privacy issues that are envisaged,’’ and ‘‘... the privacy issues would sort themselves out in time.’’

A few respondents critically pointed out that indeed, this study assumed RFID technology would replace the bar code at some point. They also stated that the technologies were more complementary to each other, and that the value of placing RFID tags on every item is not justified by the present cost in doing so.

It would seem that the majority of users approach the technology with the idea that control would best balance the value against the privacy issues. The clear majority of comments expressed that the design of RFID systems should incorporate privacy protection from the outset. A common theme is seen in the comment, ‘‘if proper privacy and security architectures were implemented and enforced, the deployment of RFID systems need not be so problematic ... ’’ And again from another respondent, ‘‘if privacy concerns were taken into account and proper privacy-enhancing technologies were implemented and used, we could have the benefits without the drawbacks ... ’’

Regulation and legislation were also pointed out by a number of respondents as important means of providing individuals with control over their privacy. Some consumers noted they would be happy with using the technology provided that ‘‘the technology was adequately regulated... .’’

On the whole, it is apparent that most users are more concerned about the misuse of their information than the actual collection of it. While privacy could be protected by a range of controls, the potential for the technology (as with any technology) to be misused and abused by ‘‘the low integrity sector of society’’ represents the greatest fear.

Figure 5 Overall respondent feelings toward RFID in retail

Figure 5 Overall respondent feelings toward RFID in retail

Together with the open comments, survey participants were also asked to provide a general ranking of RFID technology as it would be used in retail. Surprisingly, given the comments made and also the fact that the mean ranking in regard to privacy threats and RFID was 77 percent, the majority of individuals were neutral to very positive toward the technology (Figure 5). It would seem that most individuals can appreciate the technology, and although the privacy issues exist, they feel that the issues can be overcome, offset, or controlled in some manner.

A number of important outcomes are evident from the statistical analysis presented in this paper. These are summarized below:

  • As awareness of RFID and its associated issues increases, the relative importance of a consumer value proposition for RFID decreases.
  • Awareness of RFID and associated issues does not affect the perception of threat due to RFID.
  • The perceived privacy threat, and value, of RFID in retail is relative to an individual’s feelings toward other technologies and services with issues similar to RFID.

The most important observation in analyzing the results from the survey is the seemingly contradictory responses provided by the respondents. It was not uncommon to find participants who identified RFID as privacy-threatening, yet also stated that they were members of a loyalty program, or that they were mobile phone users.

Survey Results

In comparing the statistical results for the auto-ID application cases, it is evident that concern surrounding the privacy threat due to RFID in retail is considerably greater than the concern participants express for other applications. Where users have little to no concern regarding privacy and technologies, as is the case with the mobile phone and ETC applications and services such as loyalty programs, concern about RFID privacy threats is higher than should be expected. The key outcome that this exposes is the lack of harmonization in the current privacy, value, and control offering that RFID in retail presents.

In the application cases discussed, it was emphasized that appropriate harmonization between value and control could offset privacy issues. This is reflected in the relatively low level of concern participants in this survey placed on such technologies and services. Thus, the high rankings of privacy threats due to RFID in retail demonstrate that more education would be required to convince consumers of the value offered and the control they could exert over RFID usage. It is, however, important to understand that these rankings were given for auto-ID applications that are already widely adopted, whereby individuals have had time to understand and experience them in the context of their own lives. The privacy threat rankings individuals gave RFID, in many cases, show the lack of awareness of RFID. If consumers were actually to experience RFID usage in retail and place it in context with their own activities, it could be seen that rankings of the privacy threats may be significantly different, and perhaps more in line with the other auto-ID applications highlighted.

Therefore, it could be concluded, based on all the key results presented in this paper, that creating a favorable harmony of privacy, value, and control is perhaps an unrealistic notion when the technology has yet to be deployed. When there is such a divergent level of awareness among the greater population, striking a balance that is acceptable to all is an improbable task. It is therefore suggested that acceptance of RFID in retail may ultimately come over time, after adoption, as users become intimately experienced with its usage, or observe other user experiences. Consequently, privacy, value, and control are adjustable measures based on the feedback and behaviors of society in a given context and specific point in time. In that sense, harmonization will eventually occur with RFID in retail, just as it was shown with the auto-ID application cases presented.

The principal outcomes of this study can be summarized as follows:

  • The value proposition for RFID has not been well communicated to consumers.
  • Concerns surrounding RFID in retail were disproportionately higher than other previously adopted auto-ID applications despite similar privacy issues.
  • A harmonization between privacy, value, and control is unrealistic prior to adoption and can only be achieved once consumers can be educated through experience with the technology.

The preliminary findings of this study suggest that the harmonization between privacy, value, and control is largely dependent on individuals and their background (e.g., age), the type of technology being deployed (i.e., level of perceived invasiveness), and the type of provider (i.e., government or commercial entity). The results indicate that the perceived value and privacy threats posed by RFID in retail are commensurate with an individual’s pre-existing feelings toward other, similar, technologies. As was shown, privacy-related issues per se have not been a barrier to widespread adoption of auto-ID applications. On this point, the level of consumer awareness of RFID in retail does not seem to affect perceptions of privacy threats. It does, however, affect perceptions of value. Thus, a favorable harmonization whereby privacy is offset by value and control has been shown to encourage consumer acceptance.

The auto-ID application cases highlighted the importance of a harmonization between privacy, value, and control in influencing consumer acceptance and adoption. The online survey demonstrated the effect awareness has on perceptions and the disproportionately high rankings given for RFID privacy concerns.

The most significant outcome drawn from the combined analysis of the cases and the online survey is that achieving a harmony of privacy, value, and control for RFID adoption in retail is unrealistic at this point in time. With such differing levels of awareness and education, differing expectations, and differing perceptions, achieving a harmony that is favorable to all consumers now would be an improbable task. It is also evident in reviewing the literature that there have already been significant attempts to address privacy issues and provide individuals with a degree of control, yet the privacy concern still remains. This furthers the notion that it is unlikely that privacy concerns can be resolved prior to the technology’s adoption and use by consumers.

Figure 6 Harmonizing value, privacy, and control through the adoption process

RFID in retail can certainly achieve a favorable harmonization, one that offsets privacy risks with significant value and consumer control. It is more realistic, however, for this harmony to be achieved after adoption, when consumers can be educated through their experiences, and whereby society will consequently shape the balance as the impact of the technology becomes more evident. Figure 6 illustrates that to achieve harmonization there must first be a strong value proposition driving adoption in the first place.

Conclusion

In a society where it seems we are increasingly surrounded by technologies, governments, and institutions monitoring every move we make and collecting vast amounts of personal information, privacy has grown to become an ardently debated topic. Each individual living within a civil society has a right to privacy, yet in the wake of technologies that afford us great value, there will always be some loss of privacy. This study has not sought to dismiss privacy concerns, or argue to protect privacy, but rather to address it in the realistic context it plays in an environment of technological innovation driven by society itself. Ultimately, acceptance of a technology with privacy issues will always be a balancing act, a harmonization of privacy, value, and control.

Cited References and Notes

1. M. McGinity, ‘‘RFID: Is This Game of Tag Fair Play?’’ Communications of the ACM 47, 15–18 (2004).

2. J. Whitaker, S. Mithas, and M. S. Krishnan, ‘‘A Field Study of RFID Deployment and Return Expectations,’’ Production and Operations Management 16, No. 5, 599–612 (2007).

3. K. Michael and L. McCathie, ‘‘The Pros and Cons of RFID in Supply Chain Management,’’ Proceedings of the 2005 International Conference on Mobile Business (ICMB 2005), July 11–13, 2005, Sydney, IEEE Computer Society (2005) pp. 623–629.

4. A. F. Westin, Privacy and Freedom, The Bodley Head Ltd. (1970).

5. R. Clarke, ‘‘Information Technology and Dataveillance,’’ Communications of the ACM 31, No. 5, 498–512 (1998).

6. I. Altman, The Environment and Social Behavior: Privacy, Personal Space, Territory, Crowding, Brooks/Cole Publishing, Monterey, CA (1975).

7. F. D. Schoeman, Philosophical Dimensions of Privacy: An Anthology, Cambridge University Press, Cambridge, UK (1984).

8. S. T. Margulis, Contemporary Perspectives on Privacy: Social, Psychological, Political, Blackwell Publishing, London (2003).

9. S. Spiekermann, ‘‘Perceived Control: Scales for Privacy in Ubiquitous Computing Environments,’’ Proceedings of the 10th International Conference on User Modeling, Edinburgh, Scotland (2005).

10. B. D. Renegar and K. Michael, ‘‘The RFID Value Proposition,’’ Proceedings of the Sixth CollECTeR Iberoamerica: Collaborative Electronic Communications and eCommerce Technology Research, June 25–27, 2008, Madrid (2008) pp. 1–10.

11. M. J. Culnan and R. J. Bies, ‘‘Consumer Privacy: Balancing Economic and Justice Considerations,’’ Journal of Social Issues 59, No. 2, 323–342 (2003).

12. J. C. Inness, Privacy, Intimacy and Isolation, Oxford University Press, New York (1996).

13. J. R. Averill, ‘‘Personal Control over Aversive Stimuli and its Relationship to Stress,’’ Psychological Bulletin 80, No. 4, 286–303 (1973).

14. R. Bansal, ‘‘Now You See It and Now You Don’t [RFID Technology],’’ IEEE Microwave Magazine 5, No. 4, 32–34 (2004).

15. S. L. Garfinkel, A. Juels, and R. Pappu, ‘‘RFID Privacy: An Overview of Problems and Proposed Solutions,’’ IEEE Security & Privacy 3, No. 3, 34–43 (2005).

16. L. Hyangjin and K. Jeeyeon, ‘‘Privacy Threats and Issues in Mobile RFID,’’ Proceedings of the First International Conference on Availability, Reliability and Security (ARES 2006), April 20–22 2006, Vienna, IEEE Computer Society (2006), pp. 510–514.

17. G. Roussos and T. Moussouri, ‘‘Consumer Perceptions of Privacy, Security and Trust in Ubiquitous Commerce,’’ Personal and Ubiquitous Computing 8, No. 6, 416–429 (2004).

18. O. Gunther and S. Spiekermann, ‘‘RFID and the Perception of Control: The Consumer’s View,’’ Communications of the ACM 48, No. 9, 73–76 (2005).

19. S. Spiekermann, User Control in Ubiquitous Computing: Design Alternatives and User Acceptance, Shaker Verlag, Aachen, Germany (2008).

20. G. Ng-Kruelle, P. A. Swatman, D. S. Rebne, and J. F. Hampe, ‘‘The Price of Convenience: Privacy and Mobile Commerce,’’ Quarterly Journal of Electronic Commerce 3, No. 3, 273–385 (2002).

21. G. Ng-Kruelle, P. A. Swatman, J. F. Hampe, and D. S. Rebne, ‘‘Biometrics and e-Identity (e-passport) in the European Union: End-user Perspectives on the Adoption of a Controversial Innovation,’’ Journal of Theoretical and Applied Electronic Commerce Research 1, No. 2, 12–35 (2006).

22. B. J. Alfonsi, ‘‘Privacy Debate Centers on Radio Frequency Identification,’’ IEEE Security & Privacy 2, No. 2, 12 (2004).

23. G. Roussos, ‘‘Enabling RFID in Retail,’’ Computer 39, No. 3, 25–30 (2006).

24. B. Eckfeldt, ‘‘What Does RFID Do for the Consumer?’’ Communications of the ACM 48, No. 9, 77–79 (2005).

25. C. Perakslis and R. Wolk, ‘‘Social Acceptance of RFID as a Biometric Security Method,’’ IEEE Technology and Society Magazine 25, No. 3, 34–42 (2006).

26. M. Langheinrich, ‘‘Privacy by Design: Principles of Privacy-Aware Ubiquitous Systems,’’ Proceedings of the 3rd International Conference on Ubiquitous Computing, (Ubicomp 2001), Atlanta, September 30–October 2, 2001, Lecture Notes in Computer Science 2201, Springer (2001), pp. 273–291.

27. Factiva, Dow Jones & Co., http://www.factiva.com/.

28. IEEE Xplore, IEEE, http://ieeexplore.ieee.org/Xplore/ guesthome.jsp.

29. Leximancer (2008), http://www.leximancer.com/.

30. B. D. Renegar, K. Michael, and M. G. Michael, ‘‘Privacy, Value and Control Issues in Four Mobile Business Applications,’’ Proceedings of the Seventh International Conference on Mobile Business, July 7–8, 2008, Barcelona (2008), pp. 30–40.

31. J. Hakkila and C. Chatfield, ‘‘ ‘It’s Like If You Opened Someone Else’s Letter’: User Perceived Privacy and Social Practices with SMS Communication,’’ Proceedings of the 7th International Conference on Human Computer Interaction with Mobile Devices & Services, September 19–22, 2005, Salzburg, Austria, ACM, New York (2005), pp. 219–222.

32. N. Swartz, ‘‘Mobile Phone Tracking Scrutinized,’’ Information Management Journal 40, No. 16 (2006), http:// www.entrepreneur.com/tradejournals/article/ 184698661.html.

33. W. A. Herbert, ‘‘No Direction Home: Will the Law Keep Pace with Human Tracking Technology to Protect Individual Privacy and Stop Geoslavery?’’ I/S: a Journal of Law and Policy for the Information Society 2, No. 2, 409–473 (2007).

34. R. Whitaker, The End of Privacy: How Total Surveillance Is Becoming a Reality, The New Press, New York (1999).

35. P. Hills and P. Blythe, ‘‘Paying Your Way [Road Tolls],’’ The IEE Review 35, No. 10, 377–381 (1989).

36. C. Caldwell, ‘‘A Pass on Privacy?’’ The New York Times, July 17, 2005, http://www.nytimes.com/2005/07/17/ magazine/17WWLN.html?ex¼1279339200&en¼ c1f10d3de06adea6&ei¼5088.

37. A. McCluskey, ‘‘Position Paper: Business Ethics,’’ BT Financial Group 3, 1–5 (2004).

38. IBI Group, ‘‘Background Paper #8: Toll Technology Considerations, Opportunities, and Risks,’’ Washington State Comprehensive Tolling Study: Final Report 2, 1–33 (2006).

39. V. D. Hunt, A. Puglia, and M. Puglia, ‘‘RFID Technology in Homeland Security, Law Enforcement, and Corrections,’’ in V. D. Hunt, RFID: A Guide to Radio Frequency Identification, Technology Research Corp., New York (2007), pp. 67–82.

40. M. Meingast, J. King, and D. K. Mulligan, ‘‘Embedded RFID and Everyday Things: A Case Study of the Security and Privacy Risks of the U.S. e-Passport,’’ IEEE International Conference on RFID, March 26–28, Grapevine, Texas (2007), pp. 7–14.

41. A. Juels, D. Molnar, and D. Wagner, ‘‘Security and Privacy Issues in e-Passports,’’ First International Conference on Security and Privacy for Emerging Areas in Communication Networks, Athens, Greece (2005), pp. 74–88.

42. C. Edwards, ‘‘Borderlands of Confusion [Biometric Passports],’’ The IEE Review 51, No. 11, 34–37 (2005).

43. ‘‘Machine Readable Travel Documents (MRTDs): History, Interoperability, and Implementation,’’ working paper, International Civil Aviation Organization, Montreal (March 23, 2007), http://www.icao.int/icao/en/atb/ sgm/mrtd/TAG_MRTD17/TagMrtd17_WP016.pdf.

44. M. Sirotich, ‘‘ePassport Security Under the Microscope,’’ The Second Workshop on the Social Implications of National Security: From Dataveillance to Uberveillance and the Realpolitik of the Transparent Society 2, K. Michael and M. G. Michael, Eds., University of Wollongong, Wollongong, Australia (2007), pp. 257–280.

45. K. Zetter, ‘‘Hackers Clone E-Passports,’’ Wired News, August 3, 2006, http://www.wired.com/science/ discoveries/news/2006/08/71521?currentPage¼1.

46. Y. Yi and H. Jeon, ‘‘Effects of Loyalty Programs on Value Perception, Program Loyalty, and Brand Loyalty,’’ Journal of the Academy of Marketing Science 31, No. 3, 229–240 (2003).

47. T. R. Graeff and S. Harmon, ‘‘Collecting and Using Personal Data: Consumers’ Awareness and Concerns,’’ Journal of Consumer Marketing 19, No. 4/5, 302–318 (2002).

48. D. H. Nguyen, A. Kobsa, and G. R. Hayes, ‘‘An Empirical Investigation of Concerns of Everyday Tracking and Recording Technologies,’’ Proceedings of the 10th International Conference on Ubiquitous Computing 344, Seoul, Korea, ACM, New York (2008), pp. 182–191.

49. Attitude measurement used in surveys in which, in response to questions, respondents select from a set of typically five values, such as from complete agreement to complete disagreement, with no opinion in the middle.

Benjamin D. Renegar IBM Global Business Services, IBM Centre, 601 Pacific Highway, St. Leonards, NSW, Australia 2065 (brenegar@au1.ibm.com). Ben Renegar is a recent graduate from the University of Wollongong, having completed a Bachelor of Information and Communication Technology degree at the end of 2007 with the award of first-class honors. For this degree program, he completed a thesis on RFID adoption in the retail industry with a focus on the harmonization of value, privacy, and control. He was also awarded the PriceWaterhouseCoopers award for the highest grade in this program. He was employed by IBM as a Graduate Consultant in the Application Innovation Service Delivery organization in 2008.

Katina Michael University of Wollongong, NSW, Australia 2500 (katina@uow.edu.au). Dr. Michael is a Senior Lecturer in the School of Information Systems and Technology in the Faculty of Informatics at the University of Wollongong. She received a Bachelor of Information Technology degree from the University of Technology, Sydney (UTS) in 1996 and a Ph.D. degree in information technology and communications from the University of Wollongong in 2003. Before joining the University of Wollongong in 2002 to teach and conduct research in e-Business, she worked as a senior network and business planner at Nortel Networks. In 2000, Katina received the Nortel top talent award for work completed on 3G mobile networks in Asia. She is a senior member of the IEEE and a Board Member of the Australian Privacy Foundation.