Location and Tracking of Mobile Devices

Location and Tracking of Mobile Devices: Überveillance Stalks the Streets

Review Version of 7 October 2012

Published in Computer Law & Security Review 29, 3 (June 2013) 216-228

Katina Michael and Roger Clarke **

© Katina Michael and Xamax Consultancy Pty Ltd, 2012

Available under an AEShareNet  licence or a Creative Commons  licence.

This document is at http://www.rogerclarke.com/DV/LTMD.html

Abstract

During the last decade, location-tracking and monitoring applications have proliferated, in mobile cellular and wireless data networks, and through self-reporting by applications running in smartphones that are equipped with onboard global positioning system (GPS) chipsets. It is now possible to locate a smartphone-user's location not merely to a cell, but to a small area within it. Innovators have been quick to capitalise on these location-based technologies for commercial purposes, and have gained access to a great deal of sensitive personal data in the process. In addition, law enforcement utilise these technologies, can do so inexpensively and hence can track many more people. Moreover, these agencies seek the power to conduct tracking covertly, and without a judicial warrant. This article investigates the dimensions of the problem of people-tracking through the devices that they carry. Location surveillance has very serious negative implications for individuals, yet there are very limited safeguards. It is incumbent on legislatures to address these problems, through both domestic laws and multilateral processes.

Contents

1. Introduction

Personal electronic devices travel with people, are worn by them, and are, or soon will be, inside them. Those devices are increasingly capable of being located, and, by recording the succession of locations, tracked. This creates a variety of opportunities for the people concerned. It also gives rise to a wide range of opportunities for organisations, at least some of which are detrimental to the person's interests.

Commonly, the focus of discussion of this topic falls on mobile phones and tablets. It is intrinsic to the network technologies on which those devices depend that the network operator has at least some knowledge of the location of each handset. In addition, many such devices have onboard global positioning system (GPS) chipsets, and self-report their coordinates to service-providers. The scope of this paper encompasses those already-well-known forms of location and tracking, but it extends beyond them.

The paper begins by outlining the various technologies that enable location and tracking, and identifies those technologies' key attributes. The many forms of surveillance are then reviewed, in order to establish a framework within which applications of location and tracking can be characterised. Applications are described, and their implications summarised. Controls are considered, whereby potential harm to the interests of individuals can be prevented or mitigated.

2. Relevant Technologies

The technologies considered here involve a device that has the following characteristics:

  • it is conveniently portable by a human, and
  • it emits signals that:
    • enable some other device to compute the location of the device (and hence of the person), and
    • are sufficiently distinctive that the device is reliably identifiable at least among those in the vicinity, and hence the device's (and hence the person's) successive locations can be detected, and combined into a trail

The primary form-factors for mobile devices are currently clam-shape (portable PCs), thin rectangles suitable for the hand (mobile phones), and flat forms (tablets). Many other form-factors are also relevant, however. Anklets imposed on dangerous prisoners, and even as conditions of bail, carry RFID tags. Chips are carried in cards of various sizes, particularly the size of credit-cards, and used for tickets for public transport and entertainment venues, aircraft boarding-passes, toll-road payments and in some countries to carry electronic cash. Chips may conduct transactions with other devices by contact-based means, or contactless, using radio-frequency identification (RFID) or its shorter-range version near-field communication (NFC) technologies. These capabilities are in credit and debit cards in many countries. Transactions may occur with the cardholder's knowledge, with their express consent, and with an authentication step to achieve confidence that the person using the card is authorised to do so. In a variety of circumstances, however, some and even all of those safeguards are dispensed with. The electronic versions of passports that are commonly now being issued carry such a chip, and have an autonomous communications capability. The widespread issue of cards with capabilities uncontrolled by, and in many cases unknown to, the cardholder, is causing consternation among segments of the population that have become aware of the schemes.

Such chips can be readily carried in other forms, including jewellery such as finger-rings, and belt-buckles. Endo-prostheses such as replacement hips and knees and heart pacemakers can readily carry chips. A few people have voluntarily embedded chips directly into their bodies for such purposes as automated entry to premises (Michael & Michael 2009).

In order to locate and track such devices, any sufficiently distinctive signals may in principle suffice. See Raper et al. (2007a) and Mautz (2011). In practice, the signals involved are commonly those transmitted by a device in order to take advantage of wireless telecommunications networks. The scope of the relevant technologies therefore also encompasses the signals, devices that detect the signals, and the networks over which the data that the signals contain are transmitted.

In wireless networks, it is generally the case that the base station or router needs to be aware of the identities of devices that are currently within the cell. A key reason for this is to conserve limited transmission capacity by sending messages only when the targeted device is known to be in the cell. This applies to all of:

  • cellular mobile originally designed for voice telephony and extended to data (in particular those using the '3G' standards GSM/GPRS, CDMA2000 and UMTS/HSPA and the '4G' standard LTE)
  • wireless local area networks (WLANs, commonly Wifi / IEEE 802.11x - RE 2010a)
  • wireless wide area networks (WWANs, commonly WiMAX / IEEE 802.16x - RE 2010b).

Devices in such networks are uniquely identified by various means (Clarke & Wigan 2011). In cellular networks, there is generally a clear distinction between the entity (the handset) and the identity it is adopting at any given time (which is determined by the module inserted in it). Depending on the particular standards used, what is commonly referred to as 'the SIM-card' is an R-UIM, a CSIM or a USIM. These modules store an International Mobile Subscriber Identity (IMSI), which constitutes the handset's identifier. Among other things, this enables network operators to determine whether or not to provide service, and what tariff to apply to the traffic. However, cellular network protocols may also involve transmission of a code that distinguishes the handset itself, within which the module is currently inserted. A useful generic term for this is the device 'entifier' (Clarke 2009b). Under the various standards, it may be referred to as an International Mobile Equipment Identity (IMEI), ESN, or MEID.

In Wifi and WiMAX networks, the device entifier may be a processor-id or more commonly a network interface card identifier (NIC Id). In various circumstances, other device-identifiers may be used, such as a phone-number, or an IP-address may be used as a proxy. In addition, the human using the device may be directly identified, e.g. by means of a user-accountname.

A WWAN cell may cover a large area, indicatively of a 50km radius. Telephony cells may have a radius as large as 2-3 km or as little as a hundred metres. WLANs using Wifi technologies have a cell-size of less than 1 hectare, indicatively 50-100 metres radius, but in practice often constrained by environmental factors to only 10-30 metres.

The base-station or router knows the identities of devices that are within its cell, because this is a technically necessary feature of the cell's operation. Mobile devices auto-report their presence 10 times per second. Meanwhile, the locations of base-stations for cellular services are known with considerable accuracy by the telecommunications providers. And, in the case of most private Wifi services, the location of the router is mapped to c. 30-100 metre accuracy by services such as Skyhook and Google Locations, which perform what have been dubbed 'war drives' in order to maintain their databases - in Google's case in probable violation of the telecommunications interception and/or privacy laws of at least a dozen countries (EPIC 2012).

Knowing that a device is within a particular mobile phone, WiMAX or Wifi cell provides only a rough indication of location. In order to generate a more precise estimate, within a cell, several techniques are used (McGuire et al. 2005). These include the following (adapted from Clarke & Wigan 2011. See also Figueiras & Frattasi 2010):

  • directional analysis. A single base-station may comprise multiple receivers at known locations and pointed in known directions, enabling the handset's location within the cell to be reduced to a sector within the cell, and possibly a narrow one, although without information about the distance along the sector;
  • triangulation. This involves multiple base-stations serving a single cell, at known locations some distance apart, and each with directional analysis capabilities. Particularly with three or more stations, this enables an inference that the device's location is within a small area at the intersection of the multiple directional plots;
  • signal analysis. This involves analysis of the characteristics of the signals exchanged between the handset and base-station, in order to infer the distance between them. Relevant signal characteristics include the apparent response-delay (Time Difference of Arrival - TDOA, also referred to as multilateration), and strength (Received Signal Strength Indicator - RSSI), perhaps supplemented by direction (Angle Of Arrival - AOA).

The precision and reliability of these techniques varies greatly, depending on the circumstances prevailing at the time. The variability and unpredictability result in many mutually inconsistent statements by suppliers, in the general media, and even in the technical literature.

Techniques for cellular networks generally provide reasonably reliable estimates of location to within an indicative 50-100m in urban areas and some hundreds of metres elsewhere. Worse performance has been reported in some field-tests, however. For example, Dahunsi & Dwolatzky (2012) found the accuracy of GSM location in Johannesberg to be in the range 200-1400m, and highly variable, with "a huge difference between the predicted and provided accuracies by mobile location providers".

The web-site of the Skyhook Wifi-router positioning service claims 10-metre accuracy, 1-second time-to-first-fix and 99.8% reliability (SHW 2012). On the other hand, tests have resulted in far lower accuracy measures, including an average positional error of 63m in Sydney (Gallagher et al. 2009) and "median values for positional accuracy in [Las Vegas, Miami and San Diego, which] ranged from 43 to 92 metres ... [and] the replicability ... was relatively poor" (Zandbergen 2012, p. 35). Nonetheless, a recent research article suggested the feasibility of "uncooperatively and covertly detecting people 'through the wall' [by means of their WiFi transmissions]" (Chetty et al. 2012).

Another way in which a device's location may become known to other devices is through self-reporting of the device's position, most commonly by means of an inbuilt Global Positioning System (GPS) chip-set. This provides coordinates and altitude based on broadcast signals received from a network of satellites. In any particular instance, the user of the device may or may not be aware that location is being disclosed.

Despite widespread enthusiasm and a moderate level of use, GPS is subject to a number of important limitations. The signals are subject to interference from atmospheric conditions, buildings and trees, and the time to achieve a fix on enough satellites and deliver a location measure may be long. This results in variability in its practical usefulness in different circumstances, and in its accuracy and reliability. Civil-use GPS coordinates are claimed to provide accuracy within a theoretical 7.8m at a 95% confidence level (USGov 2012), but various reports suggest 15m, or 20m, or 30m, but sometimes 100m. It may be affected by radio interference and jamming. The original and still-dominant GPS service operated by the US Government was subject to intentional degradation in the US's national interests. This 'Selective Availability' feature still exists, although subject to a decade-long policy not to use it; and future generations of GPS satellites may no longer support it.

Hybrid schemes exist that use two or more sources in order to generate more accurate location-estimates, or to generate estimates more quickly. In particular, Assisted GPS (A-GPS) utilises data from terrestrial servers accessed over cellular networks in order to more efficiently process satellite-derived data (e.g. RE 2012).

Further categories of location and tracking technologies emerge from time to time. A current example uses means described by the present authors as 'mobile device signatures' (MDS). A device may monitor the signals emanating from a user's mobile device, without being part of the network that the user's device is communicating with. The eavesdropping device may detect particular signal characteristics that distinguish the user's mobile device from others in the vicinity. In addition, it may apply any of the various techniques mentioned above, in order to locate the device. If the signal characteristics are persistent, the eavesdropping device can track the user's mobile device, and hence the person carrying it. No formal literature on MDS has yet been located. The supplier's brief description is at PI (2010b).

The various technologies described in this section are capable of being applied to many purposes. The focus in this paper is on their application to surveillance.

3. Surveillance

The term surveillance refers to the systematic investigation or monitoring of the actions or communications of one or more persons (Clarke 2009c). Until recent times, surveillance was visual, and depended on physical proximity of an observer to the observed. The volume of surveillance conducted was kept in check by the costs involved. Surveillance aids and enhancements emerged, such as binoculars and, later, directional microphones. During the 19th century, the post was intercepted, and telephones were tapped. During the 20th century, cameras enabled transmission of image, video and sound to remote locations, and recording for future use (e.g. Parenti 2003).

With the surge in stored personal data that accompanied the application of computing to administration in the 1970s and 1980s, dataveillance emerged (Clarke 1988). Monitoring people through their digital personae rather than through physical observation of their behaviour is much more economical, and hence many more people can be subjected to it (Clarke 1994). The dataveillance epidemic made it more important than ever to clearly distinguish between personal surveillance - of an identified person who has previously come to attention - and mass surveillance - of many people, not necessarily previously identified, about some or all of whom suspicion could be generated.

Location data is of a very particular nature, and hence it has become necessary to distinguish location surveillance as a sub-set of the general category of dataveillance. There are several categories of location surveillance with different characteristics (Clarke & Wigan 2011):

  • capture of an individual's location at a point in time. Depending on the context, this may support inferences being drawn about an individual's behaviour, purpose, intention and associates
  • real-time monitoring of a succession of locations and hence of the person's direction of movement. This is far richer data, and supports much more confident inferences being drawn about an individual's behaviour, purpose, intention and associates
  • predictive tracking, by extrapolation from the person's direction of movement, enabling inferences to be drawn about near-future behaviour, purpose, intention and associates
  • retrospective tracking, on the basis of the data trail of the person's movements, enabling reconstruction of a person's behaviour, purpose, intention and associates at previous times

Information arising at different times, and from different forms of surveillance, can be combined, in order to offer a more complete picture of a person's activities, and enable yet more inferences to be drawn, and suspicions generated. This is the primary sense in which the term 'überveillance' is applied: "Überveillance has to do with the fundamental who (ID), where (location), and when (time) questions in an attempt to derive why (motivation), what (result), and even how (method/plan/thought). Überveillance can be a predictive mechanism for a person's expected behaviour, traits, likes, or dislikes; or it can be based on historical fact; or it can be something in between ... Überveillance is more than closed circuit television feeds, or cross-agency databases linked to national identity cards, or biometrics and ePassports used for international travel. Überveillance is the sum total of all these types of surveillance and the deliberate integration of an individual's personal data for the continuous tracking and monitoring of identity and location in real time" (Michael & Michael 2010. See also Michael & Michael 2007, Michael et al. 2008, Michael et al. 2010, Clarke 2010).

A comprehensive model of surveillance includes consideration of geographical scope, and of temporal scope. Such a model assists the analyst in answering key questions about surveillance: of what? for whom? by whom? why? how? where? and when? (Clarke 2009c). Distinctions are also needed based on the extent to which the subject has knowledge of surveillance activities. It may be overt or covert. If covert, it may be merely unnotified, or alternatively express measures may be undertaken in order to obfuscate, and achieve secrecy. A further element is the notion of 'sousveillance', whereby the tools of surveillance are applied, by those who are commonly watched, against those who are commonly the watchers (Mann et al. 2003).

These notions are applied in the following sections in order to establish the extent to which location and tracking of mobile devices is changing the game of surveillance, and to demonstrate that location surveillance is intruding more deeply into personal freedoms than previous forms of surveillance.

4. Applications

This section presents a typology of applications of mobile device location, as a means of narrowing down to the kinds of uses that have particularly serious privacy implications. These are commonly referred to as location-based services (LBS). One category of applications provide information services that are for the benefit of the mobile device's user, such as navigation aids, and search and discovery tools for the locations variously of particular, identified organisations, and of organisations that sell particular goods and services. Users of LBS of these kinds can be reasonably assumed to be aware that they are disclosing their location. Depending on the design, the disclosures may also be limited to specific service-providers and specific purposes, and the transmissions may be secured.

Another, very different category of application is use by law enforcement agencies (LEAs). The US E-911 mandate of 1999 was nominally a public safety measure, to enable people needing emergency assistance to be quickly and efficiently located. In practice, the facility also delivered LEAs means for locating and tracking people of interest, through their mobile devices. Personal surveillance may be justified by reasonable grounds for suspicion that the subject is involved in serious crime, and may be specifically authorised by judicial warrant. Many countries have always been very loose in their control over LEAs, however, and many others have drastically weakened their controls since 2001. Hence, in any given jurisdiction and context, each and all of the controls may be lacking.

Yet worse, LEAs use mobile location and tracking for mass surveillance, without any specific grounds for suspicion about any of the many people caught up in what is essentially a dragnet-fishing operation (e.g. Mery 2009). Examples might include monitoring the area adjacent to a meeting-venue watching out for a blacklist of device-identifiers known to have been associated with activists in the past, or collecting device-identifiers for use on future occasions. In addition to netting the kinds of individuals who are of legitimate interest, the 'by-catch' inevitably includes threatened species. There are already extraordinarily wide-ranging (and to a considerable extent uncontrolled) data retention requirements in many countries.

Of further concern is the use of Automated Number Plate Recognition (ANPR) for mass surveillance purposes. This has been out of control in the UK since 2006, and has been proposed or attempted in various other countries as well (Clarke 2009a). Traffic surveillance is expressly used not only for retrospective analysis of the movements of individuals of interest to LEAs, but also as a means of generating suspicions about other people (Lewis 2008).

Beyond LEAs, many government agencies perform social control functions, and may be tempted to conduct location and tracking surveillance. Examples would include benefits-paying organisations tracking the movements of benefits-recipients about whom suspicions have arisen. It is not too far-fetched to anticipate zealous public servants concerned about fraud control imposing location surveillance on all recipients of some particularly valuable benefit, or as a security precaution on every person visiting a sensitive area (e.g. a prison, a power plant, a national park).

Various forms of social control are also exercised by private sector organisations. Some of these organisations, such as placement services for the unemployed, may be performing outsourced public sector functions. Others, such as workers' compensation providers, may be seeking to control personal insurance claimants, and similarly car-hire companies and insurance providers may wish to monitor motor vehicles' distance driven and roads used (Economist 2012).

A further privacy-invasive practice that is already common is the acquisition of location and tracking data by marketing corporations, as a by-product of the provision of location-based services, but with the data then applied to further purposes other than that for which it was intended. Some uses rely on statistical analysis of large holdings ('data mining'). Many uses are, on the other hand, very specific to the individual, and are for such purposes as direct or indirect targeting of advertisements and the sale of goods and services. Some of these applications combine location data with data from other sources, such as consumer profiling agencies, in order to build up such a substantial digital persona that the individual's behaviour is readily influenced. This takes the activity into the realms of überveillance.

All such services raise serious privacy concerns, because the data is intensive and sensitive, and attractive to organisations. Companies may gain rights in relation to the data through market power, or by trickery - such as exploitation of a self-granted right to change the Terms of Service (Clarke 2011). Once captured, the data may be re-purposed by any organisation that gains access to it, because the value is high enough that they may judge the trivial penalties that generally apply to breaches of privacy laws to be well worth the risk.

A recently-emerged, privacy-invasive practice is the application of the mobile device signature (MDS) form of tracking, in such locations as supermarkets. This is claimed by its providers to offer deep observational insights into the behaviour of customers, including dwell-times in front of displays, possibly linked with the purchaser's behaviour. This raises concerns a little different from other categories of location and tracking technologies, and is accordingly considered in greater depth in the following section.

It is noteworthy that an early review identified a wide range of LBS, which the authors classified into mobile guides, transport, gaming, assistive technology and location-based health (Raper et al. 2007b). Yet that work completely failed to notice that a vast array of applications were emergent in surveillance, law enforcement and national security, despite the existence of relevant literature from at least 1999 onwards (Clarke 2001Michael & Masters 2006).

5. Implications

The previous sections have introduced many examples of risks to citizens and consumers arising from location surveillance. This section presents an analysis of the categories and of the degree of seriousness with which they should be viewed. The first topic addressed is the privacy of personal location data. Other dimensions of privacy are then considered, and then the specific case of MDS is examined. The treatment here is complementary to earlier articles that have looked more generally at particular applications such as location-based mobile advertising, e.g. Cleff (2007, 2010) and King & Jessen (2010). See also Art. 29 (2011).

5.1 Locational Privacy

Knowing where someone has been, knowing what they are doing right now, and being able to predict where they might go next is a powerful tool for social control and for chilling behaviour (Abbas 2011). Humans do not move around in a random manner (Song et al. 2010).

One interpretation of 'locational privacy' is that it "is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use" (Blumberg & Eckersley 2009). A more concise definition is "the ability to control the extent to which personal location information is ... [accessible and] used by others" (van Loenen et al. 2009). Hence 'tracking privacy' is the interest an individual has in controlling information about their sequence of locations.

Location surveillance is deeply intrusive into data privacy, because it is very rich, and enables a great many inferences to be drawn (Clarke 2001, Dobson & Fisher 2003, Michael et al. 2006aClarke & Wigan 2011). As demonstrated by Raper et al. (2007a, pp. 32-33), most of the technical literature that considers privacy is merely concerned about it as an impediment to deployment and adoption, and how to overcome the barrier rather than how to solve the problem. Few authors adopt a positive approach to privacy-protective location technologies. The same authors' review of applications (Raper et al. 2007b) includes a single mention of privacy, and that is in relation to just one of the scores of sub-categories of application that they catalogue.

Most service-providers are cavalier in their handling of personal data, and extravagant in their claims. For example, Skyhook claims that it "respects the privacy of all users, customers, employees and partners"; but, significantly, it makes no mention of the privacy of the people whose locations, through the locations of their Wifi routers, it collects and stores (Skyhook 2012).

Consent is critical in such LBS as personal location chronicle systems, people-followers and footpath route-tracker systems that systematically collect personal location information from a device they are carrying (Collier 2011c). The data handled by such applications is highly sensitive because it can be used to conduct behavioural profiling of individuals in particular settings. The sensitivity exists even if the individuals remain 'nameless', i.e. if each identifier is a temporary or pseudo-identifier and is not linked to other records. Service-providers, and any other organisations that gain access to the data, achieve the capacity to make judgements on individuals based on their choices of, for example, which retail stores they walk into and which they do not. For example, if a subscriber visits a particular religious bookstore within a shopping mall on a weekly basis, the assumption can be reasonably made that they are in some way affiliated to that religion (Samuel 2008).

It is frequently asserted that individuals cannot have a reasonable expectation of privacy in a public space. Contrary to those assertions, however, privacy expectations always have existed in public places, and continue to exist (VLRC 2010). Tracking the movements of people as they go about their business is a breach of a fundamental expectation that people will be 'let alone'. In policing, for example, in most democratic countries, it is against the law to covertly track an individual or their vehicle without specific, prior approval in the form of a warrant. This principle has, however, been compromised in many countries since 2001. Warrantless tracking using a mobile device generally results in the evidence, which has been obtained without the proper authority, being inadmissible in a court of law (Samuel 2008). Some law enforcement agencies have argued for the abolition of the warrant process because the bureaucracy involved may mean that the suspect cannot be prosecuted for a crime they have likely committed (Ganz 2005). These issues are not new; but far from eliminating a warrant process, the appropriate response is to invest the energy in streamlining this process (Bronitt 2010).

Privacy risks arise not only from locational data of high integrity, but also from data that is or becomes associated with a person and that is inaccurate, misleading, or wrongly attributed to that individual. High levels of inaccuracy and unreliability were noted above in respect of all forms of location and tracking technologies. In the case of MDS services, claims have been made of one-to-two metre locational accuracy. This has yet to be supported by experimental test cases, however, and hence there is uncertainty about the reliability of inferences that the service-provider or the shop-owner draw. If the data is the subject of a warrant or subpoena, the data's inaccuracy could result in false accusations and even a miscarriage of justice, with the 'wrong person' finding themselves in the 'right place' at the 'right time'.

5.2 Privacy More Broadly

Privacy has multiple dimensions. One analysis, in Clarke (2006a), identifies four distinct aspects. Privacy of Personal Data, variously also 'data privacy' and 'information privacy', is the most widely-discussed dimension of the four. Individuals claim that data about themselves should not be automatically available to other individuals and organisations, and that, even where data is possessed by another party, the individual must be able to exercise a substantial degree of control over that data and its use. The last five decades have seen the application of information technologies to a vast array of abuses of data privacy. The degree of privacy-intrusiveness is a function of both the intensity and the richness of the data. Where multiple sources are combined, the impact is particularly likely to chill behaviour. An example is the correlation of video-feeds with mobile device tracking. The previous sub-section addressed that dimension.

Privacy of the Person, or 'bodily privacy', extends from freedom from torture and right to medical treatment, via compulsory immunisation and imposed treatments, to compulsory provision of samples of body fluids and body tissue, and obligations to submit to biometric measurement. Locational surveillance gives rise to concerns about personal safety. Physical privacy is directly threatened where a person who wishes to inflict harm is able to infer the present or near-future location of their target. Dramatic examples include assassins, kidnappers, 'standover merchants' and extortionists. But even people who are neither celebrities nor notorities are subject to stalking and harassment (Fusco et al. 2012).

Privacy of Personal Communications is concerned with the need of individuals for freedom to communicate among themselves, without routine monitoring of their communications by other persons or organisations. Issues include 'mail covers', the use of directional microphones, 'bugs' and telephonic interception, with or without recording apparatus, and third-party access to email-messages. Locational surveillance thereby creates new threats to communications privacy. For example, the equivalent of 'call records' can be generated by combining the locations of two device-identifiers in order to infer that a face-to-face conversation occurred.

Privacy of Personal Behaviour encompasses 'media privacy', but particular concern arises in relation to sensitive matters such as sexual preferences and habits, political activities and religious practices. Some privacy analyses, particularly in Europe, extend this discussion to personal autonomy, liberty and the right of self-determination (e.g. King & Jesson 2010). The notion of 'private space' is vital to economic and social aspects of behaviour, is relevant in 'private places' such as the home and toilet cubicles, but is also relevant and important in 'public places', where systematic observation and the recording of images and sounds are far more intrusive than casual observation by the few people in the vicinity.

Locational surveillance gives rise to rich sets of data about individuals' activities. The knowledge, or even suspicion, that such surveillance is undertaken, chills their behaviour. The chilling factor is vital in the case of political behaviour (Clarke 2008). It is also of consequence in economic behaviour, because the inventors and innovators on whom new developments depend are commonly 'different-thinkers' and even 'deviants', who are liable to come to come to attention in mass surveillance dragnets, with the tendency to chill their behaviour, their interactions and their creativity.

Surveillance that generates accurate data is one form of threat. Surveillance that generates inaccurate data, or wrongly associates data with a particular person, is dangerous as well. Many inferences that arise from inaccurate data will be wrong, of course, but that won't prevent those inferences being drawn, resulting in unjustified behavioural privacy invasiveness, including unjustified association with people who are, perhaps for perfectly good reasons, themselves under suspicion.

In short, all dimensions of privacy are seriously affected by location surveillance. For deeper treatments of the topic, see Michael et al. (2006b) and Clarke & Wigan (2011).

5.3 Locational Privacy and MDS

The recent innovation of tracking by means of mobile device signatures (MDS) gives rise to some issues additional to, or different from, mainstream device-location technologies. This section accordingly considers this particular technique's implications in greater depth. Limited reliable information is currently available, and the analysis is of necessity based on supplier-published sources (PI 2010a, 2010b) and media reports (Collier 2010a, 2010b, 2010c).

A company called Path Intelligence (PI) markets an MDS service to shopping mall-owners, to enable them to better value their floorspace in terms of rental revenues, and to identify points of on-foot traffic congestion to on-sell physical advertising and marketing floorspace (PI 2010a). The company claims to detect each phone (and hence person) that enters a zone, and to capture data, including:

  • how long each device and person stay, including dwell times in front of shop windows;
  • repeat visits by shoppers in varying frequency durations; and
  • typical route and circuit paths taken by shoppers as they go from shop to shop during a given shopping experience.

For malls, PI is able to denote such things as whether or not shoppers who shop at one establishment will also shop at another in the same mall, and whether or not people will go out of their way to visit a particular retail outlet independent of its location. For retailers, PI says it is able to provide information on conversion rates by department or even product line, and even which areas of the store might require more attention by staff during specific times of the day or week (PI 2012).

PI says that it uses "complex algorithms" to denote the geographic position of a mobile, using strategically located "proprietary equipment" in a campus setting (PI 2010a). The company states that it is conducting "data-driven analysis", but is not collecting, or at least that it is is not disclosing, any personal information such as a name, mobile telephone number or contents of a short message service (SMS). It states that it only ever provides aggregated data at varying zone levels to the shopping mall-owners. This is presumably justified on the basis that, using MDS techniques, direct identifiers are unlikely to be available, and a pseudo-identifier needs to be assigned. There is no explicit definition of what constitutes a zone. It is clear, however, that minimally-aggregated data at the highest geographic resolution is available for purchase, and at a higher price than more highly-aggregated data.

Shoppers have no relationship with the company, and it appears unlikely that they would even be aware that data about them is being collected and used. The only disclosure appears to be that "at each of our installations our equipment is clearly visible and labelled with our logo and website address" (PI 2010a), but this is unlikely to be visible to many people, and in any case would not inform anyone who saw it.

In short, the company is generating revenue by monitoring signals from the mobile devices of people who visit a shopping mall for the purchase of goods and services. The data collection is performed without the knowledge of the person concerned (Renegar et al. 2008). The company is covertly collecting personal data and exploiting it for profit. There is no incentive or value proposition for the individual whose mobile is being tracked. No clear statement is provided about collection, storage, retention, use and disclosure of the data (Arnold 2008). Even if privacy were not a human right, this would demand statutory intervention on the public policy grounds of commercial unfairness. The company asserts that the "our privacy approach has been reviewed by the [US Federal Trade Commission] FTC, which determined that they are comfortable with our practices" (PI 20101a). It makes no claims of such 'approval' anywhere else in the world.

The service could be extended beyond a mall and the individual stores within it, to, for example, associated walkways and parking areas, and surrounding areas such as government offices, entertainment zones and shopping-strips. Applications can also be readily envisaged on hospital and university campuses, and in airports and other transport hubs. From prior research, this is likely to expose the individual's place of employment, and even their residence (Michael et al. 2006). Even if only aggregated data is sold to businesses, the individual records remain available to at least the service-provider.

The scope exists to combine this form of locational surveillance with video-surveillance such as in-store CCTV, and indeed this is claimed to be already a feature of the company's offering to retail stores. To the extent that a commonly-used identifier can be established (e.g. through association with the person's payment or loyalty card at a point-of-sale), the full battery of local and externally-acquired customer transaction histories and consolidated 'public records' data can be linked to in-store behaviour (Michael & Michael 2007). Longstanding visual surveillance is intersecting with well-established data surveillance, and being augmented by locational surveillance, giving breath to dataveillance, or what is now being referred to by some as 'smart surveillance' (Wright et al. 2010, IBM 2011).

Surreptitious collection of personal data is (with exemptions and exceptions) largely against the law, even when undertaken by law enforcement personnel. The MDS mechanism also flies in the face of telephonic interception laws. How, then, can it be in any way acceptable for a form of warrantless tracking to be undertaken by or on behalf of corporations or mainstream government agencies, of shoppers in a mall, or travellers in an airport, or commuters in a transport hub? Why should a service-provider have the right to do what a law enforcement agency cannot normally do?

6. Controls

The tenor of the discussion to date has been that location surveillance harbours enormous threats to location privacy, but also to personal safety, the freedom to communicate, freedom of movement, and freedom of behaviour. This section examines the extent to which protections exist, firstly in the form of natural or intrinsic controls, and secondly in the form of legal provisions. The existing safeguards are found to be seriously inadequate, and it is therefore necessary to also examine the prospects for major enhancements to law, in order to achieve essential protections.

6.1 Intrinsic Controls

A variety of forms of safeguard exist against harmful technologies and unreasonable applications of them. The intrinsic economic control has largely evaporated, partly because the tools use electronics and the components are produced in high volumes at low unit cost. Another reason is that the advertising and marketing sectors are highly sophisticated, already hold and exploit vast quantities of personal data, and are readily geared up to exploit yet more data.

Neither the oxymoronic notion of 'business ethics' nor the personal morality of executives in business and government act as any significant brake on the behaviours of corporations and governments, because they are very weak barriers, and they are readily rationalised away in the face of claims of enhanced efficiencies in, for example, marketing communications, fraud control, criminal justice and control over anti-social behaviour.

A further category of intrinsic control is 'self-regulatory' arrangements within relevant industry sectors. In 2010, for example, the Australian Mobile Telecommunications Association (AMTA) released industry guidelines to promote the privacy of people using LBS on mobile devices (AMTA 2010). The guidelines were as follows:

  1. Every LBS must be provided on an opt-in basis with a specific request from a user for the service
  2. Every LBS must comply with all relevant privacy legislation
  3. Every LBS must be designed to guard against consumers being located without their knowledge
  4. Every LBS must allow consumers to maintain full control
  5. Every LBS must enable customers to control who uses their location information and when that is appropriate, and be able to stop or suspend a service easily should they wish

The second point is a matter for parliaments, privacy oversight agencies and law enforcement agencies, and its inclusion in industry guidelines is for-information-only. The remainder, meanwhile, are at best 'aspirational', and at worst mere window-dressing. Codes of this nature are simply ignored by industry members. They are primarily a means to hold off the imposition of actual regulatory measures. Occasional short-term constraints may arise from flurries of media attention, but the 'responsible' organisations escape by suggesting that bad behaviour was limited to a few 'cowboy' organisations or was a one-time error that won't be repeated.

A case study of the industry self-regulation is provided by the Biometrics Code issued by the misleadingly-named Australian industry-and-users association, the Biometrics 'Institute' (BI 2004). During the period 2009-12, the privacy advocacy organisation, the Australian Privacy Foundation (APF), submitted to the Privacy Commissioner on multiple occasions that the Code failed to meet the stipulated requirements and under the Commissioner's own Rules had to be de-registered. The Code never had more than five subscribers (out of a base of well over 100 members - which was itself only a sub-set of organisations active in the area), and had no signatories among the major biometrics vendors or users, because all five subscribers were small organisations or consultants. In addition, none of the subscribers appear to have ever provided a link to the Code on their websites or in their Privacy Policy Statements (APF 2012).

The Commissioner finally ended the farce in April 2012, citing the "low numbers of subscribers", but avoided its responsibilities by permitting the 'Institute' to "request" revocation, over two years after the APF had made the same request (OAIC 2012). The case represents an object lesson in the vacuousness of self-regulation and the business-friendliness of a captive privacy oversight agency.

If economics, morality and industry-sector politics are inadequate, perhaps competition and organisational self-interest might work. On the other hand, repeated proposals that privacy is a strategic factor for corporations and government agencies have fallen on stony ground (Clarke 19962006b).

The public can endeavour to exercise countervailing power against privacy-invasive practices. On the other hand, individuals acting alone are of little or no consequence to organisations that are intent on the application of location surveillance. Moreover, consumer organisations lack funding, professionalism and reach, and only occasionally attract sufficient media attention to force any meaningful responses from organisations deploying surveillance technologies.

Individuals may have direct surveillance countermeasures available to them, but relatively few people have the combination of motivation, technical competence and persistence to overcome lethargy and the natural human desire to believe that the institutions surrounding them are benign. In addition, some government agencies, corporations and (increasingly prevalent) public-private partnerships seek to deny anonymity, pseudonymity and multiple identities, and to impose so-called 'real name' policies, for example as a solution to the imagined epidemics of cyber-bullying, hate speech and child pornography. Individuals who use cryptography and other obfuscation techniques have to overcome the endeavours of business and government to stigmatise them as criminals with 'something to hide'.

6.2 Legal Controls

It is clear that natural or intrinsic controls have been utter failures in privacy matters generally, and will be in locational privacy matters as well. That leaves legal safeguards for personal freedoms as the sole protection. There are enormous differences among domestic laws relating to location surveillance. This section accordingly limits itself to generalities and examples.

Privacy laws are (with some qualifications, mainly in Europe) very weak instruments. Even where public servants and parliaments have an actual intention to protect privacy, rather than merely to overcome public concerns by passing placebo statutes, the draft Bills are countered by strong lobbying by government agencies and industry, to the extent that measures that were originally portrayed as being privacy-protective reach the statute books as authority for privacy breaches and surveillance (Clarke 2000).

Privacy laws, once passed, are continually eroded by exceptions built into subsequent legislation, and by technological capabilities that were not contemplated when the laws were passed. In most countries, location privacy has yet to be specifically addressed in legislation. Even where it is encompassed by human rights and privacy laws, the coverage is generally imprecise and ambiguous. More direct and specific regulation may exist, however. In Australia, for example, the Telecommunications (Interception and Access) Act and the Surveillance Devices Act define and criminalise inappropriate interception and access, use, communication and publication of location information that is obtained from mobile device traffic (AG 2005). On the other hand, when Google Inc. intercepted wi-fi signals and recorded the data that they contained, the Privacy Commissioner absolved the company (Riley 2010), and the Australian Federal Police refused to prosecute despite the action - whether it was intentional, 'inadvertent' or merely plausibly deniable - being a clear breach of the criminal law (Moses 2010).

The European Union determined a decade ago that location data that is identifiable to individuals is to some extent at least subject to existing data protection laws (EU 2002). However, the wording of that so-called 'e-Privacy Directive' countenances the collection of "location data which are more precise than is necessary for the transmission of communications", without clear controls over the justification, proportionality and transparency of that collection (para. 35). In addition, the e-Privacy Directive only applies to telecommunications service providers, not to other organisations that acquire location and tracking data. King & Jessen (2010) discuss various gaps in the protective regimes in Europe.

The EU's Advisory Body (essentially a Committee of European Data Protection Commissioners) has issued an Opinion that mobile location data is generally capable of being associated with a person, and hence is personal data, and hence is subject to the EU Directive of 1995 and national laws that implement that Directive (Art. 29 2011). Consent is considered to be generally necessary, and that consent must be informed, and sufficiently granular (pp. 13-18).

It is unclear, however, to what extent this Opinion has actually caused, and will in the future cause, organisations that collect, store, use and disclose location data to change their practices. This uncertainty exists in respect of national security, law enforcement and social control agencies, which have, or which can arrange, legal authority that overrides data protection laws. It also applies to non-government organisations of all kinds, which can take advantage of exceptions, exemptions, loopholes, non-obviousness, obfuscation, unenforceability within each particular jurisdiction, and extra-jurisdictionality, to operate in ways that are in apparent breach of the Opinion.

Legal authorities for privacy-invasions are in a great many cases vague rather than precise, and in many jurisdictions power in relation to specific decisions is delegated to an LEA (in such forms as self-written 'warrants'), or even a social control agency (in the form of demand-powers), rather than requiring a decision by a judicial officer based on evidence provided by the applicant.

Citizens in many countries are subject to more or less legitimate surveillance of various degrees and orders of granularity, by their government, in the name of law enforcement and national security. However, many Parliaments have granted powers to national security agencies to use location technology to track citizens and to intercept telecommunications. Moreover, many Parliaments have failed the public by permitting a warrant to be signed by a Minister, or even a public servant, rather than a judicial officer (Jay 1999). Worse still, it appears that these already-gross breaches of the principle of a free society are in effect being extended to the authorisation of a private organisation to track mobiles of ordinary citizens because it may lead to better services planning, or more efficient advertising and marketing (Collier 2011a).

Data protection legislation in all countries evidences massive weaknesses. There are manifold exemptions and exceptions, and there are intentional and accidental exclusions, for example through limitations in the definitions of 'identified' and 'personal data'. Even the much-vaunted European laws fail to cope with extra-territoriality and are largely ignored by US-based service-providers. They are also focussed exclusively on data, leaving large gaps in safeguards for physical, communications and behavioural privacy.

Meanwhile, a vast amount of abuse of personal data is achieved through the freedom of corporations and government agencies to pretend that Terms imposed on consumers and citizens without the scope to reject them are somehow the subject of informed and freely-given consent. For example, petrol-stations, supermarkets and many government agencies pretend that walking past signs saying 'area subject to CCTV' represents consent to gather, transmit, record, store, use and disclose data. The same approach is being adopted in relation to highly-sensitive location data, and much-vaunted data protection laws are simply subverted by the mirage of consent.

At least notices such as 'you are now being watched' or 'smile, you are being recorded' inform customers that they are under observation. On the other hand, people are generally oblivious to the fact that their mobile subscriber identity is transmitted from their mobile phone and multilaterated to yield a reasonably precise location in a shopping mall (Collier 2011a, b, c). Further, there is no meaningful sense in which they can be claimed to have consented to providing location data to a third party, in this case a location service-provider with whom they have never had contact. And the emergent combination of MDS with CCTV sources becomes a pervasive view of the person, an 'über' view, providing a set of über-analytics to - at this stage - shopping complex owners and their constituents.

What rights do employees have if such a system were instituted in an employment setting? Are workplace surveillance laws in place that would protect employees from constant monitoring? A similar problem applies to people at airports, or on hospital, university, industrial or government campuses. No social contract has been entered into between the parties, rendering the subscriber powerless.

Since the collapse of the Technology Assessment movement, technological deployment proceeds unimpeded, and public risks are addressed only after they have emerged and the clamour of concern has risen to a crescendo. A reactive force is at play, rather than proactive measures being taken to ensure avoidance or mitigation of potential privacy breaches. In Australia, for example, safeguards for location surveillance exist at best incidentally, in provisions under separate legislative regimes and in separate jurisdictions, and at worst not at all. No overarching framework exists to provide consistency among the laws. This causes confusion and inevitably results in inadequate protections (ALRC 2008).

6.3 Prospective Legal Controls

Various learned studies have been conducted, but gather dust. In Australia, the three major law reform commissions have all reported, and all have been ignored by the legislatures (NSWLRC 2005ALRC 2008VLRC 2010).

One critical need is for the fundamental principle to be recovered, to the effect that the handling of personal data requires either consent or legal authority. Consent is meaningless as a control over unreasonable behaviour, however, unless it satisfies a number of key conditions. It must be informed, it must be freely-given, and it must be sufficiently granular, not bundled (Clarke 2002). In a great many of the circumstances in which organisations are claiming to have consent to gather, store, use and disclose location data, the consumer does not appreciate what the scope of handling is that the service-provider is authorising themselves to perform; the Terms are imposed by the service-provider and may even be varied or completely re-written without consultation, a period of notice or even any notice at all; and consent is bundled rather than the individual being able to construct a pattern of consents and denials that suit their personal needs. Discussions all too frequently focus on the specifically-US notion of 'opt-out' (or 'presumed consent'), with consent debased to 'opt-in', and deprecated as inefficient and business-unfriendly.

Recently, some very weak proposals have been put forward, primarily in the USA. In 2011, for example, two US Senators proposed a Location Privacy Protection Bill (Cheng 2011). An organisation that collected location data from mobile or wireless data devices would have to state explicitly in their privacy policies what was being collected, in plain English. This would represent only a partial implementation of the already very weak 2006 recommendation of the Internet Engineering Task Force for Geographic Location/Privacy (IETF GEOPRIV) working group, which decided that technical systems should include `Fair Information Practices' (FIPs) to defend against harms associated with the use of location technologies (EPIC 2006). FIPs, however, is itself only a highly cut-down version of effective privacy protections, and the Bill proposes only a small fraction of FIPs. It would be close to worthless to consumers, and close to legislative authorisation for highly privacy-invasive actions by organisations.

Two other US senators tabled a GPS Bill, nominally intended to "balance the needs of Americans' privacy protections with the legitimate needs of law enforcement, and maintains emergency exceptions" (Anderson 2011). The scope is very narrow - next would have to come the Wi-Fi Act, the A-GPS Act, etc. That approach is obviously unviable in the longer term as new innovations emerge. Effective legislation must have appropriate generality rather than excessive technology-specificity, and should be based on semantics not syntax. Yet worse, these Bills would provide legal authorisation for grossly privacy-invasive location and tracking. IETF engineers, and now Congressmen, want to compromise human rights and increase the imbalance of power between business and consumers.

7. Conclusions

Mobile device location technologies and their applications are enabling surveillance, and producing an enormous leap in intrusions into data privacy and into privacy of the person, privacy of personal communications, and privacy of personal behaviour.

Existing privacy laws are entirely incapable of protecting consumers and citizens against the onslaught. Even where consent is claimed, it generally fails the tests of being informed, freely-given and granular.

There is an urgent need for outcries from oversight agencies, and responses from legislatures. Individual countries can provide some degree of protection, but the extra-territorial nature of so much of the private sector, and the use of corporate havens, in particular the USA, mean that multilateral action is essential in order to overcome the excesses arising from the US laissez faire traditions.

One approach to the problem would be location privacy protection legislation, although it would need to embody the complete suite of protections rather than the mere notification that the technology breaches privacy. An alternative approach is amendment of the current privacy legislation and other anti-terrorism legislation in order to create appropriate regulatory provisions, and close the gaps that LBS providers are exploiting (Koppel 2010).

The chimeras of self-regulation, and the unenforceability of guidelines, are not safeguards. Sensitive data like location information must be subject to actual, enforced protections, with guidelines and codes no longer used as a substitute, but merely playing a supporting role. Unless substantial protections for personal location information are enacted and enforced, there will be an epidemic of unjustified, disproportionate and covert surveillance, conducted by government and business, and even by citizens (Gillespie 2009, Abbas et al. 2011).

References

Abbas R. (2011) 'The social and behavioural implications of location-based services: An observational study of users' Journal of Location Based Services, 5, 3-4 (December 2011)

Abbas R., Michael K., Michael m.g. & Aloudat A. (2011) 'Emerging forms of covert surveillance using GPS-enabled devices', Journal of Cases on Information Technology, 13, 2 (2011) 19-33

AG (2005) 'What the Government is doing: Surveillance Device Act 2004', 25 May 2005, Australian Government, at http://www.ag.gov.au/agd/www/nationalsecurity.nsf/AllDocs/9B1F97B59105AEE6CA2570C0014CAF5?OpenDocument

ALRC (2008) 'For your information: Australian privacy law and practice (ALRC Report 108)', Australian Government, 2, pp. 1409-10, http://www.alrc.gov.au/publications/report-108

AMTA (2010) 'New mobile telecommunications industry guidelines and consumer tips set benchmark for Location Based Services', Australian Mobile Telecommunications Association, 2010, athttp://www.amta.org.au/articles/New.mobile.telecommunications.industry.guidelines.and.consumer.tips.set.benchmark.for.Location.Based.Services

Anderson N. (2011) 'Bipartisan bill would end government's warrantless GPS tracking', Ars Technica, June 2011, at http://arstechnica.com/tech-policy/news/2011/06/bipartisan-bill-would-end-governments-warrantless-gps-tracking.ars

APF (2012) 'Revocation of the Biometrics Industry Code' Australian Privacy Foundation, March 2012, at http://www.privacy.org.au/Papers/OAIC-BiomCodeRevoc-120321.pdf

Arnold B. (2008) 'Privacy guide', Caslon Analytics, May 2008, at http://www.caslon.com.au/privacyguide19.htm

Art. 29 (2011) 'Opinion 13/2011 on Geolocation services on smart mobile devices' Article 29 Data Protection Working Party , 881/11/EN WP 185, 16 May 2011, at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf

BI (2004) 'Privacy Code' Biometrics Institute, Sydney, April 2004, at http://web.archive.org/web/20050424120627/http://www.biometricsinstitute.org/displaycommon.cfm?an=1&subarticlenbr=8

Blumberg A.J. & Eckersley P. (2009) 'On locational privacy, and how to avoid losing it forever' Electronic Frontier Foundation, August 2009, at https://www.eff.org/wp/locational-privacy

Bronitt S. (2010) 'Regulating covert policing methods: from reactive to proactive models of admissibility', in S. Bronitt, C. Harfield and K. Michael (eds.), The Social Implications of Covert Policing, 2010, pp. 9-14

Cheng J. (2011) 'Franken's location-privacy bill would close mobile-tracking 'loopholes'', Wired, 17 June 2011, at http://www.wired.com/epicenter/2011/06/franken-location-loopholes/

Chetty K., Smith G.E. & Woodbridge K. (2012) 'Through-the-Wall Sensing of Personnel Using Passive Bistatic WiFi Radar at Standoff Distances' IEEE Transactions on Geoscience and Remote Sensing 50, 4 (Aril 2012) 1218 - 1226

Clarke R. (1988) 'Information technology and dataveillance', Communications of the ACM, 31(5), May 1988, pp498-512, at http://www.rogerclarke.com/DV/CACM88.html

Clarke R. (1994) 'The Digital Persona and its Application to Data Surveillance' The Information Society 10,2 (June 1994) 77-92, at http://www.rogerclarke.com/DV/DigPersona.html

Clarke R. (1996) 'Privacy and Dataveillance, and Organisational Strategy' Proc. I.S. Audit & Control Association (EDPAC'96), Perth, Western Australia, May 1996, athttp://www.rogerclarke.com/DV/PStrat.html

Clarke R. (2000) 'Submission to the Commonwealth Attorney-General re: 'A privacy scheme for the private sector: Release of Key Provisions' of 14 December 1999' Xamax Consultancy Pty Ltd, January 2000, at http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

Clarke R. (2001) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Information Technology & People 14, 2 (Summer 2001) 206-231, athttp://www.rogerclarke.com/DV/PLT.html

Clarke R. (2002) 'e-Consent: A Critical Element of Trust in e-Business' Proc. 15th Bled Electronic Commerce Conference, Bled, Slovenia, June 2002, at http://www.rogerclarke.com/EC/eConsent.html

Clarke R. (2006a) 'What's 'Privacy'?' Xamax Consultancy Pty Ltd, August 2006, at http://www.rogerclarke.com/DV/Privacy.html

Clarke R. (2006b) 'Make Privacy a Strategic Factor - The Why and the How' Cutter IT Journal 19, 11 (October 2006), at http://www.rogerclarke.com/DV/APBD-0609.html

Clarke R. (2008) 'Dissidentity: The Political Dimension of Identity and Privacy' Identity in the Information Society 1, 1 (December, 2008) 221-228, at http://www.rogerclarke.com/DV/Dissidentity.html

Clarke R. (2009a) 'The Covert Implementation of Mass Vehicle Surveillance in Australia' Proc 4th Workshop on the Social Implications of National Security: Covert Policing, April 2009, ANU, Canberra, at http://www.rogerclarke.com/DV/ANPR-Surv.html

Clarke R. (2009b) 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' Proc. IDIS 2009 - The 2nd Multidisciplinary Workshop on Identity in the Information Society, LSE, 5 June 2009, at http://www.rogerclarke.com/ID/IdModel-090605.html

Clarke R. (2009c) 'A Framework for Surveillance Analysis' Xamax Consultancy Pty Ltd, August 2009, at http://www.rogerclarke.com/DV/FSA.html

Clarke R. (2010) 'What is Überveillance? (And What Should Be Done About It?)' IEEE Technology and Society 29, 2 (Summer 2010) 17-25, at http://www.rogerclarke.com/DV/RNSA07.html

Clarke R. (2011) 'The Cloudy Future of Consumer Computing' Proc. 24th Bled eConference, June 2011, at http://www.rogerclarke.com/EC/CCC.html

Clarke R. & Wigan M. (2011) 'You are where you've been: The privacy implications of location and tracking technologies' Journal of Location Based Services 5, 3-4 (December 2011) 138-155, PrePrint athttp://www.rogerclarke.com/DV/YAWYB-CWP.html

Cleff E.B. (2007) 'Implementing the legal criteria of meaningful consent in the concept of mobile advertising' Computer Law & Security Review 23,2 (2007) 262-269

Cleff E.B. (2010) 'Effective approaches to regulate mobile advertising: Moving towards a coordinated legal, self-regulatory and technical response' Computer Law & Security Review 26, 2 (2010) 158-169

Collier K. (2011a) 'Stores spy on shoppers', Herald Sun, 12 October 2011, at http://www.heraldsun.com.au/news/more-news/stores-spy-on-shoppers/story-fn7x8me2-1226164244739

Collier K. (2011b) 'Shopping centres' Big Brother plan to track customers', Herald Sun, 14 October 2011, at http://www.heraldsun.com.au/news/more-news/shopping-centres-big-brother-plan-to-track-customers/story-fn7x8me2-1226166191503

Collier K. (2011c) ''Creepy' Path Intelligence retail technology tracks shoppers', news.com.au, 14 October 2011, at http://www.news.com.au/money/creepy-retail-technology-tracks-shoppers/story-e6frfmci-1226166413071

Dahunsi F. & Dwolatzky B. (2012) 'An empirical investigation of the accuracy of location-based services in South Africa' Journal of Location Based Services 6, 1 (March 2012) 22-34

Dobson J. & Fisher P. (2003) 'Geoslavery' IEEE Technology and Society 22 (2003) 47-52, cited in Raper et al. (2007)

Economist (2012) 'Vehicle data recorders - Watching your driving' The Economist' 23 June 2012, at http://www.economist.com/node/21557309

EPIC (2006) 'Privacy and human rights report 2006' Electronic Privacy Information Center, WorldLII, 2006, at http://www.worldlii.org/int/journals/EPICPrivHR/2006/PHR2006-Location.html

EPIC (2012) 'Investigations of Google Street View' Electronic Privacy Information Center, 2012, at http://epic.org/privacy/streetview/

EU (2002) 'Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)' Official Journal L 201 , 31/07/2002 P. 0037 - 0047, European Commission, at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

Figueiras J. & Frattasi S. (2010) 'Mobile Positioning and Tracking: From Conventional to Cooperative Techniques' Wiley, 2010

Fusco S.J., Abbas R., Michael K. & Aloudat A. (2012) 'Location-Based Social Networking and its Impact on Trust in Relationships' IEEE Technology and Society Magazine 31,2 (Summer 2012) 39-50, athttp://works.bepress.com/cgi/viewcontent.cgi?article=1326&context=kmichael

Gallagher T. et al. (2009) 'Trials of commercial Wi-Fi positioning systems for indoor and urban canyons' Proc. IGNSS Symposium, 1-3 December 2009, Queensland, cited in Zandbergen (2012)

Ganz J.S. (2005) 'It's already public: why federal officers should not need warrants to use GPS vehicle tracking devices', Journal of Criminal Law and Criminology 95, 4 (Summer 2005) 1325-37

Gillespie A.A. (2009) 'Covert surveillance, human rights and the law', Irish Criminal Law Journal, 19, 3 (August 2009) 71-79

IBM (2011) 'IBM Smart Surveillance System (Previous PeopleVision Project)', IBM Research, 30 October 2011, at http://www.research.ibm.com/peoplevision/

Jay D.M. (1999) 'Use of covert surveillance obtained by search warrant', Australian Law Journal, 73, 1 (Jan 1999) 34-36

King N.J. & Jessen P.W. (2010) 'Profiling the mobile customer - Privacy concerns when behavioural advertisers target mobile phones' Computer Law & Security Review 26, 5 (2010) 455-478 and 26, 6 (2010) 595-612

Koppel A. (2010) 'Warranting a warrant: Fourth Amendment concerns raised by law enforcement's warrantless use of GPS and cellular phone tracking', University of Miami Law Review 64, 3 (April 2010) 1061-1089

Lewis P. (2008) 'Fears over privacy as police expand surveillance project' The Guardian, 15 September 2008, at http://www.guardian.co.uk/uk/2008/sep/15/civilliberties.police

McGuire M., Plataniotis K.N. & Venetsanopoulos A.N. (2005) 'Data fusion of power and time measurements for mobile terminal location' IEEE Transaction on Mobile Computing 4 (2005) 142-153, cited in Raper et al. (2007)

Mann S., Nolan J. & Wellman B. (2003) 'Sousveillance: Inventing and Using Wearable Computing Devices for Data Collection in Surveillance Environments' Surveillance & Society 1, 3 (June 2003) 331-355, at http://www.surveillance-and-society.org/articles1(3)/sousveillance.pdf

Mautz R. (2011) 'Overview of Indoor Positioning Technologies' Keynote, Proc. IPIN'2011, Guimaraes, September 2011, at http://www.geometh.ethz.ch/people/.../IPIN_Keynote_Mautz_2011.pdf

Mery D. (2009) 'The mobile phone as self-inflicted surveillance - And if you don't have one, what have you got to hide?' The Register, 10 April 2009, athttp://www.theregister.co.uk/2009/04/10/mobile_phone_tracking/

Michael K. & Michael M.G. (2007) 'From Dataveillance to Überveillance and the Realpolitik of the Transparent Society' University of Wollongong, 2007, at http://works.bepress.com/kmichael/51

Michael K. & Michael M.G. (2009) 'Innovative Automatic Identification and Location-Based Services: From Bar Codes to Chip Implants' IGI Global, 2009

Michael M.G. & Michael K. (2010) 'Towards a state of uberveillance' IEEE Technology and Society Magazine 29, 2 (Summer 2010) 9-16, at http://works.bepress.com/kmichael/187

Michael K., McNamee A., Michael M.G. & Tootell H. (2006a) 'Location-Based Intelligence - Modeling Behavior in Humans using GPS' Proc. Int'l Symposium on Technology and Society, New York, 8-11 June 2006, at http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1384&context=infopapers

Michael K., McNamee A. & Michael M.G. (2006b) 'The Emerging Ethics of Humancentric GPS Tracking and Monitoring' Proc. Int'l Conf. on Mobile Business, Copenhagen, Denmark IEEE Computer Society, 2006, at http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1384&context=infopapers

Michael M.G., Fusco S.J. & Michael K (2008) 'A Research Note on Ethics in the Emerging Age of Uberveillance (Überveillance)' Computer Communications, 31(6), 2008, 1192-119, athttp://works.bepress.com/kmichael/32/

Michael K. & Masters A. (2006) 'Realized Applications of Positioning Technologies in Defense Intelligence' in Hussein Abbass H. & Essam D. (eds.) 'Applications of Information Systems to Homeland Security and Defense' Idea Group Publishing, 2006, at http://works.bepress.com/kmichael/2

Michael K., Roussos G., Huang G.Q., Gadh R., Chattopadhyay A., Prabhu S. & Chu P. (2010) 'Planetary-scale RFID services in an age of uberveillance' Proceedings of the IEEE 98, 9 (2010) 1663-1671

Moses A. (2010) 'Google escapes criminal charges for Wi-Fi snooping', The Sydney Morning Herald, 6 December 2010, at http://www.smh.com.au/technology/security/google-escapes-criminal-charges-for-wifi-snooping-20101206-18lot.html

NSWLRC (2005) 'Surveillance' Report 108 , NSW Law Reform Commission, 2005, at http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_r108toc

OAIC (2012) '' Office of the Australian Information Commissioner, April 2012, at http://www.comlaw.gov.au/Details/F2012L00869/Explanatory%20Statement/Text

Otterberg A.A. (2005) 'Note: GPS tracking technology: The case for revisiting Knotts and shifting the Supreme Court's theory of the public space under the Fourth Amendment', Boston College Law Review 46 (2005) 661-704

Parenti C. (2003) 'The Soft Cage: Surveillance in America From Slavery to the War on Terror'  Basic Books, 2003

PI (2010a) 'Our Commitment to Privacy', Path Intelligence, 2010, heading changed in late 2012 to 'Privacy by design', at http://www.pathintelligence.com/en/products/footpath/privacy

PI (2010b) 'FootPath Technology', Path Intelligance, 2010, at http://www.pathintelligence.com/en/products/footpath/footpath-technology

PI (2012) 'Retail' Path Intelligence, 2012, at http://www.pathintelligence.com/en/industries/retail

Raper J., Gartner G., Karimi H. & Rizos C. (2007a) 'A critical evaluation of location based services and their potential' Journal of Location Based Services 1, 1 (March 2007) 5-45

Raper J., Gartner G., Karimi H. & Rizos C. (2007b) 'Applications of location-based services: a selected review' Journal of Location Based Services 1, 2 (June 2007) 89-111

RE (2010a) 'IEEE 802.11 standards tutorial' Radio-Electronics.com, apparently of 2010, at http://www.radio-electronics.com/info/wireless/wi-fi/ieee-802-11-standards-tutorial.php

RE (2010b) 'WiMAX IEEE 802.16 technology tutorial' Radio-Electronics.com, apparently of 2010, at http://www.radio-electronics.com/info/wireless/wimax/wimax.php

RE (2012) 'Assisted GPS, A-GPS' Radio-Electronics.com, apparently of 2012, at http://www.radio-electronics.com/info/cellulartelecomms/location_services/assisted_gps.php

Renegar B.D., Michael K. & Michael M.G. (2008) 'Privacy, value and control issues in four mobile business applications' Proc. 7th Int'l Conf. on Mobile Business, 2008, pp. 30-40

Riley J. (2010) 'Gov't 'travesty' in Google privacy case', ITWire, Wednesday 3 November 2010, 20:44, at http://www.itwire.com/it-policy-news/regulation/42898-govt-travesty-in-google-privacy-case

Samuel I.J. (2008) 'Warrantless location tracking', New York University Law Review, 83 (2008) 1324-1352

SHW (2012) 'Skyhook Location Performance', at http://www.skyhookwireless.com/location-technology/performance.php

Skyhook (2012) Website Entries, including 'Frequently Asked Questions' at http://www.skyhookwireless.com/whoweare/faq.php, 'Privacy Policy' athttp://www.skyhookwireless.com/whoweare/privacypolicy.php and 'Location Privacy' at http://www.skyhookwireless.com/whoweare/privacy.php,

Song C., Qu Z., Blumm N. & Barabási A.-L. (2010) 'Limits of predictability in human mobility' Science 327, 5968 (2010) 1018-1021

USGov (2012) 'GPS Accuracy' National Coordination Office for Space-Based Positioning, Navigation, and Timing, February 2012, at http://www.gps.gov/systems/gps/performance/accuracy/

van Loenen B., Zevenbergen J. & de Jong J. (2009) 'Balancing Location Privacy with National Security: A Comparative Analysis of Three Countries through the Balancing Framework of the European Court Of Human Rights' Ch. 2 of Patten N.J. et al. 'National Security: Institutional Approaches', Nova Science Publishers, 2009

VLRC (2010) 'Surveillance in Public Spaces' Victorian Law Reform Commission, Final Report 18, March 2010, athttp://www.lawreform.vic.gov.au/wps/wcm/connect/justlib/Law+Reform/resources/3/6/36418680438a4b4eacc0fd34222e6833/Surveillance_final_report.pdf

Wright D., Friedewald M., Gutwirth S., Langheinrich M., Mordini E., Bellanova R., De Hert P., Wadhwa K. & Bigo D. (2010) 'Sorting out smart surveillance' Computer Law & Security Review 26, 4 (2010) 343-354

Zandbergen P.A. (2012) 'Comparison of WiFi positioning on two mobile devices' Journal of Location Based Services 6, 1 (March 2012) 35-50

Acknowledgements

A preliminary version of the analysis presented in this paper appeared in the November 2011 edition of Precedent, the journal of the Lawyers Alliance. The article has been significantly upgraded as a result of comments provided by the referees and editor.

Author Affiliations

Katina Michael is an Associate Professor in the School of Information Systems and Technology at the University of Wollongong. She is the editor in chief of the IEEE Technology and Society Magazine, is on the editorial board of Computers & Security, and is a co-editor of 'Social Implications of Covert Policing' (2010). She is a Board member of the Australian Privacy Foundation and a representative of the Consumer Federation of Australia.

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in theResearch School of Computer Science at the Australian National University. He is currently Chair of the Australian Privacy Foundation, and an Advisory Board member of Privacy International.

Location and tracking of mobile devices: Uberveillance stalks the streets

Abstract

During the last decade, location-tracking and monitoring applications have proliferated, in mobile cellular and wireless data networks, and through self-reporting by applications running in smartphones that are equipped with onboard global positioning system (GPS) chipsets. It is now possible to locate a smartphone user's location not merely to a cell, but to a small area within it. Innovators have been quick to capitalise on these location-based technologies for commercial purposes, and have gained access to a great deal of sensitive personal data in the process. In addition, law enforcement utilises these technologies, can do so inexpensively and hence can track many more people. Moreover, these agencies seek the power to conduct tracking covertly, and without a judicial warrant. This article investigates the dimensions of the problem of people-tracking through the devices that they carry. Location surveillance has very serious negative implications for individuals, yet there are very limited safeguards. It is incumbent on legislatures to address these problems, through both domestic laws and multilateral processes.

1. Introduction

Personal electronic devices travel with people, are worn by them, and are, or soon will be, inside them. Those devices are increasingly capable of being located, and, by recording the succession of locations, tracked. This creates a variety of opportunities for the people concerned. It also gives rise to a wide range of opportunities for organisations, at least some of which are detrimental to the person's interests.

Commonly, the focus of discussion of this topic falls on mobile phones and tablets. It is intrinsic to the network technologies on which those devices depend that the network operator has at least some knowledge of the location of each handset. In addition, many such devices have onboard global positioning system (GPS) chipsets, and self-report their coordinates to service-providers. The scope of this paper encompasses those already well-known forms of location and tracking, but it extends beyond them.

The paper begins by outlining the various technologies that enable location and tracking, and identifies those technologies' key attributes. The many forms of surveillance are then reviewed, in order to establish a framework within which applications of location and tracking can be characterised. Applications are described, and their implications summarised. Controls are considered, whereby potential harm to the interests of individuals can be prevented or mitigated.

2. Relevant technologies

The technologies considered here involve a device that has the following characteristics:

• it is conveniently portable by a human, and

• it emits signals that:

• enable some other device to compute the location of the device (and hence of the person), and

• are sufficiently distinctive that the device is reliably identifiable at least among those in the vicinity, and hence the device's (and hence the person's) successive locations can be detected, and combined into a trail

The primary form-factors for mobile devices are currently clam-shape (portable PCs), thin rectangles suitable for the hand (mobile phones), and flat forms (tablets). Many other form-factors are also relevant, however. Anklets imposed on dangerous prisoners, and even as conditions of bail, carry RFID tags. Chips are carried in cards of various sizes, particularly the size of credit-cards, and used for tickets for public transport and entertainment venues, aircraft boarding-passes, toll-road payments and in some countries to carry electronic cash. Chips may conduct transactions with other devices by contact-based means, or contactless, using radio-frequency identification (RFID) or its shorter-range version near-field communication (NFC) technologies. These capabilities are in credit and debit cards in many countries. Transactions may occur with the cardholder's knowledge, with their express consent, and with an authentication step to achieve confidence that the person using the card is authorised to do so. In a variety of circumstances, however, some and even all of those safeguards are dispensed with. The electronic versions of passports that are commonly now being issued carry such a chip, and have an autonomous communications capability. The widespread issue of cards with capabilities uncontrolled by, and in many cases unknown to, the cardholder, is causing consternation among segments of the population that have become aware of the schemes.

Such chips can be readily carried in other forms, including jewellery such as finger-rings, and belt-buckles. Endo-prostheses such as replacement hips and knees and heart pacemakers can readily carry chips. A few people have voluntarily embedded chips directly into their bodies for such purposes as automated entry to premises (Michael and Michael, 2009).

In order to locate and track such devices, any sufficiently distinctive signals may in principle suffice. See Raper et al. (2007a) and Mautz (2011). In practice, the signals involved are commonly those transmitted by a device in order to take advantage of wireless telecommunications networks. The scope of the relevant technologies therefore also encompasses the signals, devices that detect the signals, and the networks over which the data that the signals contain are transmitted.

In wireless networks, it is generally the case that the base-station or router needs to be aware of the identities of devices that are currently within the cell. A key reason for this is to conserve limited transmission capacity by sending messages only when the targeted device is known to be in the cell. This applies to all of:

• cellular mobile originally designed for voice telephony and extended to data (in particular those using the ‘3G’ standards GSM/GPRS, CDMA2000 and UMTS/HSPA and the ‘4G’ standard LTE)

• wireless local area networks (WLANs, commonly Wifi/IEEE 802.11x – RE, 2010a)

• wireless wide area networks (WWANs, commonly WiMAX/IEEE 802.16x – RE, 2010b).

Devices in such networks are uniquely identified by various means (Clarke and Wigan, 2011). In cellular networks, there is generally a clear distinction between the entity (the handset) and the identity it is adopting at any given time (which is determined by the module inserted in it). Depending on the particular standards used, what is commonly referred to as ‘the SIM-card’ is an R-UIM, a CSIM or a USIM. These modules store an International Mobile Subscriber Identity (IMSI), which constitutes the handset's identifier. Among other things, this enables network operators to determine whether or not to provide service, and what tariff to apply to the traffic. However, cellular network protocols may also involve transmission of a code that distinguishes the handset itself, within which the module is currently inserted. A useful generic term for this is the device ‘entifier’ (Clarke, 2009b). Under the various standards, it may be referred to as an International Mobile Equipment Identity (IMEI), ESN, or MEID.

Vendor-specific solutions also may provide additional functionality to a handset unbeknown to the end-user. For example, every mobile device manufactured by Apple has a 40-character Unique Device Identifier (UDID). This enables Apple to track its users. Not only Apple itself, but also marketers, were able to use the UDID to track devices. It has also been alleged that data emanating from these devices is routinely accessible to law enforcement agencies. Since late 2012, Apple has prevented marketers from using the UDID, but has added an Identifier for Advertisers (IFA or IDFA). This is temporary, and it can be blocked; but it is by default open for tracking, and turning it off is difficult, and is likely to result in reduced services (Edwards, 2012). In short, Apple devices are specifically designed to enable tracking of consumers by Apple, by any government agency that has authority to gain access to the data, and by all consumer-marketing corporations, although in the last case with a low-grade option available to the user to suppress tracking.

In Wifi and WiMAX networks, the device entifier may be a processor-id or more commonly a network interface card identifier (NIC Id). In various circumstances, other device-identifiers may be used, such as a phone number, or an IP-address may be used as a proxy. In addition, the human using the device may be directly identified, e.g. by means of a user-account name.

A WWAN cell may cover a large area, indicatively of a 50 km radius. Telephony cells may have a radius as large as 2–3 km or as little as a hundred metres. WLANs using Wifi technologies have a cell-size of less than 1 ha, indicatively 50–100 m radius, but in practice often constrained by environmental factors to only 10–30 m.

The base-station or router knows the identities of devices that are within its cell, because this is a technically necessary feature of the cell's operation. Mobile devices auto-report their presence 10 times per second. Meanwhile, the locations of base-stations for cellular services are known with considerable accuracy by the telecommunications providers. And, in the case of most private Wifi services, the location of the router is mapped to c. 30–100 m accuracy by services such as Skyhook and Google Locations, which perform what have been dubbed ‘war drives’ in order to maintain their databases – in Google's case in probable violation of the telecommunications interception and/or privacy laws of at least a dozen countries (EPIC, 2012).

Knowing that a device is within a particular mobile phone, WiMAX or Wifi cell provides only a rough indication of location. In order to generate a more precise estimate, within a cell, several techniques are used (McGuire et al., 2005). These include the following (adapted from Clarke and Wigan, 2011; see also Figueiras and Frattasi, 2010):

• directional analysis. A single base-station may comprise multiple receivers at known locations and pointed in known directions, enabling the handset's location within the cell to be reduced to a sector within the cell, and possibly a narrow one, although without information about the distance along the sector;

• triangulation. This involves multiple base-stations serving a single cell, at known locations some distance apart, and each with directional analysis capabilities. Particularly with three or more stations, this enables an inference that the device's location is within a small area at the intersection of the multiple directional plots;

• signal analysis. This involves analysis of the characteristics of the signals exchanged between the handset and base-station, in order to infer the distance between them. Relevant signal characteristics include the apparent response-delay (Time Difference of Arrival – TDOA, also referred to as multilateration), and strength (Received Signal Strength Indicator – RSSI), perhaps supplemented by direction (Angle Of Arrival – AOA).

The precision and reliability of these techniques varies greatly, depending on the circumstances prevailing at the time. The variability and unpredictability result in many mutually inconsistent statements by suppliers, in the general media, and even in the technical literature.

Techniques for cellular networks generally provide reasonably reliable estimates of location to within an indicative 50–100 m in urban areas and some hundreds of metres elsewhere. Worse performance has been reported in some field-tests, however. For example, Dahunsi and Dwolatzky (2012) found the accuracy of GSM location in Johannesburg to be in the range 200–1400 m, and highly variable, with “a huge difference between the predicted and provided accuracies by mobile location providers”.

The website of the Skyhook Wifi-router positioning service claims 10-m accuracy, 1-s time-to-first-fix and 99.8% reliability (SHW, 2012). On the other hand, tests have resulted in far lower accuracy measures, including an average positional error of 63 m in Sydney (Gallagher et al., 2009) and “median values for positional accuracy in [Las Vegas, Miami and San Diego, which] ranged from 43 to 92 metres… [and] the replicability… was relatively poor” (Zandbergen, 2012, p. 35). Nonetheless, a recent research article suggested the feasibility of “uncooperatively and covertly detecting people ‘through the wall’ [by means of their WiFi transmissions]” (Chetty et al., 2012).

Another way in which a device's location may become known to other devices is through self-reporting of the device's position, most commonly by means of an inbuilt Global Positioning System (GPS) chipset. This provides coordinates and altitude based on broadcast signals received from a network of satellites. In any particular instance, the user of the device may or may not be aware that location is being disclosed.

Despite widespread enthusiasm and a moderate level of use, GPS is subject to a number of important limitations. The signals are subject to interference from atmospheric conditions, buildings and trees, and the time to achieve a fix on enough satellites and deliver a location measure may be long. This results in variability in its practical usefulness in different circumstances, and in its accuracy and reliability. Civil-use GPS coordinates are claimed to provide accuracy within a theoretical 7.8 m at a 95% confidence level (USGov, 2012), but various reports suggest 15 m, or 20 m, or 30 m, but sometimes 100 m. It may be affected by radio interference and jamming. The original and still-dominant GPS service operated by the US Government was subject to intentional degradation in the US's national interests. This ‘Selective Availability’ feature still exists, although subject to a decade-long policy not to use it; and future generations of GPS satellites may no longer support it.

Hybrid schemes exist that use two or more sources in order to generate more accurate location-estimates, or to generate estimates more quickly. In particular, Assisted GPS (A-GPS) utilises data from terrestrial servers accessed over cellular networks in order to more efficiently process satellite-derived data (e.g. RE, 2012).

Further categories of location and tracking technologies emerge from time to time. A current example uses means described by the present authors as ‘mobile device signatures’ (MDS). A device may monitor the signals emanating from a user's mobile device, without being part of the network that the user's device is communicating with. The eavesdropping device may detect particular signal characteristics that distinguish the user's mobile device from others in the vicinity. In addition, it may apply any of the various techniques mentioned above, in order to locate the device. If the signal characteristics are persistent, the eavesdropping device can track the user's mobile device, and hence the person carrying it. No formal literature on MDS has yet been located. The supplier's brief description is at PI (2010b).

The various technologies described in this section are capable of being applied to many purposes. The focus in this paper is on their application to surveillance.

3. Surveillance

The term surveillance refers to the systematic investigation or monitoring of the actions or communications of one or more persons (Clarke, 2009c). Until recent times, surveillance was visual, and depended on physical proximity of an observer to the observed. The volume of surveillance conducted was kept in check by the costs involved. Surveillance aids and enhancements emerged, such as binoculars and, later, directional microphones. During the 19th century, the post was intercepted, and telephones were tapped. During the 20th century, cameras enabled transmission of image, video and sound to remote locations, and recording for future use (e.g. Parenti, 2003).

With the surge in stored personal data that accompanied the application of computing to administration in the 1970s and 1980s, dataveillance emerged (Clarke, 1988). Monitoring people through their digital personae rather than through physical observation of their behaviour is much more economical, and hence many more people can be subjected to it (Clarke, 1994). The dataveillance epidemic made it more important than ever to clearly distinguish between personal surveillance – of an identified person who has previously come to attention – and mass surveillance – of many people, not necessarily previously identified, about some or all of whom suspicion could be generated.

Location data is of a very particular nature, and hence it has become necessary to distinguish location surveillance as a sub-set of the general category of dataveillance. There are several categories of location surveillance with different characteristics (Clarke and Wigan, 2011):

• capture of an individual's location at a point in time. Depending on the context, this may support inferences being drawn about an individual's behaviour, purpose, intention and associates

• real-time monitoring of a succession of locations and hence of the person's direction of movement. This is far richer data, and supports much more confident inferences being drawn about an individual's behaviour, purpose, intention and associates

• predictive tracking, by extrapolation from the person's direction of movement, enabling inferences to be drawn about near-future behaviour, purpose, intention and associates

• retrospective tracking, on the basis of the data trail of the person's movements, enabling reconstruction of a person's behaviour, purpose, intention and associates at previous times

Information arising at different times, and from different forms of surveillance, can be combined, in order to offer a more complete picture of a person's activities, and enable yet more inferences to be drawn, and suspicions generated. This is the primary sense in which the term ‘überveillance’ is applied: “Überveillance has to do with the fundamental who (ID), where (location), and when (time) questions in an attempt to derive why (motivation), what (result), and even how (method/plan/thought). Überveillance can be a predictive mechanism for a person's expected behaviour, traits, likes, or dislikes; or it can be based on historical fact; or it can be something in between… Überveillance is more than closed circuit television feeds, or cross-agency databases linked to national identity cards, or biometrics and ePassports used for international travel. Überveillance is the sum total of all these types of surveillance and the deliberate integration of an individual's personal data for the continuous tracking and monitoring of identity and location in real time” (Michael and Michael, 2010. See also Michael and Michael, 2007Michael et al., 20082010Clarke, 2010).

A comprehensive model of surveillance includes consideration of geographical scope, and of temporal scope. Such a model assists the analyst in answering key questions about surveillance: of what? for whom? by whom? why? how? where? and when? (Clarke, 2009c). Distinctions are also needed based on the extent to which the subject has knowledge of surveillance activities. It may be overt or covert. If covert, it may be merely unnotified, or alternatively express measures may be undertaken in order to obfuscate, and achieve secrecy. A further element is the notion of ‘sousveillance’, whereby the tools of surveillance are applied, by those who are commonly watched, against those who are commonly the watchers (Mann et al., 2003).

These notions are applied in the following sections in order to establish the extent to which location and tracking of mobile devices is changing the game of surveillance, and to demonstrate that location surveillance is intruding more deeply into personal freedoms than previous forms of surveillance.

4. Applications

This section presents a typology of applications of mobile device location, as a means of narrowing down to the kinds of uses that have particularly serious privacy implications. These are commonly referred to as location-based services (LBS). One category of applications provide information services that are for the benefit of the mobile device's user, such as navigation aids, and search and discovery tools for the locations variously of particular, identified organisations, and of organisations that sell particular goods and services. Users of LBS of these kinds can be reasonably assumed to be aware that they are disclosing their location. Depending on the design, the disclosures may also be limited to specific service-providers and specific purposes, and the transmissions may be secured.

Another, very different category of application is use by law enforcement agencies (LEAs). The US E-911 mandate of 1999 was nominally a public safety measure, to enable people needing emergency assistance to be quickly and efficiently located. In practice, the facility also delivered LEAs means for locating and tracking people of interest, through their mobile devices. Personal surveillance may be justified by reasonable grounds for suspicion that the subject is involved in serious crime, and may be specifically authorised by judicial warrant. Many countries have always been very loose in their control over LEAs, however, and many others have drastically weakened their controls since 2001. Hence, in any given jurisdiction and context, each and all of the controls may be lacking.

Yet worse, LEAs use mobile location and tracking for mass surveillance, without any specific grounds for suspicion about any of the many people caught up in what is essentially a dragnet-fishing operation (e.g. Mery, 2009). Examples might include monitoring the area adjacent to a meeting-venue watching out for a blacklist of device-identifiers known to have been associated with activists in the past, or collecting device-identifiers for use on future occasions. In addition to netting the kinds of individuals who are of legitimate interest, the ‘by-catch’ inevitably includes threatened species. There are already extraordinarily wide-ranging (and to a considerable extent uncontrolled) data retention requirements in many countries.

Of further concern is the use of Automated Number Plate Recognition (ANPR) for mass surveillance purposes. This has been out of control in the UK since 2006, and has been proposed or attempted in various other countries as well (Clarke, 2009a). Traffic surveillance is expressly used not only for retrospective analysis of the movements of individuals of interest to LEAs, but also as a means of generating suspicions about other people (Lewis, 2008).

Beyond LEAs, many government agencies perform social control functions, and may be tempted to conduct location and tracking surveillance. Examples would include benefits-paying organisations tracking the movements of benefits-recipients about whom suspicions have arisen. It is not too far-fetched to anticipate zealous public servants concerned about fraud control imposing location surveillance on all recipients of some particularly valuable benefit, or as a security precaution on every person visiting a sensitive area (e.g. a prison, a power plant, a national park).

Various forms of social control are also exercised by private sector organisations. Some of these organisations, such as placement services for the unemployed, may be performing outsourced public sector functions. Others, such as workers' compensation providers, may be seeking to control personal insurance claimants, and similarly car-hire companies and insurance providers may wish to monitor motor vehicles' distance driven and roads used (Economist, 2012Michael et al., 2006b).

A further privacy-invasive practice that is already common is the acquisition of location and tracking data by marketing corporations, as a by-product of the provision of location-based services, but with the data then applied to further purposes other than that for which it was intended. Some uses rely on statistical analysis of large holdings (‘data mining’). Many uses are, on the other hand, very specific to the individual, and are for such purposes as direct or indirect targeting of advertisements and the sale of goods and services. Some of these applications combine location data with data from other sources, such as consumer profiling agencies, in order to build up such a substantial digital persona that the individual's behaviour is readily influenced. This takes the activity into the realms of überveillance.

All such services raise serious privacy concerns, because the data is intensive and sensitive, and attractive to organisations. Companies may gain rights in relation to the data through market power, or by trickery – such as exploitation of a self-granted right to change the Terms of Service (Clarke, 2011). Once captured, the data may be re-purposed by any organisation that gains access to it, because the value is high enough that they may judge the trivial penalties that generally apply to breaches of privacy laws to be well worth the risk.

A recently-emerged, privacy-invasive practice is the application of the mobile device signature (MDS) form of tracking, in such locations as supermarkets. This is claimed by its providers to offer deep observational insights into the behaviour of customers, including dwell times in front of displays, possibly linked with the purchaser's behaviour. This raises concerns a little different from other categories of location and tracking technologies, and is accordingly considered in greater depth in the following section.

It is noteworthy that an early review identified a wide range of LBS, which the authors classified into mobile guides, transport, gaming, assistive technology and location-based health (Raper et al., 2007b). Yet that work completely failed to notice that a vast array of applications were emergent in surveillance, law enforcement and national security, despite the existence of relevant literature from at least 1999 onwards (Clarke, 2001Michael and Masters, 2006).

5. Implications

The previous sections have introduced many examples of risks to citizens and consumers arising from location surveillance. This section presents an analysis of the categories and of the degree of seriousness with which they should be viewed. The first topic addressed is the privacy of personal location data. Other dimensions of privacy are then considered, and then the specific case of MDS is examined. The treatment here is complementary to earlier articles that have looked more generally at particular applications such as location-based mobile advertising, e.g. Cleff (20072010) and King and Jessen (2010). See also Art. 29 (2011).

5.1. Locational privacy

Knowing where someone has been, knowing what they are doing right now, and being able to predict where they might go next is a powerful tool for social control and for chilling behaviour (Abbas, 2011). Humans do not move around in a random manner (Song et al., 2010).

One interpretation of ‘locational privacy’ is that it “is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use” (Blumberg and Eckersley, 2009). A more concise definition is “the ability to control the extent to which personal location information is… [accessible and] used by others” (van Loenen et al., 2009). Hence ‘tracking privacy’ is the interest an individual has in controlling information about their sequence of locations.

Location surveillance is deeply intrusive into data privacy, because it is very rich, and enables a great many inferences to be drawn (Clarke, 2001Dobson and Fisher, 2003Michael et al., 2006aClarke and Wigan, 2011). As demonstrated by Raper et al. (2007a, p. 32–3), most of the technical literature that considers privacy is merely concerned about it as an impediment to deployment and adoption, and how to overcome the barrier rather than how to solve the problem. Few authors adopt a positive approach to privacy-protective location technologies. The same authors' review of applications (Raper et al., 2007b) includes a single mention of privacy, and that is in relation to just one of the scores of sub-categories of application that they catalogue.

Most service-providers are cavalier in their handling of personal data, and extravagant in their claims. For example, Skyhook claims that it “respects the privacy of all users, customers, employees and partners”; but, significantly, it makes no mention of the privacy of the people whose locations, through the locations of their Wifi routers, it collects and stores (Skyhook, 2012).

Consent is critical in such LBS as personal location chronicle systems, people-followers and footpath route-tracker systems that systematically collect personal location information from a device they are carrying (Collier, 2011c). The data handled by such applications is highly sensitive because it can be used to conduct behavioural profiling of individuals in particular settings. The sensitivity exists even if the individuals remain ‘nameless’, i.e. if each identifier is a temporary or pseudo-identifier and is not linked to other records. Service-providers, and any other organisations that gain access to the data, achieve the capacity to make judgements on individuals based on their choices of, for example, which retail stores they walk into and which they do not. For example, if a subscriber visits a particular religious bookstore within a shopping mall on a weekly basis, the assumption can be reasonably made that they are in some way affiliated to that religion (Samuel, 2008).

It is frequently asserted that individuals cannot have a reasonable expectation of privacy in a public space (Otterberg, 2005). Contrary to those assertions, however, privacy expectations always have existed in public places, and continue to exist (VLRC, 2010). Tracking the movements of people as they go about their business is a breach of a fundamental expectation that people will be ‘let alone’. In policing, for example, in most democratic countries, it is against the law to covertly track an individual or their vehicle without specific, prior approval in the form of a warrant. This principle has, however, been compromised in many countries since 2001. Warrantless tracking using a mobile device generally results in the evidence, which has been obtained without the proper authority, being inadmissible in a court of law (Samuel, 2008). Some law enforcement agencies have argued for the abolition of the warrant process because the bureaucracy involved may mean that the suspect cannot be prosecuted for a crime they have likely committed (Ganz, 2005). These issues are not new; but far from eliminating a warrant process, the appropriate response is to invest the energy in streamlining this process (Bronitt, 2010).

Privacy risks arise not only from locational data of high integrity, but also from data that is or becomes associated with a person and that is inaccurate, misleading, or wrongly attributed to that individual. High levels of inaccuracy and unreliability were noted above in respect of all forms of location and tracking technologies. In the case of MDS services, claims have been made of 1–2 m locational accuracy. This has yet to be supported by experimental test cases however, and hence there is uncertainty about the reliability of inferences that the service-provider or the shop owner draw. If the data is the subject of a warrant or subpoena, the data's inaccuracy could result in false accusations and even a miscarriage of justice, with the ‘wrong person’ finding themselves in the ‘right place’ at the ‘right time’.

5.2. Privacy more broadly

Privacy has multiple dimensions. One analysis, in Clarke (2006a), identifies four distinct aspects. Privacy of Personal Data, variously also ‘data privacy’ and ‘information privacy’, is the most widely discussed dimension of the four. Individuals claim that data about themselves should not be automatically available to other individuals and organisations, and that, even where data is possessed by another party, the individual must be able to exercise a substantial degree of control over that data and its use. The last five decades have seen the application of information technologies to a vast array of abuses of data privacy. The degree of privacy intrusiveness is a function of both the intensity and the richness of the data. Where multiple sources are combined, the impact is particularly likely to chill behaviour. An example is the correlation of video-feeds with mobile device tracking. The previous sub-section addressed that dimension.

Privacy of the Person, or ‘bodily privacy’, extends from freedom from torture and right to medical treatment, via compulsory immunisation and imposed treatments, to compulsory provision of samples of body fluids and body tissue, and obligations to submit to biometric measurement. Locational surveillance gives rise to concerns about personal safety. Physical privacy is directly threatened where a person who wishes to inflict harm is able to infer the present or near-future location of their target. Dramatic examples include assassins, kidnappers, ‘standover merchants’ and extortionists. But even people who are neither celebrities nor notorieties are subject to stalking and harassment (Fusco et al., 2012).

Privacy of Personal Communications is concerned with the need of individuals for freedom to communicate among themselves, without routine monitoring of their communications by other persons or organisations. Issues include ‘mail covers’, the use of directional microphones, ‘bugs’ and telephonic interception, with or without recording apparatus, and third-party access to email-messages. Locational surveillance thereby creates new threats to communications privacy. For example, the equivalent of ‘call records’ can be generated by combining the locations of two device-identifiers in order to infer that a face-to-face conversation occurred.

Privacy of Personal Behaviour encompasses ‘media privacy’, but particular concern arises in relation to sensitive matters such as sexual preferences and habits, political activities and religious practices. Some privacy analyses, particularly in Europe, extend this discussion to personal autonomy, liberty and the right of self-determination (e.g. King and Jessen, 2010). The notion of ‘private space’ is vital to economic and social aspects of behaviour, is relevant in ‘private places’ such as the home and toilet cubicles, but is also relevant and important in ‘public places’, where systematic observation and the recording of images and sounds are far more intrusive than casual observation by the few people in the vicinity.

Locational surveillance gives rise to rich sets of data about individuals' activities. The knowledge, or even suspicion, that such surveillance is undertaken, chills their behaviour. The chilling factor is vital in the case of political behaviour (Clarke, 2008). It is also of consequence in economic behaviour, because the inventors and innovators on whom new developments depend are commonly ‘different-thinkers’ and even ‘deviants’, who are liable to come to come to attention in mass surveillance dragnets, with the tendency to chill their behaviour, their interactions and their creativity.

Surveillance that generates accurate data is one form of threat. Surveillance that generates inaccurate data, or wrongly associates data with a particular person, is dangerous as well. Many inferences that arise from inaccurate data will be wrong, of course, but that won't prevent those inferences being drawn, resulting in unjustified behavioural privacy invasiveness, including unjustified association with people who are, perhaps for perfectly good reasons, themselves under suspicion.

In short, all dimensions of privacy are seriously affected by location surveillance. For deeper treatments of the topic, see Michael et al. (2006b) and Clarke and Wigan (2011).

5.3. Locational privacy and MDS

The recent innovation of tracking by means of mobile device signatures (MDS) gives rise to some issues additional to, or different from, mainstream device location technologies. This section accordingly considers this particular technique's implications in greater depth. Limited reliable information is currently available, and the analysis is of necessity based on supplier-published sources (PI, 2010a2010b) and media reports (Collier, 2011a,b,c).

Path Intelligence (PI) markets an MDS service to shopping mall-owners, to enable them to better value their floor space in terms of rental revenues, and to identify points of on-foot traffic congestion to on-sell physical advertising and marketing floor space (PI, 2010a). The company claims to detect each phone (and hence person) that enters a zone, and to capture data, including:

• how long each device and person stay, including dwell times in front of shop windows;

• repeat visits by shoppers in varying frequency durations; and

• typical route and circuit paths taken by shoppers as they go from shop to shop during a given shopping experience.

For malls, PI is able to denote such things as whether or not shoppers who shop at one establishment will also shop at another in the same mall, and whether or not people will go out of their way to visit a particular retail outlet independent of its location. For retailers, PI says it is able to provide information on conversion rates by department or even product line, and even which areas of the store might require more attention by staff during specific times of the day or week (PI, 2012).

PI says that it uses “complex algorithms” to denote the geographic position of a mobile phone, using strategically located “proprietary equipment” in a campus setting (PI, 2010a). The company states that it is conducting “data-driven analysis”, but is not collecting, or at least that it is not disclosing, any personal information such as a name, mobile telephone number or contents of a short message service (SMS). It states that it only ever provides aggregated data at varying zone levels to the shopping mall-owners. This is presumably justified on the basis that, using MDS techniques, direct identifiers are unlikely to be available, and a pseudo-identifier needs to be assigned. There is no explicit definition of what constitutes a zone. It is clear, however, that minimally-aggregated data at the highest geographic resolution is available for purchase, and at a higher price than more highly-aggregated data.

Shoppers have no relationship with the company, and it appears unlikely that they would even be aware that data about them is being collected and used. The only disclosure appears to be that “at each of our installations our equipment is clearly visible and labelled with our logo and website address” (PI, 2010a), but this is unlikely to be visible to many people, and in any case would not inform anyone who saw it.

In short, the company is generating revenue by monitoring signals from the mobile devices of people who visit a shopping mall for the purchase of goods and services. The data collection is performed without the knowledge of the person concerned (Renegar et al., 2008). The company is covertly collecting personal data and exploiting it for profit. There is no incentive or value proposition for the individual whose mobile is being tracked. No clear statement is provided about collection, storage, retention, use and disclosure of the data (Arnold, 2008). Even if privacy were not a human right, this would demand statutory intervention on the public policy grounds of commercial unfairness. The company asserts that “our privacy approach has been reviewed by the [US Federal Trade Commission] FTC, which determined that they are comfortable with our practices” (PI, 2010a). It makes no claims of such ‘approval’ anywhere else in the world.

The service could be extended beyond a mall and the individual stores within it, to for example, associated walkways and parking areas, and surrounding areas such as government offices, entertainment zones and shopping-strips. Applications can also be readily envisaged on hospital and university campuses, and in airports and other transport hubs. From prior research, this is likely to expose the individual's place of employment, and even their residence (Michael et al., 2006a,b). Even if only aggregated data is sold to businesses, the individual records remain available to at least the service-provider.

The scope exists to combine this form of locational surveillance with video-surveillance such as in-store CCTV, and indeed this is claimed to be already a feature of the company's offering to retail stores. To the extent that a commonly-used identifier can be established (e.g. through association with the person's payment or loyalty card at a point-of-sale), the full battery of local and externally acquired customer transaction histories and consolidated ‘public records’ data can be linked to in-store behaviour (Michael and Michael, 2007). Longstanding visual surveillance is intersecting with well-established data surveillance, and being augmented by locational surveillance, giving breath to dataveillance, or what is now being referred to by some as ‘smart surveillance’ (Wright et al., 2010IBM, 2011).

Surreptitious collection of personal data is (with exemptions and exceptions) largely against the law, even when undertaken by law enforcement personnel. The MDS mechanism also flies in the face of telephonic interception laws. How, then, can it be in any way acceptable for a form of warrantless tracking to be undertaken by or on behalf of corporations or mainstream government agencies, of shoppers in a mall, or travellers in an airport, or commuters in a transport hub? Why should a service-provider have the right to do what a law enforcement agency cannot normally do?

6. Controls

The tenor of the discussion to date has been that location surveillance harbours enormous threats to location privacy, but also to personal safety, the freedom to communicate, freedom of movement, and freedom of behaviour. This section examines the extent to which protections exist, firstly in the form of natural or intrinsic controls, and secondly in the form of legal provisions. The existing safeguards are found to be seriously inadequate, and it is therefore necessary to also examine the prospects for major enhancements to law, in order to achieve essential protections.

6.1. Intrinsic controls

A variety of forms of safeguard exist against harmful technologies and unreasonable applications of them. The intrinsic economic control has largely evaporated, partly because the tools use electronics and the components are produced in high volumes at low unit cost. Another reason is that the advertising and marketing sectors are highly sophisticated, already hold and exploit vast quantities of personal data, and are readily geared up to exploit yet more data.

Neither the oxymoronic notion of ‘business ethics’ nor the personal morality of executives in business and government act as any significant brake on the behaviours of corporations and governments, because they are very weak barriers, and they are readily rationalised away in the face of claims of enhanced efficiencies in, for example, marketing communications, fraud control, criminal justice and control over anti-social behaviour.

A further category of intrinsic control is ‘self-regulatory’ arrangements within relevant industry sectors. In 2010, for example, the Australian Mobile Telecommunications Association (AMTA) released industry guidelines to promote the privacy of people using LBS on mobile devices (AMTA, 2010). The guidelines were as follows:

1. Every LBS must be provided on an opt-in basis with a specific request from a user for the service

2. Every LBS must comply with all relevant privacy legislation

3. Every LBS must be designed to guard against consumers being located without their knowledge

4. Every LBS must allow consumers to maintain full control

5. Every LBS must enable customers to control who uses their location information and when that is appropriate, and be able to stop or suspend a service easily should they wish

The second point is a matter for parliaments, privacy oversight agencies and law enforcement agencies, and its inclusion in industry guidelines is for information only. The remainder, meanwhile, are at best ‘aspirational’, and at worst mere window-dressing. Codes of this nature are simply ignored by industry members. They are primarily a means to hold off the imposition of actual regulatory measures. Occasional short-term constraints may arise from flurries of media attention, but the ‘responsible’ organisations escape by suggesting that bad behaviour was limited to a few ‘cowboy’ organisations or was a one-time error that will not be repeated.

A case study of the industry self-regulation is provided by the Biometrics Code issued by the misleadingly named Australian industry-and-users association, the Biometrics ‘Institute’ (BI, 2004). During the period 2009–2012, the privacy advocacy organisation, the Australian Privacy Foundation (APF), submitted to the Privacy Commissioner on multiple occasions that the Code failed to meet the stipulated requirements and under the Commissioner's own Rules had to be de-registered. The Code never had more than five subscribers (out of a base of well over 100 members – which was itself only a sub-set of organisations active in the area), and had no signatories among the major biometrics vendors or users, because all five subscribers were small organisations or consultants. In addition, none of the subscribers appear to have ever provided a link to the Code on their websites or in their Privacy Policy Statements (APF, 2012).

The Commissioner finally ended the farce in April 2012, citing the “low numbers of subscribers”, but avoided its responsibilities by permitting the ‘Institute’ to “request” revocation, over two years after the APF had made the same request (OAIC, 2012). The case represents an object lesson in the vacuousness of self-regulation and the business friendliness of a captive privacy oversight agency.

If economics, morality and industry sector politics are inadequate, perhaps competition and organisational self-interest might work. On the other hand, repeated proposals that privacy is a strategic factor for corporations and government agencies have fallen on stony ground (Clarke, 19962006b).

The public can endeavour to exercise countervailing power against privacy-invasive practices. On the other hand, individuals acting alone are of little or no consequence to organisations that are intent on the application of location surveillance. Moreover, consumer organisations lack funding, professionalism and reach, and only occasionally attract sufficient media attention to force any meaningful responses from organisations deploying surveillance technologies.

Individuals may have direct surveillance countermeasures available to them, but relatively few people have the combination of motivation, technical competence and persistence to overcome lethargy and the natural human desire to believe that the institutions surrounding them are benign. In addition, some government agencies, corporations and (increasingly prevalent) public–private partnerships seek to deny anonymity, pseudonymity and multiple identities, and to impose so-called ‘real name’ policies, for example as a solution to the imagined epidemics of cyber-bullying, hate speech and child pornography. Individuals who use cryptography and other obfuscation techniques have to overcome the endeavours of business and government to stigmatise them as criminals with ‘something to hide’.

6.2. Legal controls

It is clear that natural or intrinsic controls have been utter failures in privacy matters generally, and will be in locational privacy matters as well. That leaves legal safeguards for personal freedoms as the sole protection. There are enormous differences among domestic laws relating to location surveillance. This section accordingly limits itself to generalities and examples.

Privacy laws are (with some qualifications, mainly in Europe) very weak instruments. Even where public servants and parliaments have an actual intention to protect privacy, rather than merely to overcome public concerns by passing placebo statutes, the draft Bills are countered by strong lobbying by government agencies and industry, to the extent that measures that were originally portrayed as being privacy-protective reach the statute books as authority for privacy breaches and surveillance (Clarke, 2000).

Privacy laws, once passed, are continually eroded by exceptions built into subsequent legislation, and by technological capabilities that were not contemplated when the laws were passed. In most countries, location privacy has yet to be specifically addressed in legislation. Even where it is encompassed by human rights and privacy laws, the coverage is generally imprecise and ambiguous. More direct and specific regulation may exist, however. In Australia, for example, the Telecommunications (Interception and Access) Act and the Surveillance Devices Act define and criminalise inappropriate interception and access, use, communication and publication of location information that is obtained from mobile device traffic (AG, 2005). On the other hand, when Google Inc. intercepted wi-fi signals and recorded the data that they contained, the Privacy Commissioner absolved the company (Riley, 2010), and the Australian Federal Police refused to prosecute despite the action – whether it was intentional, ‘inadvertent’ or merely plausibly deniable – being a clear breach of the criminal law (Moses, 2010Stilgherrian, 2012).

The European Union determined a decade ago that location data that is identifiable to individuals is to some extent at least subject to existing data protection laws (EU, 2002). However, the wording of that so-called ‘e-Privacy Directive’ countenances the collection of “location data which are more precise than is necessary for the transmission of communications”, without clear controls over the justification, proportionality and transparency of that collection (para. 35). In addition, the e-Privacy Directive only applies to telecommunications service-providers, not to other organisations that acquire location and tracking data. King and Jessen (2010) discuss various gaps in the protective regimes in Europe.

The EU's Advisory Body (essentially a Committee of European Data Protection Commissioners) has issued an Opinion that mobile location data is generally capable of being associated with a person, and hence is personal data, and hence is subject to the EU Directive of 1995 and national laws that implement that Directive (Art. 29, 2011). Consent is considered to be generally necessary, and that consent must be informed, and sufficiently granular (p. 13–8).

It is unclear, however, to what extent this Opinion has actually caused, and will in the future cause, organisations that collect, store, use and disclose location data to change their practices. This uncertainty exists in respect of national security, law enforcement and social control agencies, which have, or which can arrange, legal authority that overrides data protection laws. It also applies to non-government organisations of all kinds, which can take advantage of exceptions, exemptions, loopholes, non-obviousness, obfuscation, unenforceability within each particular jurisdiction, and extra-jurisdictionality, to operate in ways that are in apparent breach of the Opinion.

Legal authorities for privacy-invasions are in a great many cases vague rather than precise, and in many jurisdictions power in relation to specific decisions is delegated to a LEA (in such forms as self-written ‘warrants’), or even a social control agency (in the form of demand-powers), rather than requiring a decision by a judicial officer based on evidence provided by the applicant.

Citizens in many countries are subject to more or less legitimate surveillance of various degrees and orders of granularity, by their government, in the name of law enforcement and national security. However, many Parliaments have granted powers to national security agencies to use location technology to track citizens and to intercept telecommunications. Moreover, many Parliaments have failed the public by permitting a warrant to be signed by a Minister, or even a public servant, rather than a judicial officer (Jay, 1999). Worse still, it appears that these already gross breaches of the principle of a free society are in effect being extended to the authorisation of a private organisation to track mobiles of ordinary citizens because it may lead to better services planning, or more efficient advertising and marketing (Collier, 2011a).

Data protection legislation in all countries evidences massive weaknesses. There are manifold exemptions and exceptions, and there are intentional and accidental exclusions, for example through limitations in the definitions of ‘identified’ and ‘personal data’. Even the much vaunted European laws fail to cope with extraterritoriality and are largely ignored by US-based service-providers. They are also focused exclusively on data, leaving large gaps in safeguards for physical, communications and behavioural privacy.

Meanwhile, a vast amount of abuse of personal data is achieved through the freedom of corporations and government agencies to pretend that Terms imposed on consumers and citizens without the scope to reject them are somehow the subject of informed and freely given consent. For example, petrol stations, supermarkets and many government agencies pretend that walking past signs saying ‘area subject to CCTV’ represents consent to gather, transmit, record, store, use and disclose data. The same approach is being adopted in relation to highly sensitive location data, and much vaunted data protection laws are simply subverted by the mirage of consent.

At least notices such as ‘you are now being watched’ or ‘smile, you are being recorded’ inform customers that they are under observation. On the other hand, people are generally oblivious to the fact that their mobile subscriber identity is transmitted from their mobile phone and multilaterated to yield a reasonably precise location in a shopping mall (Collier, 2011a,b,c). Further, there is no meaningful sense in which they can be claimed to have consented to providing location data to a third party, in this case a location service-provider with whom they have never had contact. And the emergent combination of MDS with CCTV sources becomes a pervasive view of the person, an ‘über’ view, providing a set of über-analytics to – at this stage – shopping complex owners and their constituents.

What rights do employees have if such a system were instituted in an employment setting (Michael and Rose, 2007, p. 252–3)? Are workplace surveillance laws in place that would protect employees from constant monitoring (Stern, 2007)? A similar problem applies to people at airports, or on hospital, university, industrial or government campuses. No social contract has been entered into between the parties, rendering the subscriber powerless.

Since the collapse of the Technology Assessment movement, technological deployment proceeds unimpeded, and public risks are addressed only after they have emerged and the clamour of concern has risen to a crescendo. A reactive force is at play, rather than proactive measures being taken to ensure avoidance or mitigation of potential privacy breaches (Michael et al., 2011). In Australia, for example, safeguards for location surveillance exist at best incidentally, in provisions under separate legislative regimes and in separate jurisdictions, and at worst not at all. No overarching framework exists to provide consistency among the laws. This causes confusion and inevitably results in inadequate protections (ALRC, 2008).

6.3. Prospective legal controls

Various learned studies have been conducted, but gather dust. In Australia, the three major law reform commissions have all reported, and all have been ignored by the legislatures (NSWLRC, 2005ALRC, 2008VLRC, 2010).

One critical need is for the fundamental principle to be recovered, to the effect that the handling of personal data requires either consent or legal authority. Consent is meaningless as a control over unreasonable behaviour, however, unless it satisfies a number of key conditions. It must be informed, it must be freely given, and it must be sufficiently granular, not bundled (Clarke, 2002). In a great many of the circumstances in which organisations are claiming to have consent to gather, store, use and disclose location data, the consumer does not appreciate what the scope of handling is that the service-provider is authorising themselves to perform; the Terms are imposed by the service-provider and may even be varied or completely re-written without consultation, a period of notice or even any notice at all; and consent is bundled rather than the individual being able to construct a pattern of consents and denials that suit their personal needs. Discussions all too frequently focus on the specifically-US notion of ‘opt-out’ (or ‘presumed consent’), with consent debased to ‘opt-in’, and deprecated as inefficient and business-unfriendly.

Recently, some very weak proposals have been put forward, primarily in the USA. In 2011, for example, two US Senators proposed a Location Privacy Protection Bill (Cheng, 2011). An organisation that collected location data from mobile or wireless data devices would have to state explicitly in their privacy policies what was being collected, in plain English. This would represent only a partial implementation of the already very weak 2006 recommendation of the Internet Engineering Task Force for Geographic Location/Privacy (IETF GEOPRIV) working group, which decided that technical systems should include ‘Fair Information Practices’ (FIPs) to defend against harms associated with the use of location technologies (EPIC, 2006). FIPs, however, is itself only a highly cut-down version of effective privacy protections, and the Bill proposes only a small fraction of FIPs. It would be close to worthless to consumers, and close to legislative authorisation for highly privacy-invasive actions by organisations.

Two other US senators tabled a GPS Bill, nominally intended to “balance the needs of Americans' privacy protections with the legitimate needs of law enforcement, and maintains emergency exceptions” (Anderson, 2011). The scope is very narrow – next would have to come the Wi-Fi Act, the A-GPS Act, etc. That approach is obviously unviable in the longer term as new innovations emerge. Effective legislation must have appropriate generality rather than excessive technology-specificity, and should be based on semantics not syntax. Yet worse, these Bills would provide legal authorisation for grossly privacy-invasive location and tracking. IETF engineers, and now Congressmen, want to compromise human rights and increase the imbalance of power between business and consumers.

7. Conclusions

Mobile device location technologies and their applications are enabling surveillance, and producing an enormous leap in intrusions into data privacy and into privacy of the person, privacy of personal communications, and privacy of personal behaviour.

Existing privacy laws are entirely incapable of protecting consumers and citizens against the onslaught. Even where consent is claimed, it generally fails the tests of being informed, freely given and granular.

There is an urgent need for outcries from oversight agencies, and responses from legislatures. Individual countries can provide some degree of protection, but the extra-territorial nature of so much of the private sector, and the use of corporate havens, in particular the USA, mean that multilateral action is essential in order to overcome the excesses arising from the US laissez fairetraditions.

One approach to the problem would be location privacy protection legislation, although it would need to embody the complete suite of protections rather than the mere notification that the technology breaches privacy. An alternative approach is amendment of the current privacy legislation and other anti-terrorism legislation in order to create appropriate regulatory provisions, and close the gaps that LBS providers are exploiting (Koppel, 2010).

The chimeras of self-regulation, and the unenforceability of guidelines, are not safeguards. Sensitive data like location information must be subject to actual, enforced protections, with guidelines and codes no longer used as a substitute, but merely playing a supporting role. Unless substantial protections for personal location information are enacted and enforced, there will be an epidemic of unjustified, disproportionate and covert surveillance, conducted by government and business, and even by citizens (Gillespie, 2009Abbas et al., 2011).

Acknowledgements

A preliminary version of the analysis presented in this paper appeared in the November 2011 edition of Precedent, the journal of the Lawyers Alliance. The article has been significantly updated as a result of comments provided by the referees and editor.

References

R. Abbas, The social and behavioural implications of location-based services: an observational study of users, Journal of Location Based Services, 5 (December 2011), pp. 3-4

R. Abbas, K. Michael, M.G. Michael, A. Aloudat, Emerging forms of covert surveillance using GPS-enabled devices, Journal of Cases on Information Technology, 13 (2) (2011), pp. 19-33

AG, What the government is doing: Surveillance Device Act 2004, Australian Government (25 May 2005) at http://www.ag.gov.au/agd/www/nationalsecurity.nsf/AllDocs/9B1F97B59105AEE6CA25700C0014CAF5?OpenDocument

ALRC, For your information: Australian privacy law and practice, (ALRC report 108), Australian Government (2008), 2, p. 1409–10, http://www.alrc.gov.au.ezproxy.uow.edu.au/publications/report-108

AMTA, New mobile telecommunications industry guidelines and consumer tips set benchmark for location based services, Australian Mobile Telecommunications Association (2010) at http://www.amta.org.au/articles/New.mobile.telecommunications.industry.guidelines.and.consumer.tips.set.benchmark.for.Location.Based.Services

N. Anderson, Bipartisan bill would end government's warrantless GPS tracking, Ars Technica (June 2011) at http://arstechnica.com/tech-policy/news/2011/06/bipartisan-bill-would-end-governments-warrantless-gps-tracking.ars

APF Revocation of the biometrics industry code, Australian Privacy Foundation (March 2012) at http://www.privacy.org.au/Papers/OAIC-BiomCodeRevoc-120321.pdf

B. Arnold, Privacy guide, Caslon Analytics (May 2008), at http://www.caslon.com.au/privacyguide19.htm

Art. 29, Opinion 13/2011 on geolocation services on smart mobile devices, Article 29 Data Protection Working Party, 881/11/EN WP 185, at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf (16 May 2011)

BI Privacy code, Biometrics Institute, Sydney (April 2004) at http://web.archive.org/web/20050424120627/http://www.biometricsinstitute.org/displaycommon.cfm?an=1&subarticlenbr=8

A.J. Blumberg, P. EckersleyOn locational privacy, and how to avoid losing it forever, Electronic Frontier Foundation (August 2009), at https://www.eff.org/wp/locational-privacy

S. Bronitt, Regulating covert policing methods: from reactive to proactive models of admissibility, S. Bronitt, C. Harfield, K. Michael (Eds.), The social implications of covert policing (2010), pp. 9-14

J. Cheng, Franken's location-privacy bill would close mobile-tracking ‘loopholes’, Wired (17 June 2011), at http://www.wired.com/epicenter/2011/06/franken-location-loopholes/

K. Chetty, G.E. Smith, K. Woodbridge, Through-the-wall sensing of personnel using passive bistatic WiFi radar at standoff distances, IEEE Transactions on Geoscience and Remote Sensing, 50 (4) (April 2012), pp. 1218-1226

R. Clarke, Information technology and dataveillance, Communications of the ACM, 31 (5) (May 1988), pp. 498-512, at http://www.rogerclarke.com/DV/CACM88.html

R. Clarke, The digital persona and its application to data surveillance, The Information Society, 10 (2) (June 1994), pp. 77-92, at http://www.rogerclarke.com/DV/DigPersona.html

Clarke R. Privacy and dataveillance, and organisational strategy. In: Proc. I.S. Audit & Control Association (EDPAC'96), Perth, Western Australia; May 1996, at http://www.rogerclarke.com/DV/PStrat.html.

R. Clarke, Submission to the Commonwealth Attorney-General re: ‘a privacy scheme for the private sector: release of key provisions’ of 14 December 1999, Xamax Consultancy Pty Ltd (January 2000) at http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html

R. Clarke, Person-location and person-tracking: technologies, risks and policy implications, Information Technology & People, 14 (2) (Summer 2001), pp. 206-231, at http://www.rogerclarke.com/DV/PLT.html

Clarke R. e-Consent: a critical element of trust in e-business. In: Proc. 15th Bled electronic commerce conference, Bled, Slovenia; June 2002, at http://www.rogerclarke.com/EC/eConsent.html.

R. Clarke, What's ‘privacy’? Xamax Consultancy Pty Ltd (2006), August 2006, at http://www.rogerclarke.com/DV/Privacy.html

R. Clarke, Make privacy a strategic factor – the why and the how, Cutter IT Journal, 19 (11) (2006), at http://www.rogerclarke.com/DV/APBD-0609.html

R. Clarke, Dissidentity: the political dimension of identity and privacy, Identity in the Information Society, 1 (1) (December 2008), pp. 221-228, at http://www.rogerclarke.com/DV/Dissidentity.html

Clarke R. The covert implementation of mass vehicle surveillance in Australia. In: Proc 4th workshop on the social implications of national security: covert policing, April 2009, ANU, Canberra; 2009a, at http://www.rogerclarke.com/DV/ANPR-Surv.html.

Clarke R. A sufficiently rich model of (id)entity, authentication and authorisation. In: Proc. IDIS 2009 – the 2nd multidisciplinary workshop on identity in the Information Society, LSE, 5 June 2009; 2009b, at http://www.rogerclarke.com/ID/IdModel-090605.html.

R. Clarke, A framework for surveillance analysis, Xamax Consultancy Pty Ltd (2009), August 2009, at http://www.rogerclarke.com/DV/FSA.html

R. Clarke, What is überveillance? (And what should be done about it?) IEEE Technology and Society, 29 (2) (Summer 2010), pp. 17-25, at http://www.rogerclarke.com/DV/RNSA07.html

Clarke R. The cloudy future of consumer computing. In: Proc. 24th Bled eConference; June 2011, at http://www.rogerclarke.com/EC/CCC.html.

R. Clarke, M. Wigan, You are where you've been: the privacy implications of location and tracking technologies, Journal of Location Based Services, 5 (3–4) (December 2011), pp. 138-155, http://www.rogerclarke.com/DV/YAWYB-CWP.html

E.B. Cleff, Implementing the legal criteria of meaningful consent in the concept of mobile advertising, Computer Law & Security Review, 23 (2) (2007), pp. 262-269

E.B. Cleff, Effective approaches to regulate mobile advertising: moving towards a coordinated legal, self-regulatory and technical response, Computer Law & Security Review, 26 (2) (2010), pp. 158-169

K. Collier, Stores spy on shoppers, Herald Sun (2011), 12 October 2011, at http://www.heraldsun.com.au/news/more-news/stores-spy-on-shoppers/story-fn7x8me2-1226164244739

K. Collier, Shopping centres' Big Brother plan to track customers, Herald Sun (2011), 14 October 2011, at http://www.heraldsun.com.au/news/more-news/shopping-centres-big-brother-plan-to-track-customers/story-fn7x8me2-1226166191503

K. Collier, ‘Creepy’ path intelligence retail technology tracks shoppers, news.com.au (2011), 14 October 2011, at http://www.news.com.au/money/creepy-retail-technology-tracks-shoppers/story-e6frfmci-1226166413071

F. Dahunsi, B. Dwolatzky, An empirical investigation of the accuracy of location-based services in South Africa, Journal of Location Based Services, 6 (1) (March 2012), pp. 22-34

J. Dobson, P. Fisher, Geoslavery, IEEE Technology and Society, 22 (2003), pp. 47-52, cited in Raper et al. (2007)

Economist, Vehicle data recorders – watching your driving, The Economist (23 June 2012), at http://www.economist.com/node/21557309

J. Edwards, Apple has quietly started tracking iphone users again, and it's tricky to opt out, Business Insider (11 October 2012) at http://www.businessinsider.com/ifa-apples-iphone-tracking-in-ios-6-2012-10

EPIC, Privacy and human rights report 2006, Electronic Privacy Information Center, WorldLII (2006) at http://www.worldlii.org.ezproxy.uow.edu.au/int/journals/EPICPrivHR/2006/PHR2006-Location.html

EPIC, Investigations of Google street view, Electronic Privacy Information Center (2012), at http://epic.org/privacy/streetview/

EU Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

Official Journal, L 201 (2002), 31/07/2002 P. 0037-0047, European Commission, at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

J. Figueiras, S. Frattasi, Mobile positioning and tracking: from conventional to cooperative techniques, Wiley (2010)

S.J. Fusco, R. Abbas, K. Michael, A. Aloudat, Location-based social networking and its impact on trust in relationships, IEEE Technology and Society Magazine, 31 (2) (Summer 2012), pp. 39-50, at http://works.bepress.com.ezproxy.uow.edu.au/cgi/viewcontent.cgi?article=1326&context=kmichael

Gallagher T et al. Trials of commercial Wi-Fi positioning systems for indoor and urban canyons. In: Proc. IGNSS symposium, Queensland; 1–3 December 2009, cited in Zandbergen (2012).

J.S. Ganz, It's already public: why federal officers should not need warrants to use GPS vehicle tracking devices, Journal of Criminal Law and Criminology, 95 (4) (Summer 2005), pp. 1325-1337

A.A. Gillespie, Covert surveillance, human rights and the law, Irish Criminal Law Journal, 19 (3) (August 2009), pp. 71-79

IBM, IBM smart surveillance system (previous PeopleVision project, IBM Research (30 October 2011), at http://www.research.ibm.com.ezproxy.uow.edu.au/peoplevision/

D.M. Jay, Use of covert surveillance obtained by search warrant, Australian Law Journal, 73 (1) (Jan 1999), pp. 34-36

N.J. King, P.W. Jessen, Profiling the mobile customer – privacy concerns when behavioural advertisers target mobile phones, Computer Law & Security Review, 26 (5) (2010), pp. 455-478, and 2010; 26(6): 595–612

A. Koppel, Warranting a warrant: fourth amendment concerns raised by law enforcement's warrantless use of GPS and cellular phone tracking, University of Miami Law Review, 64 (3) (April 2010), pp. 1061-1089

P. Lewis, Fears over privacy as police expand surveillance project, The Guardian (15 September 2008) at http://www.guardian.co.uk/uk/2008/sep/15/civilliberties.police

B. van Loenen, J. Zevenbergen, J. de JongBalancing location privacy with national security: a comparative analysis of three countries through the balancing framework of the European court of human rights, N.J. Patten, et al. (Eds.), National security: institutional approaches, Nova Science Publishers (2009), [chapter 2]

M. McGuire, K.N. Plataniotis, A.N. Venetsanopoulos, Data fusion of power and time measurements for mobile terminal location, IEEE Transaction on Mobile Computing, 4 (2005), pp. 142-153, cited in Raper et al. (2007)

S. Mann, J. Nolan, B. Wellman, Sousveillance: inventing and using wearable computing devices for data collection in surveillance environments, Surveillance & Society, 1 (3) (June 2003), pp. 331-355, at http://www.surveillance-and-society.org/articles1(3)/sousveillance.pdf

Mautz R. Overview of indoor positioning technologies. Keynote. In: Proc. IPIN'2011, Guimaraes; September 2011, at http://www.geometh.ethz.ch/people/.../IPIN_Keynote_Mautz_2011.pdf.

D. Mery, The mobile phone as self-inflicted surveillance – and if you don't have one, what have you got to hide? The Register (10 April 2009) at http://www.theregister.co.uk/2009/04/10/mobile_phone_tracking/

Michael and Michael, 2007, K. Michael, M.G. Michael, From dataveillance to überveillance and the Realpolitik of the Transparent Society, University of Wollongong (2007) at http://works.bepress.com.ezproxy.uow.edu.au/kmichael/51

K. Michael, M.G. Michael, Innovative automatic identification and location-based services: from bar codes to chip implants, IGI Global (2009)

M.G. Michael, K. Michael, Towards a state of uberveillance, IEEE Technology and Society Magazine, 29 (2) (Summer 2010), pp. 9-16, at, http://works.bepress.com.ezproxy.uow.edu.au/kmichael/187

Michael K, McNamee A, Michael MG, Tootell H., Location-based intelligence – modeling behavior in humans using GPS. In: Proc. int'l symposium on technology and society, New York, 8–11 June 2006; 2006a, at http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1384&context=infopapers.

Michael K, McNamee A, Michael MG. The emerging ethics of humancentric GPS tracking and monitoring. In: Proc. int'l conf. on mobile business, Copenhagen, Denmark. IEEE Computer Society; 2006b, at http://ro.uow.edu.au/cgi/viewcontent.cgi?article=1384&context=infopapers.

M.G. Michael, S.J. Fusco, K. Michael, A research note on ethics in the emerging age of uberveillance, Computer Communications, 31 (6) (2008), pp. 1192-1199, at http://works.bepress.com.ezproxy.uow.edu.au/kmichael/32/

Michael and Masters, 2006, K. Michael, A. Masters, Realized applications of positioning technologies in defense intelligence, H. Hussein Abbass, D. Essam (Eds.), Applications of information systems to homeland security and defense, Idea Group Publishing (2006), at http://works.bepress.com.ezproxy.uow.edu.au/kmichael/2

K. Michael, G. Rose, Human tracking technology in mutual legal assistance and police inter-state cooperation in international crimes, K. Michael, M.G. Michael (Eds.), From dataveillance to überveillance and the realpolitik of the transparent society. 1st ed, University of Wollongong, Wollongong (2007), pp. 241-256.

K. Michael, G. Roussos, G.Q. Huang, R. Gadh, A. Chattopadhyay, S.Prabhu, et al.Planetary-scale RFID services in an age of uberveillance, Proceedings of the IEEE, 98 (9) (2010), pp. 1663-1671

K. Michael, M.G. Michael, R. Abbas, The importance of scenarios in the prediction of the social implications of emerging technologies and services, Journal of Cases on Information Technology (JCIT) 13.2 (2011), pp. i-vii

A. Moses, Google escapes criminal charges for Wi-Fi snooping, The Sydney Morning Herald (6 December 2010) at http://www.smh.com.au/technology/security/google-escapes-criminal-charges-for-wifi-snooping-20101206-18lot.html

NSWLRC Surveillance, Report 108, NSW Law Reform Commission (2005) at http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_r108toc

OAIC. Office of the Australian Information Commissioner; April 2012, at http://www.comlaw.gov.au/Details/F2012L00869/Explanatory%20Statement/Text.

A.A. Otterberg, Note: GPS tracking technology: the case for revisiting Knotts and shifting the Supreme Court's theory of the public space under the fourth amendment, Boston College Law Review, 46 (2005) (2005), pp. 661-704

C. Parenti, The soft cage: surveillance in America from slavery to the war on terror, Basic Books (2003)

PI, Our commitment to privacy, Path Intelligence (2010), heading changed in late 2012 to ‘privacy by design’, at http://www.pathintelligence.com/en/products/footpath/privacy

PI, FootPath technology, Path Intelligence (2010) at http://www.pathintelligence.com/en/products/footpath/footpath-technology

PI Retail, Path Intelligence (2012), at http://www.pathintelligence.com/en/industries/retail

J. Raper, G. Gartner, H. Karimi, C. Rizos, A critical evaluation of location based services and their potential, Journal of Location Based Services, 1 (1) (2007), pp. 5-45

J. Raper, G. Gartner, H. Karimi, C. Rizos, Applications of location-based services: a selected review, Journal of Location Based Services, 1 (2) (2007), pp. 89-111

RE IEEE 802.11 standards tutorial, Radio-Electronics.com (2010), apparently of 2010, at http://www.radio-electronics.com/info/wireless/wi-fi/ieee-802-11-standards-tutorial.php

RE WiMAX IEEE 802.16 technology tutorial, Radio-Electronics.com (2010), apparently of 2010, at http://www.radio-electronics.com/info/wireless/wimax/wimax.php

RE Assisted GPS, A-GPS, Radio-Electronics.com (2012) apparently of 2012, at http://www.radio-electronics.com/info/cellulartelecomms/location_services/assisted_gps.php

Renegar BD, Michael K, Michael MG. Privacy, value and control issues in four mobile business applications. In: Proc. 7th int'l conf. on mobile business; 2008. p. 30–40.

J. Riley, Gov't ‘travesty’ in Google privacy case, ITWire, 20 (Wednesday 3 November 2010), p. 44, at http://www.itwire.com/it-policy-news/regulation/42898-govt-travesty-in-google-privacy-case

I.J. Samuel, Warrantless location tracking, New York University Law Review, 83 (2008), pp. 1324-1352

SHW Skyhook location performance at http://www.skyhookwireless.com/location-technology/performance.php (2012)

Skyhook. (2012). Website entries, including ‘frequently asked questions’ at http://www.skyhookwireless.com/whoweare/faq.php, ‘privacy policy’ at http://www.skyhookwireless.com/whoweare/privacypolicy.php and ‘location privacy’ at http://www.skyhookwireless.com/whoweare/privacy.php.

C. Song, Z. Qu, N. Blumm, A.-L. Barabási, Limits of predictability in human mobility, Science, 327 (5968) (2010), pp. 1018-1021.

A. Stern, Man fired thanks to GPS tracking, Center Networks (31 August 2007), at http://www.centernetworks.com/man-fired-thanks-to-gps-tracking

Stilgherrian, Forget government data retention, Google has you wired, Crikey (2 October 2012), at http://www.crikey.com.au/2012/10/02/forget-government-data-retention-google-has-you-wired/

USGovGPS accuracy, National Coordination Office for Space-Based Positioning, Navigation, and Timing(February 2012), at http://www.gps.gov/systems/gps/performance/accuracy/

VLRC, Surveillance in public spaces, Victorian Law Reform Commission (March 2010), Final report 18, at http://www.lawreform.vic.gov.au/wps/wcm/connect/justlib/Law+Reform/resources/3/6/36418680438a4b4eacc0fd34222e6833/Surveillance_final_report.pdf

D. Wright, M. Friedewald, S. Gutwirth, M. Langheinrich, E. Mordini, R.Bellanova, et al.Sorting out smart surveillance, Computer Law & Security Review, 26 (4) (2010), pp. 343-354

P.A. Zandbergen, Comparison of WiFi positioning on two mobile devices, Journal of Location Based Services, 6 (1) (March 2012), pp. 35-50

Keywords: Location-based systems (LBS), Cellular mobile, Wireless LAN, GPS, Mobile device signatures (MDS), Privacy, Surveillance, Überveillance

Citation: Katina Michael and Roger Clarke, "Location and tracking of mobile devices: Überveillance stalks the streets", Computer Law & Security Review, Vol. 29, No. 3, June 2013, pp. 216-228, DOI: https://doi.org/10.1016/j.clsr.2013.03.004

Heaven and Hell: Visions for Pervasive Adaptation

Abstract

With everyday objects becoming increasingly smart and the “info-sphere” being enriched with nano-sensors and networked to computationally-enabled devices and services, the way we interact with our environment has changed significantly, and will continue to change rapidly in the next few years. Being user-centric, novel systems will tune their behaviour to individuals, taking into account users’ personal characteristics and preferences. But having a pervasive adaptive environment that understands and supports us “behaving naturally” with all its tempting charm and usability, may also bring latent risks, as we seamlessly give up our privacy (and also personal control) to a pervasive world of business-oriented goals of which we simply may be unaware.

1. Visions of pervasive adaptive technologies

This session considered some implications for the future, inviting participants to evaluate alternative utopian/dystopian visions of pervasive adaptive technologies. It was designed to appeal to anyone interested in the personal, social, economic and political impacts of pervasive, ubiquitous and adaptive computing.

The session was sponsored by projects from the FET Proactive Initiative on Pervasive Adaptation (PerAda), which targets technologies and design methodologies for pervasive information and communication systems capable of autonomously adapting in dynamic environments. The session was based on themes from the PerAda book entitled “This Pervasive Day”, to be published in 2011 by Imperial College Press, which includes several authors from the PerAda projects, who are technology experts in artificial intelligence, adaptive systems, ambient environments, and pervasive computing. The book offers visions of “user heaven” and “user hell”, describing technological benefits and useful applications of pervasive adaptation, but also potential threats of technology. For example, positive advances in sensor networks, affective computing and the ability to improve user-behaviour modeling using predictive analytics could be offset by results that ensure that neither our behaviour, nor our preferences, nor even our feelings will be exempt from being sensed, digitised, stored, shared, and even sold. Other potentially undesirable outcomes to privacy, basic freedoms (of expression, representation, demonstration etc.), and even human rights could emerge.

One of the major challenges, therefore, is how to improve pervasive technology (still in its immature phase) in order to optimise benefits and reduce the risks of negative effects. Increasingly FET research projects are asked to focus on the social and economic impacts of science and technology, and this session aimed to engage scientists in wider issues, and consider some of the less attractive effects as well as the benefits from pervasive adaptation. Future and emerging technology research should focus on the social and economic impacts of practical applications. The prospect of intelligent services increasingly usurping user preferences as well as a certain measure of human control creates challenges across a wide range of fields.

2. Format

The networking session took the form of a live debate, primed by several short “starter” talks by “This Pervasive Day” authors who each outlined “heaven and hell” scenarios. The session was chaired by Ben Paechter, Edinburgh Napier University, and coordinator of the PerAda coordination action. The other speakers were as follows:

Pervasive Adaptation and Design Contractualism.

Jeremy Pitt, Imperial College London, UK, editor of “This Pervasive Day”.

This presentation described some of the new channels, applications and affordances for pervasive computing and stressed the need to revisit the user-centric viewpoint of the domain of Human-Computer Interaction. In dealing with the issues of security and trust in such complex systems, capable of widespread data gathering and storage, Pitt suggested that there is a requirement for Design Contractualism, where the designer makes moral and ethical judgments and encodes them in the system. No privacy or security model is of any value if the system developers will not respect the implicit social contract on which the model depends.

Micro-chipping People, The Risk vs Reward Debate

Katina Michael, University of Wollongong, Australia

Michael discussed the rise of RFID chip implantation in people as a surveillance mechanism, making comparisons with the CCTV cameras that are becoming commonplace in streets and buildings worldwide. These devices are heralding in an age of “Uberveillance”, she claims, with corporations, governments and individuals being increasingly tempted to read and record the biometric and locative data of other individuals. This constant tracking of location and monitoring of physical condition raises serious questions concerning security and privacy that researchers will have to face in the near future.

Who is more adaptive: the technology or ourselves?

Nikola Serbedzija, Fraunhofer FIRST, Germany

Serbedzija discussed how today's widespread information technologies may be affecting how we are as humans. We are now entering a world where information is replacing materiality, and where control over our individual data allows us to construct ourselves as we wish to be seen by others. Serbedzija then presented examples of research into ethically critical systems, including a reflective approach to designing empathetic systems that use our personal, physical data to assist us in our activities, for example as vehicle co-driving situations.

3. Conclusion

Following the presentations, the discussion was opened out and panellists answered questions from conference delegates. This was augmented by the use of a “tweet wall” which was open to delegates to send comments and opinions using a Twitter account. This was displayed on screen during the discussion session.

Keywords: Pervasive adaptation, ubiquitous computing, sensor networks, affective computing, privacy, security

Citation: Ben Paechter, Jeremy Pitt, Nikola Serbedzija, Katina Michael, Jennifer Willies, Ingi Helgasona, 2011, "Heaven and Hell: Visions for Pervasive Adaptation", Procedia Computer Science: The European Future Technologies Conference and Exhibition 2011, Vol. 7, pp. 81-82, DOI: https://doi.org/10.1016/j.procs.2011.12.025

The Emerging Ethics of Humancentric GPS Tracking and Monitoring

Abstract

The Global Positioning System (GPS) is increasingly being adopted by private and public enterprise to track and monitor humans for location-based services (LBS). Some of these applications include personal locators for children, the elderly or those suffering from Alzheimer's or memory loss, and the monitoring of parolees for law enforcement, security or personal protection purposes. The continual miniaturization of the GPS chipset means that receivers can take the form of wristwatches, mini mobiles and bracelets, with the ability to pinpoint the longitude and latitude of a subject 24/7/365. This paper employs usability context analyses to draw out the emerging ethical concerns facing current humancentric GPS applications. The outcome of the study is the classification of current state GPS applications into the contexts of control, convenience, and care; and a preliminary ethical framework for considering the viability of GPS location-based services emphasizing privacy, accuracy, property and accessibility.

Section I

Introduction

GPS has the ability to calculate the position, time, and velocity of any GPS receiver. It does so using a process of triangulation, which works on the premise that you can find any position if the distance from three other locations is also known. Originally conceived by the U.S. Air Force for military purposes in the 1960s, it was commercially released in 1995. In 2000, selective availability was turned off, providing consumers the same level of accuracy as the U.S. military. Since that time, mobile business applications based on GPS and cellular network technologies have proliferated. The rate of innovation has been high, and the level of adoption has been steadily increasing, showing a great deal of promise for the small start-up companies which are targeting GPS solutions at families, enterprises, and security-related government initiatives. This paper is significant because in the not-to-distant future, mobile devices will have GPS chipsets on board. Yet, the growth in the number of commercial offerings–while approved by government regulatory bodies–have not been faced with the commensurate ethical discourse which includes legalities and ownership. The aim of this paper is to explore current commercial services based on GPS technology, with a view to identifying emerging ethical concerns and developing an ethical framework.

Section II

Background

The concept of tracking and monitoring using GPS technologies is far from novel [1].Numerous studies and experiments have investigated the potential of GPS to record a person's movements [2], [3]. However, very few studies have attempted to explore the ethical problems of GPS tracking. The question of ethics in precise location services has been gathering traction within the research community, much of this provoked by Wal-Mart's announcement to implement radio-frequency identification (RFID) for itemized inventory tracking using the EPCglobal standard. More recently a whole issue of the Communications of the ACM was dedicated to RFID privacy and security concerns, while other location technologies were largely ignored. The work of Dobson and Fischer [4], Garfinkel et al. [5], Michael and Michael [6], Perusco and Michael [7], Kaupins and Minch [8], Perakslis and Wolk [9] and Stajano [10] have all indicated the need for a deeper understanding of ethics in location services. In addition the foreseeable power of GPS working in tandem with RFID and wireless local area networks (WLANs), will bring with it a new suite of pressing concerns.

2.1. Unanswered questions

Many questions remain unanswered. Who is liable for providing an incorrect geographic reference location for an emergency services call? Does a private enterprise require the consent of an individual subscriber to track a vehicle that has been rented and is mounted with a GPS receiver? Does a government agency or the police force have the right to location information for a given subscriber when they suspect illegal activity? Do refugees or illegal immigrants have the right to refuse a government-imposed tracking device? Is the 24/7/365 monitoring of a parolee's location information ethical? What rights does a mentally ill person have to their location data and does a caregiver have the right to impose certain geographic constraints on that subscriber? And how do caregiver relationships differ from guardian/parent-to-child, or husband-to-wife contexts? And what of employer work-related location monitoring of employees? Who owns location data–the individual subscriber, the service provider, or a third party that stores the information? The answers to these questions are complex and highlight the urgent need for the development of an ethical framework and other industry guidelines.

Section III

Usability Context Analyses and Ethics

Table 1. Ethics-based conceptual approach

Table 1. Ethics-based conceptual approach

Ethics is defined as “[a] system of moral principles, by which human actions and proposals may be judged good or bad or right or wrong” (Macquarie Dictionary). Moral is concerned with “right conduct or the distinction between right or wrong.” This study is aimed at exploring whether the real-time tracking and monitoring of people is morally right or wrong. It is an attempt to formulate an ethical framework by considering principles of moral behavior–something that “has always been a necessary feature of human cultures” [11], [12]. The conceptual approach used toward the building of an ethical framework is based on four main aspects: principles, purpose, morality and justice (Table 1).

When one conducts a usability context analysis, they are not focused on a traditional case study but on a specific product innovation area. The unit of analysis is thus any interactive system or device which supports a user's task. This approach has been used successfully in the past to study controversial chip implant applications [13]. Three usability contexts will be analyzed–care, control and convenience. Each context will focus on uses of GPS tracking and monitoring applications. There is synergy between a usability context analysis methodology and an ethics-based conceptual approach, as one looks at the use, and the other at the implications of the use value.

Section IV

Control

Most ethical issues are connected to the control aspect of GPS tracking, as it imposes an intrusive method of supervision. For the purposes of control GPS has been used for law enforcement, parolees and sex offenders, suspected terrorists and employee monitoring.

4.1. Law enforcement

U.S. law specifies that a court can issue a warrant for the installation of a mobile “tracking device” if a person is suspected of committing a crime [14]. See also House Bill 115 currently being deliberated in the U.S. The term “tracking device” covers a broad spectrum of technologies but the popularity and simplicity of GPS makes it an obvious choice. Gabriel Technologies is one company which is seeking to be the supplier of choice for the federal and homeland security markets [15]. GPSs are even being used to track gang members in U.S. cities, strapped to parolees [16].

There are documented cases in the U.S. of police discreetly planting GPS devices on suspected criminals. The William Jackson case was the first to rule that placing a GPS device on a person or their vehicle does not require a warrant as it is the same as following them around [17]. In 2000, Jackson was found guilty of murdering his daughter after the GPS device placed on his truck found that he had returned to his daughter's crime scene. In another case in New York the judge ruled that police do not need a warrant to track a person on a public street stating that the defendant: “… had no expectation of privacy in the whereabouts of his vehicle on a public roadway” [18].In San Francisco, Scott Peterson had a GPS tracking device placed on his car after being suspected of murdering his pregnant wife in 2002 [19]. His suspicious behavior led to a legal trial involving much speculation over the use of the GPS antenna (even though police had a warrant), and the accuracy of the collected data [20]. However, the judge ruled that the technology was “generally accepted and fundamentally valid” [21].

4.2. Parolees and sex offenders

Today many parolees are fitted with a small tamperproof GPS tracker worn as a bracelet or anklet. The ankle device is in the shape of a rigid plastic ring, accompanied by a small tracking box that can fit in a pocket [22]. Companies such as iSECUREtrac, design GPS monitoring systems to track parolees and sex offenders ensuring they do not commit any crimes, alert authorities if they enter certain locations, (e.g. schools, parks), and prevent them from leaving their homes, if that is prohibited [23]. Some GPS units can also offer the added capability of knowing how much alcohol a person has consumed by measuring perspiration levels every hour. Parolee and pedophile tracking is widespread in the United States with an estimated 120,000 tracked parolees in 28 states [24]. However, there are over 50,000 convicted sex offenders in the US that are not tracked at all [25].

Australian states have been trialing GPS systems and there are proposed schemes for NSW, Western Australia and Victoria [26]. In NSW there are 1,900 offenders on the Child Protection Register but officials say it is too costly and difficult to track all of them [27]. Queensland's corrective services minister, Judy Spence, reviewed a New Zealand trial and found that for the GPS scheme to be cost-effective in Australia, their would need to be quite a lot more prisoners. It is interesting to note, that the question of ethics was not addressed: “the cost of monitoring someone using GPS technology [is] about 1,000 cheaper than keeping them in prison [28].However, in Florida (USA), the estimated cost of placing tracking devices on all sex offenders is 56 million USD per annum [25]. Accounting for each person individually would cost about 100 if they were physically in prison [24]. One disadvantage of the parolee tracking process is its labor intensive nature. A U.S. parolee officer in Georgia who monitors the movements of 17 parolees has said: “… the amount of information is overwhelming … I could easily spend an hour every morning on each offender to go over the information that's there. For some of them, it's necessary. For some of them, it's not” [29]. The amount of data generated has some advantages, such as in the event that parolees are falsely accused of committing crimes at particular locations and evidence suggests otherwise. The message from the police is clear, “[w]e know where you are, and we are watching” [30].

4.3. Suspected terrorists

A number of national laws stipulate the use of a tracking device affixed to any person suspected of “activities prejudicial to security” (e.g. ASIO Act 1979). Previously, the maximum period of time a suspected terrorist could be tracked was 6 months, however, during the Council of Australian Government (COAG) meeting on counter-terrorism it was planned to increase this period to 12 months [31].

4.4. Employee monitoring

Employees that are tracked using GPS usually travel in vehicles over long distances. Tracked workers include couriers, and bus and truck drivers. The motivation for tracking employees is linked to improving company productivity. Automated Waste Disposal Incorporated uses GPS to ensure their truck drivers do not speed and are on track to meet their delivery schedule. The company imposed GPS tracking on its employees to reduce overtime and labor costs. After implementing the GPS tracking system the number of overtime hours dropped from 300 to 70 hours on average per week [32].

Section V

Convenience

Although GPS tracking may not be widely used for the purposes of convenience today, there are a number of commercial uses. For example, Satellite Security Systems (S3), offer vehicle tracking services to a variety of customers, including parents and suspicious spouses [33]. Clients carry a GPS device with them which transmits location data to S3 computers for further analysis. S3 tracks so many vehicles that even homeland security officials sometimes turn to them for support. GPS systems are also becoming important in delivering key business processes such as real-time sales force automation. Norwich Union uses GPS to track their 18 to 21 year old customers, charging their car insurance premiums based on the time of day they drive. The company induces a tariff at peak times when there is a greater chance of having an accident [34]. Companies like Disney are riding on their family brand, targeting up to 30 million children that they classify as “tweens” (8–12 year olds), with location-based family-centric services [35]. But this idea is not new, Japanese school children have for some years been tracked by their parents, wearing transmitters in their school backpacks, uniforms, or shoes [36]. BuddyFinder systems have also been around for some time, allowing friends and family to catch up based on their whereabouts. On another level, there are even golf GPS devices which display the layout of each hole and player locations on the course [37].

Section VI

Care

GPS satellite tracking can assist people who are responsible for the health and wellbeing of others. Two such applications include GPS for tracking dementia sufferers, and parents tracking their children.

6.1. Dementia wandering

Dementia is a symptom of a number of diseases. However, the most common forms are Alzheimer's disease, vascular dementia and dementia with Lewy bodies [38]. It currently affects five per cent of people aged over 65 years and twenty per cent of people aged over 80 years. Dementia becomes a serious problem when a patient begins to wander. Due to his/her mental state a dementia sufferer may get lost easily and may even be injured or killed [39]. Since it is difficult to keep constant watch over a dementia sufferer, a caregiver can employ a variety of assistive technologies which notify family members automatically by phone or email if problems arise [3].Proponents of this application emphasize that the technology grants dementia sufferers more independence and freedom, allowing them a better quality of life [40].

6.2. Parents tracking children

There are a number of GPS products available today which allow parents to track their children. One of the more popular products is Wherifone created by WherifyWireless. The device is about the size of a credit card and has a feature which alerts emergency services. Previously, the company offered a wristwatch tracker but discontinued production because customers wanted to be able to call their children [41]. Users can find the location of their child by logging onto the company website and viewing data on a map. Gilson's AlwaysFind GPS trackers are an alternative [42]. Another GPS tracking system provided by TAA GPS, supports The Teen Arrive Alive program in the U.S., dedicated to addressing teenager driving safety. Parents can find the location of their teenage child, for $19.99 USD a month by using the Internet or calling the locator hotline [43]. Locations are updated every two minutes so parents can keep a constant eye on their child's activities. Further on the theme of driving, the application Ezitrack allows parents in Australia to immobilize a car while it is moving. Even though the device gives a ninety second warning before the car shuts down, officials are still concerned saying it is dangerous, causes inconvenience, and “puts (policing) in the hands of the individual” [44]. A South Australian primary school is also using a GPS tracking system on their school bus, to monitor the speed and keep track of where children get off the bus [45].

Section VII

Towards an Ethical Framework

In each usability context analysis, several GPS tracking applications were presented, raising questions about the potential ethical implications of the technology. Yet the “acceptable use” of GPS is currently #ff0000. Can information generated by a receiver, be treated the same as just any other piece of information? Can data generated by a GPS for one purpose, be used for another? For example, can vehicle tracking be used to track an employee, and to convict the driver of speeding?

Table 2. Ethical framework

Table 2. Ethical framework

The most significant ethical issue facing GPS tracking is that of privacy (Table 2). It can be claimed that products that have the ability to track their subjects are automatically impinging the rights of the individual, even if they themselves have elected to carry the device. Legal jurisdictional issues also apply, as do acts which often seemingly contradict one another. For instance, there is precedence that indicates that a person can be found guilty of a crime based on GPS generated information [46]. In one such case, the judge ruled that there was “no Fourth Amendment implications in the use of the GPS device.” A framework has been devised to encapsulate the ethical issues related to GPS tracking and monitoring. This framework is based on the information technology (IT) ethical issues framework created by Mason [47], and later updated by Turban [48]. The four main ethical issues are categorized into privacy, accuracy, property and accessibility.

7.1. Privacy

The greatest concern of GPS tracking is the amount of information that can be deduced from the analysis of a person's movements.

7.1.1. What location-specific information should an individual require to reveal to others?

In many cases a person's location does not need to be known unless he/she does something unexpected. Parents only need to know if their child is not at school when they should be or is speeding in a vehicle. Similarly, caregivers should only be notified if a dementia patient is wandering, and parole officers only need to know if a parolee ventures outside his/her home zone. Employers too can be alerted when one of their vehicles has made an unnecessary detour.

7.1.2. What kind of surveillance can a parent use on a child?

Using a GPS device to track a child's location is becoming more and more popular. If a child is lost or kidnapped he or she has a better chance of being found. But does the child have a right to determine whether or not they are to be tracked, and until what age or length of time? [49] Another question is how children actually feel about being tracked? [50] Are parents replacing trust with technology, [41] and developing an unhealthy relationship with their children? [51] Christy Buchanan, an associate professor of psychology believes that: “[p]arents shouldn't fool themselves into thinking that they can keep their kids from making mistakes, which is a part of growing up and learning” [52]. Simon Davies of Privacy International believes parents may even become obsessed with tracking their children [51]. On the other hand, parents who have experienced the loss of a child, see GPS as a life-saving technology, especially those who have lost children to drink-driving accidents. These parents point out that tracking is for safety, not for spying.

7.1.3. What kind of surveillance can employers use on employees?

Employers usually track their employees to reduce costs, especially labor costs and costs related to unnecessary product shrinkage. In this context, employers attempt to protect their business interests, and employees attempt to protect their privacy? [53] The two positions are in contrast, as the power is obviously in the hands of the employer. Some workers however have objected to the technology due to privacy concerns [54]. Galen Monroe, a truck driver from Chicago USA, voices his concern: “[t[hese systems could be used to unfairly discipline drivers, for counting every minute that they might or might not be on or off duty and holding that against them” [32]. Lewis Maltby, president of the National Workrights Institute in New Jersey, said that the exchange of privacy for security would affect employee morale and that the next steps would probably be implants [55]. Managers, on the other hand, are more concerned that workers are doing what they are paid to do. Yet this is a shocking development when one considers that there are few, if any, laws governing workplace surveillance in countries like the U.S. and Australia [56].

7.1.4. Do police need a warrant to track a suspected criminal or terrorist?

Several cases have ruled that tracking a person with a GPS device is the same as following them on the street. However, GPS tracking is much more pervasive. First, a person is usually more aware of a person following them, than if a small tracking device were attached to their vehicle. Additionally, a GPS tracker can find a person's location anywhere at anytime even when trailing is not possible. Furthermore, since a tracked person's location is digitized it can be instantly analyzed to make inferences, in ways that simple observations cannot [57]. If the issuing of warrants is not compulsory there will be no barriers for police or security personnel to place tracking devices on any individual. Warrants are essential to ensure GPS tracking devices are used justly and ethically.

7.2. Accuracy

GPS can give error readings in particular conditions. Dense forest, tall buildings, cloud cover and moisture produce inaccuracies in readings but these are considered negligible when compared to the potential for inaccuracies in resultant information processing.

7.2.1. Who is responsible for the authenticity, fidelity and accuracy of information collected?

In the event of GPS failure or enforced shut down by the U.S. government, companies whose mission-critical applications rely on GPS technology would incur heavy losses.The U.S. government has already released plans to shut down parts of the network in a “national crisis” to prevent terrorists from using the network [58]. Consider the implications for those organizations and customers that have become reliant on the technology, for example, criminals serving their sentence from home. And who is responsible for accuracy? The U.S. government created the system but they are under no obligation to ensure accuracy. Another concern is that sixteen of the twenty-eight GPS satellites currently in orbit are beyond their design life and are likely to fail in the near future [59]. At least two satellites are failing each year and launches of new satellites are barely keeping up. This poses problems for the users of the GPS system in the longer term which is why the more accurate European Galileo initiative is critical.

7.2.2. Who is to be held accountable for errors in information, and how is the injured party compensated?

Private companies who offer GPS tracking services avoid liability by introducing product descriptions, warranties and disclaimers [60]. In California several rental car companies were wrongly fining customers for breaking their rental agreement for allegedly leaving the state. Customers were asked to pay $3000 USD for something they did not do. As a result California became the first U.S. state to prohibit the use of GPS receivers by car rental companies to track their customers [33].

7.2.3. Is GPS an appropriate tracking technology for dementia wandering?

The Project Life Saver Organisation helps locate and return wandering dementia sufferers. They believe that GPS is not suitable for tracking persons with dementia, recognizing that GPS lacks four fundamental attributes of an assistive technology: reliability, responsiveness, practicality and affordability [39].

7.2.4. How can we ensure that errors in databases, data transmissions and data processing are accidental and not intentional?

Software used to store tracking data makes it possible to edit data points in order to create false evidence. Effectively a person can be accused of a crime he or she did not commit. For this reason it is imperative that extensive validation checks are enforced to ensure data has not been tampered. There is also the concern with the intentional and non-intentional jamming of GPS signals. Safeguards and laws restricting GPS jamming need to be advocated.

7.3. Property

7.3.1. Who owns the information?

Table 3. The ethical possibilities

Table 3. The ethical possibilities

The U.S. government owns the physical satellite system but who owns the information once it is collected? If a company collects and stores location information on a person who commits a crime, are they obliged to hand it over to the police?

7.3.2. What are the just and fair prices for exchange?

It is theoretically free to access GPS, as long as you have a receiver. Free service however, does not equate to commercial satisfaction. GPS-based voice service providers incur a cost for ‘priority access’, and therefore pass this cost onto their subscribers.

7.4. Accessibility

7.4.1. Who is allowed to use the GPS service?

One of the objectives set out by the GPS policy is the provision of worldwide “positioning, navigation, and timing services” [61]. However, the GPS policy also indicates that the GPS system can be shut down in certain areas “under only the most remarkable circumstances,” like in the event of a terrorist attack [62].

7.4.2. How much should be charged for permitting accessibility to information?

US policy proclaims that the GPS service is and will continue to be “free of direct user fees” [62]. However, private companies are billing customers to use services [63]. Costs may include payment for equipment and data transmission among other fees. There is also the possibility that information can be accessed illegally by a third party for sinister purposes.

7.4.3. Who will be provided with equipment needed for accessing information?

Parolee tracking is more cost-effective than detainment but it is impossible to have all parolees and sex offenders tracked. So who will be tracked and who will not? In previous cases less aggressive criminals have GPS tracking devices attached first. Where radio tag tracking methods have been used, parolees have had to pay for their own tracking devices [24].

7.4.4. Is the tracking of parolees and sex offenders justified?

The three most apparent reasons for parolees and sex offenders to be tracked appear to be: to save costs, deter further crimes and for controlled rehabilitation. The cost of tracking a person is much lower than incarceration. Tracking may deter some criminals from committing a similar offence but if they are tracked at length they may lose awareness of their GPS device. In examining New Zealand's Bill of Rights (sec 21), the N.Z. Law Society (NZLS) found that authorities had the power to impose electronic monitoring on people who had already completed their sentences. NZLS argued that extended supervision equated to “two punishments for the same crime” but the government argued that the main purpose of the extended supervision was preventive not punitive [64]. Others believe that tracking parolees grants them the opportunity to spend more time with family, acting to fast-track the rehabilitation process (Table 3).

Section VIII

Conclusion

Molnar and Wagner [65] ask the definitive question “[i]s the cost of privacy and security ‘worth it’?” Stajano [10] answers by reminding us that, “[t]he benefits for consumers remain largely hypothetical, while the privacy-invading threats are real.” Indeed, when we add to privacy concerns the unknown longterm health impacts, the potential changes to cultural, social and political interactions, the circumvention of religious and philosophical ideals, and a potential mandatory deployment, then the disadvantages of the technology might seem almost burdensome. For the present, proponents of emerging LBS applications rebuke any negatives “under the aegis of personal and national security, enhanced working standards, reduced medical risks, protection of personal assets, and overall ease-of-living” [9]. Unless there are stringent ethical safeguards however, there is a potential for enhanced national security to come at the cost of freedom, or for enhanced working standards to devalue the importance of employee satisfaction. The innovative nature of the technology should not be cause to excuse it from the same “judicial or procedural constraints which limit the extent to which traditional surveillance technologies are permitted to infringe privacy” [56]. The aim of this present research is to understand the ethical implications of current LBS applications, with a view to emphasising the need for future innovators to ethically integrate these technologies into society.

References

1. B.W. Martin, "WatchIt: A Fully Supervised Identification, Location and Tracking System", Proceedings of the IEEE International Carnahan Conference on Security Technology, 1995, pp. 306-310.

2. D. Ashbrook and T. Starner, "Using GPS to Learn Significant Locations and Predict Movement Across Multiple Users", Personal and Ubiquitous Computing, 7, 2003, pp. 275-286.

3. K. Shimizu et al., "Location System for Dementia Wandering", Proceedings of the 22nd Annual International Conference of the IEEE Engineering in Medicine and Biology Society, 2, 2000, pp. 1556-1559.

4. J.E. Dobson and P.F. Fisher, "Geoslavery", IEEE Technology and Society Magazine, 22(1), 2003, pp. 47-52.

5. S.L. Garfinkel et al., "RFID Privacy: An Overview of Problem and Proposed Solutions", IEEE Security and Privacy Magazine, 3(3), 2005, pp. 38-43.

6. K. Michael and M.G. Michael, "Microchipping People: the Rise of the Electrophorus", Quadrant, March, 2005, pp. 22-33.

7. L. Perusco and K. Michael, "Humancentric Applications of Precise Location-Based Services", IEEE Conference on e-Business Engineering, IEEE Computer Society, Beijing, 2005, pp. 409-418.

8. G. Kaupins and R. Minch, "Legal and Ethical Implications of Employee Location Monitoring", Proceedings of the 38th Hawaii International Conference on System Sciences, http://csdl2.computer.org/comp/proceedings/ hicss/2005/2268/05/22680133a.pdf, 2005.

9. C. Perakslis and R. Wolk, "Social Acceptance of RFID as a Biometric Security Method", Proceedings of the IEEE Symposium on Technology and Society, 2005, pp. 79-87.

10. F. Stajano, "Viewpoint: RFID Is X-ray Vision", Communications of the ACM, 48(9), 2005, pp. 31-33.

11. Honderich, T. (ed.), The Oxford Companion to Philosophy, Oxford University Press, Oxford, 1995, p. 596.

12. J. Blom et al., "Contextual and Cultural Challenges for User Mobility Research", Communications of the ACM, 48(7), 2005, pp. 37-41.

13. A. Masters and K. Michael, "Humancentric Applications of RFID Implants: the Usability Contexts of Control, Convenience and Care", The Second IEEE International Workshop on Mobile Commerce and Services, IEEE Computer Society, Munich, 19th July, 2005, pp. 32-41.

14. Legal Information Institute, http://www4.law.cornell.edu/uscode/search/ index.html, 3 August, 2005.

15. MNP, "Gabriel Technologies Corp- Teams with Jefferson Consulting to Target Federal Homeland Security Markets", Market News Publishing, 6 April, 2006.

16. Reuters, "California Gang Members to be Tracked by GPS", Reuters, 17 March, 2006.

17. K. George, "Court Will Decide If Police Need Warrant for GPS 'Tracking'" http://seattlepi.nwsource.com/local/121572_gps12.html, Seattle PI, 12 May, 2003.

18. D. McCullagh, "Snooping by Satellite", CNET News, http://news.com.com/Snooping+by+satellite/2100-1028_3-5533560.html?tag=sas. email,12 January, 2005.

19. R. Dornin, "Judge Allows GPS Evidence in Peterson Case", CNN.com, http://www.cnn.com/2004/LAW/02/17/peterson.trial/, 17 February, 2004.

20. S. Finz and M. Taylor, "Peterson Tracking Device Called Flawed- Defense Wants GPS Evidence Shut Out of Trial", San Francisco Chronicle, http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2004/02/12/ BAG7P4V69B1.DTL, 12 February, 2004.

21. MSNBC.com, "Jurors: Peterson's Stoicism Was the Final Straw", Associated Press, http://msnbc.msn.com/id/6711259/, 14 December, 2004.

22. C. Parker, "GPS Tracking: the High-Tech Ball and Chain- System Lets Authorities Monitor Offenders and Helps Free Up Jail Space, The Morning Call, 17 April, 2006.

23. Monmonier, M. Spying with Maps: Surveillance Technologies and the Future of Privacy, University of Chicago Press, USA, 2002.

24. W. Saletan, "Call My Cell", http://slate.msn.com/id/2118117/, 6 May, 2005.

25. Scarborough Country, "Tracking Sex Offenders", http://www.msnbc.msn.com/id/7589426/, 21 April, 2005.

26. M. Murphy, "Satellite Tracking Plan for Pedophiles", The Age, http://www.theage.com.au/news/national/satellite-tracking-plan-for- pedophiles/2005/08/28/1125167554234.html?oneclick=true, 29 August, 2005.

27. T. Vermeer, "Satellite Tracking for Child Abusers", http://www.sundaytelegraph.news.com.austory0,9353,16406008-28778,00.html, 28 August, 2005.

28. AAP, "Qld: Minister Rules Out GPS Tracking of Sexual Offenders", Australian Associated Press General News, 10 April, 2006.

29. C. Campos, "Georgia Tracks Parolee by GPS", The Atlanta Journal-Constitution, http://www.ajc.com/metro/content/metro/1204/0101gps. html, 1 January, 2005.

30. J. Stockweel, "Checking Regularly On Sex Offenders; Home Visits By Police Seen As 'Proactive', Washington Post, 10 April, 2006.

31. C. Banham and M. Wilkinson, "Track and Tag - The New War On Terrorism", Sydney Morning Herald, http://www.smh.com.au/news/ national/track-and-tag-the-new-war-on-terrorism/2005/09/08/1125772641058.html, 9 September, 2005.

32. A. Geller, "Bosses Use GPS to Keep Sharp Eye On Mobile Workers", Detroit News, http://www.detnews.com/2005/technology/0501/ 01/technology46929.htm, 1 January, 2005.

33. A.E. Cha, "Satellite Tracking Finds Daily Uses", Detroit News, http://www.detnews.com/2005/technology/0501/23/A09-67089.htm, 23 January, 2005.

34. Anonymous, "Off-Peak Car Insurance Launched", The Guardian, http://www.guardian.co.uk/business/story/0,3604,1388623,00.html, 12 January, 2005.

35. L. Turner, "Disney Unveils 'Family' Mobile Service", Total Telecom, 6 April, 2006.

36. D. White, "Privacy Group: GPS Tracking of Kids is Bad", http://www.mobilemag.com/content/100/350/C7512/, 20 April, 2006.

37. StarCaddy.com, "StarCaddy Handheld GPS Yardage Tool for Golfers", http://www.starcaddy.com/index, cfm, 2005.

38. Alzheimer's Society, "Alzheimer's Society Information Sheet Assistive Technology", http://www.alzheimers.org.uk/After_diagnosis/PDF/ 437_assistivetechnolgy.pdf, August, 2005.

39. G. Saunders, "GPS and Wandering: More Questions Than Answers", http://www.projectlifesaver.org/advisories.htm, August, 2005.

40. J. Loh et al., "Technology Applied to Address Difficulties of Alzheimer Patients and Their Partners", Proceedings of the Conference on Dutch Directions in Human Computer Interaction, 18, 2005.

41. Y. Yeebo, "Spyed Kids", Newsweek, http://www.msnbc.msn. eom/id/9135838/site/newsweek/, 1 September, 2005.

42. B. Grady, "Uses for GPS Devices Branching Out", The Oaklands Tribune, 20 March, 2006.

43. ENP, "Cyber Tracker Featured on Television News Reports on Teen Driving", ENP Newswire, 23 March, 2006.

44. M. Benns, "Parent-Controlled Car Immobilizer Risky, Says Costa", The Sun-Herald, 29 May, 2005, p. 19.

45. Anonymous, "School Bus of the Future", ABC Riverland SA, http://www.abc.net.au/riverland/stories/s1449899.htm, 31 August, 2005.

46. H. Bray, "GPS Spying May Prove Irresistible to Police", Boston.com, http://vww.boston.com/business/technology/articles/2005/01/ 17/gps_spying_may_prove_irresistible_to_police/, January, 2005.

47. R.O. Mason, "Four Ethical Issues of the Information Age", MIS Quarterly, 1986, pp. 4-12.

48. Turban, E. et al., Electronic Commerce 2002: A Managerial Perspective, Prentice Hall, New Jersey.

49. S.N. Roberts, "Tracking Your Children with GPS: Do You Have the Right?", Wireless Business and Technology, http://wireless.sys-con. com/read/41433.htm, 3(12), 2003.

50. M. Williams et al., "Wearable Computing and the Geographies of Urban Childhood- Working with Children to Explore the Potential of New Technology", Proceeding of the 2003 Conference on Interaction Design and Children, 2003, pp. 111-116.

51. BBC, "Concerns over GPS Child Tracking", BBC News Online, 20 April, 2006.

52. Anonymous, "Big Mother (or Father) is Watching", Sydney Morning Herald, http://www.smh.com.au/news/technology/big-mother-or-father- is-watching/2005/09/08/1125772632570.html, 9 September, 2005.

53. J. Weckert, "Trust and Monitoring in the Workplace", IEEE International Symposium on Technology and Society, 2000, pp. 245-250.

54. T. Lepeska, "GPS Would Pinpoint Workers Too", The Commercial Appeal, 4 April, 2006.

55. P. Kitchen, "They're Watching You- Employer Surveillance of Workers and Property Extends Further Than You Think", Pittsburgh Post-Gazette, 12 March, 2006.

56. I-E. Papasliotis, "Information Technology: Mining for Data and Personal Privacy: Reflections on an Impasse", Proceedings of the 4th International Symposium on Information and Communication Technologies, 2004, pp. 50-56.

57. A. Burak and T. Sharon, "Analysing Usage of Location Based Services", CHI 2003: New Horizons, Florida, 5-10 April, 2003, pp. 970-971.

58. T. Bridis, "Bush Prepares for Possible Shutdown of GPS Network in National Crisis", Detroit News, http://www.detnews.com/2004/ technology/0412/16/technology-34633.htm, 16 December, 2004.

59. L. Bingley, "GPS Users Must Plan for Outages", IT Week, http://www.itweek.co.uk/itweek/news/2142864/gps-users-plan-outages, 27 September, 2005.

60. D. R. Sovocool, "Legal Issues For Manufacturers, System Integrators, Vendors and Service Providers", Thelen Reid & Priest LLP, http://www.thelenreid.com/articles/article/art_37_idx.htm, 17 April, 2000.

61. OSTP, "US Global Positioning System Policy", Office of Science and Technology Policy, http://www.ostp.gov/NSTC/html/pdd6.html, 29 March, 1996.

62. Spacetoday, "White House releases GPS policy", spacetoday.net, http://www.spacetoday.net/Summary/2704, 16 December, 2004.

63. D. Taggart, "Usage of Commercial Satellite Systems for Homeland Security Communications, IEEE Aerospace Conference, 2, 2003, pp. 1155-1165.

64. R. Palmer, "Safety or Liberty?", Dominion Post, 1 April, 2006.

65. D. Molnar and D. Wagner, "Privacy: Privacy and Security in Library RFID: Issues, Practices, and Architectures", Proceedings of the 11th ACM Conference on Computer and Communications Security, 2004, pp. 210-219.

Citation: Michael, K.; McNamee, A.; Michael, M.G. 2006. ICMB '06. International Conference on Mobile Business, Date: 26-27 June 2006, pp. 34 - 34, DOI: 10.1109/ICMB.2006.43

IEEE Keywords: Ethics, Global Positioning System, Monitoring, Humans, Senior citizens, Law enforcement, Security,Protection, Usability, Context-aware services

INSPEC: Global Positioning System, ethical aspects, law enforcement, ethics, humancentric GPS tracking, location-based services, memory loss

Location-based intelligence - modeling behavior in humans

SECTION 1. Introduction

This paper considers the specific data elements that can be gathered by service providers about telecommunications customers subscribed to location-based service (LBS) applications. Increasingly private companies are investing in location-based technologies for asset, animal and people tracking. Depending on the type of technology in use, the level of accuracy in terms of identifying the outdoor position of the subscriber can vary from cell-based identification to nearest landmark, to the pinpoint longitude and latitude coordinates of an object or subject. The application context is also important-is information being gathered about employees by an employer or is the use of the technology a voluntary option for the subscriber or their caretaker. Till now, there have been only a few cases which have ended in litigation over the accuracy of a location fix, but as the number of LBS adopters sets to grow for niche application areas, it is predicted that a greater number of conflicts may arise between the end-user and stakeholders. Liability is a key issue here, as is privacy [1].

SECTION 2. Location-based surveillance

2.1 Tracking people

“Mobility is a basic and indispensable human activity that is essential for us to be able to lead independent lives on a daily basis” [2]. Someone who is moving can be tracked manually or digitally. The information being gathered as the end-user moves around can be considered a type of “electronic chronicle” [3]. To allow oneself to be tracked can be a voluntary act, but in most cases it is imposed by a third party who has some control over the end-user. Tracking is critical in the process “of people motion capture, people behavior control and indoor video surveillance” [4]. In this paper we do not consider location information gathered using indoor tracking techniques such as knowledge representation or models of temporal correlation, although these techniques could be complementary to outdoor GPS tracking. There are also other techniques for tracking humans based on Assisted-GPS (A-GPS) [5], Wi-Fi technology such as the ‘Human Tracking and Following’ system [6], or embedded technologies [7] which all may become used in the future as a replacement or contingency technique to GPS. The Wi-Fi tracking approach employs an obtrusive technique requiring the end-user to employ active beacons on their body, as opposed to vision systems which are generally unobtrusive. In like manner, a GPS receiver in the form of a watch or handheld device clipped to a belt can be considered obtrusive [8].

2.2 Storing tracking data

Tracking data gathered by a GPS, such as route or point information, can be spatially represented in a geographic information system (GIS). The GIS may contain multiple layers of information, from civic data to administrative political data, statistical information and even non-earth unit data. The GIS can store trajectory data that is based on assumptions related to the end-user's historical speed and direction data, and static road/path segment information. Related to this idea is the notion of “digital trail libraries”, in effect the study of overlapping GPS trails and their digital storage [9]. Morris et al. explain that GPS track logs, are sequences of precise locations created by dropping a breadcrumb. While Morris' paper focuses on GPS for recreational activity, there is the potential for “private” track logs to be compared in order to find originating and terminating points of interaction between people. The outcomes of such an analysis fall into the category of location-based intelligence. Consider the potential for “collision” alerts of persons of interest. Access to the tracking data of an end-user's records requires strict policing. Hengartner and Steenkiste (2005) reaffirm that “[1] ocation is a sensitive piece of information” and that “releasing it to random entities might pose security and privacy risks” [10]. They emphasize the need for individual and institutional policies and the importance of formal models of trust.

SECTION 3. Methodology

One way to deduce some of the unforeseen consequences of GPS-based human tracking is to experience the process first hand. In this pilot study, a civilian participant tracked themselves for a period of 2 weeks using a GPS 24/7. Participant observation is where the observer “seeks to become some kind of member of the observed group” [11]. For the purposes of this study the participant represents individuals who would have their movements tracked and monitored by a third party. Measures need to be taken to ensure the participant's normal activities are not impacted in any way by carrying the GPS.

Two sets of data are to be gathered throughout this observational study: geographical co-ordinates and diary logs (table 1). The geographical coordinates will be collected through the means of a GPS device as quantitative data. However, in order to interpret this data, GIS software will be used to transform co-ordinates into comprehensible geolocations. The daily diary logs will be collected as complementary qualitative data. Each day during the study the participant will record any thoughts and opinions they may have with respect to being tracked.

3.1 Set-up

The following guidelines were used in the pilot study:

  • Daily activities–at the start of each day the GPS device is turned on as soon as the participant leaves their place of residence. At the end of each day the device is switched off.

  • Carrying the GPS device–the device is carried in the participant's bag or pocket while walking. When driving, the device is placed securely in a dock.

  • Tracking node limitation–the device is only capable of collecting 2000 tracking nodes at a time. While this is more than enough for a single day of tracking it is not enough for more than one day. Care must be taken to ensure that track data is erased at the end of each day so there will be enough memory the following day.

  • Getting a signal–it takes about one minute to get a signal, so when the device is first turned on the user will have to wait until a signal is detected.

  • Indoors–the device looses its signal when indoors so when the signal is lost at a certain location it will be assumed that the user is indoors.

  • Battery life–the manual indicates that the device can get up to 14 hours of usage on two AA batteries. Rechargeable batteries do not have enough power to keep the GPS device running throughout an entire day. Non-rechargeable batteries will be replaced when they are running low.

Table 1  Observational Instruments

Table 1 Observational Instruments

SECTION 4. Observational study

4.1 Digital breadcrumb

Figure 1  —Participant with Magellan GPS Device

Figure 1 —Participant with Magellan GPS Device

An observational study was carried out to gain knowledge about the sensitivity of location information. This study involved a civilian participant who had their daily movements tracked from Monday 15th August 2005 to Sunday 28th August 2005. The participant is a 21 year old university student who works part-time and owns a vehicle. Each day during the two weeks of the study the participant carried a Magellan Meridian Gold handheld device either in a carry bag or pocket (see figure 1). The GPS device was setup to collect location data every three seconds. At the end of each day this data was uploaded into GIS software “DiscoverAus Streets & Tracks” which was used to save and analyze the data. Throughout the entire study the observer stayed in the area of Wollongong, NSW, Australia.

A great deal of information was found out about the observer by tracking them over an extended period of time. From data coordinates it is easy to deduce information such as where the participant is located at a given point in time and the speed at which they are traveling. However, more invasive personal data, such as where the participant lives, his workplace and social activities can also be found. It is also possible to create detailed profiles about the participant based on his daily travel routines. For instance, the speed at which the participant is traveling can indicate the form of transport they are using. How long they spend at a location can determine the type of activities the participant is also engaged in.

Figure 2 shows the participant's movements on day 10 of the study (24th August 2005). On this day the participant traveled from their home to the University of Wollongong, and then to their place of work. This day is typical of other weekdays in the study as the most common locations traveled were to the participant's home, University and workplace. The user's daily track movements are indicated by the thicker lines (two closed loops connected by a highway). With the GIS software it is possible to play the participant's movements in real time, to get a step-by-step and magnified view of their whereabouts. Roads, highways, train tracks and trails are clearly presented in the map. Key locations, street names and suburb names are also shown on the map. Even more data could be gathered manually or purchased to overlay onto the current details. It would be interesting also to show intersecting trails of other members of the family during the same study period. Different types of “families” or “groups” would have different types of profiles, some lending themselves to greater location movement than others, with communities-of-interest (CoI) varying widely from local, national and international travel.

Figure 2 —Participant Track Data for the Study Period

4.2 Graphical travel logs

Graphical analysis of track data also gives indications of a person's travel habits and behavior, providing that all the data is accurate and free from errors. The following graphs (figures 3–6) are meaningful representations of speed, time, distance, and elevation data collected by the GPS.

Figure 3  Time/Speed Graph: indicates speed at a specific time, when a person is traveling from one place to another, and how long the person spends at a given location.

Figure 3 Time/Speed Graph: indicates speed at a specific time, when a person is traveling from one place to another, and how long the person spends at a given location.

Figure 4:  Distance/Speed Graph indicates speed at a specific point in a journey, and whether a person is in a vehicle or walking (i.e. form of transport).

Figure 4: Distance/Speed Graph indicates speed at a specific point in a journey, and whether a person is in a vehicle or walking (i.e. form of transport).

Figure 5:  Time/Distance Graph indicates the length of time a person stays at a location, the length of time a person is on the move, and the number of places a person travels to.

Figure 5: Time/Distance Graph indicates the length of time a person stays at a location, the length of time a person is on the move, and the number of places a person travels to.

Figure 6:  Distance/Elevation Graph indicates a person's location by comparing the elevation patterns with other data.

Figure 6: Distance/Elevation Graph indicates a person's location by comparing the elevation patterns with other data.

 

SECTION 5. GPS tracking issues

5.1 Accuracy

Although not perfect in terms of accuracy of a given location fix, the GPS is generally perceived by civilians as being close to perfect. However, on several occasions in the observational study substantial errors occurred. Over the two weeks of the observational study there were six significant signal dropouts. During a signal dropout a person's location is not known. All of these dropouts occurred while the participant was traveling by car. It is likely that the GPS receiver was not positioned well enough to gain an accurate signal or traditional natural/physical factors affected the device. This kind of signal dropout could be costly in a real life scenario if a person's location was mandatory. There were also five significant speed miscalculations during the study. Speed is found by calculating the distance traveled between two points within a given time period. For example, on day 13 of the observational study the tracking information indicated a speed of 600 km/h whilst in a moving vehicle. This was found by calculating the time and location differences between two subsequent tracking points. The collected GPS data indicated the participant had traveled 0.0479884332997 kilometres in 5 seconds.

Table 3  Summary of Geolocation Trail Data

Table 3 Summary of Geolocation Trail Data

5.2 Editing track data

The GPS device used to collect location data stored tracking nodes which recorded location and time data every 3 seconds. GIS software was then used to create an entire track by joining each tracking node. However, the software also grants the user the option to add and edit tracking nodes. This feature is included to assist in navigation but could be used for other covert reasons. The use of GPS location data is surprisingly considered legitimate evidence in legal trials [12]. It is possible to convict an innocent man of a crime they did not commit by editing track data to falsify evidence. Stringent security and validation checks need to be set in place if authorities plan to use GPS track data as valid evidence in a court trial.

5.3 User travel behavior

An analysis of the track data has shown that the participants' daily movements are quite similar each week (compare figures 7 and 8, 9 and 10) and is a reflection of their daily routines and behavior. The observer took the exact same travel route whenever they traveled to a known location, like home or work, even though there are alternate routes-reflecting how habitual some humans are. The track data also reflects the participant's behavior when they are running late for a meeting or deadline (i.e. the participant accelerated their speed while walking/driving). This kind of information can be used to create intelligent systems which can observe what a person is doing and then alert systems when their behavior is out of the ordinary.

Figure 7:  Time/Speed Graph (17 August 2005)

Figure 7: Time/Speed Graph (17 August 2005)

Figure 8:  Time/Speed Graph (24 August 2005)

Figure 8: Time/Speed Graph (24 August 2005)

Figure 9:  Distance/Speed Graph (17 August 2005)

Figure 9: Distance/Speed Graph (17 August 2005)

Figure 10:  Distance/Speed Graph (24 August 2005)

Figure 10: Distance/Speed Graph (24 August 2005)

Substantial similarities can be seen between like graphs, one week to the next. Both sets of time/speed graphs indicate the participant traveled on four occasions during the same day of the week, in consecutive weeks. The distance/speed graph shows similar patterns of traveling speed. In fact, the graphs of every single weekday were almost identical one week to the next, typical of a university student pattern of behavior. The weekends did not vary that much either- an opportunity to go to work, take a break for some socializing, and return home for further study.

5.4 Detail of GIS

The GIS software used, provided details on the roads, highways and the location of major landmarks but did not show any building data. There are however, databases like MapInfo's MapMarker or the Australian Geographical National Address File (G-NAF) that could be coupled with a telemarketing list to provide a rich background layer. In this project, little could be deduced from the user's location at certain longitude and latitude coordinates (apart from what the user provided) because the supporting database was absent. The level of detail in a GIS could be made scalable to correspond with its application context. In applications which require high resolution detail, the GIS could be setup to display roads, buildings and landmarks. Conversely, if little detail is needed it could show the user's location in relation to important landmarks.

5.5 User awareness

Several days into the study the user indicated that it was easy to forget about the fact they were being tracked or observed (see section 6). Any activity that is carried out at length could easily become routine. By the end of the study the user was not concerned about being tracked but was more concerned about having to carry the device around. If GPS were to be enforced on parolees as a deterrent to crime, the participant felt it might lose effectiveness as a tool in the longer term.

5.6 Outcomes of the observational pilot study

This pilot study provided a practical perspective to the process of GPS tracking and proved that it can be accomplished with relative ease. The evidence suggests that tracking a person over an extended period of time is an invasion of privacy as GPS applications can track every detail of a person's movements. The probability of inaccuracies and the possibility of editing data poses questions about the reliability of such information. The effectiveness of GPS tracking in deterring crime may not be as great as first thought because the user may become blasé about its presence.

SECTION 6. Participant diary entries-narrative

This section is taken verbatim from the participant's diaries made between Monday 15th August 2005 and Sunday 28th August 2005. It is important to highlight some of the end-user perceptions and attitudes towards the basic GPS tracking application.

Day 1: Monday 15th August 2005

Today was the first day of tracking. Throughout the day I was very conscious of the device I was carrying. Every time I left for a new location I would check if the device was working and if I was getting an accurate reading. A person being tracked would not be too concerned whether their receiver was working or not. Although a parolee with a faulty tracking device may face immediate repercussions.

Day 2: Tuesday 16th August 2005

It would seem that my primary objective is to simply carry the device, not to track my movements. I rarely think what someone else would think. In fact, I am in a different state of mind when I am downloading and looking over the waypoints I collected that particular day. Most of the time when I am traveling from place to place I am concerned about whether the device is working, how much battery life I have left, if a signal has been picked up.

Day 3: Wednesday 17th August 2005

Running late for a meeting today I noticed that I was traveling faster than normal. Not just when I was driving but my walking pace was very fast. This behavior was projected through my physical movements which were picked up in the GPS receiver. From this experience it could be possible to create user profiles on a person being tracked. For example, analyzing the walking speed can reveal an approximate walking span and from that the approximate height of the person can be deduced. This idea may seem farfetched and outlandish but it would be an interesting experiment to conduct one day.

Day 4: Thursday 18th August 2005

A thought occurred to me while I was driving to the RTA to do my driving test for my full license. What if all cars carried a GPS or similar LBS device on board and two cars were involved in a car accident. The Driver Qualification Handbook indicates that three most common types of crashes by new drivers involve two cars in rear-end collisions, adjacent collision when turning corners and opposite collisions when turning corners. A GPS could be used to reveal what exactly happened in an accident like which person hit first and which person was traveling the fastest. If cars were being tracked there could be rules set out to provide automated emergency responses. For example, if the speed of a vehicle decelerated at an alarming rate, e.g., from 100 km/h to 0 km/h in less than a few seconds, it would be fair to say that the vehicle was involved in an accident.

Day 5: Friday 19th August 2005

While analyzing today's tracking data I have noticed that the device sometimes loses a signal when I am driving. This is most likely due to the poor placement of the receiver. If a GPS device was used to track a person, the placement of the receiver would be very important. Parolees often have GPS devices placed around their ankles leaving it very low on the body and unable to get the best signal. I think receivers need to be placed higher up on the body to ensure continuous and accurate readings.

Day 6: Saturday 20th August 2005

The mapping software I used to download my tracking data gives the option to add and edit way points or tracking nodes. It would be easy to frame a person by editing the location data and disproving any alibi they may have. I wonder about the reliability of location data collected from GPS devices alone.

Day 7: Sunday 21st August 2005

After a week of tracking I have voluntarily decided to extend the study period of personal tracking so that I will have more data to analyze. I am not concerned about tracking my movements for another week. In fact, I am eager to continue this study to get more data and to make weekly profile comparisons possible.

Day 8: Monday 22nd August 2005

I am beginning the second week of tracking today and my awareness level of the tracking of my own movements has dulled. Throughout the day I do not consciously think of myself as being tracked. At times I may check if the device is working correctly but I am not concerned about the data the device is collecting about me. I can now say that after eight days of tracking, I am used to the process, even though it is such an abnormal activity.

Day 9: Tuesday 23rd August 2005

After replacing the batteries in the device with a fresh set I have noticed the device picks up a signal much quicker than it did with a used set of batteries. This makes sense to me; the more power the device has the better it will work. However, this has ramifications for people being tracked, especially prisoners on parole who have to recharge the batteries each day.

Day 10: Wednesday 24th August 2005

It has occurred to me that the pervasiveness of GPS tracking depends on the complexity and detail of the GIS being used. The more information being displayed on a GIS such as landmarks, roads, side streets, the more information about the person's movements are available. When I analyze my own movements at the end of the day, I find myself sequentially and systematically recollecting where I went, and reevaluating my motives for being there.

Day 11: Thursday 25th August 2005

I have noticed that so far my data is fairly ‘static’, based on my weekly and daily routines. For example, I regularly travel to University and my workplace at the same time and day each week. I could also make the assumption that many people have stringent daily routines, especially people that are currently being tracked using GPS. Intelligent systems could be developed to monitor these movements automatically. The system could analyze a person's movements over a week or two and develop a personalized information system that would create user profile based on their activities.

Day 12: Friday 26th August 2005

No entry.

Day 13: Saturday 27th August 2005

The entire process of tracking my movements has become a habit. I can imagine it would be similar for any person who has to have their movements tracked. I am relieved the entire process is drawing to a close mainly because I do not have to carry around the GPS device anymore. This is not on account of the bulkiness or weight of the device (it only weighs 233 grams)- but my relief comes from the knowledge that I do not have to worry about being attached to this gadget both physically and mentally.

Day 14: Sunday 28th August 2005

Today is the final day of this study. I did not track my movements today because I stayed at home. Looking back at the previous weeks I did make an effort to travel a lot so I would have a substantial amount of data to analyze. I wonder if this will have an opposite effect on a person being tracked by a second party. Would they travel less? Would a teenager being tracked still visit places his/her parents thought of disapprovingly?

SECTION 7. Towards überveillance

Dataveillance is defined as the “systematic use of personal data systems in the investigation or monitoring of the actions of one or more persons” [13]. M. G. Michael [14] has spoken of an emerging-überveillance-above and beyond almost omnipresent 24/7 surveillance. The problem, he has gone on to say, is that in human terms at least, “omnipresence will not always equate with omniscience, hence the real concern for misinformation, misinterpretation, and information manipulation.” In the case of the civilian participant observed in this study we cannot assume everything based on his/her location. Being located in the bounds of the “home” does not mean that the participant has gone to sleep or is inactive; while he/she is at “university” it does not mean they are studying or in class; going to “work” (which happens to be a gymnasium) does not mean the civilian is working out; visiting the location of the “unibar” does not mean the civilian was drinking anything but cola; a “signal dropout” does not presume the civilian did not take a detour from their normal route; and a “speed miscalculation” does not necessarily mean the civilian was not speeding, they may have been in an alternate mode of transportation like an airplane, train or speedboat. Thus while location can be revealing, it can also be misleading. It is important that end-users of location based services, save for law enforcement, be able to “opt-out” of being tracked, rendering themselves “untraceable” for whatever reason. Being untraceable does not mean that one is doing something wrong, it is one's right to be “left alone”, and LBS policies need to ensure these safeguards are built in to their applications. Being tracked by multiple “live” devices will also become an issue for the future. What is the true location of a person who is tracked by more than one device-the notion of moving and stationary association confidences is important here [15].

SECTION 8. Conclusion

Tracking is very invasive so care must be taken to ensure that only essential information about that person is revealed. Levels of privacy can be controlled by incorporating intelligent systems and customizing the amount of detail in a given geographic information system. If these types of measures are enforced GPS tracking can be used in an ethical manner which is beneficial to the person being tracked, not detrimental.

GPS is an effective technology and it can potentially save lives, however many current applications are not suited to it. Many groups of people rely heavily on the technology even though it is prone to inaccuracies and unreliable at times. Technological convergence may correct some of these issues but a real problem is posed if the GPS network is solely relied upon. It should be remembered that as we build more and more mission-critical applications that rely upon GPS, that the US government can shut down parts of the system in times of crisis, in addition to having already existing problems maintaining their satellites. When using any form of GPS tracking device, backup systems need to be implemented, and a Murphy's Law type mentality needs to be encouraged: If the GPS can fail, it will fail!

These findings apply to all parties which track the movements of others. These groups include police responsible for law enforcement, parole officers, caretakers of dementia patients, parents who want to track their children and employers who track their employees. These groups need to ensure that the tracking of people is done in a just and ethical fashion. It is up to the trackers to ensure that the tracking of another human is done in a way which is beneficial to the person involved and the wider community.

SECTION 9. Further research

The next phase in this research is to carry out a group observational study. The observational study in this paper was limited to a single participant but it would be interesting to track the movements of a group of people. A study like this could be used to investigate whether detailed portfolios can be created from anonymous participants based on their travel patterns. Another aim could be to create an intelligent system that would collect and analyze the movements of people automatically. In addition to an observational study several people who have had GPS tracking imposed on them could be interviewed to ascertain the emotional and psychological consequences of having a GPS tracking device attached 24/7 for long periods of time.

References

1. S. Dur, M. Gruteser, X. Liu et al., "Context and Location: Framework for Security and Privacy in Automotive Telematics", Proceedings of the 2nd International Workshop on Mobile Commerce, pp. 25-32, 2002.
2. K. Kayama, I.E. Yairi, S. Igi, "Semi-Autonomous Outdoor Mobility Support System for Elderly and Disabled People", International Conference on Intelligent Robots and Systems, pp. 2606-2611, 2003.
3. Pingali, R. Jain, "Electronic Chronicles: Empowering Individuals Groups and Organisations", IEEE International Conference on Multimedia and Expo, pp. 1540-1544, 2005.
4. R. Cucchiara, C. Grana, G. Tardini, "Track-based and Object-based Occlusion for People Tracking Refinement in Indoor Surveillance", Proceedings of the ACM 2nd International Workshop on Video Surveillance & Sensor Networks, pp. 81-87, 2004.
5. G.M. Djuknic, R.E. Richton, "Geolocation and Assisted GPS" in , IEEE Computer, pp. 123-125, 2001.
6. A. Arora, A. Ferworn, "Pocket PC Beacons: Wi-Fi based Human Tracking and Following", Proceedings of the 2005 ACM Symposium on Applied Computing SAC'05, pp. 970-974, 2005.
7. H-C Wang, J-C Lin et al., "Proactive Health Care Underpinned by Embedded and Mobile Technologies", Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Service, pp. 453-460, 2005.
8. A. Applewhite, "What Knows Where You Are? Personal Safety in the Early Days of Wireless" in Pervasive Computing, IEEE, pp. 4-8, 2002.
9. S. Morris, A. Morris, K. Barnard, "Digital Trail Libraries", Joint ACM/IEEE Conference on Digital Libraries, pp. 63-71, 2004.
10. U. Hengartner, P. Steenkiste, "Access Control to People Location Information", ACM Transactions on Information and System Security, vol. 8, no. 4, pp. 424-456, 2005.
11. C. Robson, Real world research, Melbourne:Blackwell Publishing, 2002.
12. K. Michael, A. McNamee, M.G. Michael et al., "The Emerging Ethics of Humancentric GPS Tracking and Monitoring", International Conference on Mobile Business, 2006.
13. R.A. Clarke, "Information Technology and Dataveillance", Communications of the ACM, vol. 31, no. 5, pp. 498-512, 1988.
14. M.G. Michael, "Consequences of Innovation" in IACT 405/905 Information Technology and Innovation, NSW, Australia:University of Wollongong, 2006.
15. J. Myllymaki, S. Edlund, "Location Aggregation from Multiple Sources", The International Conference on Mobile Management, pp. 131-138, 2002

Keywords

Humans, Global Positioning System, Geographic Information Systems, Computer science, Monitoring, Business, Credit cards, Data privacy, Surveillance, Tracking, artificial intelligence, monitoring, object monitoring, location-based intelligence, GPS, object tracking
 

Citation: Katina Michael, Andrew McNamee, M.G. Michael, Holly Tootell, "Location-based intelligence - modeling behavior in humans",  ISTAS 2006. IEEE International Symposium on Technology and Society, 8-10 June, 2006, USA.

The Auto-ID Trajectory - Abstract

Traditionally the approach used to analyse technological innovation focused on the application of the techno-economic paradigm with the production function as its foundation. This thesis explores the rise of the evolutionary paradigm as a more suitable conceptual approach to investigating complex innovations like automatic identification (auto-ID) devices. Collecting and analysing data for five auto-ID case studies, (bar codes, magnetic-stripe cards, smart cards, biometrics and RF/ID transponders), it became evident that a process of migration, integration and convergence is happening within the auto-ID technology system (TS). The evolution of auto-ID is characterised by a new cluster of innovations, primarily emerging through the recombination of existing knowledge. Using the systems of innovation (SI) framework this study explores the dynamics of auto-ID innovation, including organisational, institutional, economic, regulatory, social and technical dimensions. The results indicate that for a given auto-ID innovation to be successful there must be interaction between the various stakeholders within each dimension. The findings also suggest, that the popular idea that several technologies are superseded by one dominant technology in a given selection environment, does not hold true in the auto-ID industry. 

Read More

The Auto-ID Trajectory - Chapter Seven: Ten Cases in the Selection and Application of Auto-ID

The overall purpose of this chapter is to present the auto-ID selection environment by exploring ten embedded case studies. The cases will act to illustrate the pervasiveness of each auto-ID technology within vertical sectors which are synonymous with the technology’s take up. The focus will now shift from the technology provider as the central actor to innovation (as was highlighted in ch. 6) to the service provider stakeholder who adopts a particular technology on behalf of its members and end users. It will be shown that new commercial applications do act to drive incremental innovations which shape a technology’s long-term trajectory. The four levels of analysis that will be conducted can be seen in exhibit 7.1 below, with three examples to help the reader understand the format of the forthcoming micro-inquiry. This chapter dedicates equal space to each case and for the first time will show that coexistence between auto-ID technologies is not only possible but happening presently, and very likely to continue into the future.

Read More

Internet Commerce: Digital Models for Business - The Automatic Identification Trajectory

Most consumers would accept implants for life-saving and life enriching procedures related to increasing life expectancy. However, it is too early to tell whether or not consumers would adopt implants for such everyday applications as electronic payments, citizen identification, driver's licences, social security, ticketing or even retail loyalty schemes. While the adoption of other automatic identification technologies in the past has indicated that consumers are willing to adapt the manner in which they live and conduct business due to technological change, the process takes time. The difference between chip implants and other previous auto-ID devices is that the latter are noninvasive by nature. Bar codes are located on the exterior of goods, magnetic strip cards and smart cards are carried by cardholders and, more recently, biometric systems have required contact with only some external human characteristics such as the fingerprint or palm print for identification. Perhaps what Warwick was demonstrating by using the chip implant for commercial applications was that life could be somewhat simplified if consumers did not have to carry ten different cards in their wallet for a multiplicity of applications. In fact, the number of microchip implant patents has increased rapidly since the late 1990s.

Read More