For a few years now I have often talked and made presentations on the theme of “Ambient Location”, the ability of Geospatial applications, mostly on our mobile devices, to share their location with services in the cloud, which in turn has allowed useful real time information products to be developed.
The most obvious example of Ambient Location’s value is the collection of real time traffic data within Mobile Navigation and Mapping apps, whose users contribute their movement data to allow real time traffic information to be displayed and used in providing directions avoiding congestion.
Until recently a less well known use of Ambient Location was the estimation of the busyness of specific locations in Google Maps, for example; this has become more visible as the data is used to present mobility trends in response to the COVID-19 epidemic.
Clearly the use of this type of information raises important ethical questions as to how this type of information should be created, managed and used. Quite rightly information about our location and movements is highly sensitive and by its very nature has considerable privacy implications many of which may not be initially obvious.
With Ambient Location, or widespread location sharing, a relatively new technological capability, there is not yet a well established understanding of its societal impacts, and we therefore need a broader discussion of its ethical use.
With the widespread adoption of Contact Tracing apps in response to the COVID-19 epidemic the need to develop an ethical framework is more urgent; however, the ethical use of Geospatial information has a context that extends far beyond contact tracing.
I present below a few talking points that provide a framework for the ethical use of Geospatial Technology. These are not complete or comprehensive and I would be interested in your comments…
As with anything else I post here these are my personal opinions and not those of any organisation or my current employer !
For as long as I can remember there has been a nightmare scenario of mobile marketing: you walk past a shop and are bombarded by text messages and push notifications offering you special offers… The reason this does not happen is that such intrusive advertising would not work and would only annoy potential customers. Such a use of ambient location would not produce the results desired; it is an issue of Efficacy. In simple terms, would it even work?
In terms of contact tracing, there is some evidence that tracing apps may work, but there is a reasonable question as to their effectiveness in supplementing existing manual tracing techniques.
Approaches to contact tracing have focused on the more limited capability of proximity detection using Bluetooth LE, as technologies such as GPS/GNSS are not precise enough and are therefore prone to false positives.
There is context to efficacy of course: you might want to try a technique that is unproven if circumstances are severe, and a global pandemic might be such an example. If so, would it be acceptable to experiment first to gather data using a time limited application?
Would an analytical product looking at trends over time deliver timely results to decision makers? In the increasingly real time world, an application collating crowd sourced station congestion data would need to be able to publish that information quickly enough for the data to be useful to potential passengers.
Linked to this would be the efficacy of an application over time, while it might be acceptable to collect information during an emergency, for example monitoring the location of the population during a hurricane evacuation, the location data would and should have no value when the storm has passed.
This level of specificity of use is a general requirement of most data protection legislation, in that data should only be collected for a particular use, so you would be prevented from using the data later for any other purpose.
Transparency in App Store policies and Operating System notifications helps here: making it clear that your flashlight application wants access to your location allows the user to make an informed decision about using the App (hint: don’t!).
It’s easy to imagine the development of an application that uses a device’s location to validate financial transactions to minimise fraud: transactions will only be valid if the device is at the same location as the retail purchase.
But is it acceptable to expect everyone to have a smartphone with Ambient location technology to be able to make purchases ?
Access to services should not rely on access to expensive sophisticated devices, an alternative needs to be available for those without or unwilling to use smartphones for example.
Of course it may be the case that the experience from a user perspective is poorer without, for example, sharing account information, as is the case with the incognito mode in Google Maps, but it is important to offer the user the choice.
It’s easy in our tech bubble to forget there are sizeable populations around the world who do not have access to mobile devices or, more fundamentally, the internet itself. There is also a generational bias to contend with, although this may be overestimated: a teenager buying a book on Amazon the year it was founded could today be in their mid forties!
These are the principles that are most concrete, as they result from the design choices made by Application and Service designers. There will of course always be scope for compromises, and seldom are choices clearly right or wrong; there must be the ability to take a nuanced approach.
As a designer you need to address the following questions; these are by no means comprehensive but are a useful starting point:
Is the collection and then sharing of Ambient Location information voluntary ?
It should be clear the collection and sharing of location data are different things.
Clearly a ride sharing application needs to be able to access your phone’s location to arrange the dispatch of the closest car; however, the collection of your location data while you are walking about, for analytical purposes, is not necessary for the operation of the service and you should be able to opt out of this form of collection if you wish.
Is there a mechanism for the user to explicitly consent to the sharing of Ambient Location Information?
Even if the collection and sharing of location data is not optional there should be an explicit notification and ongoing reaffirmation of the user’s agreement. This is particularly important if location sharing is a background process with little or no user interface indication that it is happening.
Of course the user should be able to change their mind and temporarily or permanently stop sharing at a time of their choosing.
To allow informed consent, is the purpose of data collection and/or sharing explained?
This is a key element of most good data protection regulations: you need to explain clearly why you are collecting location information and how it will (not may) be used. You may share your location information (perhaps proximity) with the Apple Store so that the Genius will know you have arrived for your appointment, for example. Although it might be useful to know the other stores you visited before Apple, if they don’t state they will use the data for that purpose, they must not use it! And to be clear, they don’t!
Is the purpose of Data Collection/Sharing suitably limited ?
Again, a key data protection principle is to only collect the minimum amount of data required; there is no allowable concept of “nice to have in case we need it”. In geospatial terms there is a particular issue with resolution, both in time and in space: there are very few applications outside of turn by turn navigation that require precise real time location data.
For your hyperlocal weather forecasting app, Wi-Fi or cell based positioning to within a hundred metres is easily good enough!
At some point I will do a longer post on Differential Privacy, but an element of its use in Geospatial Information is the reduction of data resolution to enhance data privacy.
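As an added illustration of the resolution reduction described above (this is example code, not from the original post), the function below snaps a location fix to a ~100 metre grid cell and a 15 minute time window, then aggregates distinct devices per coarse cell and suppresses cells seen by fewer than k devices. The record layout, the sample fixes and the 15 minute bucket are constructed assumptions.

```python
import math
from collections import defaultdict

CELL_METRES = 100.0          # post: ~100 m is good enough for a hyperlocal weather app
BUCKET_SECONDS = 15 * 60     # assumed temporal resolution
METRES_PER_DEG_LAT = 111_320.0

def coarsen(lat, lon, ts, cell_m=CELL_METRES, bucket_s=BUCKET_SECONDS):
    """Reduce a precise fix to (grid_row, grid_col, time_bucket) integers.
    The precise coordinates and timestamp are not retained."""
    row = math.floor(lat * METRES_PER_DEG_LAT / cell_m)
    # A degree of longitude shrinks with cos(lat); scale by the row's centre latitude
    # so every point in the row uses the same column width.
    row_centre_lat = (row + 0.5) * cell_m / METRES_PER_DEG_LAT
    m_per_deg_lon = METRES_PER_DEG_LAT * math.cos(math.radians(row_centre_lat))
    col = math.floor(lon * m_per_deg_lon / cell_m)
    return (row, col, ts // bucket_s)

def aggregate(records, k=5):
    """Count distinct devices per coarse cell; drop cells with fewer than k devices
    (small-count suppression) so no per-device trail survives in the output."""
    devices_per_cell = defaultdict(set)
    for device_id, ts, lat, lon in records:
        devices_per_cell[coarsen(lat, lon, ts)].add(device_id)
    return {cell: len(devs) for cell, devs in devices_per_cell.items() if len(devs) >= k}

# Constructed sample: five devices within ~50 m of each other over two minutes
# (device "a" reports twice) plus one lone device ~1.5 km away.
SAMPLE_RECORDS = [
    ("a", 1_600_000_000, 51.5074, -0.1278),
    ("a", 1_600_000_030, 51.5075, -0.1279),
    ("b", 1_600_000_060, 51.5076, -0.1280),
    ("c", 1_600_000_090, 51.5077, -0.1281),
    ("d", 1_600_000_100, 51.5078, -0.1282),
    ("e", 1_600_000_120, 51.5074, -0.1280),
    ("f", 1_600_000_000, 51.5200, -0.1000),
]

if __name__ == "__main__":
    print(aggregate(SAMPLE_RECORDS, k=5))  # one busy cell with 5 devices; lone device suppressed
```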
Is the data kept securely and users’ anonymity preserved?
There needs to be a really, really good reason for Ambient Location information not to be anonymous. Importantly for most of the applications where Ambient Location information is used to “sense” the world, anonymous data is all that is required.
It might be that some considerable effort, as in differential privacy, must be applied to data to maintain privacy, but there is great risk associated with linking individuals to their location.
The recent debate on different approaches to contact tracing, centralised vs. decentralised, is illustrative here: in both cases the data collected is anonymous, however there is greater risk in the centralised model that there could be a security compromise and the data “could”, at least theoretically, be identifiable.
The risk comes from storing the data in one location as opposed to distributed on individual devices. Against this risk of course there may be counter arguments that from a perspective of epidemiology it is valuable to be able to view the graph of user interactions only possible with a central repository of data.
Regardless of where Ambient Location data is stored it should be secure, encrypted both “At Rest”, e.g. on the device or server, and “In Transit” while moving across the network between device and server.
Is the scope of Personally Identifiable Information (PII) Understood?
The data that can be considered to be personally identifiable extends beyond the obvious name, address and telephone number and there are grey areas specifically with types of Geospatial Information.
Any data that, with the favourite legal term of “reasonable effort”, can be used to identify an individual data subject is Personally Identifiable Information. So the IP address of the client using your service is PII, as is any device ID specific to a mobile phone for example such as the IMEI or IMSI code.
These are obvious, but geospatial imagery also brings unique challenges. While satellite imagery and aerial photography can be argued to be not PII as the resolution of imagery and the generally vertical orientation of imagery makes identifying individuals impossible, the same cannot be said for terrestrial imagery.
Because it would be possible to combine an image taken at ground level, where an individual could be recognised, with metadata of when the image was acquired, it is necessary for services such as Google Maps “Street View” and Apple’s “Look Around” to blur faces and car registration plates.
Is there a “Break the Glass Protocol?”
There are already provisions within privacy legislation such as GDPR which allow emergency services access to PII and location data for emergency use. The obvious example here is the use of AML to provide accurate handset derived location data when users dial for emergency assistance from their mobile phone.
As I have noted before in the case of the lost backpacker Theo Hayez, who disappeared from an Australian resort a year ago, there may be occasions when, for the safety of an individual, their location should be shared with emergency services without their explicit consent.
This is clearly a complex area, in the case of Theo he was an adult and his family and detectives were able to obtain his location history from Google Maps by using a recovery password on his account. But he had not agreed to this data sharing, and it would also be reasonable to believe this was not justified.
There are of course legal processes which can be used by government agencies to obtain access to location information from service providers but these quite rightly take time.
Perhaps a protocol that users agree to in advance, which identifies circumstances or individuals with whom location data may be shared, is a way to approach this. Another, perhaps better, alternative is dedicated emergency applications that users may use to identify use cases where location data sharing is temporarily acceptable, e.g. if I don’t return from my evening walk at the expected time, share my location with my partner for the next few hours.
The final E is really about the end.
What happens to Location data after its immediate use?
Is the collection of Ambient Location Information temporary and limited to a defined period of storage, and if not, why not? Again, of course, there may be applications where the user might want data to be stored indefinitely; for example I have been storing my Location History in Google Maps since 2011 and it’s nice to be able to look back at my travels. But this is my explicit choice, and recently an option has been introduced to automatically delete your location history after a period of time – of course after you have opted in to its collection in the first place!
For all services which will store a user’s Ambient Location Information there needs to be a clear and well explained decommissioning process: what happens when I no longer use the service, and what happens when the service is retired? There is a clear expectation that the data will be securely deleted from all systems, but again there may be justifications for keeping information for analytical purposes.
It is reported that the (soon to be released?) NHSx contact tracing app would like to store user data (anonymised?) for up to 20 years for epidemiological research purposes. I would expect such a period of time to require considerable justification, but again there may be valid reasons.
So there we are: the four E’s are Efficacy, Equability, Execution and Eradication – what do you think?