
More at: http://radar.oreilly.com/2009/08/locational-priavcy-the-eff-wei.html


Page 1: Electronic Frontier Foundation - Locational Privacy

On Locational Privacy, and How to Avoid Losing it Forever

By

Andrew J. Blumberg, [email protected]

Peter Eckersley, [email protected]

August 2009

ELECTRONIC FRONTIER FOUNDATION eff.org


On Locational Privacy, and How to Avoid Losing it Forever

Over the next decade, systems which create and store digital records of people’s movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future.

Here are some examples you might already have used or read about:

• Monthly transit swipe-cards

• Electronic tolling devices (FastTrak, EZpass, congestion pricing)

• Cell phones

• Services telling you when your friends are nearby

• Searches on your PDA for services and businesses near your current location

• Free Wi-Fi with ads for businesses near the network access point you’re using

• Electronic swipe cards for doors

• Parking meters you can call to add money to, and which send you a text message when your time is running out

These systems are marvellously innovative, and they promise benefits ranging from increased convenience to transformative new kinds of social interaction.

Unfortunately, these systems pose a dramatic threat to locational privacy.

What is “locational privacy”?

Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use. The systems discussed above have the potential to strip away locational privacy from individuals, making it possible for others to ask (and answer) the following sorts of questions by consulting the location databases:

• Did you go to an anti-war rally on Tuesday?

• A small meeting to plan the rally the week before?

• At the house of one “Bob Jackson”?

• Did you walk into an abortion clinic?

• Did you see an AIDS counselor?


• Have you been checking into a motel at lunchtimes?

• Why was your secretary with you?

• Did you skip lunch to pitch a new invention to a VC? Which one?

• Were you the person who anonymously tipped off safety regulators about the rusty machines?

• Did you and your VP for sales meet with ACME Ltd on Monday?

• Which church do you attend? Which mosque? Which gay bars?

• Who is my ex-girlfriend going to dinner with?

Of course, when you leave your home you sacrifice some privacy. Someone might see you enter the clinic on Market Street, or notice that you and your secretary left the Hilton Gardens Inn together. Furthermore, in the world of ten years ago, all of this information could be obtained by people who didn’t like you or didn’t trust you.

But obtaining this information used to be expensive. Your enemies could hire a guy in a trench coat to follow you around, but they had to pay him. Moreover, it was hard to keep the surveillance secret — you had a good chance of noticing your tail ducking into an alley.

In the world of today and tomorrow, this information is quietly collected by ubiquitous devices and applications, and available for analysis to many parties who can query, buy or subpoena it. Or pay a hacker to steal a copy of everyone’s location history.

It is this transformation to a regime in which information about your location is collected pervasively, silently, and cheaply that we’re worried about.

Threats and opportunity

Some threats to locational privacy are overt: it’s evident how cameras backed by face-recognition software could be misused to track people and record their movements. In this document, we’re primarily concerned with threats to locational privacy that arise as a hidden side-effect of clearly useful location-based services.

We can’t stop the cascade of new location-based digital services. Nor would we want to — the benefits they offer are impressive. What urgently needs to change is that these systems need to be built with privacy as part of their original design. We can’t afford to have pervasive surveillance technology built into our electronic civic infrastructure by accident. We have the opportunity now to ensure that these dangers are averted.

Our contention is that the easiest and best solution to the locational privacy problem is to build systems which don’t collect the data in the first place. This sounds like an impossible requirement (how do we tell you when your friends are nearby without knowing where you and your friends are?) but in fact, as we discuss below, it is a reasonable objective that can be achieved with modern cryptographic techniques.

Modern cryptography actually allows civic data processing systems to be designed with a whole spectrum of privacy policies: ranging from complete anonymity to limited anonymity to support law enforcement. But we need to ensure that systems aren’t being built right at the zero-privacy, everything-is-recorded end of that spectrum, simply because that’s the path of easiest implementation.


Location Based Services That Don’t Know Where You Are

Surprisingly, modern cryptography offers some really clever ways to deploy road tolls and transit tickets and location searches and all the other mobile services we want, without creating a record of where you are. This isn’t at all intuitive, but it’s really important that policymakers and engineers working with location systems know about it. This section lists just a few examples of the kinds of systems that are possible.

Automated tolling and stoplight enforcement

In many metropolitan areas, drivers are encouraged to use small electronic transponders (FastTrak, EZpass) to pay tolls at bridges and tunnels. As momentum builds behind nuanced usage tolling and congestion pricing schemes, we expect to see an explosion of such devices and tolling methods.

For simple point tolls (e.g. bridge tolls), protocols that cryptographers call electronic cash are an excellent solution. In its cryptographic sense, electronic cash refers to means by which an individual can pay for something using a special digital signature which is anonymous but which guarantees the recipient that they can redeem it for money; it acts just like cash! See this paper for the details of a modern implementation. Thus, a driver “Vera” would buy a wad of electronic cash every few months and “charge up” her transponder. As Vera drives over bridges and through tunnels, the tolling transponder would anonymously pay her tolls.
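
The following is an added illustration, not code from the EFF paper or from the implementation it links to: a Chaum-style RSA blind signature acting as electronic cash. The bank signs a blinded coin it never sees in the clear, so when a toll booth later redeems that coin the bank cannot tie it back to the purchase; a set of spent serials stops the same coin being used twice. The class and function names (Bank, buy_coin, verify_coin, pay_toll) are my own, the primality test and key generation are hand-rolled for a self-contained demo, and the 256-bit primes are far too small for anything but illustration.

```python
# Added example (not from the EFF paper): Chaum-style RSA blind signatures as "electronic
# cash". The bank signs a coin it cannot see, so later redemption of that coin cannot be
# linked to the purchase. Key sizes are deliberately small so the demo runs instantly;
# a deployment would use a vetted library and full-size keys.
import hashlib
import random
import secrets
from math import gcd


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def _coin_hash(serial: bytes, n: int) -> int:
    """Hash the secret coin serial into Z_n; this is the value that actually gets signed."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n


class Bank:
    """Issuer's bank: signs coins blindly and redeems each coin at most once."""

    def __init__(self, bits: int = 256):
        self.e = 65537
        while True:
            p, q = _random_prime(bits), _random_prime(bits)
            phi = (p - 1) * (q - 1)
            if p != q and gcd(self.e, phi) == 1:
                break
        self.n = p * q
        self.d = pow(self.e, -1, phi)
        self.issued_blinded = []  # everything the bank ever sees at purchase time
        self.spent = set()        # serials already redeemed (double-spend check)

    def sign_blinded(self, blinded: int) -> int:
        # The bank would debit the buyer's account here; it only sees the blinded value.
        self.issued_blinded.append(blinded)
        return pow(blinded, self.d, self.n)

    def redeem(self, serial: bytes, signature: int) -> bool:
        """A toll booth turns a coin in: valid signature and never seen before => accepted."""
        if not verify_coin(self.n, self.e, serial, signature):
            return False
        if serial in self.spent:
            return False
        self.spent.add(serial)
        return True


def buy_coin(bank: Bank) -> tuple:
    """Driver side: pick a secret serial, blind it, get it signed, unblind the signature."""
    serial = secrets.token_bytes(16)
    m = _coin_hash(serial, bank.n)
    while True:
        r = secrets.randbelow(bank.n)
        if r > 1 and gcd(r, bank.n) == 1:
            break
    blinded = (m * pow(r, bank.e, bank.n)) % bank.n      # m * r^e
    s_blind = bank.sign_blinded(blinded)                  # (m * r^e)^d = m^d * r
    signature = (s_blind * pow(r, -1, bank.n)) % bank.n   # strip r: m^d
    return serial, signature


def verify_coin(n: int, e: int, serial: bytes, signature: int) -> bool:
    """Anyone holding the bank's public key can check a coin offline, e.g. a roadside reader."""
    return pow(signature, e, n) == _coin_hash(serial, n)


def pay_toll(bank: Bank, coin: tuple) -> bool:
    """Vera's transponder hands the coin over; the booth redeems it with the bank."""
    serial, signature = coin
    return bank.redeem(serial, signature)
```

The property worth checking is that nothing the bank recorded at issue time (the blinded values) matches anything it sees at redemption (the serial's hash and the unblinded signature), while a second redemption of the same coin is refused.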

For more complicated tolling systems (in which the price depends on the specific path taken), a somewhat more involved implementation can be used (discussed in detail in this technical paper).

Straightforward but privacy-insensitive implementations of congestion-pricing systems simply track drivers and use the tracking information to generate tolls. For instance, you might have all of the cars using a little radio gadget to report their location all the time. As Vera drives throughout the congestion pricing area (e.g. down a street in central London), the gadget says “Hi, this is Vera’s car.” That creates a record of everywhere Vera went. Equivalently, one might put cameras everywhere which record Vera’s license plate as she drives and keep track of everywhere she goes to subsequently compute her tolls. Both of these solutions violate Vera’s locational privacy.

The less obvious but much better way to run such tolls is to have Vera’s gadget commit to a secret list of “dynamic license plates” — a long list of random-looking cryptographic numbers. This commitment takes the form of a digital signature given to the tolling authority. As Vera drives through the tolling region, her gadget cycles through these numbers rapidly, sending the current number to the monitoring devices she passes. None of those numbers actually identifies Vera, and since they keep changing there’s no way to string them together to track her.

But, at the end of the month, Vera has to pay her road toll by plugging the gadget in her car into her computer. The computers execute a fancy cryptographic process called a “secure multi-party computation”. At the end, her computer proves that she owes $17.00 in road tolls this month, without revealing how she accumulated that total. The commitment exchanged at the beginning ensures that Vera can’t cheat: she can’t prove a lower total if she actually drove across a bridge with the gadget active.

This kind of approach can be used to solve various automated traffic enforcement needs, as well. For instance, every time Vera passes a traffic light a monitoring device can collect the current “dynamic license plate”. Although again, the collected data can’t be used to track Vera around, if Vera runs a red light the system can detect this and issue Vera a ticket.
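
The dynamic-plate scheme from the last three paragraphs, as an added example that is not part of the paper or of the technical paper it cites. It shows the parts a practitioner can inspect directly: a month's worth of unlinkable plates derived from one device secret, a hash-tree commitment standing in for the signed commitment the paper describes, roadside readers whose log holds no driver identity and no repeated value, and a Merkle membership proof that lets Vera open exactly one plate (say, the one a red-light camera flagged) without exposing the others. The month-end proof of the total, which the paper hands to a secure multi-party computation, is simplified here to the driver tallying her own bill from the public log. Transponder, Reader, merkle_root and the other names are my own; prices and readers are constructed.

```python
# Added example (not from the EFF paper): "dynamic license plates" with a hash-tree commitment.
# The month-end proof of the total, which the paper describes as a secure multi-party
# computation, is simplified here to the driver's own tally over the public reader log
# plus a Merkle membership proof for opening a single plate on demand.
import hashlib
import hmac
import secrets

PLATES_PER_MONTH = 16  # tiny for the demo; a real device would carry many thousands


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaves: list) -> bytes:
    """Root of a binary hash tree over the plates; this is what Vera commits to."""
    level = [_h(b"\x00" + leaf) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(leaves: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to the root: opens one plate, hides the others."""
    level = [_h(b"\x00" + leaf) for leaf in leaves]
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], index % 2 == 0))  # (hash, sibling sits on the right)
        level = [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_membership(root: bytes, plate: bytes, proof: list) -> bool:
    node = _h(b"\x00" + plate)
    for sibling, sibling_is_right in proof:
        node = _h(b"\x01" + node + sibling) if sibling_is_right else _h(b"\x01" + sibling + node)
    return node == root


class Transponder:
    """Vera's gadget: one secret seed yields a list of unlinkable plates for the month."""

    def __init__(self, count: int = PLATES_PER_MONTH):
        self.seed = secrets.token_bytes(32)
        self.plates = [
            hmac.new(self.seed, i.to_bytes(4, "big"), "sha256").digest()[:16] for i in range(count)
        ]
        self.pos = 0

    def commitment(self) -> bytes:
        """Handed (signed, in the paper's design) to the tolling authority at the start of the month."""
        return merkle_root(self.plates)

    def next_plate(self) -> bytes:
        """Each reader sees a fresh value, so two sightings cannot be chained together."""
        plate = self.plates[self.pos]
        self.pos = (self.pos + 1) % len(self.plates)
        return plate

    def open_plate(self, plate: bytes) -> list:
        """Proof that this one plate is in the committed list, e.g. to answer a red-light ticket."""
        return merkle_proof(self.plates, self.plates.index(plate))


class Reader:
    """Roadside monitor: logs (plate, location, price) and nothing about the driver."""

    def __init__(self, location: str, price_cents: int, log: list):
        self.location, self.price_cents, self.log = location, price_cents, log

    def observe(self, transponder: Transponder) -> None:
        self.log.append({"plate": transponder.next_plate().hex(),
                         "where": self.location, "price": self.price_cents})


def compute_bill(transponder: Transponder, public_log: list) -> int:
    """Month-end: the driver tallies charges against her own plate list (in cents)."""
    mine = {p.hex() for p in transponder.plates}
    return sum(entry["price"] for entry in public_log if entry["plate"] in mine)


def repeated_plates(public_log: list) -> int:
    """Sightings that share a plate with an earlier one; 0 means nothing in the log can be chained."""
    seen, repeats = set(), 0
    for entry in public_log:
        repeats += entry["plate"] in seen
        seen.add(entry["plate"])
    return repeats
```

Two properties to check against the text: the reader log alone never links two sightings (repeated_plates is zero while the device has plates left), and a proof built from one driver's list does not verify against another driver's commitment, which is what stops Vera disowning a plate she emitted.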


Location-based search

A location-based search on a mobile device is another important example. Phones are starting to be able to locate themselves based on the signal strength or visibility of nearby wireless networks or on GPS data. Naturally, companies are also racing to provide search tools which use this data to offer people different search results depending on where they are at any given moment. The naive way to do mobile location search is for the device to say “This is Frank’s Nokia here. I see the following five WiFi networks with the following five signal strengths”. The service replies “okay, that means you’re at the corner of 5th and Main in Springfield”. Then your device replies, “What burger joints are nearby? Are any of Frank’s friends hanging out nearby?”. That kind of search creates a record of everywhere you go and what you’re searching for while you’re there.

A better way to do location-based services and search is something like this: “Hi, this is a mobile device here. Here is a cryptographic proof that I have an account on your service and I’m not a spammer. I see the following five wireless networks.” The service replies “okay, that means you’re at the corner of 5th and Main in Springfield. Here is a big list of encrypted information about things that are nearby”. If any of that encrypted information is a note from one of Frank’s friends, saying “hey, I’m here”, then his Nokia will be able to read it. If he likes, he can also say “hey, here’s an encrypted note to post for other people who are nearby”. If any of them are his friends, they’ll be able to read it. (An excellent and detailed discussion of a related approach via secure multi-party computation is presented in this paper.)
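
The exchange just described, as an added example that is not part of the paper: a phone reports observed network identifiers plus an opaque access proof, the service resolves those to a cell and returns every blob posted there, and the phone keeps only the blobs one of its friend keys can authenticate. Authenticated encryption is built from HMAC-SHA256 (encrypt-then-MAC over an HMAC keystream) so the block needs no third-party library; the access proof is a placeholder for the anonymous credential the text mentions, not an implementation of one. LocationService, Device, seal and unseal are my own names, and the Wi-Fi map, keys and messages are constructed.

```python
# Added example (not from the EFF paper): the "encrypted notes" exchange for friend finding.
# Authenticated encryption is built from HMAC-SHA256 so the demo needs no third-party
# library; the "access proof" is an opaque placeholder for the anonymous credential the
# text refers to. The Wi-Fi map and all messages are constructed sample data.
import hmac
import secrets


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, "sha256").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a key shared with one friend. Output: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext if `key` authenticates this blob, else None (it was for someone else)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class LocationService:
    """Server side: turns observed networks into a cell and stores opaque blobs per cell."""

    def __init__(self, wifi_map: dict):
        self.wifi_map = wifi_map      # bssid -> cell name (constructed lookup table)
        self.posts = {}               # cell -> list of ciphertext blobs
        self.request_log = []         # everything the server learns per request

    def resolve(self, observed_bssids: list):
        cells = [self.wifi_map[b] for b in observed_bssids if b in self.wifi_map]
        return max(set(cells), key=cells.count) if cells else None

    def query(self, access_proof: str, observed_bssids: list, new_blobs=()) -> list:
        cell = self.resolve(observed_bssids)
        self.request_log.append({"proof": access_proof, "cell": cell})  # no name, no plaintext
        if cell is None:
            return []
        self.posts.setdefault(cell, []).extend(new_blobs)
        return list(self.posts[cell])


class Device:
    """A phone holding one shared key per friend."""

    def __init__(self, friend_keys: dict):
        self.friend_keys = friend_keys                  # friend name -> shared key
        self.access_proof = secrets.token_hex(8)        # placeholder for an anonymous credential

    def post_note(self, service: LocationService, observed: list, text: str) -> None:
        blobs = [seal(k, text.encode()) for k in self.friend_keys.values()]  # one copy per friend
        service.query(self.access_proof, observed, blobs)

    def read_notes(self, service: LocationService, observed: list) -> list:
        """Fetch everything posted nearby and keep only the notes a friend key can open."""
        found = []
        for blob in service.query(self.access_proof, observed):
            for friend, key in self.friend_keys.items():
                text = unseal(key, blob)
                if text is not None:
                    found.append((friend, text.decode()))
        return found
```

What the service ends up holding is the interesting part: ciphertext blobs it cannot read and a request log with a cell and an opaque proof but no account name, which is the record the naive design would have filled with “Frank” and his queries.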

Transit passes and access cards

Another broad area of application is for passcards and devices allowing access to protected areas; for instance, passcards which allow access to bike lockers near train stations, or cards which function as a monthly bus pass. A simple implementation might involve an RFID card reporting that Bob has checked his bike into or out of the storage facility (and deducts his account accordingly), or equivalently that Bob has stepped onto the bus (and checks to make sure Bob has paid for his pass). This sort of scheme might put Bob at risk.

A better approach would involve the use of recent work on anonymous credentials. These give Bob a special set of digital signatures with which he can prove that he is entitled to enter the bike locker (i.e. prove you’re a paying customer) or get on the bus. But the protocols are such that these interactions can’t be linked to him specifically and moreover repeated accesses can’t be correlated with one another. That is, the bike locker knows that someone authorized to enter has come by, but it can’t tell who it was, and it can’t tell when this individual last came by. Combined with electronic cash, there are a wide range of card-access solutions which preserve locational privacy.

Privacy concerns and anonymized databases

We should note that even the existence of location databases stripped of identifying tags can leak information. For instance, if I know that Vera is the only person who lives on Dead End Lane, the datum that someone used a location-based service on Dead End Lane can be reasonably linked to Vera. This problem is widely acknowledged (and studied) in the context of epidemiological data as well: it turns out to be relatively easy to deduce the identity of individual disease victims from “anonymized” geographic information about the location of cases. Generally speaking, one solution to this problem is to restrict the use of location-based services to high density areas. There are more complicated cryptographic solutions that are also possible. See this paper for a discussion (and proposed solution) to this problem in the context of collection of aggregate traffic statistics, and this paper for discussion of “differential privacy”, a formalization of ideal privacy guarantees in the face of the existence of databases.
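
An added example, not from the paper or the papers it cites, of the Dead End Lane leak and the two remedies the paragraph names. The records carry no user field at all, yet a join against a public residents' directory re-identifies every record from a street with a single resident. The first remedy suppresses segments whose population is below a threshold k (the "high density areas only" rule); the second adds Laplace noise calibrated to epsilon so that released counts are differentially private (each record moves one count by at most one, so the per-segment sensitivity is 1). The usage records, the directory and the function names (reidentify, suppress_sparse, dp_release, publish) are constructed for this illustration.

```python
# Added example (not from the EFF paper): why a location database "stripped of identifying
# tags" still leaks, and two mitigations named in the text: publishing only for dense areas,
# and adding differential-privacy noise to released counts. All records and the residents'
# directory are constructed sample data.
import math
import random
from collections import Counter

# Constructed "anonymized" service-usage records: no user field at all.
USAGE = (
    [{"segment": "Dead End Lane", "hour": 8}]
    + [{"segment": "Main St", "hour": 8} for _ in range(7)]
    + [{"segment": "Main St", "hour": 17} for _ in range(5)]
    + [{"segment": "Elm Ave", "hour": 9} for _ in range(3)]
)

# Constructed public directory an adversary can join against.
RESIDENTS = {
    "Dead End Lane": ["Vera"],
    "Main St": ["Ann", "Ben", "Cal", "Dee", "Eve", "Fay"],
    "Elm Ave": ["Gus", "Hal"],
}


def reidentify(usage: list, residents: dict) -> list:
    """Link anonymous records to people wherever the directory leaves a single candidate."""
    return [
        (rec["segment"], rec["hour"], residents[rec["segment"]][0])
        for rec in usage
        if len(residents.get(rec["segment"], [])) == 1
    ]


def counts_by_segment(usage: list) -> dict:
    return dict(Counter(rec["segment"] for rec in usage))


def suppress_sparse(counts: dict, residents: dict, k: int) -> dict:
    """Release a segment only if at least k people could plausibly have produced its records."""
    return {seg: c for seg, c in counts.items() if len(residents.get(seg, [])) >= k}


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample from Laplace(0, scale) by inverse CDF."""
    u = rng.random() - 0.5
    while u == -0.5:  # avoid log(0) on the (measure-zero) boundary
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_release(counts: dict, epsilon: float, rng: random.Random) -> dict:
    """Epsilon-differentially-private counts: one record changes one count by at most 1."""
    return {seg: c + laplace_noise(1.0 / epsilon, rng) for seg, c in counts.items()}


def publish(usage: list, residents: dict, k: int, epsilon: float, seed=None) -> dict:
    """Pipeline an agency could run before releasing aggregate traffic statistics."""
    # A real release must draw noise from a cryptographic RNG; the seed exists only for tests.
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return dp_release(suppress_sparse(counts_by_segment(usage), residents, k), epsilon, rng)


def noise_calibration(scale: float, n: int = 20000, seed: int = 0) -> tuple:
    """Empirical (mean, mean |x|) of n draws; for Laplace(0, scale) these approach (0, scale)."""
    rng = random.Random(seed)
    draws = [laplace_noise(scale, rng) for _ in range(n)]
    return sum(draws) / n, sum(map(abs, draws)) / n
```

Suppression alone is the blunt tool: it removes Vera's street from the release entirely, whereas the noisy counts still let an analyst see Main St traffic without any single record being decisive.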


For more information

Safely and correctly implementing such modern cryptographic protocols can be a substantial engineering challenge. And implementing them efficiently takes work. But it can be done — this is exactly the kind of cryptographic software that protects the security of our financial network (e.g. ATMs), makes it safe for us to buy things online, and encodes our phone calls. Big software contractors (e.g. IBM and Siemens) maintain large staffs of cryptographers.

We’ve linked to some of the sources that would be useful for engineers who want to understand how these protocols work. But, if you’re a policymaker or an engineer and you have questions about how these methods work, don’t hesitate to contact us: we can point you at literature and connect you with experts to answer your questions.

Why Should Private Sector Firms Prioritize Locational Privacy?

We believe that governments have a civic responsibility to their citizens to ensure that the infrastructure they deploy protects locational privacy. But there are also financial reasons for the private sector to go to some length to design privacy into the locational systems they build.

Avoid legal compliance costs

If a corporation retains logs that track individuals’ locations, they may be subject to legal requests for that information. Such requests may come in different forms (including informal questions, subpoenas or warrants) and from different parties (law enforcement or civil litigants). There are complex legal questions as to whether compliance with a particular request is legally required, optional, or even legally prohibited and a liability risk.

This legal complexity may even involve international law. For instance, US corporations which also have operations in the European Union might be subject to European data protection laws when EU citizens visit the United States and use the US company’s services.

Corporations with large locational data sets face a risk that lawyers and law enforcement will realize the data exists and begin using legal processes to obtain it. The best way to avoid this costly compliance risk is to avoid having identifiable location data in the first place.

Obtain a competitive edge

The public is slowly becoming aware of the potential downsides of having their location tracked on a continuous basis. The ability to demonstrate reliable privacy protections will increasingly offer firms a competitive edge if they can persuade individual customers — or government clients — that their product offers more robust and trustworthy privacy protections.

Isn’t there an easier/different alternative?

Using cryptography and careful design to protect location privacy from the outset requires engineering effort. So it’s important to ask whether there are other adequate ways to preserve privacy in these systems. Unfortunately, we believe the alternatives are unreliable or harder to implement and enforce.


Data retention and erasure

One kind of protection you might hope for is that your location records will be deleted before your adversary gets to them. If the company that’s offering you a fancy location search on your cell phone doesn’t need to remember your history a week later, perhaps they can be persuaded to forget it quickly. Perhaps they promise that they will.

Unfortunately, there isn’t much basis for optimism on the data retention front. Search companies have incentives to keep extensive records of their users’ queries, so that they can learn how to improve their results (and sell more effective advertisements). Storage space is cheap and getting cheaper. Tolling agencies have incentives to keep extensive records of toll usage, to settle complaints and provide aggregate statistics and accounting data.

Even if the collecting outfit does promise to delete the data after a set interval, there’s no guarantee that they’re actually going to do that properly. Firstly, secure deletion tools are necessary to make sure that deleted data is really gone; many sysadmins will fail to use them correctly. Secondly, all it takes is the flip of a switch to suddenly change policies from deletion to retention. To make matters worse, there’s no guarantee that a government won’t suddenly pass a law requiring such companies and government agencies to keep all of their records for years, just in case the records are needed for “national security” purposes. This last concern isn’t just idle paranoia: this has already happened in Europe, and the Bush administration has toyed with the same idea.

And as for government agencies, experience so far with data retention has not been reassuring. An interesting example is provided by automated tolling data (records from FastTrak and EZpass). Different states have made different promises about how long they keep the data, and there have been varying degrees of effectiveness in carrying out these promises. Data has often remained available for subpoena after a number of years. Legal penalties for the violation of these promises are currently minimal.

Limiting data retention is an important protection for privacy, but it’s no substitute for the best protection: not recording that information in the first place.

Opting out

Sometimes people respond to these sorts of worries with the claim that the free market will solve this problem. “People who are worried about privacy shouldn’t use these services,” they say. “If people really care, a company offering privacy as an explicit feature will arise.”

We don’t believe this is an acceptable viewpoint — there is too much coercion in play. Often, there’s no adequate replacement for the service in question, and it is or will soon be a dramatic hardship to avoid its use. Suppose that parts of the United States began to adopt mandatory “pay as you drive” insurance, or congestion pricing, that was based on location tracking. In most parts of the United States, it’s not really reasonable to suggest that people who are worried about privacy shouldn’t drive (or shouldn’t drive to their religious institution of choice). And in the case of location-based services, it’s clear that the deck is stacked against people choosing to take inconvenient measures to protect themselves: it’s too hard to know what is being recorded by whom, too hard to know what options there are to avoid being recorded, and too hard to keep researching these questions as you interact with new pieces of technology. In this environment, people simply haven’t adjusted to the potential for the loss of the reasonable expectation of privacy in public places, and our standard intuitions haven’t kept up with advances in technology.


Cell phones and credit cards already create a trail

It’s true that most cell phones provide some amount of tracking information to the carriers as long as they’re on, and that credit card records provide a pervasive trail of activity. This is no reason to surrender further locational privacy, but rather a reason to fight for better practices or laws for cell phone technology and credit card data. The problems we’re having now with identity theft make it clear how problematic the handling of sensitive personal data is.

Law-abiding citizens don’t need privacy

Another common response to worries about locational privacy is to say that law-abiding citizens don’t need privacy. “I don’t commit adultery, I don’t break the law,” people say (and tacitly, “I’m not in the closet, and I don’t belong to any non-majority religious or political groups”).

One answer to this concern is a reminder that there are more subtle reasons for needing privacy. It’s not just the government, or law enforcement, or political enemies you might want to be protected from.

• Your employer doesn’t need to know things about whether, when, and where you went to church.

• Your co-workers don’t need to know how late you work or where you shop.

• Your sister’s ex-boyfriend doesn’t need to know how often she spends the night at her new boyfriend’s apartment.

• Your corporate competitors don’t need to know who your salespeople are talking to.

Preserving locational privacy is about maintaining dignity and confidence as you move through the world. Locational privacy is also about knowing when other people know things about you, and being able to tell when they are making decisions based on those facts.

Suppose that an insurance company manages to obtain a record of Alice’s movements over the past year, and decides that there is some aspect of that record which is grounds for raising her premiums or denying her coverage. The problem with that decision is not just that it is unfair, but that Alice may have no ability to dispute it. If the insurance company’s reasoning is misinformed, will Alice have a practical way of knowing that and disputing it?

The ‘I’ve got nothing to hide’ argument against privacy is criticized at greater length in this article.

Conclusion

In the long run, the decision about when we retain our location privacy (and the limited circumstances under which we will surrender it) should be set by democratic action and lawmaking. Now is a key moment for organizations that are building and deploying location data infrastructure to show leadership and select designs that are responsible and do not surrender the locational privacy of users simply for expediency.