A geoprivacy manifesto

Carsten Keßler, Grant McKenzie
2017 Transactions on GIS  
As location-enabled technologies are becoming ubiquitous, our location is being shared with an ever-growing number of external services. Issues revolving around location privacy, or geoprivacy, therefore concern the vast majority of the population, largely without knowing how the underlying technologies work and what can be inferred from an individual's location, especially if recorded over longer periods of time. Research, on the other hand, has largely treated this topic from isolated ... nts, most prominently from the technological and ethical point of view. This article therefore reflects upon the current state of geoprivacy from a broader perspective. It integrates technological, ethical, legal, and educational aspects and clarifies how they interact and shape how we deal with the corresponding technology, both individually and as a society. It does so in the form of a manifesto, consisting of 21 theses that summarise the main arguments made in the article. These theses argue that location information is different from other kinds of personal information and, in combination, show why geoprivacy (and privacy in general) needs to be protected and should not become a mere illusion. The fictional couple of Jane and Tom is used as a running example to illustrate how common it has become to share our location information, and how it can be used, both for good and for worse.

monthly pass to enter the subway station. Since the construction work only caused a few minutes' delay in her commute, she still has time to stop at her favorite coffee shop, using her credit card to pay for a cappuccino. When she enters the office building she works in, her phone brings up the reminder she had set the day before to make sure she downloads the client presentation she had been working on last night from her cloud storage to her office computer.

Jane's husband Tom left the house early this morning for a two-day meeting out of town. He did not really mind the two-hour drive, since this was his first opportunity for an extended trip in his brand new car. When he purchased it the week before, he had signed up for the roadside assistance plan after his old station wagon had left him stranded several times. Following the GPS instructions, he takes the toll bridge to get out of town and onto the highway. Before he arrives at the meeting, he decides to find a place for breakfast, checking for on-line ratings and recommendations first.
Later that day, Tom goes out to have dinner with his colleagues, checking in at the restaurant with his favorite social network to let his friends know about their fantastic selection of red wines. After paying with his company credit card, he uses the limousine app on his phone to find a nearby driver to take him back to the hotel.

In these two short, yet very common examples, Jane and Tom have shared their location with a dozen parties: the weather app provider, the operator of the digital assistant, the subway operator, two credit card companies, the reminder app, the cloud storage provider, the roadside assistance provider, the toll station operator, the restaurant ratings service, the social network, and the limousine app service. While some of these services may be offered by the same provider (such as the operating system provider running the weather service and the digital assistant), this demonstrates how we share our location information with a large number of entities on a daily basis, together with other personal identifiable information (PII) such as credit card numbers, user names, license plates, or customer numbers. Such location information does not always come as readily mappable pairs of geographic coordinates, but rather as the ID of a subway turnstile, a toll gate, or the name of a restaurant. However, such qualitative location information can still easily be georeferenced (Vasardani et al., 2013, for example), and in combination provide a detailed picture of an identifiable individual's whereabouts. While these samples of their location history are always triggered by a specific action such as a credit card payment or the swipe of a subway pass, cell phones act as permanent (coarse) positioning devices through the cellular towers they are connected to.
With the vast majority of adults in the world, including many developing countries, carrying cell phones today (World Bank, 2016), network providers have a continuous record of their users' locations that goes far beyond the samples in our introductory example (Ahas et al., 2015). Moreover, having these records for a large number of users and long periods of time bears the potential for analyses at the social network level (Eagle et al., 2009), especially if linked to the users' communication through phone calls and text messages. Likewise, operators of WiFi hotspots can keep track of devices that pass by frequently, even if they do not connect to the hotspot (Miller,
doi:10.1111/tgis.12305 fatcat:lwlxrfo2njhwranw2pmf7rdyoi