understanding the importance and impact of anonymity and authentication in a networked society

Technologies of Identification: Geospatial Systems and Locational Privacy

posted by: Lorraine Kisselburgh // 11:59 PM // October 31, 2006 // ID TRAIL MIX


In an increasingly mobile information society, location has become a new commodity giving rise to technologies such as wireless cell phones, global positioning systems (GPS), radio-frequency ID (RFID), and geographic information systems (GIS). Location technologies make visible an individual’s movements and activities, revealing patterns of behavior that are not possible without the use of this technology. In a typical day’s activities – using a debit card, an electronic toll pass, an automobile’s GPS navigation system, and a cell phone – information about one’s location can be tracked and stored in many ways.

The desire to protect this information is called location privacy, and is based upon Westin’s (1967) notion of privacy as “the claim of individuals … to determine for themselves when, how, and to what extent information about them is communicated to others”, a framework of autonomy or control of information about one’s self. [1] While much literature focuses on informational and relational privacy, locational privacy is less well studied.

Communication tools, transactional cards, personal locator and navigational systems, radio frequency identification devices, and surveillance cameras all have the capability to provide information about one’s location and behavior. In particular, geospatial technologies, such as global positioning systems (GPS) and geographic information systems (GIS), are powerful in their scope and capability to converge locational and tracking technologies. Geographic information systems (GIS) aggregate data and information from multiple sources including satellite, aerial, and infrared imagery, geodetic information, and “layered” attribute information (such as property records). These aggregates of data, like data mining systems, create collected bits of information that generate valuable and powerful profiles of objects.

Boundaries of intrusiveness

There is a growing number of high resolution satellites providing imagery for GIS systems. These eyes in the sky raise the question of “how close is too close”, or at what level (i.e. resolution) these images become intrusive to individual privacy. High resolution commercial satellite systems currently allow general features of facilities to be readily observed: the QuickBird system provides 0.6 m GSD resolution satellite images with 1-14 day sampling. At this resolution, features such as buildings, roads, and large objects are visible (for example, see a 0.6 m GSD [2] image of the Washington D.C. airport). GIS systems also include aerial images that provide details at <0.3 m GSD. Thus, precise geolocation information can be discerned in geospatial systems, especially when information is aggregated with other sources.

It is tempting to say that only very high spatial resolution is intrusive. But consider the situation of a low spatial resolution object (such as a dot representing an individual) overlaid onto a map and then captured in near-real time, i.e., at high temporal resolution. For example, one can identify a teenager’s location on a map, and then track his movements in near-real time through GPS data. In this scenario, even without high spatial resolution, one’s behaviors and actions are identifiable, allowing a system to track movements and infer from that information one’s actions and behaviors. Thus, the combinatory effect of high temporal resolution, with either low or high spatial resolution, identifies and becomes intrusive in ways that singular information would not. This means both the spatial and temporal contexts must be evaluated when determining intrusiveness.

The new Real-time Rome project announced last month by MIT provides an example of the applications of GIS systems and visualization tools, using data from cell-phone usage, pedestrian and transportation patterns, to map usages of urban space. While visualization is based upon aggregated information, individual-level data is collected.

Rights to locational privacy

What rights do we have to locational privacy? In the United States, common law gives rise to four generally recognized privacy torts: (a) intrusion upon a person's seclusion; (b) public disclosure of private facts; (c) publicity in a false light; and (d) misappropriation of one's likeness. However, the public disclosure tort is limited by the clause “if an event takes place in a public place, the tort is unavailable” (Restatement (Second) of Torts 652D, 1977), and the courts have generally ruled that a person traveling in public places voluntarily conveys location information. But courts have also recognized that “a person does not automatically make public everything he does merely by being in a public place” (Nader v. GMC, 1969, 570-71; see also, Doe v. Mills, 1995).

Constitutional protections for privacy, derived from the Fourth Amendment, restrict government intrusion into our personal life through searches of persons, personal space, and information. In the seminal case Katz v. United States (1967), the United States Supreme Court held that government eavesdropping of a man in a public phone booth violated a reasonable expectation of privacy because the Fourth Amendment protects “people, not places.” The Court held that whatever a person “seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected” (389 U.S. 347, 352, emphasis added). This gave rise to the two-pronged test of constitutional protection: whether an individual has an expectation of privacy that society will recognize as reasonable.

Case law has interpreted these locational privacy rights more specifically, examining intrusions of technology into the private sphere, government searches that are technologically enhanced, and the use of mobile devices and telecommunication information to derive locational information. While Fourth Amendment protection doesn’t extend to that which is knowingly disclosed to the public, the courts have ruled that the use of technologies not available to the general public can violate the privacy one reasonably expects (Kyllo v. U.S., 2001). But courts have shown a willingness to allow law enforcement to use technologically-enhanced vision for searches, including flying over a fenced backyard (California v. Ciraolo, 1986), a greenhouse (Florida v. Riley, 1986), or an industrial plant (Dow Chemical v. U.S., 1986), suggesting that the “open fields” doctrine [3] brings no reasonable expectation of privacy. [4]

This protection does not extend to deriving location information from communication devices. Transaction information such as telephone numbers is not protected (Smith v. Maryland, 1979), but providers are prevented from releasing information that discloses the physical location of an individual (CALEA, 1994/2000; U.S. Telecom v. FCC, 2000). However, using mobile communication devices as tracking devices to derive location information is not constitutionally protected (U.S. v. Meriwether, 1990; U.S. v. Knotts, 1983; U.S. v. Forest, 2004), as courts have ruled that individuals using cell phones, beepers, and pagers do not have a reasonable expectation of privacy when moving from place to place. (This interpretation continues to be challenged.)

Furthermore, while the Electronic Communications Privacy Act (1986) protects against unauthorized interception and disclosure of electronic communications (18 USC § 2510-22; 2701-11), it excludes tracking devices (§ 3117). However, the Wireless Communications and Public Safety Act (1999) explicitly protects location information in wireless devices (47 USC § 222, §§ f), requiring customer approval for disclosure. [5] But the Patriot Act (2001) has nullified some of these protections, granting broad authorities for government surveillance, including the ability to use roving wiretaps.

In summary, legal protection for location privacy in the United States is inconsistent and sectoral, providing coverage under certain situations and for specific technologies.

Implications

Emerging geospatial technologies, through their power and invisibility, re-architect our public space and change our patterns of disclosure and interaction with others in this space. Architecture regulates the boundaries of accessibility in human interaction. Just as doors and windows increased barriers and expectations of privacy in 17th century rural villages, modern technologies are decreasing these barriers, by providing new capabilities to extend or enhance human senses (our eyes, ears, and memory). This changes the architecture of our public sphere, and shifts our constructions of public-private space and boundaries. These shifts are at odds with our expectations and sense of personal space, thus leading to a sense of intrusion. In turn, this changes our awareness of disclosing and interacting with others in this space.

At the same time, the pervasiveness and invisibility of locational technologies mean that control of access to information about oneself is not available. We are unaware of the presence and activity of such technologies, and thus lack autonomy in regulating the boundaries of accessibility. This has implications for understanding our navigation and negotiation of connectivity in the modern world. In addition, the aggregation of information – whether in data mining systems or geographic information systems – creates very powerful identifiers. Whereas a single bit of information may not be threatening, aggregated bits constitute a pattern of behavior or a profile that can reveal much information and threaten one’s privacy and liberty.

Thus, the unique threats of geospatial systems as technologies of identification are based on two primary factors: a) aggregated data creates very powerful identifiers; and b) the invisibility of data collection and use results in a loss of agency in the process by which we are identified. These in turn influence how we interact in our society, and by extension, the construction of our identities.

This raises questions that require further study: What do these technologies of identification mean for our construction of identity in digital realms? That is, when technologies extend human senses, what happens to our construction of personal space and retreat, and our concept of reasonable expectations of privacy? Further, under the current legal framework, how do we address new constructions of space (e.g., reconnaissance of space above private property), new technologies of intrusion (e.g., infrared, RFID, GPS, GIS), and new constructions of scope (e.g., aggregated information)? Additional research is needed to understand how individuals define these ambiguous boundaries, our expectations of private space, and the mechanisms by which we negotiate shifting boundaries in the face of emerging locational technologies.


[1] Westin, A. F. (1967). Privacy and Freedom. New York: Atheneum.
[2] GSD, ground sample distance, refers to the pixel representation of the distance on the ground between two components, in digital imagery.
[3] See Hester v. United States, 265 U.S. 57 (1924) and Oliver v. United States, 466 U.S. 170 (1984) for a discussion of the “open fields doctrine” which suggests that constitutional protection is not extended to the open fields.
[4] Curry, M. (1996). In plain and open view: GIS and the problem of privacy. Paper presented at the Conference on Law and Information Policy for Spatial Databases, Santa Barbara, CA.
[5] Edmundson, K. E. (2005). Global positioning system implants: Must consumer privacy be lost in order for people to be found? Indiana Law Review, 38.

Lorraine Kisselburgh is a doctoral student in Media, Technology, and Society (Department of Communication) at Purdue University. Portions of this article were presented at the NYU Symposium on “Identity and Identification in a Networked World” and at the International Communication Association in Dresden, Germany, and have been submitted for publication in the “ICA 2006 Theme Session Proceedings.” The author wishes to acknowledge the support of Eugene Spafford (Department of Computer Science, Purdue University) in the conceptualization of this project.

Comments

Hi Lorraine. Thanks for this very interesting piece.

One worry I have about the legal practice of tying the question of whether there was a violation of the individual's right to privacy to the question of whether the individual had a reasonable expectation of privacy concerns the notion of *expectation*. (Set aside the reasonableness issue for the moment.) Tying the two questions together suggests that a necessary condition on a subject's having her right to privacy violated is that she (subjectively) expects, in the relevant circumstances, not to have her privacy diminished. The trouble is that people's expectations can be diminished for no good reason, and it's not at all obvious that having one's expectations diminished in this way precludes the possibility of having one's right to privacy violated.

Consider the following fanciful, but I think illustrative, case -- the case of the Ultimate Pessimist Drug (UPD). Suppose someone surreptitiously slips me a drug whose effect is to cause me to become extremely pessimistic for a certain period of time. Under the influence of the drug, I become so pessimistic about life and human nature that my expectations of how others will treat me drop drastically. In particular, my expectation of whether others will respect my privacy drops to zero. Suppose further that during this period of a UPD-induced lack of any expectation of privacy, someone -- the very person who slipped me the drug, say -- takes advantage of me by secretly getting their hands on loads of my personal information. What are we to say of this individual's behavior? If we maintain that an expectation of privacy on my part is a necessary condition on the violation of my right to privacy, we'll have to say that the individual did not violate my right to privacy. But that seems entirely wrong to me. The right thing to say, I think, is that this individual violated my right to privacy despite the fact that, at the time, I had no (subjective) expectation of privacy. My lack of expectation, after all, came for no good reason. The reason, or cause -- the other individual's slipping me the drug -- was a bad one.

Similarly, it seems to me, we might find ourselves in a position in society where, due to the entrenched use of certain information technologies (like the geospatial ones you mention), people's expectations of privacy are significantly diminished. They become aware, for example, of just how widespread the use of these technologies is, just how much information about them is being collected, and just how unlikely it is that the system involving these technologies will change anytime soon. To point out that, post-entrenchment, people have little or no expectation of privacy does not in my view absolve those who use these technologies from the charge that they are violating people's right to privacy. After all, it might very well have been the case that the entrenchment of the technologies was wrong to begin with. That the entrenchment ultimately led to a lowering of expectations seems irrelevant to the question of the violation of people's right to privacy.

So, I wonder: should we add to the provocative questions you raise the further question of whether privacy right violation is properly tied to an expectation of privacy?

Posted by: David Matheson at November 1, 2006 11:35 PM



This is a SSHRC funded project:
Social Sciences and Humanities Research Council of Canada