Location-Based Services and Privacy Law — Part II
In the last TLQ, we canvassed the technologies (including cellphone, GPS and Wi-Fi) that have unleashed a plethora of location-based services (LBS) that are accessible over the Internet and through a wide range of mobile devices. The upshot of these technical and business developments is that a whole range of service providers (and other companies who interface or transact with service providers) can learn where you are located at any time. This edition explores the interesting privacy law and related legal issues raised by this state of affairs.
Who Knows You’re Not Home?
It has recently come to light that a number of the houses of elite UK soccer players have been broken into by thieves while the players were out of town at "away" games. The thieves knew the owners of these posh houses would not be at home merely by looking at the soccer team’s home and away game schedule.
In the paper-based world, in order to avoid such burglaries, you probably asked your daily newspaper to suspend delivery for the two weeks you were going to be out of town on holiday — as a mounting pile of yellowing newsprint on your front walk would advertise your absence. You may have also installed a timer on at least one of your living room lamps to turn it on for a few hours each evening, again to mislead potential thieves into thinking you were at home when you were not.
Ironically, many people who take such precautions in the physical world exercise much less — or no — caution in the digital one. When you tweet for two weeks about your daily wanderings in Paris, everyone who receives your engrossing updates learns of your absence from your primary residence. And maybe you can trust all 327 people who get your tweets – but what about the extra 272 people to whom your messages are forwarded? Including the furtive-looking fellow who came to one of your parties at the "invite" of one of your co-workers, and who, unbeknownst to you, took all sorts of pictures of your Asian art collection on his mobile phone as you were busy recounting to friends on the patio your last trip to Japan.
To raise awareness of how new LBS-related technologies and services can increase such risks, a few Europeans created the site "pleaserobme.com." The name of the site tells it all, and by raising awareness of "over-sharing" of personal data — especially location-related information — serves as a sober reminder to practise safe social networking over the Internet. It will be interesting to see, however, whether or to what degree this cautionary message resonates in an environment of hyper-social interactivity as practised by the Facebook generation.
Not Just More of the Same
Some will argue that the digital/networking technologies that facilitate location awareness simply continue a trend that pre-existed the computer age. The point is made that, unless you live like a recluse or a hermit, you lose a certain degree of privacy as soon as you leave your house and enter the public realm. You could run into someone in the subway, who would then know you are out. Or, more nefariously, someone wanting to know your location on a more sustained basis might hire a private investigator to follow you around town.
This is all true, but the facilitation of tracking and surveillance by electronic, location-enabled devices really does introduce a whole new variable into the private/public debate. This was recognized recently in a US criminal case that looked at whether law enforcement needs a court-approved warrant in order to lodge a GPS tracking device inside the bumper of a suspect’s car.
There is case law that indicates that police do not need a warrant to take advantage of technology in order to observe something they could have surveilled without the technology. In this case, the police argued that they could have simply followed the car, like the private investigator noted above.
The court concluded otherwise. A critical difference, noted the judge, is that a GPS device tracks every single movement of the automobile (and hence the suspect). The functional equivalent in the non-tech world, the court reasoned, would require "millions of additional police officers, and cameras on every street lamp." (Since that decision was rendered, appellate courts in the US have delivered opinions on the issue. In one case, the appellate court ruled that the police required a warrant to attach a GPS tracking device to the defendant's car while another came to the opposite conclusion.)
The Supreme Court of Canada, as early as 1992, mused about a world where devices could track all of a person’s movements all the time without visual surveillance. Now that that world has arrived, it will be interesting to see how courts, both in Canada and abroad, apply search and seizure law to this new LBS environment, and specifically whether they ultimately will require court-approved warrants for certain types of location-based information.
Is Your Location Private?
As the courts work through these issues, one core question will be whether a person should have a reasonable expectation of privacy in their location-oriented data. Some will argue that location does not encompass the "core biographical information" that traditionally attracts Charter protection for warrant-based searches.
On the other hand, while your presence at the local coffee shop may not seem very revealing of your personal information (unless the café is in Paris, and you’d prefer that information not get into the hands of would-be thieves), what if it can also be determined that your assistant from work is also at the same coffee shop, and that the two of you have been meeting there each day for the past two weeks. And what if the coffee shop is in a hotel? Would your spouse be interested in this information?
Or would your employer be interested in the fact that every Tuesday you attend a psychiatric clinic? Or that recently you attended a meeting of the Marijuana Party?
The courts may go with the Privacy Commissioner’s statements about Internet Protocol (IP) addresses, i.e., that strictly speaking, an IP address is just a number that identifies a computer. As such, on its own, an IP address is not personal information. If, however, the IP address is used in the context of other, personally identifiable information, then privacy regulators are willing to characterize the IP address as personal information.
Managing Location Information Carefully
Given the sensitivity of location-based information, at least in certain circumstances, we are likely to see more decisions like the one made by the Privacy Commissioner a few years ago when employees of a trucking company complained that their employer was able to track their every movement through the new GPS devices that the company had installed in each truck in the fleet. The Privacy Commissioner concluded that the trucking company could use the GPS to manage asset protection and scheduling, as these were legitimate business objectives facilitated by new LBS applications.
On the other hand, the Privacy Commissioner also held that the company could not use the GPS data to make inferences about employee performance, as this was too invasive of a person’s privacy, and therefore was not allowed under Canada’s national privacy statute.
In a similar vein, companies that provide LBS will have to be very careful about the privacy policies they implement regarding the capture, storage and usage of location-based information. And of course, users of such services will have to develop very sophisticated methods of managing the privacy preferences and settings on these services. Otherwise, there will be many awkward moments ahead, some of which undoubtedly will result in legal claims.
Equally, LBS-related applications should be designed, whenever possible, in a manner that reduces privacy risk. For example, rather than have the toll highway track the location of each car through the transponder on the car’s dashboard, consideration should be given to pre-loading the transponder with "electronic cash," which is then anonymously paid down every time the toll highway is used. In short, organizations should be aware of location-oriented privacy legal issues, and take reasonable steps to accommodate sensible solutions.