"Toto, we're not in Satnav anymore": Does the Law Protect Mobile Users from a misuse of their Location Data?
Most ordinary citizens wouldn't be conscious that they are using a location-based service ("LBS"), despite doing so frequently.
Once upon a time, eons ago (which isn't much more than 5 years in the tech world) a location-based service referred to a portable GPS car navigation system and not much else. Fast-forward 5 years through the advent of the smart-phone and the explosion of mobile apps and today location-based services, or "LBS", is a buzz-word in the industry right up there with "cookies" and "tablets". So what does it mean and why should we be concerned?
Most ordinary citizens wouldn't be conscious that they are using an LBS, despite doing so frequently. The most obvious example other than SatNav is Google Maps, which uses the 'My Location' feature to find the approximate location of your phone using a combination of GPS coordinates along with the ID of the nearest mobile tower. This is known as your location data. Once your location is found, the app can work out the directions from that location to the address you input, mapping your route along the way. This is clearly a convenient and useful service and is only one of many other LBS apps which are similarly useful (and in some cases would be useless if they did not use location data). However, there are also plenty of mobile apps which users don't realise are collecting their location data. For example, many users aren't aware that popular iPhone app "Paper Toss" – a game in which you score points for virtually tossing paper in a bin – collects their location data.
Further, many users don't realise that some app providers and developers sell their users' location data to marketing companies, allowing profiles to be built for targeted advertising and other purposes not necessarily apparent from use of the original app.
It is, therefore, little wonder there is a growing distrust amongst mobile users regarding LBS, much to the vexation of the genuine LBS providers. So what does the law do to protect users from a misuse of their location data?
The good news is that the interception and processing of location data from mobile phone users is already heavily regulated in the EU and UK. The not-so-good news is that the laws were drafted eons before The Age of the Apps. Location data is regulated in the EU by the "e-Privacy Directive" (2002/58/EC), which has been implemented locally in the UK by regulation 14 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PEC Regs). Under the PEC Regs, location data may only be collected and used if:
- the user cannot be identified by the data; OR
- it is necessary for the provision of a value-added service (e.g. the app or the service provided by means of the app) AND the user has given his or her consent.
Further, if a user is able to be personally identified, the person or persons who control what happens to their location data must also comply with the Data Protection Act 1998. As location data primarily relates to the geographical position of a user, at first glance it may not appear to make the user personally identifiable, meaning any app developer may be misled into believing they can do whatever they like with that data. However, if the location data is combined with any other data that then makes the user personally identifiable, it may only lawfully be used where necessary for the purposes of the app, and only where the user has given consent. It would be difficult for an app developer of a game that on-sells location data to marketing companies to argue that it is necessary to do so in order to play that game, even where they have the user's consent.
Finally, whether or not a user has given consent could, of itself, fill a library with competing legal theories and debates, but needless to say in this context, in the UK at least, it must be freely given, specific and informed. In addition, the user must be given an opportunity to withdraw consent at any time and each time they connect to the network or transmit their location data.
Taking this all into account, when was the last time you bought an app that gave you prior notice asking if it was okay for your geographical coordinates and the places you visited on any given day to be sold to marketing companies for the purposes of peppering you with ads based on assumptions about your interests, socio-economic background or even your sexuality? Nine times out of ten, an LBS app simply tells you that the application wants to use your location and then asks you whether to allow, or not allow; hardly sufficient to be considered 'informed' consent, as most users wouldn't understand the full implication of pressing 'allow'.
As such, there currently appears to be a disconnect between what the law requires and how it is applied in practice, partly because, as previously stated, the laws were drafted at a time when the extent of LBS uptake on the mobile platform had not been fully comprehended. There is also the overarching issue of inconsistencies in how the e-Privacy Directive has been implemented among the member states in the EU and, more generally, inconsistencies in data protection laws across the pond and beyond.
It's not all panic stations, however. The industry itself is coming up with some novel ideas to counter the growing mistrust among LBS users. Concepts that have been mooted include:
- providing users with the ability to 'cloak' their location, by enabling privacy settings so that their location can only be approximated to the hundreds rather than tens of metres;
- allowing users to set their privacy settings so that they can 'hide in the crowd', by delaying transmissions of location data until a minimum number of other users is in or nearby that location; and
- the use of what is known as a privacy broker. This is a term we're likely to see more and more of. The concept involves a "trusted server" acting as a proxy between users and LBS. All user requests are sent through the trusted server, which anonymises or blurs the information as it leaves the proxy server and is sent to the LBS, preventing the release of personal information. The LBS then communicates with the trusted server, which provides the reply to the mobile device while also preventing cookies from mining phone data.
All of these methods aim to put the user back in the driver's seat and in control of their privacy.
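The first two ideas in the list above, combined the way a privacy broker could apply them before anything reaches the LBS, as an added sketch that is not part of the original article or any product it mentions. The names `cloak` and `CrowdGate`, the 500 m cell, the threshold of three users and the sample fixes are assumptions chosen for illustration, and the metres-per-degree conversion is an approximation that holds away from the poles.

```python
import math
from collections import defaultdict

M_PER_DEG_LAT = 111_320.0  # approximate metres per degree of latitude


def cloak(lat, lon, cell_m=500.0):
    """Snap a fix to the centre of a cell_m-sized grid cell.

    Returns (cell_id, (centre_lat, centre_lon)); every fix inside the
    cell maps to the same output, so the exact position is not recoverable.
    """
    dlat = cell_m / M_PER_DEG_LAT
    row = math.floor(lat / dlat)
    centre_lat = (row + 0.5) * dlat
    # Longitude degrees shrink with latitude; use the row's centre so all
    # fixes in one row share the same column width.
    dlon = cell_m / (M_PER_DEG_LAT * math.cos(math.radians(centre_lat)))
    col = math.floor(lon / dlon)
    return (row, col), (round(centre_lat, 5), round((col + 0.5) * dlon, 5))


class CrowdGate:
    """Broker-side buffer: release a cell only once k distinct users are in it."""

    def __init__(self, k=3, max_age_s=300, cell_m=500.0):
        self.k, self.max_age_s, self.cell_m = k, max_age_s, cell_m
        self.pending = defaultdict(dict)  # cell_id -> {user_id: last timestamp}

    def submit(self, user_id, lat, lon, ts):
        """Return an anonymised record for the LBS, or None while waiting."""
        cell, centre = cloak(lat, lon, self.cell_m)
        waiting = self.pending[cell]
        waiting[user_id] = ts
        # Forget users whose last fix is too old to count as "nearby now".
        for uid in [u for u, t in waiting.items() if ts - t > self.max_age_s]:
            del waiting[uid]
        if len(waiting) < self.k:
            return None  # nothing leaves the broker yet
        crowd = len(waiting)
        del self.pending[cell]
        # The outgoing record carries no user identifiers or raw coordinates.
        return {"cell_centre": centre, "users_in_cell": crowd}


if __name__ == "__main__":
    gate = CrowdGate(k=3)
    # Constructed sample fixes: three users within a few hundred metres.
    fixes = [("u1", 51.5074, -0.1278), ("u2", 51.5079, -0.1270), ("u3", 51.5071, -0.1285)]
    for t, (uid, lat, lon) in enumerate(fixes):
        print(uid, gate.submit(uid, lat, lon, ts=t * 10))
```

A repeated report from the same user does not count towards the threshold, and stale reports expire, so a single device cannot trigger release of its own cell.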
Ultimately the solution will require a combination of regulatory and industry activity. On the regulatory side, the e-Privacy Directive and PEC Regs could do with tweaking to clarify and confirm the reach of the regulation to capture renegade app developers. Unfortunately this was an opportunity missed when other parts of the e-Privacy Directive were amended in November 2009 following a series of consultations, but with no changes made to the Article which governs the use of location data.
There is also increasing recognition that to restore the confidence of mobile users the law only goes part of the way. The industry itself also needs to show it is serious about privacy by adhering to standards and implementing technological measures such as those outlined above in order to reduce the need for further regulation. A good example is currently being set by the GSMA, an organisation that represents the interests of the mobile communications industry, which is taking a pro-active approach to addressing the growing mistrust of LBS providers by developing a set of Mobile Privacy Principles as a basis for more detailed codes of conduct for the industry.
Until such industry measures have been widely implemented, consumers who are concerned by what happens to their location data when they press 'allow' can either simply select 'not allow', or tap into their phone settings and switch off the location function in respect of those apps they feel don't require knowledge of their location.
One thing is clear though: mobile location-based services are here to stay. LBS providers would be well advised to remain alert to consumer concerns and the ongoing legal and industry developments that must surely come.