Location Privacy Legislation is Move in Wrong Direction: Part 1 – User Notice and Choice

Location-based apps

Over a decade ago, President Clinton ordered the Department of Defense to discontinue “Selective Availability”, the intentional degrading of the civilian Global Positioning System signal, in an effort to allow all businesses and residents in America to have access to the numerous benefits of location-based technology. This has been an enormously successful policy decision that has unleashed a wide range of innovations for consumers and businesses that use geo-location data in sectors as diverse as transportation, agriculture and public safety. Today location can be determined on mobile devices, with various degrees of precision, from a variety of data including GPS, cell towers, Wi-Fi signals, and IP addresses. Unfortunately Congressional legislation would prohibit companies from collecting or using location information from electronic devices without first obtaining consent from the user might stall many of these benefits.

This bill in question is the Location Privacy Protect Act of 2012 which passed the Senate Judiciary Committee in late December. This legislation would require any company that discloses geo-location information collected from an electronic device to another entity, including its affiliates, to identify these entities and obtain user consent. This is particularly problematic for apps that are supported by location-based advertising because it would mean that anytime the app uses a new ad network, it would need to re-obtain user consent. Sen. Al Franken (D-Minn.), who is sponsoring this legislation, argues that this bill is needed for three reasons: 1) because some companies are sharing location information with third-parties without the knowledge of the user; 2) because some apps for children are sharing location information without the knowledge of their parents; and 3) because some domestic violence abusers use “stalking apps” to track their victims.

It’s worth addressing each of these points. In this post, I will address the first two arguments, and in a later post I will address the third point.

First, it is important to recognize that the vast majority of uses of location data in mobile devices are legitimate and beneficial. It is not a 50/50 split of “some legitimate, some sleazy” as implied by certain advocates of the legislation. Geo-location data is used in mobile devices for a huge variety of applications, including finding local points of interest, participating in location-based online games, engaging in new forms of social media, receiving location-based advertising, and helping people navigate by car, bike or on foot… to name just a few. And developers are continuously creating innovative new applications that take advantage of location data to offer consumers better experiences and useful tools.

Second, the legislation makes no distinction between identifiable and non-identifiable data. The use of de-identified data should not be restricted. The use of non-identifiable data generally poses no risk to the user, but offers a number of collective benefits. For example, one way to measure road traffic is to track the unique Bluetooth MAC addresses that pass by a particular sensor. This data is collected anonymously from mobile devices but this use would seemingly be restricted in this legislation since obtaining consent from the individuals would be nearly impossible. As a result, mobile devices could not be used as sensors to track traffic flows on roadways—a hugely beneficial service that helps relieve roadway congestion and reduce fuel consumption.

Third, it’s worth noting that the two initial reasons given for this legislation do not point to any specific harm. Simply revealing location data to a company is not itself harmful, and consumers routinely reveal geo-location information in multiple ways. If you swipe your debit card at a gas station or ATM, you reveal precise, time-stamped, geo-location information. If you walk in front of a security camera, there is now a precise electronic record of where you were. Even if you take a photo, many digital cameras will now include the time and location of where the photo was taken in the image file’s EXIF metadata. While there may be occasional privacy concerns about some of these activities (just ask John McAfee), overall the collection and use of this information benefits consumers and society.

Consumers are generally not being misled about mobile apps with false information in a privacy policy—if they were, the FTC (or the litigious California Attorney General) could take action against these companies. Supporters of this legislation know this, and so rather than point to a specific harm, they express a vague concern that some companies might be doing something that some consumers are unaware of. This is probably true. I’m sure some consumers are unaware of how some apps work. But I also think it’s time we stop assuming that willful ignorance of the inner workings of software constitutes a public policy problem and start acknowledging that we don’t need Congress to step in every time a consumer doesn’t know something.

Moreover, many websites and apps already disclose this information in privacy policies. This legislation is at odds with efforts to simplify privacy policies for consumers since it requires a separate disclosure. One reason for the incredible innovation we are seeing in mobile devices is because these devices now have a variety of low-cost sensors that provide a wealth of information. If we continue down this path in the future we may have legislation requiring separate pop-up notice and consent requirements for every type of information collected and used by an app.

In addition, app developers and others are already working to make privacy disclosures more understandable to consumers. For example, as shown below, the App Trust Project has been developing and testing icons that make it clear to users whether location information is being collected and used on mobile devices.

Mobile app icons

Finally, the argument that this is needed to protect children (again without showing how children have actually been harmed) has been made even more irrelevant because the FTC’s recently revised its regulations to define geo-location information as protected personal information under COPPA. This means that companies must give parents notice and receive their verifiable consent before collecting, using and disclosing this information. So it is unclear what additional benefit this legislation would add for providing parents additional notice and choice. (For more on COPPA, see my recent filing.)

It has become fairly common for privacy advocates to trot out the “it’s creepy” and “think of the children” arguments whenever they want to pass privacy legislation. But when pressed they have a hard time showing any actual harms or showing how the benefits of implementing privacy legislation outweigh the costs. Given that there has been a tremendous amount of innovation based on location data and likely much more to come, Congress should be wary of interfering, especially since current measures offer consumers sufficient protection, notice and choice.

Print Friendly

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.