Geo-Privacy and Personal Location Information

2

We share our location thousands of times a day, sometimes we explicitly share with individuals, other times we share to specific platforms, and still other times the sharing is deeply embedded in the systems we use. In each case we share our location information, we are giving up some of our geo-privacy.

“Find my Friends” is a very common example of explicit geo-privacy sharing, so we can see where our friends are on a map in relation to ourselves. In many social apps you can “check-in” and share your location as part of social community, putting yourself as a dot on a map for others to find. But you may not be as aware that your location may also be constantly tracked from non-map apps, logs of IP address, and by your mobile provider.

Organizations: Adopt a Location Strategy

As an organization, you must be very aware of how you are using and storing location information. Most organizations have location information, such as mailing addresses (employees, customers, and suppliers), facility locations, and perhaps real-time feeds of their workers. How is that data managed? If it got out or was shared, what could that information reveal? Is there a certain pattern that could put people or assets at risk? Accessing this information over time can reveal patterns and compromise privacy. If this information gets into the wrong hands, it could have devastating effect.

Do you track your employee’s daily locations? Many organizations use employee tracking to optimize operations and improve security, but you may also be ‘tracking’ employees via their IP addresses when they access your company’s network. If so, what are you doing with that information? Just as PII (Personally Identifiable Information) has become something that CIOs need to worry about, so is PLI – Personal Location Information. Your organization needs to have a policy around what data is kept and why and who can get access to it.

You may feel reassured when people tell you, “don’t worry that data has been anonymized” so they cannot track an individual. But the reality is at some point it wasn’t anonymous. Is that data on your system? Even if the anonymized data is all you have now, it can still be analyzed and individual patterns derived. Let’s say, for example, that you have data from a company that has an exercise app. They shared the anonymized data with researchers to help them better understand where people are exercising (all good intent). But if you were to look at who was jogging at 5:00am in a neighborhood, you could see individual tracks, and by tracking the start and end position over a few days you probably know where that person lives, which leads to a name, to an email, to web sites visited….

If your organization collects this sort of data, you need to consider if removing the names is enough if you share this data with others. Ultimately, as part of a location strategy for your organization, you need to understand how you use location information to help your organization and how you protect and manage personal location information.

Individuals: Take Ownership of Your Location Data

As an individual what can you do to manage your own personal location information? First and foremost, don’t share your location with everyone. It sounds simple – and it usually is – but you should only share your location with your friends when you are in an app.

If you use an app for work, check on its tracking settings. It should be using your location only when the app is open. Then, only open the app when on the clock. Ask your employer how they manage this information. Ask them if they have a geo-privacy policy and understand what information they collect and store.

And finally check your location history. Many platforms save your location history and use it to improve the convenience of the app for you. This may include things like your search history and most visited locations. You can easily delete or reset it.

Developers: Just because you can, doesn’t mean you should

As an application developer, you should think beyond specific XYs.  If your application allows people to share their location, how specific does it really need to be? Just because the GPS gives you 6+ numbers after the decimal, do you really need that precision? I would argue probably not.

When sharing data, can you easily aggregate or generalize it at different resolutions as appropriate to obscure the source (hexagons are a great aggregation method). And it’s not just how you display the data, what you store is equally important, the less data you store, the easier it is to protect privacy.

Just because you can track individuals very precisely, doesn’t mean you need to store all that precision, nor does it mean you should analyze and share that precise data with others.

Personal Location Information – Harmless or Do No Harm?

We share all sorts of information, isn’t your Personal Location Information just like all that other information? I would argue no.

Sharing your thoughts, opinions, dreams, apparitions, or the fact you like pineapple on pizza does not impact you in the physical world. (Although the pineapple thing might get you in trouble.)  But location matters. If your location details are no longer private, any digital attacks can easily become physical. PII is increasingly regulated, but Location is a key aspect of your personal information that is not yet as closely guarded.

There are plenty of reasons we share our location in today’s world, and individually these are mainly harmless. However, because location is persistent and can be matched with other information, others may be able to figure out a lot more about you than just where you get your coffee. And for you and your organization to effectively understand and deal with the issues of Personal Location Information, you must ensure you have a comprehensive geo-privacy location strategy.

Damian Spangrud
Damian Spangrud is the Director of Solutions at Esri. In his 24+ years at Esri, he has focused on making the Science of Where understandable and actionable. As part of Esri’s corporate management team, he often travels to speak about the role of GIS along with technology and innovation trends. In his role as Director of Solutions, Damian manages teams that evangelize the role of GIS across industries and build industry focused apps, making it easier to use GIS across organizations while driving innovation. Prior to his current role, he led Esri’s product management team as the ArcGIS Product Manager. Damian has an MSc in Earth Science and a BS in Geography and a passion for maps and spatial analysis. Damian tweets about all things spatial (especially maps) @spangrud.