Saturday, January 30, 2016

Geolocation: always evolving toward a finer grain

I was looking at geolocation data on the laptop the other afternoon, and thinking how it is part of the data collection picture so desirable for advertisers these days and so saturated by government security programs. Both advertisers (business) and government seem important and thereby worthy of a short post on geolocation.

Advertisers can be controlled, but after 9/11, our own government transitioned into a silent and invisible 24/7 domestic data collector. How does this relate to location. Well, location privacy feels important because our location is immediate -- it's first-person and physical, not conceptual. It feels normal to occasionally want to be alone somewhere. We understand this in our personal relationships, for example. This used to be as simple as going for a walk in nature, or around the block for a smoke at midnight -- very simple actions a person takes for granted. People feel such moments are private. However, since as recently as 2012, non-exempt citizens can only guess at how comprehensively during their daily activities they fall within camera range. Citizens can likewise merely guess at what is done with the images. In other words, citizens are given no clues as to where to file an inquiry if they do not approve of some camera or want access to its images -- we don't know who's operating them or what they're used for.

facial and license plate recognition

In addition to static cameras, note that every time you see a newer police car, or parking enforcement vehicle, an ALPR or some facial recognition system is likely built-in. A police vehicle is, among other things, and depending on a department's budget, a network node continually transmitting information. The transmissions have time and geolocation stamps added to the information. For example, in the transmission of license plate numbers from a cruiser, a combination of the license plate number+geotag+time is sent. This is a nearly insignificantly small database line entry. However, the entered data is easily reassembled into patterns of travel A lifetime collection of a person's driving and location-based facial recognition instances could easily fit on a USB stick. We'd want to hope that depth of information was being used in an entirely temporary and exculpatory manner by agencies which gathered it. Good luck.


Assuming a phone with a battery and a SIM registered to its owner (not a borrowed or stolen phone), the owner's location is known to at least three meter accuracy. Added to this, government offices listening-in to the content of the call, or reading its text messages, accomplish these actions easily in real time, within agencies as low as city police departments, and with or without warrants. This is just by our friendly government and business organizations; foreign governments' interests are lesser known, but can reasonably be imagined.


When we use our desktops, the public (government) sphere again sees whatever it wants; what about the private sphere? Consider your monthly ISP bill. One's home address is tied to their account, it makes no difference whether one is being served a dynamic or static IP. ISP's could sell this bundle of info to advertisers in real time. Further, physical street addresses are easily interchangeable with exact GPS coordinates -- it makes little difference if the GPS coordinates or a physical street address is sold to advertisers.

Those in law enforcement, military, and perhaps some other protected categories (judges, etc) have some protections against commercial incursions or release of their information, depending on the situation. Citizens however, have only whatever's customary for a limitation, since there are very few explicit, effective privacy laws. Customary business limitations are not black and white restrictions on the release of data, and they can easily change, as you may note at the fine print of any privacy policy you accept. For example, lawsuits might occur as a result of, say, a stalker purchasing one's street address directly from an ISP, or if ISP's made one's mailing address easily available to advertisers. But if wins in court made it possible to absolve ISP's from any responsibility for selling your information to a stalker posing as an advertiser, ISP's might start selling that information tomorrow. So ISP's don't divulge the entire package to advertisers... yet. Instead, ISP's divulge some network node/hub near your home, usually a sphere of within 10 or 12 blocks, probably in your zip code, but without your name attached. Try this site, for example. And again, these are simply business practices, not real privacy protections. They can be changed at any time.


As just noted, public opinion or civil cases are probably the motivation for ISP's and major websites providing some grudgingly small privacy protections --- for now. But even these appear to be at the lowest possible boundary of honesty. For example, with geolocation, by asking the user if they will allow geolocation, the provider is giving the user an impression that no geolocation information has already been released. We've already seen from the link above that this is not the case. Let's say I'm browsing in Opera and I want to listen to a radio station in Pittsburgh. I go to the radio station's website and click on, say, a "listen now" button. I will very likely see a window such as this one:

The impression is the station does not know my location and wants to learn it (for regional advertisers, or so on). But we've already seen above at iplocation. net, that the station already has a fix on my location within an accuracy of several blocks from my laptop. What advertiser (or MPAA/RIAA stooge) needs more information than this? So what's really going on? When I read the notice, it seems very possible the reason for asking is the privacy policy notice: I am accepting Google's, or Microsoft's (Silverlight), or the station's, privacy policy regarding location information. Recall that privacy policies, once accepted, can be changed in the future without notice. Information about me can be added to the data stream at a later date, eg, my home address or email address, without further notice, once accepted. If we follow the money, and previous for-profit privacy incursions, it appears this is why acceptance of geolocation is being requested.


Just like other webpages, geolocation queries from webpages are cached and need to be purged, if you don't want the results read by other applications later.

the future

Profit pressures and motives will likely degrade these policies until, at some future date, it seems reasonable to assume our physical address/GPS coordinates will be known in real time and possibly tied to our name. This is currently trivial for some government agencies, but I'm talking about within the private sphere also. At the point it becomes accepted for business, there will be little difference between a cell phone or a home desktop, and in fact, the desktop may be less private at such a time, since a home address is also a mailing address. Accordingly, businesses which support law enforcement and law enforcement unions have proactively lobbied for protections for their officers. The situation varies by State, and even by jurisdiction, but it's a good idea: all citizens should have such protections. Since government agencies can pierce any privacy protection with ease, there is no national security implication for extending such protections to all citizens.


The Chrome browser used to have a way to enter, "emulate", spurious GPS addresses (again, only for private concerns, not for government concerns), but this has been eliminated, probably due to advertiser, or MPAA/RIAA pressures. Essentially, if you are streaming anything, you are likely to see a window such as the one above.


Take all of this location and identity information above, and integrate it with credit card data, browsing habits, email and text parsing, and you've got quite a case, or advertising file, on anyone. Still want to go outside for that walk or stream that radio station from Pittsburgh?

No comments: