Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

Roger and Marcus' 'You Are Where You've Been'

You Are Where You've Been
Location Technologies' Deep Privacy Impact

Roger Clarke **


Marcus Wigan **

Preprint for the Third Workshop on Social Implications of National Security, Canberra, 23-24 July 2008. It appears in Michael K. & Michael M.G. (2008) 'Australia and the New Technologies: Evidence Based Policy in Public Administration' Research Network Secure Australia, July 2008, pp. 100-114

(See the Project Overview)

© Xamax Consultancy Pty Ltd and Oxford Systematics Pty Ltd, 2008

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at


Location is a critical aspect of both privacy and surveillance. A detailed record of locations allows all sorts of other information to be linked together, adding to information about the subject and his or her associates in the same way that a unique identifier allows dataveillance to be expanded so swiftly and extensively. This time by allowing the linking of both the activities and records of many different people together. Location technologies have far outstripped both public awareness and legal and policy attention. Addressing this gap will require careful use of precise language to ensure that unexpected side effects do not occur when this is finally faced up to, and the present paper explores both this essential language and some of the applications and linkages that need addressing.

A wider public and policy understanding of the implications of the expanding capacities to track, record and monitor location is an urgent need, as it is very difficult to reverse capacities once integrated into a wide range of commercial, enforcement and intelligence systems - as is already happening.

1. Introduction

A decade ago, technologies that could provide information about the location of a motor vehicle, or a computer, or a person, were in their infancy. A wide range of tools are now in use and in prospect, which threaten to strip away another layer of the limited protections that individuals enjoy. While steady moves to identify, trace and record locations of things and animals has long been established, the application to people is now gaining momentum, and requires a reappraisal.

An understanding of the landscape of location and tracking technologies, and of the issues that they give rise to, depends on establishing a specialist language that enables meaningful and unambiguous discussion to take place

Location-based aspects of mobile phones, public transport smart cards and Automatic Numberplate Recognition are used to illustrate the emergent prospective and retrospective issues. The central concern is that the multiplying technologies for real time and retrospective location tracing have advanced far beyond the legal and privacy frameworks that we have in place. In combination with unique identifiers (for people or vehicles) the potential for remarkably intrusive data assembly and use has become a reality that has not been catered for. Neither public expectations not policy exists to handle the social impacts of this wonderfully unobtrusive surveillance technique, and both are necessary if the benefits are to continue to be realised without either significant losses to civil society or a substantial backlash once it becomes known.

Even when appropriate policies and legislative backing have been developed, the confusions between privacy and identity, and what comprises a sufficient yet not enduring identity to preserve privacy will need to be carefully communicated.

This paper commences with a brief overview of key concepts underlying the subsequent discussion. One cluster of relevant concepts comprises real-world entities (particularly humans and vehicles), identities, and pseudonymity and anonymity. A second cluster comprises the concept of location and the process of acquiring it, and the concept and process of tracking.

Building on these ideas, the paper briefly surveys the privacy impacts of location technologies, in order to set the scene for subsequent papers, and to provide a basis for addressing the possibility of privacy protecting middleware for systems currently being developed and deployed. One's location is potentially very sensitive personal data. But the tracking of people's movements both real-time, and retrospectively, lifts the threat to a much higher level and has become a form of function creep that has already become established practice in some quarters.

1.1 Background

Nearly two decades ago Daniel, Webber and Wigan (1990) identified the likely outcomes from the advanced traffic identification, tolling and linkage technologies becoming planning options for operations, and the implications of these location, time and activity specific tracing technologies. Roughly a decade later the sharper issues of more general location data acquisition and integration with other data holding were highlighted by Clarke (1999a), who reviewed location and tracking in what was then still a somewhat simpler world than today. Clarke's paper noted increasing intensity in the collection of transaction data, in the association of personal identifiers with that data, in the retention of that data, and in mining of that data. It also referred to the emergence of spies in people's pockets, wallets and purses (smartcards and cellular mobile phones), and in their cars (toll-road tags, and tagging by car-hire companies, insurers and investigators), and to the integration with other data systems as foreshadowed ten years earlier.

Those technologies are now well-established, and lack any form of consistent- or in some cases even any- regulatory framework. Cellular triangulation and signal-differential techniques, and self-reporting of GPS measurements are also error-prone, but their accuracy and precision appear to be improving. However, Nokia in California has been actively developing methods of movement and traffic monitoring that preserve anonymity, and advocacy for privacy in the emergent location based services via mobile phones is a live and promoted issue in this research team (Jacobsen, 2008).

Radio Frequency Identification (RFID and Near Field Communication (NFC) devices identify and locate chips with reasonable reliability, and, because of their short range, with considerable accuracy. NFC is not widely known. A good source of information on NFC is the industry forum (NFC Forum, 2008), and NFC is increasingly being integrated into mobile phones and used for contactless transactions in various forms of transactions - including public transport. The NFC Forum specifically included credit card companies such as Visa, and is working on device independent intercommunciation with a major emphasis of contactless identification applications. Meanwhile, Automatic Number Plate Recognition (ANPR) surveillance of traffic has been introduced with minimal regard for its impact on privacy and freedom, although very recently a Queensland Government enquiry into ANPR recognised it as an issue in the issues paper (Travelsafe, 2007).

For the last four decades, discussions of privacy and surveillance have primarily focussed on the collection and handling of personal data. In effect, the orientation has been towards 'you are what you've transacted with us'.

The march of information technology has resulted in the scope of the transactions that are being recorded are expanding exponentially, due to the increasing ability to link different data sources- and now to add probabilities of associations from proximity or repeated visits to specific locations, where `people of interest' might also go. Now organisations in both the public and private sectors are seeking data about where people are, in order to use it - sometimes at least nominally for themselves, but in practice mostly against them or at the very least to pick them out as objects of special interest, be it marketing, tracking, monitoring, or active surveillance. The almost complete absence of data destruction requirements for such implied transaction data means that data about 'where you are now' is kept, and becomes a trail of 'where you've been'. The presumption underlying the exploitation of this pool of data is that 'you are where you've been', and to which we may now add `the probabilistic associations of others visiting the same locations at various times'. This addition enhances intelligence activities (Michael et al, 2006.) - but does not increase precision in a civil law sense.

The latter is a critical and quantum change in the surveillance capacities, as such associations are (necessarily) probabilistic (or circumstantial) evidence - until unique personal identifiers on both parties are added to the mix. This new expansion of dataveillance techniques moves from the evidence base of current surveillance systems, which are largely compatible with civil law, to the anticipatory and necessarily probabilistic approaches that are the unique domain of intelligence and anti-terrorist operations - which operate on quite different bases for action. This is a major shift, and one that is largely innocuous when done for marketing purposes- but changes the nature of civil society if added to normal civil law and the complementary police approaches to evidence.

2. Concepts of Identity, Entity, Nymity

This section provides an overview of the concepts of identity, entity and nymity. It draws heavily on relevant parts of Clarke (2001, 2004).

The term 'entity' refers to any item that exists in the real world. It is sufficiently generic to be applicable to a rock, a chair, a motor vehicle, a device with a computer embedded in it, and a human being.

The term 'identity' refers to a particular presentation of an entity, such as a role that the entity plays in particular circumstances. For example, a motor vehicle is an entity. It may have multiple identities over time, such as taxi and getaway car. A mobile phone is an entity, but it may take up different identities depending on the SIM placed in it. A computer is an entity, but each process that runs on it is capable of being an identity distinct from both the entity and the other identities represented by other processes.

People perform many roles, and most individuals are known by different names in different contexts. In some cases, the intention is dishonourable or criminal; but in most cases the adoption of multiple personae is neither, but rather reflects the diversity of contexts in which they act, including within their family, their workplace(s), their profession, community service and art. In common law countries, people are in no way precluded from using multiple identities or aliases. Actions that take advantage of multiple or situation-specific identities in order to cause harm or circumvent the law are, on the other hand, criminal offences, and there are increasing attempts to limit even the legal use of multiple identities for administrative and enforcement convenience. If this occurs there are many unfortunate consequences (Wigan 2007).

An identity may be distinguished from other, similar identities through the use of some kind of label or signifier. For example, a SIM card has a SMI-card identifier, a process running in a computer has a process-ID, and a human being has (many) names and codes assigned to them.

Similarly, an entity may be distinguished from other, similar entities through the use of some kind of label or signifier. Even some rocks have names or numbers, motor vehicles have vehicle id numbers (VINs), engine numbers and registration 'numbers', mobile phones have unique numbers associating with housing, Radio Frequency ID (RFID) chips (used in all sorts of transport, logistics and manufacturing process, passports etc) and human beings have biometrics. Given that the term for an item of information that distinguishes an identity is 'identifier', it is convenient to refer to an item of information that distinguishes an entity as an 'entifier'.

An identifier that can be linked to the underlying entity only with considerable difficulty is commonly called a pseudonym. If an identifier cannot be linked to an entity at all, then it is usefully called an `anonym'. And a term that usefully encompasses both pseudonyms and anonyms is `nym'.

Anonymity is a characteristic of Records and Transactions, such that they cannot be associated with any particular entity, whether from the data itself, or by combining it with other data. Pseudonymity is a characteristic of Records and Transactions, such that they cannot be associated with any particular entity unless legal, organisational and technical constraints are overcome. And a term that encompasses both anonymity and pseudonymity is `nymity'.

The concepts of location and tracking, discussed below, clearly apply to entities. However they may also apply to identities in various circumstances, and hence to nyms.

3. Concepts of Location and Tracking

This section provides an overview of the concepts of location and tracking for geospatial referencing. It draws heavily on relevant parts of Clarke (1999a).

By an entity's location is meant a description of its whereabouts, in relation to other, known objects or reference points. Examples include the following:

The 'space' within which an entity's location is tracked is generally physical or geographical. All of the above examples relate to location within physical space. Other kinds of 'space' exist and location within such spaces may be defined in other terms. For example, a location may be virtual, as in the case of a person's successive interactions with a particular organisation. A particularly important example is 'network space'. An IP-address records the location in network space of a software process entity (which necessarily is running in a computer entity).

Location can be ascertained with varying degrees of precision, accuracy and reliability. These are addressed formally in the US Federal Geographic Data Committee (FGDC, 1998) metadata system for geospatial information in addition to other issues in geospatial quality as they are critical factors in location (see also Perusco and Michael, 2005). The location of installed devices such as fixed ATMs and EFT/POS terminals may be quite exact, and reliable. The locations of some EFTPOS (Electronic Funds Transfer at the Point of Sale) terminals (e.g. those in taxis) are much more ambiguous, as are those of small modems, codecs and Ethernet and other network interfacing cards, which may be removed from their recorded location.

Devices such as cellular phones, and portable and hand-held computers, are designed to be mobile, and additional information is needed in order to draw inferences about their location at the time of a particular event. Some kinds of location definition may be limited to a line or cone (e.g. those relying on directional mechanisms), or an area bounded by three or more lines (e.g. those relying on triangulation). However there is a rapid growth in Augmented GPS systems, where GPS is supplemented by additional information of local inputs..

Measures of location may be available with varying degrees of timeliness. By this is meant the lag that occurs between the event, and the availability to a person undertaking surveillance of the transaction data reflecting that event.

By `tracking' is meant the plotting of the trail, or sequence of locations, within a space that is followed by an entity over a period of time.

Due to timeliness limitations, data may only be available for Retrospective analysis of a path that was followed at some time in the past. A 'real-time' trace, on the other hand, enables the organisation undertaking the surveillance to know where the entity is at any particular point in time, with a degree of precision that may be as vague as a country, or as precise as a suburb, a building, or a set of co-ordinates accurate to within a few metres.

Moreover, a person in possession of a real-time trace is in many circumstances able to infer (as yet only selectively) the subject or object's immediate future path with some degree of confidence (Graham, 2008). The capacity to do this on increasing numbers of designated targets (people of vehicle/objects of interest) is rapidly increasing. However the Microsoft, UC Berkeley and University of Maryland collaborative work program (Hu &Wang, 2005; Jiang et al, 2007), on which Graham's article is based, also addresses privacy options.

4. Privacy Threats in Location and Tracking

This section provides an overview of the privacy threats inherent in location and tracking. It draws substantially from Clarke (1999a). The threats arise from individual technologies, and the trails that they generate, from compounds of multiple technologies, and from amalgamated and cross-referenced trails captured using multiple technologies and arising in multiple contexts. The human and ethical issues of enhanced location based identification are also addressed by Perusco and Michael (2005). The fundamental concepts of dataveillance and the risks it embodies are examined in Clarke (1988).

Location and tracking technologies give rise to data-collections that disclose a great deal about the movements of entities, and hence about individuals associated with those entities. Given an amount of data about a person's past and present locations, the observer is likely to be able to impute aspects of the person's behaviour and intentions. Given data about multiple people, intersections of many different kinds can be computed, interactions can be inferred, and group behaviour, attitudes and intentions imputed.

Location technologies therefore provide, to parties that have access to the data, the power to make decisions about the entity subject to the surveillance, and hence to exercise control over it. Where the entity is a person, it enables those parties to make determinations, and to take action, for or against that person's interests. These determinations and actions may be based on place(s) where the person is, or place(s) where the person has been, but also on place(s) where the person is not, or has not been. Tracking technologies extend that power to the succession of places the person has been, and also (probabalistically, but in the case of real time monitoring, increasingly accurately) to the place that they appear to be going.

Currently locational data is largely only a by-product of the operations of traffic systems, public transport operators, mobile phone operations, ambulance and courier services, and those actively collecting data from a small sample of people for research purposes. Active monitoring is in place for vehicle theft, high value transactions in transit - or, in the case of operators such as FedEx or UPS, a realtime monitoring through transit points is a user service that they offer for all their identified packets. The ANPR systems in the UK are now connected to the online registration and licensing databases at the Driver and Vehicle Licencing Authority (DVLA), and is in use by police to anticipate the arrival of vehicles and persons of interest travelling along UK motorways. These are simply a few of the growing number of systems and capabilities: the ANPR/DVLA linkage to Police operations is a significant harbinger of what is in store.

The nature and extent of the intrusiveness is dependent on a variety of characteristics of location and tracking technologies. An analysis is provided in Clarke (1999b), encompassing such factors as the intensity of the data collection process, the data quality, data retention and destruction, and data accessibility.

Dangers that are especially apparent include the following:

The degree of impact on each individual depends on their psychological profile and needs, and their personal circumstances, in particular what it is that they wish to hide, such as prior misdemeanours, habits, and life-style, or just the details of their personal life. Some categories of individual are in a particularly sensitive position.

'Persons-at-risk' is a useful term for people whose safety and/or state of mind are greatly threatened by the increasing intensity of data-trails, because discovery of their location is likely to be followed by the infliction of harm, or the imposition of pressure designed to repress the person's behaviour. Examples include VIPs, celebrities, notorieties, different-thinkers, victims of domestic violence, people in sensitive occupations such as prison management and psychiatric health care, protected witnesses, and undercover law enforcement and security operatives.

Marketers have an interest in identifying population segments and networks, and in building personal behaviour profiles (e.g. mobile location advertising). So too do intelligence agencies, to identify associated persons in National Security applications.

Legislative bodies are beginning to make such information the basis (which may be by visits to a location) grounds for potential criminal action or enforced restrictions. Recent legislation passed in South Australia (Government of South Australia, 2008) will, when it comes into effect, make a limited number of associations through membership or deemed membership (visits to specific locations being one, if circumstantial, basis for such assignment) a basis for assigning people to a specific group subject to police and possible legal action.

More sinister applications arise because so-called 'counter-terrorism' laws have greatly reduced the controls over data gathering, storage and access, over inferring about where people have been and whose paths people have crossed, and over detention, interrogation and prosecution.

5. Location and Tracking Technologies

A wide variety of location and tracking technologies exist. They are mostly oriented towards entities, and their effective operation depends on the collection of entifiers (the range of possible encodings of different forms of identity for entities) that distinguish the particular entity and enable transaction data to be reliably associated with the appropriate entity and perhaps with other transactions. Some technologies are relevant to spaces other than physical space (especially net space), and some to identities rather than entities. Many specific instances of location and tracking technologies were catalogued and outlined in Clarke (1999a).

During the intervening decade, a few of these have become noticed by the general public. In particular, there is an increasing appreciation that mobile phones have become not only a personal convenience, but only a spy in the person's pocket, reporting continually the device's presence in a particular cell (and hence continually disclosing its location to an accuracy of 100m to a few km), even when nominally switched off.

Cell-phone location and tracking data is subject to security and some privacy regulation, but most of the features have been designed from an engineering perspective and privacy protections are incidental rather than intrinsic. The protections are subject to very substantial exceptions. The protections have been effectively nullified by extended powers for law enforcement agencies during the long national security extremism phase that followed 11 September 2001. The protections are subject to compromise by the increasing prevalence of public-private partnerships, and the vast concessions that Governments are granting for-profit corporations in return for taking over the burden of infrastructure provision and maintenance.

The rapidly developing scenario of location base services is not without positive examples. The Mountain View based company Loopt\ (LoopT, 2008a) offers geospatial social networking services, and now deliver location based push advertising with CBS. Clearly aware of the sensitivity of location-linked and sensitive technologies, they have carefully expressed aims to allow users to manage their privacy- LoopT, 2008b). It remains to be seen of the advertising linkages with CBS will leave this intent untouched. There are no formal controls or standards in this area, and they are clearly already badly needed. CBS Mobile are requiring users to `opt-in' and CBS intend to deliver advertisements anonymously and not retain any location records.

"So far, privacy and technology concerns have held back the prospect of personalized mobile ads from the likes of Starbucks or Barnes & Noble. But using Loopt's G.P.S.-based technology and capitalizing on its relationships with mobile carriers, CBS Mobile wants to make it easier for advertisers to aim promotions at consumers more precisely as they walk by particular stores and restaurants" (New York Times, 2008c).

Clearly, some users are apparently not as sensitive about some location based services as they might be were they fully aware of the cumulative record linking capacities of such services. They will pay for them (Isqbal & Lim, 2007), and their specific consent is needed under European Privacy legislation (Loenen & Zevenbregen, 2007). Pelsys (2008) in South Australia already offers personal tracking via mobile phones as a commercial service for employers to track their staff and even to tale pictures and transfer these back to a monitoring base station as part of the service. It is not clear what freedom - if any - these staff may have to disable or deny the use of such intrusive location based services for their employer, although it is but a small step onwards from the accepted commercial vehicle tracking services already on offer. Such commercial services might indeed in the future be used for personal carbon budgets...or to track the carbon budget usage of an organisations' staff.

The assessments of particular technologies in Clarke (1999a, 1999b) and above are mainly conceptual, and the terms `locational' etc are now being more clearly framed in specific cases for discussion of privacy and surveillance issues, although the privacy issues are well recognised (Bettini et al, 2005; Ackerman et al, 2003) In order to bring real examples into closer focus, this section adds a few succinct vignettes that illustrate in greater depth some of the specific and highly problematic technologies (and software and management systems) that have rapidly appeared and even more rapidly been applied. Many appear to be subject to almost no meaningful privacy controls, and have extraordinary and highly negative implications for privacy, and for civil liberties and political freedoms more generally.

To position the nature of the concerns and how they might be addressed, a positive and negotiated example is given first.

5.1 Detailed identified trip purpose, location and data collection programs

The use of GPS to track individuals with their full consent to secure transport planning information now has close to a decade of experience, and has become a standard tool of trade. This is perhaps the only area where full knowledge and assent is always secured, and anonymising is part of the protocol. As long ago as 2004, typical mainstream examples and commentary was provided by the US TMIP (Transport Modeling Improvement Program) program. Murakami et al (2004) summarise the detailed travel data collected, emphasising how detailed and comprehensive it is compared to household methods, and Guensler (2004) reports result of adding instrumentation to 487 vehicles in 270 households which in addition to trip data report speed and engine operating data in real time via a mobile phone connection. The subjects were sampled randomly and a very large fraction agreed to participate over a substantial period of time.

Specialised high sensitivity personal recording equipment has been developed by several transport data specialists in Australia, such as the Centre for Logistics and Transport at the University of Sydney who has applied it to commercial vehicle data collection (Graves & Figliozzi, 2007). The general area of location based services and security and privacy has been given a further impetus from the augmented GPS systems in the European Union. The GALILEO project (European Commission, 2007) is well known for being planned to provide an alternate set of GPS services, but far less well known for offering augmentation of the GPS data and the list of specific services that will be offered. An encrypted authentication scheme is to be available for navigation services, for example, as well as a structured series of ground GPS augmentation and the EGNOS service provision centres on which third party location based services can be delivered.

"The European Geostationary Navigation Overlay Service (EGNOS) is Europe's first venture into satellite navigation. It augments the two military satellite navigation systems now operating, the US GPS and Russian GLONASS systems, and makes them suitable for safety critical applications such as flying aircraft or navigating ships through narrow channels" (European Space Agency, 2007).

This infrastructure is an example of what is possible (Pozzobon et al, 2004) if new technology for linking location-based services with other types of services is planned for in advance.

The lesson is that fully informed consent and responsible management can be acceptable, especially when the application is so clearly for the constructive purposes of transport and traffic planning in the area where the vehicle owners live and work. The levels of detail are very fine grained and linked directly to the people and the vehicles and their operating characteristics at any point in time. The difficult issues are those where these conditions are not satisfied. These are for far less transparent and agreed purposes, and the management of the data and its subsequent recording, linkage and data mining are not disclosed to those monitored.

5.2 Automatic Number Plate Recognition (ANPR)

Far from a balanced and considered implementation of ANPR and the associated databases and linkages, the UK has raced ahead to implement and deploy a national ANPR vehicle surveillance scheme.

In March 2005 the Association of Chief Police Officers of the UK demanded [and now have widely operational] a national network of Automatic Number Plate Recognition (ANPR) UK-wide ANPR data capture "utilising police, local authority, Highways Agency, other partner and commercial sector camera, including the integration of the existing town centres and high street cameras, with a National ANPR Data Centre with an operational capacity to process 35 million ANPR reads every day increasing to 50 million by 2008, stored for two years" (Wood, 2006: p 19).

5.3 Public transport smart cards

The Oyster card for public transport in London is a salient example: one of sufficient notoriety that Richard Stallman (2008) - the founder of Open Source - has publicly protested at such an onerous use of Open Source software. 90% of all bus and underground travel in London is now paid for using Oyster RFID cards (Transport for London, 2008), with 12 million cards now in use. There is no anonymous method of payment, and the linkages between credit cards and the Oyster travel and timing records are thus unavoidable. The function creep is well established, with extensive police and surveillance access used. The commercial extensions and function creep is now beginning with the re-implemented Linux based software for faster modification and greater flexibility for Transport for London to utilise- promoting iTunes on the Oyster system with new members get free vouchers.

The Oyster principles are a major influence on the well-overdue (and over cost) MyKi (myki, 2006) transport ticketing system still under development for Melbourne. Although at least some token attention to privacy is indicated on their website, it remains to be seen if it will remain. In the case of MyKi the extended use of the card to other types of purchases is clearly signalled, so the function creep has begun long before the system has even been finalised.

Oyster has progressively become an major tool for general enforcement and surveillance, the function creep that inevitably occurs once an expensive system begins to work well - many different parties press to get the potential (usually privacy invasive) advantages at minimal marginal cost. This persuasive economic dynamic is one that can confidently be expected to occur again and again - unless clearer privacy rules and new enforcement techniques (maybe drawing upon the same locational technologies with the addition of nyms and other forms of temporary identification adequate for the purpose and no more).

5.4 Identity variants and location based services

There has been little coherent treatment of the privacy and security aspects of the many and various forms of location based services. A few examples have been given here where they has been recognised as an issue of recognised importance, and some provisions have been made. These provisions are inconsistent, and follow no particular pattern.

GALILEO has provided for encrypted navigational services with a full protocol, but it is up to service creators to decide how to use these facilities, but they are indeed there to be used. There is no equivalent of middleware for location based privacy services, although there are systematic efforts to move towards it by mobile phone manufacturers. For example, Nokia (2008) provides full application programming interfaces to support such facilities for its developers so that GPS augmentation by other data sources can be easily be used to enhance the location determination and location attributes.

Nuanced locational anonymity is not impossible. Beresford & Stanjo (2003) propose and demonstrate the mix zone, a locational extension of techniques developed for anonymous communications. Another example is Priyantha et al (2000) who describe the Cricket location system under sole control of a PDA user.

Microsoft is also one of the organizations working on a range of protocols for privacy (or the choice of its absence) at both a middleware level and an application level. All of these approaches are not focussed on providing a coherent approach to privacy in a location-enabled environment, and do not distinguish between people and objects.

As a result the careful niceties expounded in the early section of this paper where the variations in association type (and indeed duration) of associations between individual entities in a data system are not yet widely recognised.

It is only when the overall privacy design of the system is considered that such provisions become necessary. The Internet Taskforce GEOPRIV initiative (IETF, 2008) is probably one of the most effective (or at least pervasive) places to begin to contribute such fine - but critical- distinctions to the process.

6. Conclusions

Locational technologies have not previously been seen as surveillance devices in common use, and so the controls - or even the need to have any - have been slow appear

`Where you have been' is not restricted to location, the massive pressure from many different areas of government and commerce to link up existing data collections on people has a special meaning once the locations visited are not only physical but also social and transactional. To this extent locational issues are sensitive in its own right- but the combination of backward integration with other types of data, as well as historical physical locations, allied to social network analysis offers an almost irresistible attraction to many areas of government administration and commercial enterprises.

In this regard the multiplications of connections that result from adding historical or real time locational data has an impact that draws all individuals and their associations into a single tightly closed net: you may be judged not only where you have been, but by who you were there with (or even close to) - and when. This expansion of connections cannot be ignored and entwines all of us with anyone or any group under monitoring for any purpose, historically or prospectively, or, as one might put it, `you are where you have been and ....who with and when'

Information technology shares a key characteristic with an elephant: it doesn't know how to forget. It needs to be taught how: very quickly - and provably. This is almost certainly an impossible dream, and the best course of action is to focus on three things:

  1. Secure a layered privacy and record linkage process, supported by widely used middleware to buffer the added sensitivities of linking in locational data.
  2. Ensure that the duration of associations between nyms, names and objects etc is as brief as is necessary for the transaction, and make this an industry standard.
  3. To develop policies that articulate clearly that the intermediate associations are neither needed nor kept beyond the transaction in which they are involved. Especially when approximate locations are used to link disparate people or `objects of interest'.

This too may already be impossible to secure, so `we are where we were - and are now likely to be labelled by the characteristics of those who might also pass through the same locations'.


Ackerman, L., Kempf, J. & Miki, T. 2003. `Wireless location privacy: law and policy in the US, EU and Japan'. Internet Society Member Briefing at accessed 3 July 2008.

Beresford, & Stanjo. 2003. `Location Privacy in pervasive computing'. IEEE Pervasive Computing pp. 1536-1268. At accessed June 29 2008.

Bettini, C., Wang, XS and Jajodia, S. 2005. `Protecting privacy against location-based personal identification'. In Secure Data Management. Springer Verlag, Berlin. Pp185-199.

Clarke, RA. 1988, 'Information technology and dataveillance', Commun. ACM 31(5), 498-512Clarke, RA. 1994, 'Human identification in information systems: Management challenges and public policy issues', Information Technology & People 7(4), 6-37

Clarke, RA. 1999a, 'Person-location and person-tracking: Technologies, risks and policy implications', Proc. 21st Int'l Conf. on Privacy and Personal Data Protection, pp.131-150, Hong Kong, 13-15 September 1999. Revised version in Information Technology & People 14(2), 206-231

Clarke, RA. 1999b, 'Relevant characteristics of person-location and person-tracking technologies', Separately-published Appendix to (Clarke 1999a). Xamax Consultancy Pty Ltd, Canberra.

Clarke, RA. 2001, 'Authentication: A sufficiently rich model to enable eBusiness', Xamax Consultancy Pty Ltd, December 2001, at

Clarke, RA. 2004, 'Identification and authentication fundamentals', Xamax Consultancy Pty Ltd, May 2004, at

Clarke, RA. 2006, 'What's 'Privacy'?', Prepared for a Workshop at the Australian Law Reform Commission on 28 July 2006, at

Clarke, RA. 2007, 'What 'Uberveillance' is, and what to do about it', Invited Keynote, In K Michael and MG Michael. `From dataveillance to uberveillance and the realpolitik of the transparent society'. Proc. 2nd RNSA Workshop on the Social Implications of National Security'. University of Wollongong. pp. 27-60.

Clarke, RA. 2008, 'Dissidentity', Xamax Consultancy Pty Ltd, Canberra, at

Daniel, M., Webber, MJ & Wigan, MR. 1990, `Social impacts of new technologies for traffic management', Research Report ARR 184, Australian Road Research Board, Vermont, Victoria.

European Commission 2007. `GALILEO European Satellite Navigation System'. At accessed 21 June 2008.

European Space Agency 2007. `The present- EGNOS navigation'. At accessed 21 June 2008.

Federal Geographic Data Committee. `Content standard for digital geospatial metadata (revised June 1998)'. FGDC-STD-001-1998. Washington, D.C. USA. At accessed 12 June 2008.

Government of South Australia. 2008. Serious and organized crime (Control) Act 2008. At accessed on 6 July 2008.Greaves, SP & Figliozzi, MA. 2007. `Commercial vehicle tour data collection using passive GPS technology: Issues and potential applications'. Paper 08-1294. CDRom, Annual General Meeting of the Transportation Research Board, Washington DC.

Graham. F. 2008. `GPS gadgets can reveal more than your location'. New Scientist, 3rd June. At accessed 5 June 2008.

Guensler, R. 2004. `Atlanta's comprehensive travel data collection effort', TMIP Connection, Spring. p3 at

Hu, YC, & Wang, HJ. 2005. `A framework for location privacy in wireless networks'. At accessed 6 July 2008.

Internet Task Force Secretariat, 2008. `Geographic location/privacy (geopriv)' at accessed 9 June 2008.

Isqbal, MU & Lim, S. 2007. `Designing privacy-aware mobility pricing systems based on user perspective'. Journal of Location Based Services, 4(1), pp. 274-299.

Jacobsen, Q. 2008. `Location based wireless services in urban areas and mobility', Volvo Research Foundation Global Workshop, Berkeley, California (Private communication).

Jiang, T., Wang, HJ. & Hu YC. 2007. `Preserving privacy in wireless LANSs'. Proc. 5th International Conf. on movile systems, applications and services. San Juan Puerto Rico. ACM. NY. pp 246-257.At accessed 8 July 2008.

Kim, MC. 2004. `Surveillance technology. Privacy and Social Control', International Sociology 19(2), 193-213.

Loenen, BV & Zevenbregen, JA. 2007. `The impacts of European privacy regime of locational technology development'. Journal of Location Based Services 1(1) pp. 165-178.

LoopT. 2008a. `LoopT transforms your mobile into a social compass'. At accessed 24 June 2008.

LoopT, 2008b. `Privacy & Security. At accessed 24 June 2008.

Michael, K. McNamee, A. Michael, MG. & Tootell, H. 2006. `Location-based intelligence- modeling behavior in humans using GPS'. International Symposium on Technology and Society, 2006. ISTAS 2006. IEEE. At accessed 1 July 2008.

Murakami, E., Taylor, S., Wolf, J., Slavin, H. & Winick, B. 2004. `GPS applications in transportation planning and modelling', TMIP Connection, Spring. p.3 at .

myki, 2006. "myki will be your key to opening Victoria's public transport'. At accessed 12 June 2008.

New York Times, 2008. At accessed 20 June 2008.

NFC Forum, 2008. At, accessed 20 June 2008.

Nokia 2008. "Forum Nokia - driving mobile innovation: Location-Based services' at on 1 July 2008.

PELSYS (2008). `Pelsys-Tracker: Vehicle tracking/ Personal tracking'. At accessed 7 July 2008.

Perusco, L. & Michael, K. 2005. `Humancentric applications of precise location based services'. IEEE International Conference on e-Business Engineering (ICEBE'05), pp. 409-418.

Poszzobon, O., Williams, C. & Kubik. K. 2004. `Secure tracking using trusted GNSS receivers and Galileo Authentication Services'. Journal of Global Positioning Systems 1-2(3), pp. 200-207.

Priyantha, NB, Chakraborty, A. & Balakrishnan, H. 2000. "The Cricket location-support system'. Proc. International Conference on Mobile Computing and Networking. ACM NY pp. 32-43.

Stallman, R. 2008. `Stallman attacks Oyster's `unethical use of Linux', Quoted by Judge, P in ZdNet 9 June at,1000000121,39431419,00.htm.

Transport for London. 2008. `What is Oyster?'. At accessed 31 May 2008.

Travelsafe. 2007. `Inquiry into automatic number plate recognition technology', Issues paper 12. Parliamentary Travelsafe Committee, Legislative Assembly of Queensland.

Wigan, MR & Clarke, RA. 2006, `Social impacts of transport surveillance'. Prometheus 4(24), 389-404.

Wigan, MR 2007, Owning identity: one or many: do we have a choice?', In K Michael and MG Michael. `From dataveillance to uberveillance and the realpolitik of the transparent society', Proc. 2nd RNSA Workshop on the Social Implications of National Security'. University of Wollongong. pp. 61-70.

Wood, DM [Ed.] `A report on the surveillance society', for the Information Commissioner by the Surveillance Studies Network, London UK.

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.

Marcus Wigan is Principal of Oxford Systematics, Professorial Fellow at the University of Melbourne, Visiting Professor at Imperial College London, and Emeritus Professor of both Transport and of Information Systems at Napier University Edinburgh. He serves on the Ethics Task Force and the Economic Legal and Social Implications Committee of the Australian Computer Society, of which he is a Fellow. He has worked on the societal aspects of transport, surveillance and privacy both as an engineer and policy analyst and as an organisational psychologist. He has published for over 30 years on the interactions between intellectual property, identity and data integration in electronic road pricing and intelligent transport systems for both freight and passenger movements. He has long been active with the Australian Privacy Foundation, particularly on transport issues, and works with the University of Melbourne on transport engineering and information issues in both logistics and social and environmental factors.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 24 July 2008 - Last Amended: 24 July 2008 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy