Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'You Are Where You've Been'

You Are Where You've Been
The Privacy Implications of Location and Tracking Technologies

Roger Clarke ** & Marcus Wigan **

Version of 3 August 2011

Journal of Location Based Services 5, 3-4 (December 2011) 138-155

This version supersedes the preliminary version presented as an Invited Keynote at a Seminar on 'Location Privacy' at the University of N.S.W. on 23 July 2008

(See also the Project Overview)

© Xamax Consultancy Pty Ltd, 2008-11

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at http://www.rogerclarke.com/DV/YAWYB-CWP.html

The accompanying slide-set is at http://www.rogerclarke.com/DV/YAWYB.ppt


Abstract

A decade ago, technologies that could provide information about the location of a motor vehicle, or a computer, or a person, were in their infancy. A wide range of tools are now in use and in prospect, which threaten to strip away another layer of the limited protections that individuals enjoy.

An understanding of the landscape of location and tracking technologies, and of the issues that they give rise to, depends on establishing a specialist language that enables meaningful and reasonably unambiguous discussion to take place.

An outline of the familiar case of mobile phones, complemented by deeper assessments of road tolling and the surveillance of individual motor vehicles on the road, provides a basis for appreciation of the substantial threats that location technologies represent to free society.


Contents


1. Introduction

Over twenty years ago, Daniel et al. (1990) identified implications of the advanced traffic identification, tolling and linkage technologies that were then emergent. A decade later, Clarke(1999a) analysed the nature of location and tracking, and identified many then-current and emergent technologies. These papers noted the increasing intensity in the collection of transaction data, in the association of personal identifiers with that data, in the retention of that data, and in mining of that data. It also referred to the emergence of spies in people's pockets, wallets and purses (smartcards and cellular mobile phones), and in their cars (toll-road tags, and tagging by car-hire companies, insurers and investigators).

Those technologies are now well-established, yet they lack a regulatory framework. IP-address location remains laughably inaccurate. Cellular triangulation and signal-differential techniques, and self-reporting of GPS measurements, are also error-prone, but their precision and accuracy have greatly improved. Radio-Frequency Identification (RFID) and Near Field Communication (NFC) devices identify and locate chips with reasonable reliability, and, because of their short range, with considerable accuracy. Meanwhile, some of the scatter of technologies that constitute Intelligent Transport Systems (ITS) are gradually delivering on their promises and threats, and surveillance of traffic using Automated Number Plate Recognition (ANPR) technologies is proliferating without regard for its impacts on privacy and freedoms.

For the last four decades, discussions of privacy and surveillance have primarily focussed on the collection and handling of personal data. In effect, the orientation has been towards 'you are what you've transacted with us'.

The march of information technology has resulted in the scope of the transactions that are being captured expanding wildly. Now organisations in both the public and private sectors are seeking data about where people are, in order to use it - sometimes at least nominally for them, but in practice to a considerable extent against them. The almost complete absence of data destruction requirements means that data about 'where you are now' is kept, and becomes a trail of 'where you've been'. The presumption underlying the exploitation of this pool of data is that 'you are where you've been'. This paper's purpose is to delineate the nature of these technologies, and of what they do to privacy.

This paper commences with overviews of key concepts underlying the subsequent discussion. One cluster of ideas comprises the concept of location and the process of acquiring it, and the concept and process of tracking. In order to be able to undertake effective analysis, a model is needed of what it is that is being located and tracked. Relevant concepts include real-world entities (particularly humans and vehicles), identities, and pseudonymity and anonymity.

Building on these ideas, the paper reviews the privacy impacts of location technologies. It notes that one's location is potentially very sensitive personal data. But the tracking of people's movements both real-time, and retrospectively, lifts the threat to a much higher level. The paper is a further contribution in research programs conducted by the authors over a 25-year period, and hence cites multiples of the authors' previous publications from those programs. These contain references to the wider literature additional to the modest set cited in the present paper.


2. Concepts of Location and Tracking

This section provides an overview of the concepts of location and tracking. It draws heavily on relevant parts of Clarke (1999a).

By an entity's location is meant a description of its whereabouts, in relation to other, known objects or reference points. Examples include the following:

The 'space' within which an entity's location is tracked is generally physical or geographical. All of the above examples relate to location within physical space. Other kinds of 'space' exist and location within such spaces may be defined in other terms. For example, a location may be virtual, as in the case of a person's successive interactions with a particular organisation. A particularly important example is 'network space'. An IP-address records the location in network space of a software process entity (which necessarily is running in a computer entity).

Location can be ascertained with varying degrees of precision, and varying degrees of accuracy and reliability. These qualities are addressed formally in the US Federal Geographic Data Committee's metadata system for geospatial information (FGDC 1998). The location of installed devices such as fixed ATMs and EFT/POS terminals may be quite exact, and reliable. The locations of some EFT/POS terminals (e.g. those in taxis) are much more ambiguous, as are those of small modems, codecs and Ethernet and other network interfacing cards, which may be moved from their previously-recorded locations. Devices such as cellular phones, and portable and hand-held computers, are designed to be mobile, and additional information is needed in order to draw inferences about their location at the time of a particular event. Some kinds of location definition may be limited to a line or cone (e.g. those relying on directional mechanisms), or an area bounded by three or more lines (e.g. those relying on triangulation). Differential and Augmented GPS systems have improved GPS services through the use of additional data from terrestrial reference-points.

Measures of location may be available with varying degrees of timeliness. By this is meant the lag that occurs between the event, and the availability to a person undertaking surveillance of the transaction data reflecting that event.

By tracking is meant the plotting of the trail, or sequence of locations, within a space that is followed by an entity over a period of time.

Due to timeliness limitations, data may only be available for retrospective analysis of a path that was followed at some time in the past (Graham 2008). A 'real-time' trace, on the other hand, enables the organisation undertaking the surveillance to know where the entity is at any particular point in time, with a degree of precision that may be as vague as a country, or as precise as a suburb, a building, or a set of co-ordinates accurate to within a few metres. Moreover, a person in possession of a real-time trace is in many circumstances able to perform predictive tracking, because, with some degree of confidence, it will be possible to infer the subject's immediate future path, perhaps their destination, and even their intention.


3. Concepts of Identity, Entity and Nymity

This section provides an overview of the concepts of identity, entity and nymity. It draws heavily on relevant parts of Clarke (2001, 2004 and 2009b).

The term 'entity' refers to any item that exists in the real world. It is sufficiently generic to be applicable to a rock, a chair, a motor vehicle, a device with a computer embedded in it, and a human being.

The term 'identity' refers to a particular presentation of an entity, such as a role that the entity plays in particular circumstances. For example, a motor vehicle is an entity. It may have multiple identities over time, such as taxi and getaway car. A mobile phone is an entity, but it may take up different identities depending on the SIM placed in it. A computer is an entity, but each process that runs on it is capable of presenting identities distinct from both the entity and the other identities represented by other processes. In addition, some clients, including some web-browsers and plug-ins, support multiple personae.

People perform many roles, and most individuals are known by different names in different contexts. The identifiers that are associated with these identities may be name-variants (Mr Smith, John Smith, JS, Jacko) or more distinctive (Mrs Smith in social contexts, Ms Jones in professional settings). In some cases, the intention is dishonourable or criminal. In most cases, however, the adoption of multiple personae is neither, but rather reflects the diversity of contexts in which they act, including within their family, their workplace(s), their profession, community service and art.

In common law countries, people are in no way precluded from using multiple identities or aliases. Actions that take advantage of multiple or situation-specific identities in order to cause harm or circumvent the law are, on the other hand, criminal offences. Although some jurisdictions have created criminal offences relating to identity fraud, they preclude not the use of multiple identities but rather their abuse.

An identity may be distinguished from other, similar identities through the use of some kind of label or signifier. For example, a subscriber identity module (SIM) card has a SIM-card identifier, a process running in a computer has a process-ID, and a human being has (many) names and codes assigned to them.

Similarly, an entity may be distinguished from other, similar entities through the use of some kind of label or signifier. Even some rocks have names or numbers, e.g. those that are sacred to an indigenous community and need to be either preserved or moved to enable agricultural or mining operations to proceed. Motor vehicles have vehicle id numbers (VINs), engine numbers and registration 'numbers'; mobile phones have unique numbers associating with housing; and human beings have biometrics. Given that the term for an item of information that distinguishes an identity is 'identifier', it is convenient to refer to an item of information that distinguishes an entity as an 'entifier'.

An identifier that can be linked to the underlying entity only with considerable difficulty is commonly called a pseudonym. If an identifier cannot be linked to an entity at all, then it is usefully called an anonym. And a term that usefully encompasses both pseudonyms and anonyms is nym.

Anonymity is a characteristic of records and transactions, such that they cannot be associated with any particular entity, whether from the data itself, or by combining it with other data. Pseudonymity is a characteristic of records and transactions, such that they cannot be associated with any particular entity unless legal, organisational and technical constraints are overcome. And a term that encompasses both anonymity and pseudonymity is nymity.

The concepts of location and tracking clearly apply to entities. However they may also apply to identities in various circumstances, and to nyms.


4. Location and Tracking Technologies

A wide variety of location and tracking technologies exist. Clarke (1999a, 1999b) catalogued a many specific instances of location and tracking technologies, and many more are documented in Michael & Michael (2009). They are mostly oriented towards entities, and their effective operation depends on the collection of entifiers that distinguish the particular entity and enable transaction data to be reliably associated with the appropriate entity and perhaps with other transactions. Some technologies are relevant to spaces other than physical space (especially net space), and some to identities rather than entities.

In order to provide a deeper sense of the ways in which location and tracking is impinging on human behaviour, this section considers two particular categories of entities.


4.1 Handhelds

During the last two decades, first mobile phones, and progressively networked personal digital assistants (PDAs), smartphones and tablets, have delivered enormous personal convenience, but public understanding has also slowly grown that such devices are a spy in the person's pocket. The term 'handheld' is used in this paper to refer to any mobile access device with the capacity to communicate by wireless means.

Mobile phones were designed to support voice-calls from any location within range of a transceiver connected to the relevant wireless network. Network protocols developed for this purpose have been referred to as 'cellular networks'. They have included analogue, early digital (such as GSM and CDMA), and later digital networks commonly referred to as third generation (3G, such as GSM/GPRS, CDMA2000 and UMTS/HSPA). As chip-capacity grew to the point that it could support operating systems, the functionality of phones was extended to a wide range of applications, and the much-upgraded category of devices were dubbed 'smartphones'. Many now have the capability to connect to Wireless Local Area Networks (WLANs), in particular so-called 'WiFi' based on the IEEE 802.11x family of protocols.

PDAs were designed to support computing on the move. They exist in many variations, reflecting orientation towards business or personal use; text capture, despatch and receipt; sound receipt and playback (particularly music); image capture, despatch and receipt; and game-playing. Designs continue to proliferate and cross-fertilise. In addition to being capable of connection to fixed networks, handhelds have had wireless network capabilities added. These have most commonly been Wireless LANs such as Wifi, but Wide Area Network technologies also exist, such as `WiMax' / IEEE 802.16 and iBurst.

More recently, a long-awaited category of devices with a form-factor between handhelds and laptops has emerged, initially the iPad. These are being released as much less general-purpose devices, particularly those from Apple. Location and tracking of these devices have been high priorities in the design of these devices, partly to enhance services, but also because it is in alignment with the tight user-control that the suppliers want over their customers.

The analysis conducted in this section focusses on location and tracking, including the identification of the handset and the user. It intentionally leaves aside such questions as traffic analysis (i.e. which devices communicated with one another) and the interception, storage, use and disclosure of message-content.

Location and tracking are inherent in wireless networking technologies. Each message that is transmitted over a wireless network needs to reach the intended handheld. There is insufficient capacity to broadcast all traffic in all cells. It is therefore necessary for the network to know in which cell the targeted handset is to be found, so that the message can be transmitted in that cell only. Each handset therefore continually transmits registration messages that are picked up by the base-station(s) that service each cell. Handsets are generally designed to transmit registration messages even when nominally switched off or placed on standby, and perhaps even when the (main) mattery is removed.

In cellular networks, there is generally a clear distinction between the entity (the handset) and the identity it is adopting at any given time (which is determined by the module inserted in it). In GSM and UMTS devices, the identity is the Subscriber Identity Module (popularly known as the 'SIM-card'), in CDMA devices the Removable User Identity Module (R-UIM) or CDMA Subscriber Identity Module (CSIM), and in generic 3G devices the Universal Subscriber Identity Module (USIM). These modules store an International Mobile Subscriber Identity (IMSI), which constitutes the module's identifier. Among other things, this enables network operators to determine whether or not to provide service, and what tariff to apply to the traffic.

However, cellular network protocols may also involve transmission of a code that distinguishes the handset in which the module is currently inserted, i.e. the device entifier. In GSM and UMTS devices, this is the International Mobile Equipment Identity (IMEI), and in CDMA devices the Electronic Serial Number (ESN, in the USA) or Mobile Equipment Identifier (MEID). Among other things, transmission of the device entifier enables network operators to disable, refuse service or track handsets reported as having been stolen.

In some jurisdictions, all handsets are required by law to be registered to a particular owner, while in others some or all handsets may be used in an anonymous or at least pseudonymous manner, perhaps up to some limit of call-value. In practice, the vast majority of handsets are used for long periods with a single SIM-card installed, and by a single person. Hence, in many cases, it is effectively the individual user of the handset who is being tracked.

In the case of computing devices that use wireless networks such as Wifi and Wimax, the base-station (commonly, although not entirely accurately, called a router), generally has access to an entifier for the device, such as a processor-id or a network interface card identifier (NIC Id). These tend to be less tightly linked with an individual than is the case with mobile phones. It is also feasible for users who wish to do so, to exercise control over the entifier that it presents. The tendency towards multi-functionality of handsets, and connection with both cellular and Wifi networks, may, however, be breaking down that remnant element of nymity.

In some circumstances the Internet Protocol (IP) address is used as a proxy for a device-id or user-id. Among the disadvantages of doing so is that an IPv4 address may be assigned for a relatively short period, particularly where the device is portable. Depending on the implementation, however, IPv6 addresses may contain or imply the device-id. If so, that would substantially undermine nymity and enhance trackability.

The network is aware of the cell-location of each handset that uses the network and is currently within range of a base-station - and hence an observer with access to the identity of the handset's usual user is aware of that person's cell-location. The precision of the location may be limited to the particular transmission cell, which may be as large as a 10km radius, or as small as 100m radius. However, a number of techniques exist whereby the precision may be far greater than that. These include:

The stream of messages that a handset sends enables the network to not only locate it, but also to track it. The tracking may be something close to real-time, depending on the frequency with which registration and other messages are sent (which is generally often), and the latency in the system (which is generally very short). If the series of locations is logged, and the log retained, then the tracking can be retrospective. It appears that logs are commonly collected, and that they may be retained for periods that may be quite long. If the data-stream is sufficiently intense and latency low, then it is capable of being applied to predictive tracking.

The data's intrinsic purpose is network management; but it is attractive for a range of purposes additional to that. Network service providers are increasingly seeking to extract additional revenue from subscribers (by offering location-sensitive services), and from advertisers (by transmitting location-sensitive offers).

In addition to such extrinsic uses by the network operator, disclosure to other parties already occurs, and may worsen. The data-stream and logs are accessible by law enforcement agencies, and by national security agencies. In many cases, this appears not to be subject to the hitherto conventional control of requiring a prior, specific-purpose judicial warrant based on evidence of reasonable grounds for suspicion of a criminal offence. Further, despite longstanding protections in the telecommunications laws of many countries, there is considerable pressure from business enterprises for the data to escape beyond the network service providers, to other business units, related business enterprises and 'strategic partners'. The exposures even extend to community settings (Abbas et al. 2011).


4.2 Motor Vehicles

Motor vehicles are increasingly subject to automated monitoring. The vision of ITS as a whole has moved more slowly than its proponents suggested, but various aspects have matured or are coming to fruition. Passive RFID tags transmit an identifier when control-points are passed and in some schemes active tags report their position under program control. This section focusses on the location and tracking aspects of the particular technology most commonly referred to as Automated Number Plate Recognition (ANPR). It draws in general terms on Wigan & Clarke (2006) and in more specific terms on Clarke (2009a).

Automated Number Plate Recognition (ANPR) involves the use of:

ANPR differs from its predecessors ('speed cameras' and 'red-light cameras') in that it necessarily involves digital rather than wet-chemistry photography, and automatic extraction of the registration data in real-time rather than manual and/or deferred extraction.

Both suppliers and user-organisations project the notion that ANPR is highly accurate and highly reliable. However, very little evidence is publicly available, and results of independent testing are so difficult to find that accusations are readily levelled of collusion between law enforcement agencies and technology-providers (e.g. Lettice 2005, Keilthy 2008).

Anecdotal evidence suggests that the reliability of the process whereby registration data is extracted from the digital images is actually quite low, with success-rates perhaps as low as 70% even under favourable conditions, and lower in many common circumstances that present challenges. Among the factors that are known to reduce reliability are the lighting, the angle, and the states of the registration plates, the camera lens and the light-path between them. The extraction is by its nature 'fuzzy', and confidence threshholds have to be set. In any circumstances in which the implications for false positives are serious, it is vital that the threshholds be set so that innocent passers-by are not significantly impacted.

The object that ANPR locates and tracks is a vehicle identifier - the registration-plates that the vehicle carries. This is distinct from a vehicle entifier such as a Vehicle Identification Number (VIN), or an engine-number. In some countries, registration-plates are permitted to be used on more than one vehicle, whereas other countries require its use only on one vehicle. For people and organisations that have sufficient motivation, the falsification and duplication of registration-plates is relatively easy, the likelihood of detection is low, and the sanctions if the offence is detected are relatively low.

In practice, ANPR can be and is used as a basis for the location and tracking not only of vehicles, but of vehicles as a proxy for people. A vehicle is registered in the owner's name, and hence an inference may be drawn that that person is the vehicle's driver, or one of its occupants.

ANPR is capable of being applied to several different categories of purpose, and the infrastructure to support it can be architected in several different ways. The following sub-sections outline three categories of application, and architectural features that vary in their privacy impacts and implications.

(1) User-Pays Charging

Motor vehicles use resources, including infrastructure (roads, control devices such as signs and traffic lights, on-street parking, garages and parking stations) and fuel. They also generate noise and pollution, and are likely to be subject to further, indirect charging and/or taxation in the near future through 'green credit' mechanisms. For various reasons, there has been a drift away from State-funded infrastructure towards a user-pays approach. Charges are therefore levied for on-street parking, use of space in garages and parking stations, use of toll-roads, and use of congested areas such as inner-cities.

There are two broad ways in which charges for the use of road transport infrastructure give rise to location and tracking of people: through the payment process, and through mechanisms designed to achieve control over errors and abuse of the scheme.

Cash payments are regarded by many service-providers as expensive and inconvenient. A number of facilities can only be used if payment is made using a credit-card or debit-card. Other facilities require use of a specialist payment device that commonly takes the form of a contactless smartcard or RFID-tag. These in turn are in some cases unable to be purchased or 'topped up' in return for cash, but only by means of a credit-card or debit-card.

During the last few decades, governments around the world have imposed increasingly stringent requirements on card-issuers to authenticate the identities of their customers. Moreover, the face of the card generally carries the card-holder's commonly-used name. The net effect of these factors is that a number of user-pays road transport facilities are not currently available unless the person using them identifies themselves more or less directly to the operator. The human right of freedom of movement is seriously harmed by the denial of anonymous use of road transport infrastructure.

The second source of person location and tracking through road transport arises from the control mechanisms that infrastructure and fuel providers alike need to exercise over the evasion of their fees. For example, a toll-road may be used by a vehicle with no tag, a defective tag or a tag that carries insufficient value; a parking location or congested area may be used without payment of the fees or the fine; and a driver may 'skip' after filling their petrol-tank but without paying. A commonly-used control is the video-recording of the vehicle's registration plates, originally on a tight-loop analogue video-tape with 24-hour retention of the images. But ANPR has obvious application to these needs, and tight-loop / short-retention analogue recording has been rapidly giving way to digital recording, automated recognition of registration data, and longer, and even indefinite retention of the images.

It may only be necessary to record images of vehicle registration data in the small minority of cases where the vehicle has been detected as being infringing in some way. On the other hand, vehicle identities may need to be recognised and matched at two or more points, e.g. where the fee is dependent on entry and exit locations and times (e.g. for parking, in congested zones and for variable-cost toll-roads). There are a variety of ways in which that can be achieved.

In principle, the vehicle registration data in such circumstances is needed only for as long as it takes to compute and collect the fee, perhaps followed by a retention period long enough to enable audit by the operator and/or reporting to or handling of a complaint by the road-user. In addition, privacy-protective schemes can be devised and implemented relatively easily. (For example, the vehicle registration data could be retained for the duration of the trip only, with the payment tag issued with an electronic receipt number, which is stored by the operator together with the facility usage data that gave rise to the charge).

But, despite the ease of creating such schemes, it appears to be highly unusual for operators to do so. In practice, vehicle registration data is collected and retained, and perhaps retained long-term, used and disclosed. With storage costs continuing to plummet, a great deal of data capture and retention of this kind is indiscriminate, i.e. the registration data of all vehicles is captured, and retained, irrespective of whether the action is justified.

(2) Law Enforcement

ANPR has a number of applications in support of policing, particularly of road traffic, but to some extent more generally. Law enforcement uses involve the detection of a registration-plate of interest to a law enforcement agency. In some cases, a traffic infringement notice may be automatically generated (as with longstanding manual processes using wet-chemistry photography, for speeding and red-light offences). In other cases, the vehicle of interest may be intercepted a short distance further down the road. The applications can be categorised as follows:

The first and second of those categories are specific policing applications that are characterised by relatively high reliability and straightforward justification. The third is more speculative, particularly in relation to the impact on accidents involving unregistered vehicles and unlicensed drivers. The fourth is much more problematical. It has potential, and potentially substantial, negative implications for the safety of police officers, of people in the vicinity of interceptions, and of occupants of vehicles that are intercepted on grounds that transpire not to be justified.

There are prospects that ANPR may be effective for the purposes for which registration plates were issued - specifically, traffic administration and traffic law enforcement. Considerable care is needed even in these cases, however, because the reliability of data in registration databases, and of the data extracted from the photograph, are both of moderate rather than high quality. There is considerably more doubt about the more remote, consequential contributions to public safety, and the substantially speculative application fo criminal law enforcement more generally.

It is straightforward to devise an architecture for ANPR that is effective for operational policing but avoids undue collection of data. The camera-unit can be designed as a high-security device that only discloses data that satisfies tightly-defined and tightly-controlled criteria. This can be achieved through what can be usefully described as 'blacklist in camera' architecture. Tightly-coupled processing within the camera-unit can compare the registration data extracted from images against one or more controlled blacklists that have been downloaded to it. These can contain the registration numbers of vehicles that law enforcement agencies want to intercept for specific reasons. The only data disclosed by the device would be high-probability 'hits' against those blacklists.

Multiple controls are needed in order to achieve the dual objectives of operational policing and protections for privacy, civil liberties and democracy. Crucial among them are tight controls over the quality of the blacklist data. This includes accuracy and precision - which is known to be an issue with many vehicle registration databases. Another quality factor that is especially challenging is timeliness, particularly in the case of such fraught categories as stolen vehicles, and especially getaway cars. Tight controls over the transmission of the data are also essential. Serious public safety issues arise from some potential categories of blacklist, including getaway cars, but also vehicles associated with people wanted for arrest, and even for questioning.

A further possible variant is a 'white-list in camera' approach, whereby listed vehicle registrations would not be reported, but all others would be. This may have application in areas that are subject to very tight physical controls, such as within nuclear power plants, and in the areas immediately adjacent to meetings involving dignitaries considered to be at risk of being targeted by activists. However, the approach gives rise to serious concerns about public safety, unreasonable interception and unreasonable inferences about vehicle drivers and occupants.

Despite the ease with which ANPR can be architected so as to balance policing needs with privacy and civil liberties, 'blacklist-in-camera' infrastructure remains uncommon. The following sub-section describes the way in which most ANPR works in the United Kingdom, and is emergent in Australia.

(3) Mass Surveillance

The ANPR camera-unit can be designed to transmit every instance of vehicle registration-data that it is able to extract from passing vehicles. The receiving device might be a display, for example in a nearby police patrol vehicle. In practice, however, the receiving device is generally a computer with substantial data-storage. The extracted registration-data may be used for user-pays charging and/or law enforcement, as described in the previous sub-sections, but is also stored, together with the date, the time and some indication of location, probably the direction of movement, and perhaps the direction of view.

Over time, and with the proliferation of image-capture devices, the effect of this process is the accumulation of a massive database of vehicle movements. Nothing remotely resembling it has ever existed in the past, even in the old USSR (where internal passports were used to restrict freedom of movement) and East Germany (where monitoring of the population reached its then greatest extremes).

The justification for such mass surveillance is that there is intelligence value in ANPR data. It might be feasible to locate designated vehicles, to track them in real-time, and to submit vehicles of interest to retrospective tracking. Further, proponents postulate that a wide array of (loose) inferences may be able to be drawn about vehicles being associated with one another in some manner (such as travelling in proximity, or being co-located on multiple occasions).

Firstly, it is far from clear that any such intelligence benefits are real, and secondly, it appears that national security agencies expect their propositions to be accepted by politicians and the public without supporting evidence, and without question. Even the most cursory consideration of the claims leads to a completely contrary conclusion: vehicle registration data is unreliable, false positives will be frequent, forgery is easy, and both 'organised crime' and terrorists can readily organise themselves so as to circumvent, nullify and even subvert such monitoring.


5. Privacy Threats in Location and Tracking

The previous sections have considered the conceptual basis of identification, location and tracking, and several examples of relevant technologies. Some of the privacy impacts have emerged from those discussions. This section brings greater structure to that analysis, by presenting firstly a generic overview of privacy threats and then, within that framework, an outline of specific impacts.

5.1 Generic Privacy Threats

The nature of privacy is summarised in Clarke (2006). It is usefully treated as "the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations". It has multiple dimensions, including privacy of the physical person, of personal behaviour, of personal communications, and of personal data. Appreciation of its importance requires consideration of multiple levels, including the philosophy of human rights, individual and group psychology, sociology, economics and politics.

The location and tracking of known identities and entities is a form of dataveillance Clarke (1988). In some cases it represents personal dataveillance, because a particular human has been targeted for monitoring, which in free nations must be based on reasonable grounds (e.g. for suspicion that the person has committed or is intending to commit a criminal offence of sufficient gravity to warrant the commitment of resources and the infringement of the individual's freedoms).

In other cases, location and tracking is mass dataveillance, by which is meant indiscriminate monitoring of a population. The justification (to the extent that any exists) is based on the generalised suspicion that some members of the population are of interest, and that suspicion as to which ones they are can be generated by means of the collection and mining of vast quantities of data. The privacy risks that dataveillance embodies are examined in Clarke (1988).

5.2 Specific Privacy Threats

This sub-section provides an overview of the privacy threats inherent in location and tracking. It draws heavily on relevant parts of Clarke (1999a). The threats arise from individual technologies, and the trails that they generate, from compounds of multiple technologies, and from amalgamated and cross-referenced trails captured using multiple technologies and arising in multiple contexts.

Location and tracking technologies give rise to data-collections that disclose a great deal about the movements of entities, and hence about individuals associated with those entities. Given an amount of data about a person's past and present locations, the observer is likely to be able to impute aspects of the person's behaviour and intentions. Given data about multiple people, intersections of many different kinds can be computed, interactions can be inferred, and group behaviour, attitudes and intentions imputed.

Location technologies therefore provide, to parties that have access to the data, the power to make decisions about the entity subject to the surveillance, and hence to exercise control over it. Where the entity is a person, it enables those parties to make determinations, and to take action, for or against that person's interests. These determinations and actions may be based on place(s) where the person is, or place(s) where the person has been, but also on place(s) where the person is not, or has not been. Tracking technologies extend that power to the succession of places the person has been, and also to the place that they appear to be going.

Marketers have an interest in identifying population segments and networks, and in building personal behaviour profiles. More sinister applications arise because so-called 'counter-terrorism' laws have greatly reduced the controls over data gathering, storage and access, over inferencing about where people have been and whose paths people have crossed, and over detention, interrogation and prosecution.

The nature and extent of the intrusiveness is dependent on a variety of characteristics of location and tracking technologies. An analysis is provided in Clarke (1999b), encompassing such factors as the intensity of the data collection process, the data quality, data retention and destruction, and data accessibility.

Dangers that are especially apparent include the following:

The degree of impact on each individual depends on their psychological profile and needs, and their personal circumstances, in particular what it is that they wish to hide, such as prior misdemeanours, habits, and life-style, or just the details of their personal life. Some categories of individual are in a particularly sensitive position. 'Persons-at-risk' is a useful term for people whose safety and/or state of mind are greatly threatened by the increasing intensity of data-trails, because discovery of their location is likely to be followed by the infliction of harm, or the imposition of pressure designed to repress the person's behaviour. Examples include VIPs, celebrities, notorieties, different-thinkers, victims of domestic violence, people in sensitive occupations such as prison management and psychiatric health care, protected witnesses, and undercover law enforcement and security operatives. A much more substantial list is at GFW (2011).


6. Controls and Protections

Since the 1970s, privacy has been a considerable subject of conversation and analysis. Many laws have been passed, and in some countries successive generations of amendments and replacement laws have been enacted. It might be expected that these laws would provide protection against location and tracking technologies.

On the other hand, privacy laws suffer a wide range of substantial deficiencies (Clarke 2000):

In short, existing laws, worldwide, are permissive of all manner of policies and practices that business and government find convenient, are permissive of information technologies, and are not adaptive. The march of location and tracking technologies is hardly hindered at all by existing laws. And, to the extent that individual countries from time to time consider enhancing their limited and hopelessly outdated laws, the combined lobbying powers of government agencies and the private sector ensure that minimal change occurs.

The literature is not short of resources that could be applied by legislatures, by regulators and by technology providers, e.g. Ackerman et al. (2003), Ginger et al. (2003), Gruteser & Grunwald (2003), Bettini et al. (2005), Hu & Wang (2005), Loenen & Zevenbregen (2007), Bettini et al. (2009). The problem has been the lack of understanding and interest among policy-makers.


7. Conclusions

A range of location and tracking technologies have exploded onto the scene. They have extraordinary and highly negative implications for privacy, and for civil liberties and political freedoms more generally. Contrary to people's expectations, they are subject to almost no meaningful privacy controls. The current circumstances are highly threatening to individualism and to the kinds of society and economy that have been regarded as the norm in European and European-derived countries.

To an organisation that seeks to exercise control over a society, a person is a threat depending on who they associate with, and the concept of personal associations is readily modelled based on where the person has been, and who else has been there. Hence 'You Are Where You've Been'. Location and tracking technologies that can distinguish individuals provide authoritarian organisations, whether of the public or private sector, with the capacity to distinguish those members of a society who represent potential threats, and to exercise control over them.

The information technologies that have been developed since 1950 share a key characteristic with elephants: they don't know how to forget. Information technologies need to be taught how to forget, and very quickly.


References

Abbas R., Michael K., Michael M.G. & Aloudat A. (2011) 'Emerging Forms of Covert Surveillance Using GPS-Enabled Devices' Journal of Cases on Information Technology (JCIT) 13, 2 (2011) 19-33, at http://works.bepress.com/kmichael/224

Ackerman L., Kempf J. & Miki T. (2003) 'Wireless location privacy: law and policy in the US, EU and Japan' Internet Society Member Briefing, at http://www.isoc.org/briefings/015/ accessed 3 August 2011

Bettini C., Jajodia S., Samarati P. & Wang X.S. (Eds.) (2009) 'Privacy in Location-Based Applications: Research Issues and Emerging Trends' Lecture Notes in Computer Science 5599, Springer-Verlag, 2009

Bettini C., Wang X.S. & Jajodia S. (2005) 'Protecting privacy against location-based personal identification' in 'Secure Data Management', Springer Verlag, Berlin, pp.185-199

Clarke R. (1988) 'Information Technology and Dataveillance' Commun. ACM 31,5 (May 1988) 498-512, at http://www.rogerclarke.com/DV/CACM88.html

Clarke R. (1994) 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' Information Technology & People 7,4 (December 1994) 6-37, at http://www.rogerclarke.com/DV/HumanID.html

Clarke R. (1999a) 'Person-Location and Person-Tracking: Technologies, Risks and Policy Implications' Proc. 21st Int'l Conf. on Privacy and Personal Data Protection, pp.131-150, Hong Kong, 13-15 September 1999. Revised version in Information Technology & People 14, 2 (Summer 2001) 206-231, at http://www.rogerclarke.com/DV/PLT.html

Clarke R. (1999b) 'Relevant Characteristics of Person-Location and Person-Tracking Technologies' A separately-published Appendix to Clarke (1999a), Xamax Consultancy Pty Ltd, Canberra, October 1999, at http://www.rogerclarke.com/DV/PLTApp.html

Clarke R. (2000) 'Beyond the OECD Guidelines: Privacy Protection for the 21st Century' Xamax Consultancy Pty Ltd, January 2000, at at http://www.rogerclarke.com/DV/PP21C.html

Clarke R. (2001) 'Authentication: A Sufficiently Rich Model to Enable e-Business' Xamax Consultancy Pty Ltd, December 2001, at http://www.rogerclarke.com/EC/AuthModel.html

Clarke R. (2004) 'Identification and Authentication Fundamentals' Xamax Consultancy Pty Ltd, May 2004, at http://www.rogerclarke.com/DV/IdAuthFundas.html

Clarke (2005) 'Human-Artefact Hybridisation: Forms and Consequences' Proc. Ars Electronica 2005 Symposium on Hybrid - Living in Paradox, Linz, Austria, 2-3 September 2005, at http://www.rogerclarke.com/SOS/HAH0505.html

Clarke R. (2006) 'What's 'Privacy'?' Prepared for a Workshop at the Australian Law Reform Commission on 28 July 2006, at http://www.rogerclarke.com/DV/Privacy.html

Clarke R. (2007) 'What 'Überveillance' Is, and What To Do About It' Invited Keynote, Proc. 2nd RNSA Workshop on the Social Implications of National Security', 20 October 2007, University of Wollongong, at http://www.rogerclarke.com/DV/RNSA07.html

Clarke R. (2008) 'Dissidentity' Xamax Consultancy Pty Ltd, Canberra, March 2008, at http://www.rogerclarke.com/DV/Dissidentity.html

Clarke R. (2009a) 'The Covert Implementation of Mass Vehicle Surveillance in Australia' Proc. Fourth Workshop on the Social Implications of National Security: Covert Policing, 7 April 2009, ANU, Canberra, at http://www.rogerclarke.com/DV/ANPR-Surv.html

Clarke R. (2009b) 'A Sufficiently Rich Model of (Id)entity, Authentication and Authorisation' Proc. IDIS 2009 - The 2nd Multidisciplinary Workshop on Identity in the Information Society, LSE, 5 June 2009, at http://www.rogerclarke.com/ID/IdModel-090605.html

Daniel M., Webber M.J. & Wigan M.R. (1990) 'Social impacts of new technologies for traffic management' Research Report ARR 184, Australian Road Research Board, Vermont, Victoria

FDGC (1998) 'Content standard for digital geospatial metadata' Federal Geographic Data Committee, FGDC-STD-001-1998. Washington, D.C. USA, rev. June 1998, at http://www.fgdc.gov/metadata/csdgm/ accessed 12 June 2008

GFW (2011) 'Who is harmed by a "Real Names" policy?' Geek Feminism Wiki, at http://geekfeminism.wikia.com/wiki/Who_is_harmed_by_a_%22Real_Names%22_policy%3F, accessed 3 August 2011

Ginger M., Friday A. & Davies N. (2003) 'Preserving Privacy in Environments with Location-Based Applications' IEEE Pervasive Computing 2,1 (Jan-Mar 2003) 56-64, doi:10.1109/MPRV.2003.1186726

Graham F (2008) 'GPS gadgets can reveal more than your location' New Scientist, 3 June 2008, at http://technology.newscientist.com/article/dn14052-gps-gadgets-can-reveal-more-than-your-location.html

Gruteser M. & Grunwald D. (2003) 'Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking' Proc. MobiSys '03

Hu Y.C. & Wang H.J. (2005) 'A framework for location privacy in wireless networks', at http://research.microsoft.com/~helenw/papers/sigasia05.pdf, accessed 3 August 2011

Keilthy L. (2008) 'ANPR System performance' Parking Trend International, June 2008, at http://www.parkingandtraffic.co.uk/Measuring%20ANPR%20System%20Performance.pdf, accessed 3 August 2011

Kim M.C. (2004) 'Surveillance Technology - Privacy and Social Control' International Sociology 19, 2 (2004) 193-213

Lettice J. (2005) 'No hiding place? UK number plate cameras go national' The Register, 24 March 2005, at http://www.theregister.co.uk/2005/03/24/anpr_national_system/

Loenen B.V. & Zevenbregen J.A. (2007) 'The impacts of European privacy regime of locational technology development' Journal of Location Based Services 1, 3 (2007) 165-178

Michael K. & Michael M. G. (2009) 'Innovative Automatic Identification and Location-Based Services: From Bar Codes to Chip Implants' IGI Global, 2009

OECD (1980) 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data', Organisation for Economic Cooperation and Development, Paris, 1980, at http://www.oecd.org/document/18/0,2340,en_2649_201185_1815186_1_1_1_1,00.html

Wigan M.R. & Clarke R. (2006) 'Social impacts of transport surveillance' Prometheus 4, 24 (December 2006) 389-403, at http://www.rogerclarke.com/DV/SITS-0604.html


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.

Marcus Wigan is Principal of Oxford Systematics, Professorial Fellow at the University of Melbourne, Visiting Professor at Imperial College London, and Emeritus Professor of both Transport and of Information Systems at Napier University Edinburgh. He serves on the Ethics Task Force and the Economic Legal and Social Implications Committee of the Australian Computer Society, of which he is a Fellow. He has worked on the societal aspects of transport, surveillance and privacy both as an engineer and policy analyst and as an organisational psychologist. He has published for over 30 years on the interactions between intellectual property, identity and data integration in electronic road pricing and intelligent transport systems for both freight and passenger movements. He has long been active with the Australian Privacy Foundation, particularly on transport issues, and works with the University of Melbourne on transport engineering and information issues in both logistics and social and environmental factors.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 23 February 2008 - Last Amended: 3 August 2011 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/YAWYB-CWP.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy