Connected car, big data, big brother?

Using geolocation in a trustworthy and compliant way
Trends that threaten trust
Connected cars with downloadable apps
Location services, cloud, internet of things, big data
Privacy, security, safety
How it fits together
Topic | Is about | Key notions
Privacy | Self-determination, non-interference | Freedom, liberty, dignity, honor
Data privacy / data protection | Proper and fair use of information about an individual | Collection and use limitation, data quality, purpose specification, security safeguards, openness, accountability
Information security | Protecting/securing information | Confidentiality, integrity, availability
Safety, physical security | Being “free” from the effects of errors, accidents, incidents, violence etc. | Ownership, integrity, reliability, perimeter
Revolutionising navigation
In 4 steps
1. Base maps
2. Map Share
3. IQ Routes
4. TomTom HD Traffic
TomTom’s trip archive
Anonymous location and speed information from the TomTom user community
5 billion (10^9) speed measurements per day
5 trillion (10^12) speed measurements to date!
by customers driving 50 billion kilometres and visiting every spot over 1,000 times
Creating TomTom HD Traffic: data sources
Range of high-quality real-time data sources
In-car location services under scrutiny
Main GAO findings
10 companies were questioned
Disclosure: all tell, 9 in broad terms, 5 omit purposes for sharing
Consent & controls: all seek consent in some way, all offer some control, none who retain allow deletion
Safeguards & retention: all take steps, but in different ways at different levels of de-identification and deletion
Accountability: all take steps to protect location data and have accountability policies, be it internal only
Location privacy is top of mind
With bloggers, press, regulators, enforcers, legislators and many users alike
• TomTom investigated by leading European Data Protection Authority in 2011
• TomTom’s use of location data is in accordance with EU Data Protection Laws
• Processing and delivery to third parties 100% OK
• Informing users needed to be more explicit, including opt-in
Drivers, police & TomTom
An explosive mixture
Community input – with permission
We profile roads, not people
TomTom & Privacy
Vision:
Community input (crowd sourcing) is strategic
Privacy helps to realize business objectives by ensuring trust
Privacy is an integral part of business continuity above and beyond legal compliance
Principles:
1. Avoid unpleasant surprises:
• Customer insight is paramount
• Be open and explain – hesitation is an omen
• Keep it simple
2. The customer remains in control of his personal data: we have it “on a license”
Key elements of EU data protection laws
Challenging the potential of Big Data
1. Personal data – broad(ening) definition
2. Pre-defined purposes only
3. Volume and time limitations
4. Understandable explanation
5. Consent, legal obligation or balance of legitimate interests must apply
6. Right to view, correct and object
7. Protect confidentiality, integrity & availability
Privacy, amongst others, is about the protection of personal data
Personal data:
• Contains (whatever) information relating to a natural (“real”) person
• That person could be identified, directly or indirectly
• Typically: data attached to unique identifiers
Anonymous only:
• When no reasonable way exists to identify (“single out”) a person
• Even when requiring correlation with other data sources (e.g. maps and phonebooks)
• By anyone with the right resources
But: do not forget EU “cookie law”
Much broader scope than you may think
Any data stored on or retrieved from a device connected to a public telecom network requires
1. Understandable explanation
2. Unambiguous consent
Unless the data is strictly necessary for the services offered to the user or for a purely technical purpose.
Privacy Policies, Standards & Guidelines
7 key objectives
1. We assess our intended use of PD early to drive requirements
2. We document PD: purpose, legitimate ground, retention, access, jurisdiction(s)
3. We ensure we have obtained or will obtain informed user consent, if applicable
4. We minimize the amount of PD (volume and time) and who has access: we de-personalize or destroy PD as soon as possible
5. We keep ensuring adequate security measures based on risk assessment of confidentiality, integrity and availability
6. We do not expose PD to any third party, unless the third party contractually agrees to comply with our policies (or law forces us)
7. We enable the user to exercise his rights (information, access/download, correction, deletion)
The 6 privacy questions
1. What personal data are we processing? In categories, groups, examples
2. Why are we processing personal data? Clear (multiple) purposes
3. When can we destroy the personal data? Automatically or user triggered
4. Who will have access and will be accountable? Including third parties
5. Where will we process and store the personal data? Transfer outside of the EU requires agreements
6. Will we have a legitimate basis for processing?
Typical personal data misconceptions
Very often present in technology companies
• We do not identify the user while using the data, so we have no issues with privacy law
• We only use the serial number of the user’s device, so the data is anonymous and we have no issues with privacy law
• We encrypt the data, so we are no longer using/receiving/sending personal data
• We use hashes to replace all serial numbers, so the data is now anonymous and we have no issues with privacy law
• We anonymize the data, so we are not using personal data
• We can use the users’ data for anything we want, as long as we keep the data to ourselves
• Look: big name companies are doing the same, so we are OK
Location data in a car context
In the EU to be regarded as sensitive personal data
Requires prior, informed, explicit consent – separate, not in T&C’s!
Figure 2: How Location Data Are Transmitted to Provide In-Car Location-Based Services
Source: GAO
GAO excerpt shown on the slide: “Companies may also choose to contract with third-parties that provide all location-based services on their behalf; among our selected companies, this is most common among the auto manufacturers. (See fig. 2.)”
Figure note (GAO): While companies use cellular networks to transmit location data, we excluded telecommunications companies that provide these networks from this review because they were included in our 2012 report on mobile devices. See GAO-12-903.
Can location data be anonymous?
Research indicates: hardly ever
Avoiding re-identification is key
TomTom has a strict code of conduct to adhere to privacy laws
1 month
• Historic trip archive only to be used for road, traffic and related purposes
• No access to raw data outside TomTom, ever
1 day
• TomTom performs processing
• TomTom ensures re-identification is impossible, e.g. through sufficient aggregation
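To make the “we use hashes to replace all serial numbers, so the data is now anonymous” misconception from the earlier slide and the aggregation rule of this slide concrete, here is an added Python example (not TomTom’s code; the probe records, the segment names and the k_min contributor threshold are constructed): a hashed serial is still a stable per-device key that links every trip of that device, whereas per-segment aggregation with a minimum-contributor threshold drops device identity and suppresses segments too thin to hide in.

```python
import hashlib
from collections import defaultdict

# Constructed sample of raw probe records: (device serial, road segment, speed km/h).
# "Elm-St-7" is a residential street that only one device in the sample ever drives.
RAW_RECORDS = [
    ("SN-0001", "A10-km12", 98), ("SN-0001", "A10-km13", 101), ("SN-0001", "Elm-St-7", 28),
    ("SN-0002", "A10-km12", 94), ("SN-0002", "A10-km13", 97),
    ("SN-0003", "A10-km12", 102), ("SN-0003", "A10-km13", 105),
    ("SN-0004", "A10-km12", 88),
]
K_MIN = 3  # hypothetical policy: publish a segment only if >= 3 distinct devices contributed

def hash_serial(serial: str) -> str:
    """Replace the serial with a SHA-256 digest: a stable pseudonym, not anonymisation."""
    return hashlib.sha256(serial.encode()).hexdigest()

def pseudonymise(records):
    """The 'hash the serial' misconception: every record keeps a consistent device key."""
    return [(hash_serial(serial), segment, speed) for serial, segment, speed in records]

def trajectories(pseudo_records):
    """Group by pseudonym: the whole trip of each device is still reconstructible,
    including singular places (a home street) that identify the driver indirectly."""
    trips = defaultdict(list)
    for key, segment, _speed in pseudo_records:
        trips[key].append(segment)
    return dict(trips)

def aggregate_segments(records, k_min=K_MIN):
    """Profile roads, not people: average speed per segment, device identity dropped,
    and segments with fewer than k_min distinct contributors suppressed entirely."""
    per_segment = defaultdict(lambda: (set(), []))
    for serial, segment, speed in records:
        devices, speeds = per_segment[segment]
        devices.add(serial)
        speeds.append(speed)
    return {
        segment: round(sum(speeds) / len(speeds), 1)
        for segment, (devices, speeds) in per_segment.items()
        if len(devices) >= k_min
    }

if __name__ == "__main__":
    linked = trajectories(pseudonymise(RAW_RECORDS))
    print(linked[hash_serial("SN-0001")])   # ['A10-km12', 'A10-km13', 'Elm-St-7']
    print(aggregate_segments(RAW_RECORDS))  # {'A10-km12': 95.5, 'A10-km13': 101.0}
```

Note that the pseudonymised output still contains the lone trip on Elm-St-7, which is exactly the kind of record that makes a dataset personal data under the “single out” test, while the aggregated output omits that segment altogether.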
GAO on reducing risks to privacy
Step by step reducing the potential to identify the user
Figure 3: Examples of De-Identification Methods and Privacy Risk
Source: GAO
GAO excerpt shown on the slide: “Although location data that are coupled with personal information, such as a name, pose the greatest privacy risk to consumers, company representatives told us that in some cases, they need such data to provide certain services.”
Recommendations
• Incorporate data protection requirements from the start
• Take a multi-disciplinary approach: it is about your
“license to operate in the information society”
• Embed “privacy by design” into development processes
• Document your data: “what, why, when, who, where”
• Appoint a “privacy czar” in your organization