Contextual privacy and the proliferation of location data
Project summary in layman’s terms (max. 200 words).
Location privacy has come to the fore due to increasingly widespread practices that
involve the storage and analysis of location data. Traffic monitoring, friend finding
services, tracking and tracing of mobile communication devices, contextual or
behavioural advertising, and location based services all thrive on capturing and
mining location data. Location privacy has received much attention from both legal
and technical experts. There is, however, a good deal of confusion as to how location
privacy is understood, how it relates to notions like contextual privacy, anonymity,
unlinkability, autonomy and control. Within the legal domain there is confusion about
the difference between privacy and data protection, controversy about which data
must be qualified as personal data and about the extent to which consent, purpose
limitation and adequate feedback are at stake in particular situations. Within the
technical domain we lack a grounded conceptual and methodological foundation for
the design and analysis of location privacy technologies; existing solutions and
evaluation methods are ad-hoc and can neither be assessed outside a narrow context,
nor compared to each other. This project aims to provide a framework for lawyers and
computer scientists to (1) negotiate a shared understanding of what is at stake and to
(2) examine to what extent location privacy technologies can integrate the more
ambiguous and dynamic nature of legal and ethical notions of contextual location
privacy. Furthermore, we will develop original contributions to both law and
computer science.
In the face of an overwhelming proliferation of data and increased sophistication of
data analysis some have claimed that ‘you have zero privacy anyway. Get over it’
(Sun Microsystems’ CEO Scott McNeally in 1999). It seems that privacy is one of the
fundamental challenges for our society in the next decade. Though lawyers and policy
makers may call for new legislation to ward of further intrusions, we note a growing
awareness that merely adding to the existing legal framework will not suffice to
sustain the value, interest and right of privacy. Concepts like ‘values in design’
[Ni10], ‘privacy by design’ [Ca09] and ‘ambient law’ [HK10] suggest that specific
social and/or legal values, notably privacy, require technological articulation to be
sustainable in a high tech environment. This project seeks to translate the diversity of
societal, ethical and legal notions of privacy into a set of technical requirements and
tools that provide citizens with a measure of feedback and control regarding their
location data.
From the perspective of computer science location privacy has been described as ‘the
ability to prevent other parties from learning one’s current or past location’ [BS03]. In
ubiquitous computing environments the collection and processing of location data
may be necessary to provide useful services. Knowledge of these patterns may,
however, constitute major privacy invasions [HCL04]. Various types of location
privacy tools have been developed [Kr09] but we must note that the problem of rerecognition and subsequent identification [Do05, GP09] creates uncertainty about the
extent to which a sufficient degree of protection is indeed achieved. Furthermore, the
big picture gets more complicated as location data is implicitly or explicitly available
in many system layers: at the physical layer, personal devices can be identified and
tracked based on radio fingerprinting [BM+09]; traffic analysis and inference attacks
on anonymous data may reveal enough to enable pseudonymous profiling and
eventual user re-identification [Kr07]; and at the identity layer we must take into
account the linkability of pseudonyms within or across applications [TC+10]. A wellfounded, comprehensive assessment of location privacy technologies requires analysis
methodologies that take into account the technical details of the basic techniques,
their context of usage and application, and possible interactions with other
technologies that operate on a different layer of abstraction.
Project outline (max. 4 pages, incl. reference list). Give a short overview of previous research activities
which are related to this proposal. If it considers a new topic, describe the abilities your research group has
to conduct the proposed research. Describe the methodology of the project, the collaboration and
coordination between the different participating research groups and the role of the different units and
promoters. Provide references of the most significant international literature on the topic.
From the perspective of law and ethics the proliferation and analysis of location data
present a series of problems that relate to privacy in the broad sense of identityformation and autonomy [AR01, DG03, RPP03]. As the work of Danezis et al.
[DLA05] suggests, people may not attach much value to location privacy if
understood in terms of hiding one’s location data. Instead Zimmer [Zi05] broadens
the scope by explaining how vehicle safety communication technologies ‘might
disrupt the “contextual integrity” of personal information flows’ and ‘threaten one’s
“privacy in public.”’ We think that Roussos’ [RPP03] description is particularly apt
here, distinguishing a ‘locality principle’ that refers to the different contexts in which
identity is constructed rather than just physical location; a ‘reciprocity principle’ that
requires some measure of ‘knowledge- symmetry’ between data subject and data
controller; and the ‘principle of mutual understanding’ that highlights the need for
two-way communication between whoever is being located and whoever is using the
location data. This project seeks to engage lawyers and computer scientists in a
collaborative effort to provide adequate technological articulations for the protection
of personal identity and autonomy. It aims to relate the protection of discrete data to
the goal of protecting privacy, instead of reducing privacy to the protection of
personal data.
Objectives and approach
This research project focuses on infringements of one particular type of privacy,
namely location privacy. Depending on how one defines privacy (warding off any
knowledge of one’s private life; being in control of which data are provided and to
whom; negotiating the boundaries of one’s personal space in the physical, social and
virtual sense of the term), many different dimensions or incarnations of location
privacy can be conceptualized. A person may wish to hide her whereabouts from a
specific organisation or person, in a specific instance, or with regard to a particular
place. She may, on the other hand, not mind sharing isolated pieces of information on
her whereabouts with particular organisations or persons, whereas she does not want
information about different locations to be linked up together.
A conventional way of defining location privacy would be that users are able to
follow up on a legitimate desire to withhold location information in an easy and
convenient manner, while preserving the functionality of the environment. Tools must
therefore be developed to translate the concept of ‘location privacy’ into the technical
infrastructure that could otherwise simply render the concept entirely impractical and
thus void. These tools require a translation of social and legal concepts of ‘location
privacy’ into technical – computational – terms, taking into account that this
articulation has to be defined in a machine-readable manner. This will unavoidably
challenge conventional meanings of privacy and location privacy, requiring, in turn, a
translation of the technical possibilities of location privacy methods into the social,
ethical, legal and political dimensions.
This project aims to work on both sides of the translation: (1) translating the social,
ethical, legal and political concept of location privacy into computational models that
can operationalize its meaning in a high tech environment and (2) translating the
various technological location privacy models into their social, ethical, legal and
political implications.
1. Conceptual framework
The term location privacy takes very different meanings depending on the context in
which it is used. Indeed, location privacy seems to be not a monolithic concept but
rather a family of related concepts. Some examples of technical notions of location
privacy include considering that it is achieved when pieces of a pseudonymous user
trajectory cannot be linked together [BS03, HG05]; when an adversary’s
reconstruction of the user trajectory is sufficiently distorted [SF+09]; when users are
anonymous in a region containing at least k people [GG03]; or when coarse
information about a user’s location is revealed, but her precise location cannot be
established [XC09].
Within the legal context ‘location privacy’ refers on the one hand to the notion of
privacy as defined in art. 8 European Convention of Human Rights (the right to
private life, protection of the home and correspondence) and to various rights and
obligations stipulated in the European Data Protection Directive 95/46/EC and the
Directive on Privacy and Electronic Communications 2002/58/EC. In both directives
the focus is on the protection of personal data, which has resulted in a concurrent
focus on anonymity. In its opinion on the use of location data for value-added
services, the art. 29 Working Party notably speaks of ‘the freedom to come and go
anonymously’ [WP05]. This project will raise the question of (1) to what extent
anonymity is a categorical or a statistical attribute and (2) to what extent anonymity of
location data is an adequate solution for privacy
problems in the era of profiling. As to the last point we note that surveillance based on
group profiles mined from anonymous data cannot be solved by means of
anonymization [RG09]. The first objective then, will be to develop a conceptual
framework that expresses the various location privacy notions existing within both
domains and their interrelations. This will require mapping the relationships between
the technical, legal and ethical concepts (and terms); identifying technical properties
not usually captured in the legal and ethical domains; and identifying legal and ethical
concepts not yet articulated in technology. Furthermore, we will investigate which
notions imply others, which overlap and which are in conflict with each other, within
and across domains. The close collaboration between the researchers from both
groups will be invaluable to deepen the understanding of location privacy in its many
dimensions, and lead to new insights that will enrich both disciplines.
2. Ethical and legal framework
Building on the conceptual framework, we will develop an ethical and legal
framework for targeting location privacy, involving concepts such as ‘privacy in
context’ [Gu02, Ni10], ‘digital territories’ [DM07], and the ‘reciprocity principle’
[RPP03]. We will investigate the links between privacy and location in the physical
sense as well as the more complex notion of context, referring to the fact that one
physical location will often involve both private and public contexts (e.g. a person
using her home pc for both work and leisure).
To come to terms with the opacity of the ‘hidden complexity’ of the processing of
location data, we will develop the notion of access to the ‘logic of processing’, as
stipulated in art. 12 of D95/46/EC. We will take this as a starting point to construct ‘a
right to know’ about how location data is processed, considering not only personally
identifiable data but also pseudonymous and anonymous data. The analytical
framework described in the third objective (below) will be key here to provide an
understanding of the extent to which “anonymous data” can be used to construct
location profiles, re-recognize, and eventually re-identify the individuals who
generated the data, who can in turn then be associated to their behaviour, whereabouts
and movements. Even when full re-identification is avoided, the association of
anonymous individuals with inferred group profiles may suffice to intrude into their
privacy. This implies that privacy is defined as more than mere anonymity [DS+02],
taking into account its relation to identity-construction and autonomy [AR01]
[Z0203].
3. Analytical framework
In order to technologically sustain conceptual, legal and ethical notions of location
privacy we must first understand what current technologies can offer and which are
their limitations with respect to well-understood privacy requirements. Currently this
is a difficult task, as every new technique relies on a different set of arbitrary
assumptions, defines its own notion of location privacy (which is often tied to the
specific technical details of the application and hard to interpret in a broader context),
and proves its validity through an ad-hoc analysis. Therefore, we identify the need for
a general, systematic analysis methodology to evaluate location privacy technologies
under comparable conditions. This analytical framework must be able to capture and
exploit data leakages from multiple system components, and model the inferences that
could be made from combining pieces of anonymous data. For this we will explore
advanced Bayesian inference techniques, in particular Markov Chain Monte Carlo
Methods [Ma03]. These algorithms use sampling to efficiently analyze complex
systems with a large number of possible states, and subject to multiple constraints.
Moreover, they provide the right level of abstraction to analyze arbitrary system
configurations in a general, rather than ad-hoc, manner. Together with the definition
of appropriate location privacy metrics, this framework will allow us to assess the
extent to which the identified conceptual, legal and ethical notions are satisfied, and
facilitate the design of systems that offer well-understood privacy guarantees.
Methodology
The project work will be organized along three work packages, each addressing one
of the objectives identified above, and executed by two Ph.D. students. One of the
students will have a legal (and preferably also philosophical) background and will be
supervised by Prof. Serge Gutwirth and Prof. Mireille Hildebrandt, who bring to the
project extensive expertise in studying the impact of emerging technologies on core
tenets of democracy and the rule of law, notably on privacy, non-discrimination and
due process. The second student
will have a technical background, and will be supervised by Prof. Bart Preneel and
Dr. Claudia Diaz, who are experts in computer security and privacy. The fulfilment of
the project objectives will require that both students work in close collaboration, as
specified in the description of the objectives, which provides the basis for the
workplan for their interaction. In more detail: we plan for a monthly seminar during
the first year, alternating between Leuven and Brussels, inviting experts and debating
in function of the first objective. This should result in a co-authored paper by both
students in an international peer reviewed journal that caters to interdisciplinary
research, as well as separate articles in journals and top conferences within the
respective disciplines. During the following two years similar seminars will be
organised to work on the second and third objectives, again resulting in one or two
co- authored publications, separate publications, and an international working
conference on the topic. During the fourth year we expect that all attention will go to
finalizing the PhD theses. The experiences of interdisciplinary cooperation between
our two research groups in the context of the EU FIDIS Network of Excellence
suggests that this joint undertaking will prove to be highly successful.
The PhD student working within the technical discipline will prepare a PhD thesis on
the subject of computational location privacy, focused on developing the analytical
framework described in the third objective. The added value of the input from the
legal and ethical domain will be that privacy attributes taken for granted within
computer science will be challenged and rethought in order to develop a more
comprehensive understanding of the nature of privacy beyond the hiding of discrete
personal data. This will include an analysis of the extent to which the ambiguity
inherent in a broader notion of privacy can be translated into mathematical models. It
is expected that this will augment the chances that these technologies will be taken up
by society, instead of remaining a tool for a minority of privacy advocates.
The PhD student working within the disciplines of law and ethics will prepare a PhD
thesis on the subject of location privacy as contextual privacy, investigating to what
extent the dynamics and ambiguity of the ethical value and legal right of privacy can
be translated into the analytical framework described in the third objective. The added
value of the input from the computer science domain will be that it requires the
lawyer (philosopher) to investigate the implications of computational location privacy
for the legal (and ethical) domain, thus inviting a much needed reflection on the
effectiveness and the legitimacy of written law as compared to its articulation in ICT
infrastructures.
Bibliography [AR01] P.E. Agre, M. Rotenberg (eds.). “Technology and Privacy: The New Landscape”.
Cambridge, Massachusetts, MIT, 2001.
[BS03] A. Beresford, F. Stajano. “Location privacy in pervasive computing”. IEEE
Pervasive Computing 2(1):46-55, 2003.
[BM+09] K. Bauer, D. McCoy, B. Greenstein, D. Grunwald, D. Sicker. “Physical Layer
Attacks on Unlinkability in Wireless LANs”. In 9th Privacy Enhancing Technologies
(PETS’09), Springer LNCS 5672, pp. 108-127, 2009.
[Ca09] A. Cavoukian. “Privacy by design... take the challenge”. Information and Privacy
Commissioner of Ontario (Canada), 2009.
https://ozone.scholarsportal.info/bitstream/1873/14203/1/291359.pdf
[DS+02] C. Diaz, S. Seys, J. Claessens, B. Preneel. “Towards measuring anonymity”. In
2nd Privacy Enhancing Technologies (PET’02), Springer LNCS 2482, pp. 54-68, 2002.
[DM07] B. Daskala, I. Maghiros. “D1gital Territ0ries. Towards the protection of public
and private space in a digital and Ambient Intelligence environment”. Institute for
Prospective Technology Assessment (IPTS), 2007.
[DLA05] G. Danezis, S. Lewis, R. Anderson. “How much is location privacy worth?” In
4th Workshop on the Economics of Information Society (WEIS’05), online proceedings,
2005.
[Do05] F. Dötzer. “Privacy Issues in Vehicular Ad Hoc Networks”. In Privacy Enhancing
Technologies (PET’05), Springer LNCS 3856, pp. 197-209, 2005. [DG03] P. De Hert, S.
Gutwirth. “Making sense of privacy and data protection. A prospective overview in the
light of the future of identity, location based services and the virtual residence”. In IPTS JRC Security and Privacy for the Citizen in the Post- September 11 Digital Age. A
prospective overview, Report to the European Parliament Committee on citizens’
Freedoms and Rights, Justice and Home Affairs (LIBE), IPTS-Technical Report Series,
EUR 20823 EN. 2003. p. 111–162 [GP09] P. Golle, K. Partridge. “On the anonymity of
home/work location pairs”. In Pervasive Computing, Springer LNCS 5538, pp. 390-397,
2009.
[GG03] M. Gruteser, D. Grunwald. “Anonymous usage of location-based services
through spatial and temporal cloaking”. In proceedings of MobiSys '03. ACM, 31-42,
2003.
[Gu02] S. Gutwirth. “Privacy in the information age”. Rowman & Littlefield, 2002.
[HCL04] J.-P. Hubaux, S. !apkun, J. Luo. “The security and privacy of smart vehicles”.
IEEE Security and Privacy 2(3): 49-55, 2004.
[HK10] M. Hildebrandt, B. J. Koops. “The challenges of Ambient Law and legal
protection in the profiling era”. Modern Law Review 73(3), 2010 (forthcoming). [HG05]
B. Hoh, M. Gruteser. “Location privacy through path confusion”. In IEEE Security and
Privacy for Emerging Areas in Communication Networks (SecureComm), IEEE Computer
Society, pp. 194-205. 2005.
[Kr07] J. Krumm. “Inference attacks on location tracks”. In Pervasive Computing,
Springer LNCS 4480, pp. 127-143, 2007.
[Kr09] J. Krumm. “A survey of computational location privacy”. Personal and
Ubiquitous Computing 13(6): 391-399, 2009.
[Ma03] D. Mackay. “Information theory, inference, and learning algorithms”.
Cambridge Univ. Press, 2003. [Ni10] H. Nissenbaum. “Privacy in context: technology,
policy, and the integrity of social life”. Stanford Law Books, 2010.
[SF+09] R. Shokri, J. Freudiger, M. Jadliwala, J.-P. Hubaux. “A distortion-based metric
for location privacy”. In 8th ACM Workshop on Privacy in the Electronic Society (WPES),
pp. 21-30, ACM, 2009. [Sw02] L. Sweeney. “k-anonymity: a model for protecting
privacy”. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems,
10 (5): 557-570. 2002.
[RG09] C. Raab, B. J. Goold. “Putting surveillance on the political agenda. A short
defence of surveillance, citizens and the state”. Surveillance & Society 6 (4) 2009, 408413.
[RPP03] G. Roussos, D. Peterson, U. Patel. “Mobile identity management: an enacted
view”. International Journal of Electronic Commerce 8(1): 81-100, 2003.
[TC+10] C. Troncoso, E. Costa, S. Schiffner, C. Diaz. “How the Vehicle Infrastructure
Integration anonymous certificates enable the tracking and re-identification of vehicles”.
COSIC technical report, 15 p, 2010.
[WP05] Art. 29 Working Party. WP 115. “Opinion on the use of location data with a view
to providing value- added services”. November 2005.
[XC09] T. Xu, Y. Cai. “Feeling-based location privacy protection for location-based
services”. In 16th ACM conference on Computer and communications security (CCS’09),
pp. 348-357, ACM, 2009.
[Zi05] M. Zimmer. “Surveillance, privacy and the ethics of vehicle safety communication
technologies”. Ethics and Inf. Technol. 7: 201-210, 2005