The value of time and place: mastering data privacy in geolocation tracking

Geolocation tracking and data privacy

The collection of location data is inherent all kinds of devices, from smartphones to connected cars, and anyone who has ever worked with spatial data will agree that geolocation analytics is one of the most powerful tools an organization can use to inform business decisions and improve profitability. Rapid developments in geolocation tracking technologies and data analytics methodologies have already shown how it can be used for the public good and location data tracking is of great interest as a result.

Whether it’s been used to provide better healthcare, track the spread of a virus, fight climate change, or for more prosaic reasons — such as targeted advertising, supply chain management, and consumer services (maps, delivery, micro-mobility) — location analytics technologies are continually improving. In fact, the global location analytics industry, which was valued at $11.80 billion in 2020, is anticipated to hit $36.22 billion by 2028, more than tripling its worth.

As the industry grows, however, so do the concerns about ensuring ethical use and personal privacy. There is mounting evidence of dubious practices where identifiable geolocation tracking data is regularly acquired and used by third parties with whom the individual has no direct relationship and where de-identified or anonymized location data is regularly combined with identifiable personal data to compile comprehensive profiles of the individual.

Investigations, such as The New York Times Privacy Project are raising awareness of how even supposedly anonymous location data can reveal highly sensitive details about consumers’ behaviours, patterns, and also personal lives. If we want location analytics technology to fulfil its potential as an effective tool for the public good and business growth, then it must enjoy a high degree of public confidence and trust.

Geolocation tracking: history calling

Some of today’s concerns around the use of geolocation tracking data date back to the times when big telcos and some phone manufacturers were using geotracking for internal purposes, such as service and product improvements, as well as for sales. Advertisers, online publishers, retailers, and big digital companies were particularly interested in purchasing this data and benefitting from the insight into where their customers and prospects are and where they tend to go regularly.

While this data wasn’t sold at an individual level, but rather in an aggregate form, the sale of such data has become a major concern as the public became savvy about the collection and misuse of their personal data generally. Today, this is prevented by various data protection regulations to ensure consumers’ privacy is not compromised while telcos are required by law to be able to locate a person within a certain distance.

With technology advancing, the need for organizations to be able to use geolocation tracking data that doesn’t interfere with privacy rights becomes more pressing. Today, the majority of industries can be improved with location-based insight. From fine-tuning targeted advertising to assisting drivers of connected cars and making smart cities truly smart, it is no longer just a matter of business interest.

Locating the risk

As location data is generally considered ‘private’, the studies that point how little effort it takes to track an individual clearly indicate how much of a privacy risk working with such data can be. With just four points of time and place information, it is possible to uniquely identify 95% of individuals. Making geolocation tracking data anonymous by removing names or email addresses from those records simply doesn’t work.

An infamous example of this risk is the 2014 example of New York City Taxi data being used to show what sort of damage could be done to people’s privacy. Using data concerning 173 million taxi trips, including drop-off times, pickup locations, fare, and tip amounts, privacy researcher Anthony Tockar was able to identify which celebrities, for example, took a specific cab at a specific time. All that he needed to do was to search Google for publicly available images of celebrities getting out of a taxi. This is an extreme example, but it’s worth noting that any concierge desk would have the details of taxi rides that have been ordered.

More recently, the Life360 app has received heavy criticism when it came to light that raw location data of families, including children, has been sold in raw form to “dozens of brokers” who then sell it “to virtually anyone who wants to buy it”. Furthermore, according to former employees, Life360 “does not implement privacy protection measures such as fuzzing, hashing, aggregating, or reducing the precision of the data”.

Thinking about the privacy of these datasets, it is essential to thoroughly analyze and establish how identifiable each point is. Only then is it possible to manage this risk and understand which technique is best placed to mitigate it, whether that is zooming out of exact locations and working with larger areas or opting to not use every single point along a trajectory.

This more proactive approach to privacy management enables businesses to deploy privacy-enhancing tools that preserve data utility for analytics while reducing the privacy risk. By having more data accessible, businesses can then generate more insight and benefit from the knowledge of where their customers and prospects are going and what they are doing.

In the name of public good

The events of the past two years have seen governments around the world explore the use of mobile and other location data to respond to the spread of COVID-19 for understandable public health reasons. While in this case only very few would argue that this has not been done with a legitimate interest in mind, it has pushed the debate about the power of location data high on the agenda.

The rise of tracking apps sparked loud comments from privacy advocates about the key considerations that need to be accounted for in the rush to stop the spread of the virus. While businesses must always have an individual’s consent to use their geolocation tracking data, protecting public health at a time of emergency is a situation that can justify some restrictions on rights. But as critics pointed out, it does not warrant free rein and even less not disclosing sufficient information about the protocols and procedures used to handle the data. In some cases, the promises not to use COVID-19 tracking data have already been broken.

Fundamentally, respecting people’s privacy in this scenario would mean ensuring data collected for the purpose of combatting the pandemic was not used for any other purpose, shared with 3rd parties and was deleted once the pandemic is over. The data management policy should cover the agreement on how the data would be stored and used after the immediate threat to the public has been eliminated, and ensure that any action taken now will not open the door to any privacy issues arising further down the line. Unfortunately, many of these questions still need to be addressed.

Mapping the journey ahead

The pandemic has highlighted the power of the location trackers that everyone now carries in their pocket and being able to control the associated privacy risks will provide a crucial competitive edge in the years to come. Location data is a rich source of valuable insight, but it needs to be used in a responsible way.

While businesses that have not prioritized building privacy by design into systems from the outset will now need to adjust the way they operate, today’s technology makes it possible to work with location datasets in a privacy-enhanced way and achieve the same business outcomes. This journey begins with identifying exactly where the risks are and only then applying state-of-the-art techniques to mitigate them.

If you found this article on geolocation tracking insightful, it’s worth exploring the challenges of privacy engineering in a big data economy for further insights on privacy-preserving geo-mapping. Alternatively, take a deeper dive and explore our recent privacy engineering webinar.