Confidentiality of Information About a Person’s Whereabouts

Most people volunteer their geographic location information every day to a variety of entities, and they may not even be aware of it. When we download a new app, we automatically agree to the Terms & Conditions, and Privacy Policy without reading them. The way that this information is used in a cyber context brings up issues of privacy. With cell phone use ubiquitous, and practically necessary in modern society, do citizens have a reasonable expectation of privacy with their geographic movements? In addition to cell phones, other geolocation technology has also become part of daily life. Who should be allowed to access this information and under what circumstances? Examining these issues of privacy of location information with regards to voluntary disclosure, government use, and third party sharing will show why the legal use of this information can be challenging. The collection and use of geographic data create legal privacy problems for both government and the private sector.

Even when an individual agrees to share their geographic location with certain party, privacy issues still exist. Cartography is a growing field, with many new applications for mapping in the digital world. One data collection method growing in popularity is volunteered geographic information, which although permission was granted, can sometimes be collected without the user’s notice. One example of this is the geotagging on photos; most do not consider the privacy implications every time they snap a photo. Another example is Google maps. By the nature of the app, users must share their location to navigate, but they may not realize that the data is used in real time to evaluate traffic.

In fact, Google was accused of misleading users about what data they collect by hiding default settings and not getting active consent in conformance with new GDPR laws. There are ways to anonymize or blur the details of the data, which is recommended for crowd-sourced mapping . In this case, data may show a user’s route from a certain neighborhood to downtown, but not from that individual’s house to their specific office. Even with users’ permission to collect location data, cartographers must still take care that the information they collect cannot be used alone, or in conjunction with other data sources, to identify an individual. This can be a particularly challenging prong. Even if users agree to share location data, they may not consent to sharing data about their health, family, or work life. However, geographic information can be used to discover this personal information. For example, someone who often visits a cancer treatment center probably has treatment. Someone whose daily route takes them to a preschool and a playground likely has a young child. Companies that collect geographic information must take care to anonymize data so they can’t be sued for violating a user’s privacy by putting together information that the user did not consent to share, but legal standards for correct anonymization do not exist.

In addition to the way geographic data is collected privately, there are also legal privacy concerns about the way that the government can gather and use this data. One of the most important developments in this area is the Carpenter vs. United State case heard by the Supreme Court in 2018. In this case, police used phone record requests to get location data about Carpenter and used it to tie him to a string of robberies. Carpenter objected to the use of his cell-site location information (CSLI) as an unwarranted intrusion on his privacy under the 4th Amendment. Although appellate courts held that this was legal because Carpenter had already disclosed his location to the cell carrier, so the data was no longer private, the Supreme Court ruled that we have a reasonable expectation for privacy regarding our physical movements. Previous decisions, including Smith v. Maryland, still set precedent for certain phone records to be collected without a warrant, but the Supreme Court ruled that the CSLI in the Carpenter case was much more exhaustive, and required a warrant to obtain . This was a narrow decision, but it represents a clear legal stance from the highest level. It will be interesting to see how future court cases use this decision to shape the legality of law enforcement’s use of location data.

Besides CSLI, there are other ways that location data can be collected and used. One of these is Automatic License Plate Recognition, or ALPR. This technology can be used to track down criminals, but organizations including the ACLU have raised concerns about how this data is tracked, stored, and combined into regional databases. Although license plates are tied to a vehicle, most vehicles have single or a few related drivers, and extensive data could be used to discover habits of normal citizens, which most people would consider an invasion of privacy. Additionally, a study found that agencies collecting ALPR data were each sharing it with an average of 160 other entities for research and law enforcement, and even selling the data to undisclosed parties. Regulations on how this data can be used range from allowing data to be stored for 21 days to 3 years, or having no specific regulations. Storing the data longer raises concerns about what the government is using it for if not to aid with active investigations. Another data source of interest is GPS data. The Supreme Court Ruled that GPS tracking was covered under 4th Amendments rights. However, comprehensive legislation about the use of GPS data has not been passed.

The Geolocation Privacy and Surveillance Act was introduced in 2011, and reintroduced in 2013 and 2015, but never passed. These are just a few examples of geolocation data that the government could use. Other geolocation devices include ATM cameras, traffic cameras, CCTV, or even public media posts. Even though the Carpenter case gave us a clear decision regarding CLSI for law enforcement, there are still unresolved issues about what geolocation data law enforcement can use without infringing on citizens’ privacy. The FTC advises that website operators should get affirmative consent before collecting sensitive data from users, which includes any precise geographic location information. This advice is non-binding, but it may be considered a best practice, and could come into play legally in data breach situations to decide if a company adequately protected personal data.

A final case to consider is when a private company discloses information to a third party. If a navigation company, like Google, sells the information they track about your location, a company may use it to distribute targeted advertisements. The Privacy Act of 1974 limits the way that agencies can distribute information and allows citizens to see what has been collected about them. However, it only applies to government agencies, not private companies. There is in fact a loophole in this law, which is that companies can sell this information to other companies, who can then disclose to the government. Recently, concern was raised about this issue, and particularly the way that Securus, a prison technology company, was able to access the location of anyone very quickly by using cell tower data collected from major carriers through an intermediary company. The cell tower data is not as pinpoint accurate as GPS, but the lack of regulation on this data points to legal uncertainty. Sometimes the third parties require explicit consent from users to disclose the data, but in certain situation, they claim that implied consent is given. In other situations, the validity of requests from law enforcement may not be explicitly checked before disclosing the data without the user’s knowledge. In the cyber world, the way that data can be shared instantly means that parties who would not have otherwise had access can obtain personal information, which raises concerns about the legality of sharing this information. No clear legal guidance on sharing private information has been given at this time.

In some ways, geolocation data may not seem to be a privacy issue. People see us publically every day. But the Supreme Court has ruled that we have a right to privacy of our physical movements, and courts in Europe have claimed the right to be forgotten is a human right. Given the way that geolocation data can be used to reconstruct a lot of information about personal lives, it seems clear that there are legal issues with the privacy of geolocation data in the digital age. Private companies must get consent to collect the data, and take care in the way that it is used or anonymized. The regulations for government collection and use of location data are developing, but still incomplete. Sharing this information creates new challenges to define how far user’s consent reaches, and who can have access to what data. Our reliance on location technology is not going away, and the implications on privacy must be given full legal consideration.