Privacy, human rights and Location Based Services

Privacy, human rights and Location Based Services Dr Ian Brown, UCL Computer Science


Transcript of Privacy, human rights and Location Based Services

Page 1: Privacy, human rights and Location Based Services

Privacy, human rights and Location Based Services

Dr Ian Brown, UCL Computer Science

Page 2: Privacy, human rights and Location Based Services

Who cares about human rights?

• Citizens – who want to be treated with dignity and respect

• Regulators – who want to make sure law is being followed

• Legislators – who will be pressured to create new legislation by unhappy voters

Page 3: Privacy, human rights and Location Based Services

Overview

• What is privacy?

• Is privacy incompatible with location-based services?

• Designing in privacy

Page 4: Privacy, human rights and Location Based Services

Privacy

• “The right to be let alone” – Supreme Court Justice Louis Brandeis, 1898

• “A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organisations to intrude on that autonomy... Privacy is a key value which underpins human dignity and other key values such as freedom of association and freedom of speech” – Australian Privacy Charter

Page 5: Privacy, human rights and Location Based Services

Dimensions of privacy (Simon Davies)

• DATA PRIVACY
– collection of personal information
– control over the use of personal data
– access to personal files

• COMMUNICATIONS PRIVACY
– telephone interception
– mail interception
– internet surveillance

• BODILY PRIVACY
– drugs testing
– strip searches
– cavity searches

• TERRITORIAL PRIVACY
– search warrants of the home
– trespass
– electronic sensor surveillance

Page 6: Privacy, human rights and Location Based Services

Data Protection Act 1998

1. Personal data shall be processed fairly and lawfully.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Page 7: Privacy, human rights and Location Based Services

European Convention for the protection of human rights and fundamental freedoms

• Reaffirming their profound belief in those fundamental freedoms which are the foundation of justice and peace in the world:

• Everyone has the right to respect for his private and family life, his home and his correspondence.

• Everyone has the right to freedom of peaceful assembly and to freedom of association with others.

• Everyone has the right to freedom of expression.

Page 8: Privacy, human rights and Location Based Services

Need to address social impacts to ensure trust in new systems

• Just like security, privacy is much easier to design in from the start than to lump on at the end

• Privacy disasters (see RFIDs) are hard to recover from

• “How would you like it if, for instance, one day you realized your underwear was reporting on your whereabouts?” – California State Senator Debra Bowen, at a 2003 hearing

Page 9: Privacy, human rights and Location Based Services

Security not enough

• Security is necessary but not sufficient for privacy

• Magical crypto fairy dust will not solve your privacy problems

• “Those who think that their problem can be solved by simply applying cryptography don't understand cryptography and don't understand their problem” (Needham/Lampson)

Page 10: Privacy, human rights and Location Based Services

Government data sinks

• If data can be collected about individuals, there will always be government pressure to store and access that information

• E.g. PATRIOT Act National Security Letters, NSA activities within the US, EU data retention directive

• Data minimisation is a key requirement for privacy in this legislative environment

• Encryption is no protection if governments can compel decryption

Page 11: Privacy, human rights and Location Based Services

“Snooper’s charter”

• The Department for Environment, Food and Rural Affairs.

• The Department of Health.

• The Home Office.

• The Department of Trade and Industry.

• The Department for Transport, Local Government and the Regions.

• The Department for Work and Pensions.

• The Department of Enterprise, Trade and Investment for Northern Ireland.

• Any local authority within the meaning of section 1 of the Local Government Act 1999.

• Any fire authority as defined in the Local Government (Best Value) Performance Indicators Order 2000.

• The Scottish Drug Enforcement Agency.

• The Scottish Environment Protection Agency.

• The United Kingdom Atomic Energy Authority Constabulary.

• A Universal Service Provider within the meaning of the Postal Services Act 2000.

• A council constituted under section 2 of the Local Government etc. (Scotland) Act 1994.

• A district council within the meaning of the Local Government Act (Northern Ireland) 1972.

• The Common Services Agency of the Scottish Health Service.

• The Northern Ireland Central Services Agency for the Health and Social Services.

• The Environment Agency.

• The Financial Services Authority.

• The Food Standards Agency.

• The Health and Safety Executive.

• The Information Commissioner.

• The Office of Fair Trading.

• The Postal Services Commission.

Page 12: Privacy, human rights and Location Based Services

Insider fraud

Information required                                                       Price paid to ‘blagger’   Price charged to customer
Occupant search/Electoral roll check (obtaining or checking an address)   not known                 £17.50
Telephone reverse trace                                                   £40                       £75
Telephone conversion (mobile)                                             not known                 £75
Friends and Family                                                        £60 – £80                 not known
Vehicle check at DVLA                                                     £70                       £150 – £200
Criminal records check                                                    not known                 £500
Area search (locating a named person across a wide area)                  not known                 £60
Company/Director search                                                   not known                 £40
Ex-directory search                                                       £40                       £65 – £75
Mobile telephone account enquiries                                        not known                 £750
Licence check                                                             not known                 £250

Source: “What price privacy?”, Information Commissioner, May 2006

Page 13: Privacy, human rights and Location Based Services

Designing for privacy

• Data minimisation key: is your data really necessary?

• Limit personal data collection, storage, access and usage

Page 14: Privacy, human rights and Location Based Services

Phone location data

• Does phone or network carry out triangulation?

• What resolution location can network access?

• How long is that data stored?

• Who has access?

• For what purpose?

Page 15: Privacy, human rights and Location Based Services

Transport pricing

• Monitor all traffic (London) or deduct payment from anonymous toll cards (Singapore)?

• Link all payment card usage (Oyster) or use unlinkable RFID tokens (Shenzhen)?

Source: Technology Review, 2006

Page 16: Privacy, human rights and Location Based Services

Anonymisation harder than it looks

Buried in a list of 20 million Web searches collected by AOL and recently released on the Internet is user No. 4417749. The number was assigned by the company to protect the searcher's anonymity, but it was not much of a shield.

No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from "numb fingers" to "60 single men" to "dog that urinates on everything".

Search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for several people with the last name Arnold, for "landscapers in Lilburn," Georgia, and for "homes sold in shadow lake subdivision gwinnett county georgia".

It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, frequently researches her friends' medical ailments and loves her three dogs. "Those are my searches," she said, after a reporter read part of the list to her over the phone.
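The three design questions from the "Phone location data" and "Designing for privacy" slides (what resolution, how long stored, can records be linked to one person) and the AOL lesson above (a persistent pseudonym is not much of a shield) can be turned into concrete log processing. This is an added example, not code from the slides; the grid size, retention period, master key and sample records are all constructed assumptions.

```python
# Added example (not from the slides): privacy-by-design treatment of a
# location-based-service event log. Limits resolution, enforces retention,
# and replaces a persistent phone id with a daily-rotating keyed pseudonym
# so that records cannot be linked across days. All values are constructed.
import hashlib, hmac, math
from datetime import datetime, timedelta, timezone

GRID_DEGREES = 0.01        # ~1 km cells: enough for "nearest branch" style services
RETENTION = timedelta(days=7)
MASTER_KEY = b"constructed-master-key"   # assumption: secret, rotated and then discarded

# Constructed sample log: one phone with a persistent id and fine GPS fixes,
# plus one stale record that should fall outside the retention window.
RAW_LOG = [
    {"phone_id": "IMSI-000001", "ts": "2023-05-01T08:03:12Z", "lat": 51.52346, "lon": -0.13243},
    {"phone_id": "IMSI-000001", "ts": "2023-05-01T18:41:55Z", "lat": 51.51199, "lon": -0.12317},
    {"phone_id": "IMSI-000001", "ts": "2023-05-02T08:05:40Z", "lat": 51.52351, "lon": -0.13239},
    {"phone_id": "IMSI-000002", "ts": "2023-04-01T12:00:00Z", "lat": 51.50000, "lon": -0.10000},
]

def coarsen(lat, lon, cell=GRID_DEGREES):
    """Snap a fix to the south-west corner of its grid cell (resolution limiting)."""
    return (math.floor(lat / cell) * cell, math.floor(lon / cell) * cell)

def daily_pseudonym(phone_id, day):
    """Keyed pseudonym that changes every day, so the same phone gets unlinkable
    identifiers on different days; discarding the day key removes the way back."""
    day_key = hmac.new(MASTER_KEY, day.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, phone_id.encode(), hashlib.sha256).hexdigest()[:16]

def minimise(log, now):
    """Apply retention, resolution and unlinkability to a raw log."""
    out = []
    for rec in log:
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        if now - ts > RETENTION:          # storage limit: drop stale records outright
            continue
        lat, lon = coarsen(rec["lat"], rec["lon"])
        out.append({"pseudonym": daily_pseudonym(rec["phone_id"], ts.strftime("%Y-%m-%d")),
                    "hour": ts.strftime("%Y-%m-%dT%H"),   # keep the hour, not the second
                    "lat": round(lat, 2), "lon": round(lon, 2)})
    return out

def linkable_records(log, key):
    """Largest number of records sharing one identifier: a crude linkability measure."""
    counts = {}
    for rec in log:
        counts[rec[key]] = counts.get(rec[key], 0) + 1
    return max(counts.values()) if counts else 0
```

On the constructed log, `linkable_records(RAW_LOG, "phone_id")` is 3 while the minimised log links at most 2 records (one day's worth), and the month-old record is gone.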

Page 17: Privacy, human rights and Location Based Services

Conclusions

• Privacy is key to human dignity and autonomy in the information age

• Customers, regulators and legislators all have an interest in privacy

• Privacy can and should be designed into systems by minimising personal data collection, storage, access and usage