The Future of Location-Based Services and the Implications of User Privacy

ABSTRACT

Location-based services (LBS) have seen a rise in popularity in recent years. These services employ the use of real time GPS data to help facilitate many of our everyday tasks such as identifying nearby points of interest, locating restaurants, and providing other travel-related information. Moreover, LBS are used in more serious situations like those of fraud prevention and emergency locating. However, as this technology continues to progress, concern has been raised over its ethical implications. In particular, many are worried about its threats to user privacy. This paper works to identify these potential threats and outlines ways in which security can be improved without compromising our privacy.


INTRODUCTION

As reported by a survey conducted by the Pew Research Center in 2016, more than three-quarters of Americans own a smartphone [1]. Further, an impressive 92% of individuals between the ages of 18 and 29 own this kind of device, suggesting a positive trend in smartphone usage for generations to come [1]. Indeed, the rise in smartphone popularity is well-deserved, as the applications of these devices extend to many facets of everyday life.

Perhaps one of the more notable achievements within smartphone development is the adoption of location-based services (LBS). These are geographic services which leverage the built-in GPS technology of smartphones to track the location of their users. Such services are employed by cell phones in a variety of different contexts, contributing to the overall practicality of this technology. For instance, many phone applications utilize LBS to locate nearby points of interest (like restaurants or shops) and to facilitate emergency assistance [2]. However, while this technology is in part responsible for the heightened functionality of smartphones, it is not without its drawbacks. In particular, although LBS may enhance security, the act of collecting user location data inherently leaves individuals susceptible to an array of issues such as threats to privacy. This brings about many ethical concerns, since it is a direct violation of the primary principle in the Association for Computing Machinery's (ACM) code of ethics: "Software engineers shall act consistently with the public interest" [3]. Therefore, in order for this technology to continue making technical advances, its ethical implications must first be addressed to ensure the wellbeing of those who use it.

WHY THE PRIVACY CONCERN?

Throughout the day, we constantly move from one place to another, suggesting that mobility plays an essential role in each of our lives [4]. Whether as a GPS tool or as a means to search for a new restaurant, the location services of our smartphones often guide our trips. Yet, each time we enlist the help of an LBS application, a new point of user-specific location data is created. While this may appear harmless at first, these data points, when summed across days of travel, generate unique geographical footprints for each individual. The root of the privacy concerns lies with this user location data and more specifically with who has access to it. In particular, the entirety of the LBS process consists of many different stakeholders such as content providers, network operators, virtual operators, service administrators, and financial parties [5]. The complex set of interactions between these players facilitates the transfer and retrieval of location data within LBS [6], exposing this data on a variety of different fronts.

Several studies have analyzed the implications of LBS and examined how they could jeopardize the privacy of users [7, 8, 9]. Each found that location data from both mobile and GPS data logs could be used to reveal key points of interest and could expose personal information such as one's place of residence, place of work, family life, and general routine [4]. For instance, imagine if your location data fell into the hands of a criminal, either by sale from one of the various stakeholders or by hacking. This individual now has the ability to monitor when you leave your house and track the patterns of your movements. Effectively, this is an open invitation for the criminal to rob your house without having to worry about when you will return. For example, one city in New Hampshire, Nashua, was subject to a group of burglars who robbed nearly 20 homes in the area [14]. Upon their arrest, they revealed that each burglary was carefully planned using location data which they pulled from their victims' Facebook accounts [14]. By looking at the geo-location tagging and status updates on social media, the robbers were able to deduce when individuals would leave their houses. In an even graver case, imagine if another malicious individual managed to acquire the location data of your child, especially given the growing popularity of smartphones among younger users. With the knowledge of such sensitive information, there is nothing to deter child predators from committing acts of stalking and harm. In fact, in 2009 the U.S. Department of Justice reported that global positioning system (GPS) technology accounted for a tenth of stalking cases involving electronic monitoring [15]. With the increase in the use of technology, this number is likely to have grown in recent years. As a result, while the effects of LBS can vary in terms of seriousness, each case of a privacy breach nevertheless results in a potential threat to one's personal safety [5].

ETHICAL IMPLICATIONS OF LBS

Perhaps one of the most complex challenges to addressing the ethics of LBS is defining user privacy. Privacy is not a quantifiable object. Rather, it is unique to each person and reflects their perceptions of unwanted intrusions or disturbances to their lives. This subjectivity suggests that the idea of privacy is different from person to person, making it difficult to address the threats LBS may pose to this construct.

Further, an individual's idea of privacy is also shown to have a strong correlation with their education on this topic. In particular, one study of LBS devices describes how the existing privacy literature typically targets educated users when explaining the effects and privacy complications of LBS [10]. However, the use of smartphones with LBS is becoming more widespread, even in more rural areas and among individuals with less education [10]. This raises the concern that some consumers may not realize the underlying ramifications of using LBS and may unknowingly jeopardize their privacy, simply because they lack the necessary education on this topic. Thus, it becomes the responsibility of the engineers of LBS to ensure that the public as a whole is well informed on the implications of this technology.

Even still, the idea of privacy is inherently dynamic; it can change over time on both individual and population scales. In other words, the concept of privacy from decades ago is far from that of today. For instance, using LBS to identify the exact location of friends or family members through the click of a button was unheard of until recently. Thus, as time goes on, we become more accustomed to intertwining our lives and technology, often at the expense of our personal privacies. One example of this is a recent LBS advancement in which parents can utilize a phone application to monitor the whereabouts of their children. This application forces adolescents to answer all incoming calls from their parents, as it will remotely lock their mobile devices if they fail to comply [11]. As a result, the act of using LBS tracking is being normalized, and these children are conditioned to accept this privacy compromise for added security. This is problematic since if each subsequent generation possesses more of a disregard for privacy, where then can we draw the line for the intrusiveness of items like LBS? At what point have we gone too far in compromising our privacies for the sake of security? As engineers, it is imperative to look ahead and consider these future implications of LBS before they become realities.

Much of the tension between privacy and security can be related to the idea of control; more specifically, in whose hands the control lies [6]. Certainly, if society opts in favor of increased monitoring and security, those who are operating the LBS devices, whether with pragmatic or malicious intentions, hold the power. However, we must be careful to draw the distinction between practical monitoring and intrusive surveillance. For instance, no matter how well justified the outside surveillance may be, personal autonomy becomes a concern when an individual is constantly watched [12]. Think again of the example of parents who use a phone application to intrude on their children's lives. The kid has no choice but to answer the phone, unable to exercise their own autonomy. Therefore, it is evident that a more privacy-favored approach leaves control with the individual. This in turn aids in the protection of one's personal autonomy, as a decrease in external monitoring will leave individuals more in power over both their privacy and their lives.

APPROACHES TO PRIVACY PROTECTION

1. Policy Based Regulation
One of the more straightforward methods of privacy protection is policy-based regulation. Under this form of regulation, the LBS provider is to specify their intentions behind the use of any user location data that they collect. This largely is a trust-based model in which these service providers define restrictions that manage the distribution of this data to outside parties [5]. However, a focus on trust inherently leads to one of the large pitfalls of this privacy solution, as providers may find ways to work around the policies they have in place and jeopardize personal information without the users ever knowing. As a result, if the service providers fail to adequately enforce the policies which they prescribed, the privacies of the public are still very much at risk [13]. Fortunately, there are more robust forms of privacy protection which do not leave all the power in the hands of LBS providers.

2. Location Obfuscation
A more proactive category of privacy protection is location obfuscation. Contrary to policy-based regulation, which relies on human-made rules and regulations, this form of protection is enforced by software alone. This results in a more neutral and secure model. In particular, location obfuscation acts to protect an individual's privacy by degrading the quality of the location data received by the LBS providers [5]. As a result of this data alteration, it becomes increasingly difficult to identify the precise location of a given individual. Some of the most common methods of location obfuscation are the use of mix zones, spatial cloaking, and random noise and dummies [5, 13].

3. Mix Zone
The mix zone approach operates by anonymizing user location data. Within a given mix zone, the following principles hold: no user sends location updates to the service providers while inside the zone, and each user is assigned a new pseudonym (fictitious alias) upon exiting the zone [13]. Mix zones are typically designated by a function which evaluates both the size of the anonymity set and a location entropy-based (degree of disorder) metric [13]. However, a drawback to this methodology is that while the identities of users are preserved by pseudonym anonymization, malicious attackers may still be able to predict the general locations of users by analyzing the patterns of their movements through these zones (linking the pseudonym that exits a zone to the one that entered it). As a result, it is important for engineers to ensure that the entropy-based metric they choose is optimized in order to make it as difficult as possible to identify any movement patterns.

4. Dummy Generation
Another approach to privacy protection is that of dummy generation. Under this method, dummies (fake individuals) are added to the pool of location data which the LBS receives. These dummies are created to mimic the movement patterns of actual users, so as to provide LBS servers with a mix of real user locations and dummy locations [13]. If implemented sufficiently, dummy generation can protect a user's privacy without enlisting the help of a trusted server to facilitate the process [13]. However, this technique is not always a guarantee of protection, as a malicious LBS provider may still find a way to distinguish the real users from dummies after tracking movement patterns for extended periods of time.

5. Spatial Cloaking
The last and perhaps the most promising approach is spatial cloaking. Spatial cloaking works to achieve user privacy protection through the use of a technique called k-anonymity. This technique received its name because it ensures that each individual's location data in a given spatial region is indistinguishable from that of at least k-1 other users in that region, so that any user is one of at least k candidates [5]. The k-anonymity technique accomplishes this feat through the use of an anonymization algorithm, which serves as the middleware between consumer and provider. In this way, user data is first passed through the algorithm to generate "cloaked" boxes of location data [13]. These anonymized boxes are then passed on to the service providers, allowing them to conduct their normal operations on the location data.

Unlike the previous location obfuscation approaches, k-anonymity allows for more modular catering to user preferences. For instance, one implementation of this technique allows users to create profiles which describe their personal privacy settings. Specifically, these privacy profiles are structured around a user's preferred anonymity set (the k value in k-anonymity) and the minimal acceptable location resolution (the specificity of a user's geographic and temporal coordinates) [13]. Therefore, if either one of these parameters cannot be satisfied, we can determine that releasing the location would breach the user's privacy and withhold it. As a result, k-anonymity's dynamic nature and effective anonymization make it a very promising candidate for the future of privacy protection.
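The following is an added example, not code from the paper or from any of the cited works, of the spatial cloaking middleware described above: a quadtree-style cloaking routine (an assumed implementation, not necessarily the one in [13]) that shrinks a box around the user while it still contains at least k users, then checks the box against the user's privacy profile (anonymity set k and a maximum acceptable box extent standing in for "minimal acceptable location resolution"); the coordinates and peer positions are constructed sample data in a unit square.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]            # (lat, lon), constructed sample units
Box = Tuple[float, float, float, float]  # (min_lat, min_lon, max_lat, max_lon)


@dataclass(frozen=True)
class PrivacyProfile:
    """A user's profile as described in the text: anonymity set size k and the
    largest cloaked box they are willing to be hidden in (coarsest resolution)."""
    k: int
    max_extent: float


@dataclass(frozen=True)
class CloakedBox:
    box: Box
    count: int  # number of users (including the requester) inside the box

    def extent(self) -> float:
        min_lat, min_lon, max_lat, max_lon = self.box
        return max(max_lat - min_lat, max_lon - min_lon)


def _inside(box: Box, p: Point) -> bool:
    min_lat, min_lon, max_lat, max_lon = box
    return min_lat <= p[0] <= max_lat and min_lon <= p[1] <= max_lon


def _count(box: Box, points: Sequence[Point]) -> int:
    return sum(1 for p in points if _inside(box, p))


def cloak(user: Point, others: Sequence[Point], profile: PrivacyProfile,
          region: Box = (0.0, 0.0, 1.0, 1.0), min_cell: float = 1e-4) -> Optional[CloakedBox]:
    """Return the smallest quadtree cell around `user` holding >= k users, or None
    when the profile cannot be honoured (too few peers, or the box that achieves
    k users is coarser than the user accepts). None means: do not release."""
    if profile.k < 1:
        raise ValueError("k must be at least 1")
    everyone: List[Point] = [user] + list(others)
    box = region
    if _count(box, everyone) < profile.k:
        return None  # not enough users anywhere in the region to anonymize
    while True:
        min_lat, min_lon, max_lat, max_lon = box
        mid_lat, mid_lon = (min_lat + max_lat) / 2, (min_lon + max_lon) / 2
        # Descend into the quadrant that contains the user.
        child: Box = (min_lat if user[0] < mid_lat else mid_lat,
                      min_lon if user[1] < mid_lon else mid_lon,
                      mid_lat if user[0] < mid_lat else max_lat,
                      mid_lon if user[1] < mid_lon else max_lon)
        # Stop when the next cell would break k-anonymity or get unreasonably small.
        if _count(child, everyone) < profile.k or (mid_lat - min_lat) < min_cell:
            break
        box = child
    result = CloakedBox(box, _count(box, everyone))
    if result.extent() > profile.max_extent:
        return None  # k can only be met with a box coarser than the user allows
    return result


# Constructed sample data: the requester and five other users in the unit square.
SAMPLE_USER: Point = (0.30, 0.70)
SAMPLE_OTHERS: List[Point] = [(0.32, 0.72), (0.28, 0.68), (0.35, 0.66), (0.90, 0.10), (0.10, 0.20)]

if __name__ == "__main__":
    print(cloak(SAMPLE_USER, SAMPLE_OTHERS, PrivacyProfile(k=3, max_extent=0.2)))
```

With k=3 the requester is released inside the box (0.25, 0.625, 0.375, 0.75) together with three neighbours; tightening max_extent to 0.1 or raising k beyond the population makes the middleware withhold the location instead of degrading the guarantee.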

CONCLUSION

ACM’s software engineering code of ethics holds that “software engineers shall act consistently with the public interest” [3]. No matter how innovative a product may be, if it threatens the wellbeing of those who use it, then our job as developers and engineers is not yet finished. This is precisely the case with LBS, because although much attention has been drawn to the benefits of this technology, not enough attention has been given to the potential dangers it may cause to its users.

As with any form of monitoring or surveillance, many of its implications stem from trust or a lack thereof. Thus, if we are to begin making steps in the right direction with LBS, we must establish a foundation of trust between consumers and producers. This starts with transparency from service providers, as a means to not only gain trust but to also educate consumers. Naturally, users deserve to be well-informed on the implications of this technology and on precisely where their location data will end up. Moreover, proper education fosters more efficient privacy protection measures for these consumers. For instance, the adoption of a methodology like k-anonymization can be more effectively implemented, since well-informed users will learn to better configure their privacy profiles to reflect their own preferences. In turn, this ensures that each individual has his or her privacy needs satisfied.

With regard to the software engineering side, the implementation of spatial cloaking algorithms like k-anonymity unfortunately has not yet fully reached the public. Instead, the privacy features for both Android and iPhone users are very much binary in nature. For instance, smartphone users only have the option to disable or enable LBS for each of their applications. If they choose to leave LBS on, their locations are revealed at full precision, leaving no opportunity for privacy modularity. While there are third-party applications on the market that employ techniques like spatial cloaking, many of these applications are not well known and thus receive little use. A more robust solution would be for the actual engineers of iPhones and Androids to take a stand on this issue instead of leaving it for outside parties to remedy. With years of scientific studies supporting spatial cloaking, this technology has proven itself and is ready to be put to use. All that remains is the commitment of these smartphone engineers to integrate this technology into the operating systems of these devices. Moreover, if privacy protection functionality is already built into phones, users will have much more control over what location data they choose to share and may even be more inclined to engage in these protection measures. Therefore, only with the cooperation of smartphone manufacturers will we be able to achieve a future in which advancements in LBS technology are made without compromising the wellbeing of the public.

By Ryan Espiritu, Viterbi School of Engineering, University of Southern California


REFERENCES

[1] A. Smith, “Record shares of Americans now own smartphones, have home broadband,” Pew Research Center, 2017. [Online]. Available: http://www.pewresearch.org/fact-tank/2017/01/12/evolution-of-technology/ [Accessed Oct. 1, 2017].

[2] R. Goodrich, “Location-Based Services: Definition & Examples,” Business News Daily, 2013. [Online]. Available: http://www.businessnewsdaily.com/5386-location-based-services.html [Accessed Oct. 2, 2017].

[3] Computer.org, IEEE-CS/ACM Joint Task Force on Software Engineering Ethics and Professional Practices, 2015 [Online]. Available: https://www.computer.org/web/education/code-of-ethics [Accessed Oct. 2, 2017].

[4] K. Michael and M. Michael, "The social and behavioral implications of location-based services," Journal of Location Based Services, 2011. [Online]. Available: http://www.tandfonline.com/doi/full/10.1080/17489725.2011.642820 [Accessed Oct. 1, 2017].

[5] P. Jagwani and S. Kaushik, "Privacy in Location Based Services: Protection Strategies, Attack Models and Open Challenges," Information Science and Applications, 2017. [Online]. Available: https://link-springer-com.libproxy2.usc.edu/chapter/10.1007%2F978-981-10-4154-9_2 [Accessed Sep. 30, 2017].

[6] R. Abbas et al., "The regulatory considerations and ethical dilemmas of location-based services (LBS): A literature review," Information, Technology, and People, 2014. [Online]. Available: http://www.emeraldinsight.com.libproxy2.usc.edu/doi/full/10.1108/ITP-12-2012-0156 [Accessed Oct. 1, 2017].

[7] M. Gasson et al., "Normality Mining: Privacy Implications of Behavioral Profiles Drawn From GPS Enabled Mobile Phones," Technology and Society (ISTAS), 2011. [Online]. Available: http://ieeexplore.ieee.org/abstract/document/5599314/ [Accessed Oct. 2, 2017].

[8] S. Fusco et al., "Monitoring people using location-based social networking and its negative impact on trust," Technology and Society (ISTAS), 2015. [Online]. Available: http://ieeexplore.ieee.org/abstract/document/7160597/ [Accessed Oct. 1, 2017].

[9] K. Michael et al., "Location-based intelligence – modeling behavior in humans using GPS," Technology and Society (ISTAS), 2007. [Online]. Available: http://ieeexplore.ieee.org/abstract/document/4375889/ [Accessed Oct. 2, 2017].

[10] A. Tan et al., "Location Based Services and Information Privacy Concerns among Literate and Semi-Literate Users," Technology and Society (ISTAS), 2014. [Online]. Available: http://ieeexplore.ieee.org.libproxy2.usc.edu/stamp/stamp.jsp?arnumber=6758998&tag=1 [Accessed Sep. 29, 2017].

[11] G. Retscher and F. Obex, "Ubiquitous User Localization in LBS – The Need for Implementing Ethical Thinking in Our Research Field," Journal of Applied Geodesy, 2016. [Online]. Available: https://www-degruyter-com.libproxy2.usc.edu/view/j/jag.2015.9.issue-4/jag-2015-0015/jag-2015-0015.xml#j_jag-2015-0015_ref_024 [Accessed Oct. 2, 2017].

[12] L. Perusco et al., "Location-Based Services and the Privacy-Security Dichotomy," School of Information Technology and Computer Science, 2006. [Online]. Available: http://www.icmu.org/icmu2006/pdf/ICMU2006-1568989945.pdf [Accessed Oct. 2, 2017].

[13] K. Shin et al., "Privacy protection for users of location-based services," IEEE Wireless Communications, 2012. [Online]. Available: http://ieeexplore.ieee.org/document/6155874/ [Accessed Oct. 1, 2017].

[14] N. Bilton, "Burglars Said to Have Picked Houses Based on Facebook Updates," Bits Blog, 2010. [Online]. Available: https://bits.blogs.nytimes.com/2010/09/12/burglars-picked-houses-based-on-facebook-updates/ [Accessed Nov. 17, 2017].

[15] K. Baum et al., "Stalking Victimization in the United States," U.S. Department of Justice, 2009. [Online]. Available: https://www.justice.gov/sites/default/files/ovw/legacy/2012/08/15/bjs-stalking-rpt.pdf [Accessed Nov. 17, 2017].