W3C home > Mailing lists > Public > public-geolocation@w3.org > October 2008

Re: Location privacy concerns

From: Alissa Cooper <acooper@cdt.org>
Date: Fri, 24 Oct 2008 15:20:12 -0400
Cc: public-geolocation@w3.org
Message-Id: <B873E290-DC22-40FC-8691-26F1F6ED6C2B@cdt.org>
To: Ian Hickson <ian@hixie.ch>

(John is traveling and offline until Monday, but I will weigh in with  
a few thoughts in the meantime.)

On Oct 23, 2008, at 4:23 PM, Ian Hickson wrote:
> Could you elaborate on the exact scenario through which a user's  
> privacy
> can be violated?
> As I understand it, the user has full control over whether a site has
> access to this information or not, and would thus only give the
> information to a site that the user trusts to not abuse the  
> information.
> If the user doesn't trust the site not to abuse the information,  
> then it
> doesn't matter what privacy theory is passed along with the  
> location, the
> site can't be trusted to make abuse it (by definition).

This seems to assume that the only scenario in which this API will be  
used is when a user manually enters his location information on a site  
or manually authorizes that site to obtain his location. I imagine  
that the use cases for the spec are actually much broader, and may  
well encompass scenarios where the user is not involved in providing  
his location information or authorizing its use.

Consider a slight variation on the existing Geode add-on as an  
example. Right now, when you visit a site that requests your location,  
Geode prompts you to decide whether and with what specificity your  
location information can be shared with the site. But what if this  
prompt didn't exist? Then the site would request location information,  
and it would be delivered without the user being involved (this is  
exactly what happens already with IP address-based geolocation  
lookups). Although existing implementations may obtain permission, it  
seems plausible (and likely) for user agents to implement the API such  
that sites can directly obtain location information without  
interacting with the user.

This could be an attractive avenue for, say, third-party advertisers  
who want to serve location-based ads but don't want to (or aren't  
allowed by the site to) interject a request for permission from the  

The spec does not appear to be limited in any way to the case where  
users have full control. If that is the intention, we should discuss  
how to make it explicit (although even in that case there would still  
be value in crafting the spec such that sites will be more likely to  
take privacy considerations into account).

> This seems equivalent to all other private information a user gives  
> a site
> access to, such as credit card details, social security numbers,
> preferences, etc. The information is held under the terms of the  
> site's
> privacy policy, and the user makes a decision as to whether to  
> provide the
> information based on whether they trust the site operator or not.

Relying on a site's privacy policy for enforcement of privacy rules  
strikes me as a much riskier approach than, at a minimum, forcing  
sites to consider privacy rules that are always automatically conveyed  
together with location information. Take the example of a pizza place.  
You provide your location information to a pizza place's web site, and  
it returns to you the nearest chain location. An average user probably  
expects the pizza place to get rid of his location information  
relatively soon afterward. But what if the pizza place keeps it, or  
sells it? What if law enforcement then comes and asks for all of the  
pizza place's location info? It is far preferable from a privacy  
perspective for the pizza place to be forced to confront these issues  
when it receives location data accompanied by rules explaining the  
user's preference not to have his location data stored. The rules can  
still be ignored. But without them, the pizza place can much more  
easily absolve itself of all responsibility for the data it collects  
merely by stating its practice of retaining location information  
indefinitely in a privacy policy which no average user is likely to  
read. With rules attached, the pizza place must at the very least  
develop a rationale for ignoring the rules.

If you decouple the conveyance of location information from the rules  
associated with that information, it's an invitation for sites to  
ignore privacy altogether. Given that location information may be  
extremely sensitive, forcing sites to at least think through an  
approach to privacy, rather than skirting it entirely, seems sensible.

It is certainly true that much of the data shared on the web today is  
governed by privacy policies. If we decided today to develop a  
standard for the conveyance of social security numbers on the web, I  
think it would be a good idea to consider how such a standard could  
have rules or user preferences about the onward transfer of the  
numbers built into it. That's not the standard we're focused on, but  
we are focused on conveying location information, which can be just as  
sensitive if not more sensitive in certain contexts than the kinds of  
data you list above. So I think it makes sense for those involved in  
this effort to consider how we can improve over the status quo for  
conveying user data on the web.


Alissa Cooper
Chief Computer Scientist
Center for Democracy and Technology
1634 I Street NW, Suite 1100
Washington, DC 20006
202 637 9800
fax 202 637 0968
Received on Sunday, 26 October 2008 15:27:02 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:50:52 UTC