Report: "Privacy Issues of the W3C Geolocation API"

Hello all,

As I mentioned at the F2F in November, I've been working on
documenting the web sites that are currently using the W3C Geolocation
API and how they provide notice of their information practices to
users (as we require in Section 4.2).  Working with a couple of
professors at Berkeley, I've written up the results of that research
and also done some broader analysis of how the API deals with privacy
issues.

The report is available online [1] and I hope it will be helpful to
the Working Group.  (It's also been sent to the Device APIs and Policy
Working Group [2].)

In particular, we found web sites to be consistently lacking in the
notice they provided: frequently prompting users immediately on
loading the page and rarely providing a clear explanation of how
collected location data will be used, stored or re-transmitted, even
one buried in a privacy policy.  On the plus side, we were impressed
with the handful of sites that let users inspect and change location
data before submitting it in a form back to the server.

This report includes only a limited survey of implementing web sites
and we're currently pursuing ways to get a much broader set of data --
we'll be sure to keep the group updated on what more exhaustive
surveys reveal.  Though this is quickly getting unmanageable, I'm
trying to keep an updated list of sites that use the API [3], what
they use it for and whether they provide notice to users.

Many thanks to co-authors Deirdre Mulligan and Erik Wilde for help in
analysis and writing and to the Working Group for your support.

Thanks,
Nick Doty
UC Berkeley, School of Information

[1] http://escholarship.org/uc/item/0rp834wf
[2] http://lists.w3.org/Archives/Public/public-device-apis/2010Feb/0174.html
[3] http://npdoty.name/location/services

Received on Monday, 1 March 2010 00:38:40 UTC