The cover story on the latest issue of Nature talks about a study that tracked the locations of 100,000 cellphone users for six months without their consent. The best part is the article doesn't even mention the location privacy issue associated with the study, which was conducted for the purpose of inferring people's movement patterns.
I came across a company named Path Intelligence that is selling equipment to track consumers' locations passively using their cellphone signals inside shopping centers, malls, etc., ostensibly for the purpose of tracking consumer behavior. Apparently, their 'equipment' is centered around the GNUradio platform and uses triangulation-based schemes for localization. What is interesting to me is that:
(1) They manage to use signals from a cellphone even when the phone is not in a voice call (There must be some beacons!?)
(2) They manage to simultaneously localize multiple phones.
(3) The company website claims accuracy of 1-2 meters.
It appears that early adopters of their solution are in the UK. A large mall can be covered by 20 of their 'boxes'.
The Privacy issue:
"The Information Commissioner's Office (ICO) expressed cautious approval of the technology, which does not identify the owner of the phone but rather the handset's IMEI code - a unique number given to every device so that the network can recognise it."
So they don't just track the pure signal but they also demodulate the IMEI code - a reverse lookup may reveal IMEI -> Phone number -> identity but would probably require the cooperation of the carrier. Unlike MAC addresses in 802.11 networks, the IMEI cannot be changed as easily. From a privacy perspective, it appears that the IMEI is therefore a really bad thing (it is unencrypted) as it could potentially allow one to be spied upon (location traces, etc etc.) There are various other privacy issues especially when such a technology is put into effect without having shoppers sign disclosure forms. The page on slashdot has many interesting user comments.
Some links are here, here and here.
Here is an email from Toby Oliver, the owner and CEO of Path Intelligence explaining the technology in an effort to allay concerns.
Here is a particularly insightful comment from Slashdot that brings out the 'value' of location information rather than worrying about privacy:
"My shop usage data have great financial value (otherwise the shops wouldn't pay to install surveillance systems) and the shop's surveillance is involuntary - I am not given a choice whether to allow them to track me or not, except if I avoid transmitting wireless signals while near their shop. As the data collection is not voluntary and my shop usage data have financial value, I demand payment from shops using this system. I want a share of my shop usage data's financial value."
I think this makes a good case for researching PHY-layer based location privacy. Having simple omni transmitters is equivalent to relinquishing one's privacy as well as volunteering usage data for free.
Anonymity is a big deal these days. And it should be, because the proliferation of personal computing devices with multiple radio interfaces places individual privacy in question. Consider the problem of de-anonymizing the Netflix database released for the Netflix prize project. A recent paper from U. Texas showed that the records released as part of the database were not anonymous at all and given a little bit of side information, allowed easy identification of individual records in a simple way.
It is clear that some information must be removed from a database or a set of trajectories in order to prevent re-identification. But WHAT part of the information to remove is not so clear! I am pretty sure information theory must have something useful to say about this problem. In particular, the Information Bottleneck Method of Tishby et al. might be a useful place to look for answers. Pending job for the summer.
Here is a story I just saw on Slashdot about how cellphone companies give away location information to the police without a warrant for persons reported missing (which means they log location information of course):
I attended some interesting talks at the 3rd Rutgers-Helsinki PhD Student Workshop on Spontaneous and Pervasive Networking (phew!) today. In particular, a talk by Marco Gruteser reviewing location privacy for various applications caught my eye. Location based services have been much talked about and are expected to take off (any moment now) in a big way. This introduces the problem of preserving user privacy. Marco talked about an interesting class of problems that deal with preserving the privacy of location traces. The idea is as follows: Each mobile client periodically transmits its location to a central server, which then forwards this information on to an application service provider (ASP) that provides some location-based service to the user. (Think DASH!) However, the user wishes to conceal its identity from the ASP. Hence we would like to make it impossible (or very hard) to infer the user's identity from observing location updates.
Marco's group has proposed a centralized processing architecture for solving the problem, wherein the location updates from all users are first 'anonymized' by a central server (call it the 'location broker') by what can be termed various signal processing techniques such as dropping a few samples, shifting the time stamps a bit, etc. Note that the degree of location privacy granted to a user is a coupled function of the information about other users that is revealed by the location broker to the ASP.
An interesting extension of the problem would be to engineer a system wherein the availability of a location broker cannot be guaranteed and users wish to solve the problem themselves, i.e., a distributed architecture for the problem of location privacy/privacy of location traces. Ostensibly, this would require some cooperation/message passing between the mobile clients because intuitively, the degree of anonymity enjoyed by a user is a function of the user density in its surroundings. Something to think about...
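To make the location-broker idea and the density argument concrete, here is an added toy broker (my own example, not code from the post or from Gruteser's group): it coarsens timestamps into buckets and enlarges each update's grid cell until at least k distinct users share it in the same bucket, dropping updates that never reach k. The grid sizes, k, and all location updates are constructed assumptions.

```python
# Added example: a toy "location broker" doing spatial cloaking (k users per
# released cell) plus timestamp bucketing. Not the post's or Gruteser's code.
from collections import defaultdict

K = 3                 # assumption: minimum distinct users per released cell
BASE_CELL = 10.0      # assumption: finest grid cell size in metres
TIME_BUCKET = 60      # assumption: timestamps rounded down to 60 s buckets

# Constructed updates: (user_id, t_seconds, x_metres, y_metres)
UPDATES = [
    ("u1", 3, 12.0, 14.0), ("u2", 5, 15.0, 11.0), ("u3", 8, 17.0, 16.0),
    ("u4", 20, 310.0, 305.0),   # same minute, but alone in a far corner
    ("u5", 200, 50.0, 60.0),    # a later minute with nobody else around
]

def cell(x, y, size):
    """Grid cell index (col, row, size) for a point at a given cell size."""
    return (int(x // size), int(y // size), size)

def cloak(updates, k=K, base=BASE_CELL, max_size=BASE_CELL * 2 ** 6):
    """Return (released, suppressed).

    released:   (user_id, time_bucket, cell) with the smallest cell that
                holds >= k distinct users seen in the same time bucket.
    suppressed: (user_id, time_bucket) for updates that never reach k even
                at max_size; the broker drops these samples entirely.
    """
    by_bucket = defaultdict(list)
    for uid, t, x, y in updates:
        by_bucket[t // TIME_BUCKET * TIME_BUCKET].append((uid, x, y))
    released, suppressed = [], []
    for tb, group in by_bucket.items():
        for uid, x, y in group:
            size = base
            while size <= max_size:          # double the cell until k users share it
                c = cell(x, y, size)
                users = {u for u, gx, gy in group if cell(gx, gy, size) == c}
                if len(users) >= k:
                    released.append((uid, tb, c))
                    break
                size *= 2
            else:                            # loop exhausted: too sparse, drop it
                suppressed.append((uid, tb))
    return released, suppressed

if __name__ == "__main__":
    rel, sup = cloak(UPDATES)
    for uid, tb, (col, row, size) in rel:
        print(f"{uid} t={tb}s -> cell ({col},{row}) of {size:.0f} m")
    print("suppressed:", sup)
```

Users in the crowd keep 10 m cells, the lone user in the same minute is only released at a 320 m cell, and the later solitary update is dropped: the privacy/precision trade-off depends on who else is nearby, which is exactly why a brokerless version would need clients to exchange density information.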