Evaluation Criteria for Location Privacy

I ran across an interesting study the other day out of the U.C. Berkeley School of Information. The study considered the privacy provisions laid out in the W3C Geolocation API, and recommendations for its improvement. The Geolocation API is a part of the HTML5 specification, and as such will play an important role in location-based mobile web applications as mobile devices continue the rapid adoption of HTML5.

While the conclusions of the study were certainly excellent, I found most interesting the list of privacy-related criteria that were derived after considering a range of existing frameworks and standards. These are reprinted here:

1. Appropriateness: Is the collection of location information appropriate given the context of the service or application?
2. Minimization: Is the minimum necessary granularity of location information distributed or collected?
3. User Control: How much ongoing control does the user have over location information? Is the user a passive receiver of notices or an active transmitter of policies? Are there defaults? Do they privilege privacy or information flow?
4. Notice: Can requesters transmit information about their identity and practices? What information is required to be provided to the user by the requesting entity? What rules can individuals establish attach to their location information and transmit? Is there a standard language for such rules?
5. Consent: Is the user in control of decisions to disclose location information? Is control provided on a per use, per recipient or some other basis? Is it operationalized as an opt-in, opt-out or opt model?
6. Secondary Use: Is user consent required for secondary use (a use beyond the one for which the information was supplied by the user)? Do mechanisms facilitate setting of limits or asking permission for secondary uses?
7. Distribution: Is distribution of location information limited to the entity with whom the individual believes they are interacting or is information re-transmitted to others?
8. Retention: Are timestamps for limiting retention attached to location information? How can policy statements about retention be made?
9. Transparency and Feedback: Are flows of information transparent to the individual? Does the speci cation facilitate individual access and related rights? Are there mechanisms to log location information requests and is it easy for individuals to access such logs?
10. Aggregation: Does the standard facilitate aggregation of location information on specific users or users generally? Does the specification create persistent unique identifi ers?

When designing Veriplace, we considered these very same questions. In some cases (such as appropriateness and minimization) the application developer is largely in control of managing these issues. Veriplace addresses these cases by working with the developer, ensuring that guidelines such as these are followed. In other cases (such as user control, consent and transparency) Veriplace is more actively involved, building these requirements and safeguards directly into the platform architecture.

Taken together, this is a great list, and expands in important ways on existing guidelines, such as the CTIA Best Practices and Guidelines for LBS. Although perhaps an implementation detail, I might add one item: Uniform Privacy Management Interface. As LBS services proliferate, it will become more difficult for the end user to effectively manage location privacy. Providing a unified, consistent interface for managing access to location across services will be critical to ensuring the simplicity and transparency necessary to safeguard user privacy.

Scott