A flurry of investigations published over the past month have intensified scrutiny of location data brokers to an unprecedented degree.
It began when Atlas Privacy, a startup offering consumers personal data removal services, gained access to a mobile location tracking tool marketed for use by law enforcement agencies and contractors. The tool, known as Locate X, is a service of Babel Street, which aggregates commercially available location data collected via mobile phone apps.
Atlas Privacy, in turn, shared two hours of footage of its use of Locate X with journalists from NOTUS, 404 Media, Haaretz and The New York Times.
Reflecting on his review of the data, NOTUS reporter Byron Tau alleges the Locate X service allowed for the identification of devices visiting abortion clinics as well as the tracking and identification of law enforcement officers at the likely location of their homes.
Law enforcement officers are the focus of Atlas Privacy's investigation because the company is in the process of suing numerous data brokers, including Babel Street, on behalf of a class of thousands of New Jersey officers. A law in New Jersey known as Daniel's Law empowers law enforcement and judicial officials in the state to remove their data from public view. Dozens of lawsuits have recently been filed invoking the law and alleging that companies are failing to meet its requirements.
An in-depth analysis of the evidence by security researcher Brian Krebs, who also was given access to the Locate X footage, is headlined with the stark conclusion that the current market reality is a "global surveillance free-for-all." Krebs' work is supplemented by his own technical analyses and investigations, including evidence from freedom of information requests from federal agencies.
As Krebs reports, related online sleuthing into overly descriptive federal procurement records recently revealed what is likely a pending U.S. Federal Trade Commission investigation into Venntel, a subsidiary of Gravy Analytics. If rumors become reality, a settlement with Gravy Analytics would complete the FTC’s Triple Crown of enforcement actions addressing alleged shortcomings in commercial location insights services. Meanwhile, the FTC’s Kochava matter remains pending in court, with new filings last month still fighting to resolve the early stages of litigation.
The FTC's recent enforcement has focused primarily on location data revealing visits to sensitive locations such as abortion clinics or places of worship. Best practices around sensitive locations are already starting to emerge, no doubt heralded by the passage of laws like Washington state's My Health My Data Act, which covers any precise location data that could reasonably indicate an attempt to receive health services. This month, the Networking Advertising Alliance published updated voluntary enhanced standards for precise location information solution providers, which prohibit the use, sale and transfer of U.S. consumer precise location information related to what NAI has dubbed sensitive points of interest or POI.
The Atlas Privacy investigation is a reminder that the sensitivity of location data doesn’t stop with POI. Certain individuals may have a stronger interest in keeping their location history out of public view. And for everyone else, location observed over time or with enough precision is treated as sensitive data under many privacy laws. Prior FTC precedent, most notably in the Goldenshores case, encourages affirmative express consent before collecting precise location data.
We see you when you're sleeping
Public servants are another class of individuals whom policymakers have considered deserving of additional privacy protections in both their official and unofficial capacities.
As Justin Sherman describes in a Lawfare article, recent research showed the feasibility of purchasing the location data history of Securities and Exchange Commission investigators as they visited companies under investigation. The research was first described in a Politico article.
Sherman writes, "It would be trivial for malicious actors, whether foreign or domestic, to acquire geolocation data to track government employees at any of these organizations — to hunt people down and harm them, discover information about confidential or even classified government activities, and otherwise interfere with agency missions."
Policymakers have taken note, and though Sherman writes eloquently about why more action is needed, some action has already been taken to put limited restrictions in place. The executive order limiting the sale of sensitive data to certain foreign adversaries bans the sale of precise location data of government workers to covered recipients. I wrote about the draft regulations from the Department of Justice under the executive order last week.
Mind the gap between rules and reality
As we reflect on how the recent wave of public scrutiny will shape best practices in the location data space, it may be a good time to discuss the technical reality of location measurement and how geolocation data is treated under existing U.S. laws.
In effect, U.S. state privacy laws have created a threshold of 1.1 kilometers, equivalent to around half a mile or 3,600 feet, for the definition of precise geolocation, at least when the location is expressed in latitude and longitude coordinates.
But no, you say, U.S. state privacy laws use a threshold of 1,750 feet — 1,850 in California. The laws say geolocation is precise enough to count as sensitive personal data if coordinates can be used to locate a consumer within a geographic area with a radius of 1,750 feet or less — 1,850 in California.
The thing is, latitude and longitude coordinates expressed to three decimal places describe a circle with a radius of just over 111 meters or 364 feet. Therefore, when geolocation data is recorded with three decimal places, it will always be precise enough to fall easily within state sensitive data thresholds. Such data may not accurately describe an individual’s location in every instance, but once the data is recorded it becomes difficult to disclaim its accuracy. All that matters is how precise the data appears.
Truncating the data to two decimal places is the only surefire solution to avoid this level of precision. And two decimal places of latitude and longitude coordinates describe a circle with a radius of 1,111 meters. Since this is well outside the threshold for sensitive geolocation, truncating location coordinates guarantees that the resulting imprecise data falls outside the sensitive data thresholds.
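The truncation described above can be checked in code. This is an added example, not part of the original article: it reads the apparent precision of recorded coordinates and truncates them until they fall outside the 1,750-foot and 1,850-foot thresholds. It goes slightly beyond the text by measuring the smallest circle that encloses the coordinate cell and by shrinking the east-west extent with latitude; the function names and the 111,100 meters-per-degree constant (chosen to match the article's 111-meter and 1,111-meter figures) are assumptions.

```python
import math
from decimal import Decimal, ROUND_DOWN

METERS_PER_DEGREE = 111_100   # assumption: matches the article's 111 m / 1,111 m figures
FEET_TO_METERS = 0.3048
THRESHOLD_FT = {"default": 1750, "california": 1850}   # radii quoted in the article

def decimal_places(coord: str) -> int:
    """Decimal places as recorded. Strings keep trailing zeros that floats drop."""
    return max(0, -Decimal(coord).as_tuple().exponent)

def enclosing_radius_m(lat: str, lon: str) -> float:
    """Radius of the smallest circle covering the cell implied by the recorded digits."""
    north_south = 10 ** -decimal_places(lat) * METERS_PER_DEGREE
    # A degree of longitude shrinks with the cosine of the latitude.
    east_west = (10 ** -decimal_places(lon) * METERS_PER_DEGREE
                 * math.cos(math.radians(float(lat))))
    return 0.5 * math.hypot(north_south, east_west)

def is_precise(lat: str, lon: str, state: str = "default") -> bool:
    """True if the recorded coordinates appear to locate someone within the threshold."""
    return enclosing_radius_m(lat, lon) <= THRESHOLD_FT[state] * FEET_TO_METERS

def truncate(coord: str, places: int = 2) -> str:
    """Drop digits beyond `places` without rounding; never add apparent precision."""
    if decimal_places(coord) <= places:
        return coord
    return str(Decimal(coord).quantize(Decimal(1).scaleb(-places), rounding=ROUND_DOWN))

def minimize(lat: str, lon: str, state: str = "default") -> tuple:
    """Truncate one decimal place at a time until the pair is no longer precise."""
    places = max(decimal_places(lat), decimal_places(lon))
    while places > 0 and is_precise(lat, lon, state):
        places -= 1
        lat, lon = truncate(lat, places), truncate(lon, places)
    return lat, lon

if __name__ == "__main__":
    # Constructed sample points, not taken from any real dataset.
    for lat, lon in [("40.712776", "-74.005974"), ("64.8401", "-147.7200")]:
        print(lat, lon, "->", minimize(lat, lon, "california"))
```

Coordinates are handled as strings on purpose: converting to float first would drop trailing zeros and understate how precise the stored record appears.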
Other techniques are improving too
GPS is not the only way to measure location. Location information can also be derived from other widely collected personal information, including the current IP address of a consumer’s device. Technical advances over the years have rendered IP address geolocation increasingly precise.
In some cases, this precision is beginning to approach the level that would trigger the definitions of precise geolocation data, though in general IP address mapping remains imprecise.
Over the past decade, the median error has dropped in some services from the tens of kilometers to as low as 3 kilometers. An in-depth 2021 study of IP address accuracy tested against GPS recordings reported a Unacast product had a median accuracy of 2.62 kilometers in the New York City market. Though the researchers report "extreme but unsurprising heterogeneity" in IP address location accuracy, the widespread availability of GPS data continues to fuel the increased accuracy of IP address measurements. Systems enhanced with AI methodologies have begun to show even more accurate results.
Mobile beacons, like those widely used in the retail context, similarly measure an individual’s location based on interactions with their devices, but with much higher accuracy. Unlike an IP address map, which relies on a changing table of information managed by internet service providers, mobile beacons have static locations that can be accurately mapped by their owners. Measuring a consumer’s proximity to a mobile beacon is always precise and accurate enough to be sensitive, if used in the relevant manner under state laws.
The ubiquity of location data should not lead privacy pros into a false sense of complacency. Whether driven by policymakers, plaintiffs’ firms, or consumer advocates, the scrutiny around location data is not going away. Legal and technical analyses should always be coupled with a robust analysis of how practices could affect consumer trust. Companies that fail to adapt to new risks of location data sharing are increasingly likely to be met with legal penalties.
Please send feedback, updates and digital crumbs to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director in Washington, D.C., for the IAPP.