Locational privacy: a new challenge for geographic information science
Jonathan Raper
http://www.soi.city.ac.uk/~raper
raper@soi.city.ac.uk
The impact of LBS on GIS
• GIS make LBS functionally possible
• LBS are a rapidly growing part of GIS
• BUT, LBS and GIS are qualitatively different
• The experience of the Hypergeo and Webpark IST projects demonstrates this
LBS will be personal GIS
• Individual mapping in real time
• Interactive guide adapted to your preferences
• Geographic information retrieval
• Tracking service?
• Geographic diary linked to e.g. your camera
Streams of data
• Current position
• Location and time of transactions
• Movement trends
(Figure: a 10 km car journey sampled at a 1 minute interval)
Challenge
• Lots of GIS functionality to offer LBS
  • Context-aware mapping
  • Proximity searches
  • Routing
  • Spatio-temporal data mining
• Must persuade users to allow us to provide it
• Must also persuade users to allow us to collect data
• Need to demonstrate that we are responsible with LBS data
User power
• Need to put the users in control
• Webpark study of 1200 potential LBS users:
  • 31% would like to get all information by request (pull)
  • 26% want to define the way they get information (pull + controlled push)
  • 18% would be prepared to have safety information pushed
  • 6% prepared to have all kinds of information pushed
• Providing and managing push and pull modes at user discretion makes new demands on GIS
• LBS and GIS are different functionally and in terms of the relationship between user and producer
GIS vs LBS
  GIS                  LBS
  collected data       generated data
  offline              real time
  analysis oriented    transaction oriented
  b2b                  b2c
  professionals        public
  aggregated data      personal data
LBS can only develop within a privacy framework
Privacy
• What is privacy?
  • an individual human right preventing intrusion, appropriation, breach of confidence
• ECHR Article 8: right to respect for private/family life
  • 1. Everyone has the right to respect for their private and family life, their home and their correspondence
  • 2. There shall be no interference by a public authority with the exercise of this right except ... in accordance with the law and (as) is necessary in a democratic society
• Data protection
  • European Directive (95/46/EC)
Information privacy
• What is privacy in information?
• Human rights (ECHR)
  • Private communication (needs encryption?)
  • Authentication of identity / right to anonymity
• Data protection (EU Directive 95/46/EC)
  • Fairly and lawfully processed
  • Processed for limited purposes and according to rights
  • Adequate, relevant and not excessive
  • Accurate and secure
  • Not kept longer than necessary
  • Not transferred to third countries without protection
Information privacy provisions
• Dutch Constitution Article 10 (2):
  • Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data
• Spanish Constitution Article 18 (4):
  • The law shall limit the use of data processing in order to guarantee the honour and personal and family privacy of citizens and the full exercise of their rights
• Canadian Personal Information Protection and Electronic Documents Act 2001
• US Bill of Rights: privacy 'implicit' (Supreme Court)
Sensitive data
• The Data Protection Directive, as implemented in all EU states, gives extra protection to 'sensitive data', requiring explicit informed consent to release:
  • Racial
  • Political
  • Health
  • Religious
  • Trade union affiliation
• BUT: location 'traffic' data is not defined as 'sensitive'
  • Can be used in compliance with the general principles
Use of location 'traffic' data
• "More than half the population of the UK carries a tracking device. Its records can be accessed by police officers, intelligence authorities, customs officials and Inland Revenue inspectors. Crimes, unpaid taxes or government dues can be investigated using this information. The data is held for several months: in some cases, for several years. We carry these devices voluntarily. They are called mobile phones."
  • Guardian, London, November 29th, 2001
How sensitive is location?
• For some, very:
  • Those in fear of harassment
• For some, not at all:
  • Exhibitionists, e.g. gpsdrawing.com
• There is, though, a natural suspicion of services
  • A survey at personalisation.org suggested that <50% of people were prepared to give personal information to service providers
• There is tolerance of mobile phone location data
  • At current levels of accuracy (between 50 m and 20 km)
  • At future levels of accuracy (5-20 m), then perhaps not?
Jonathan's weekly movement
(Figure: map of one week of movement; scale bar 1 km; each colour = 1 day; darker = later in the day)
Implications for LBS data
• Security: how is identity verified? Who has the device?
• Consent: to whom can streams of data be given?
• Usage: how can the data be processed?
• Linkage: with what can this data be linked?
• Inference: what can be stored in the profile?
• Limits on transfers of data
• Privacy issues must be addressed by LBS
Spatio-temporal data mining
Processing location data
(Figure: the Location trends knowledge discovery tool from Hypergeo)
Locational behaviour analysis
• Where you are usually (envelopes)
• Guess current activity (movement styles)
• Locational profile defines geographic relevance
  • Movement: direction, minimum effort direction
  • Constraint: path options, accessibility, perspective
  • Association: contiguity, place
  • Setting: what has influence over, focus
• Geographic relevance defines spatial privacy as the inverse?
Transaction logging example
(Figure: linkage of data sources)
• Subscription database
• Transaction log
• Transaction profile
• Georeferenced postcodes
• Electoral roll
• Location/household profile
• Neighbourhood characterisation
• Socio-economic profile
Locational profiling
(Figure: linkage, with location data plotted over a poverty map)
Locational privacy
• Locational persona: identity defined by location?
  • GIS/LBS should explore this hypothesis
• Access to tracking: only for applications + consent?
  • Which applications are compelling enough?
• Resolution: how much resolution is sensitive?
  • Once resolution reaches 'street level'
• Locational profiling
  • Home range distinction, conjectured activity by movement?
• Information needs
  • geographic patterns in requests revealed?
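As an added illustration of the resolution, sampling and "where you are usually" points on the preceding slides (example code written for this page, not from the talk or the Hypergeo/Webpark projects): a constructed one-day trace of position fixes is generalised to a 20 m grid ('street level') and to a 5 km grid, and the user's most frequent cell is inferred at each resolution and at two sampling intervals. The home coordinate, the trace and the local grid are all constructed assumptions.

```python
"""Added example (not from the slides): how grid resolution and sampling
interval change what a stream of position fixes reveals about a person."""
import math
from collections import Counter

M_PER_DEG_LAT = 111_320.0
# Local metric grid; reference latitude is an assumed study area near London.
M_PER_DEG_LON = M_PER_DEG_LAT * math.cos(math.radians(51.5))
HOME = (51.5271, -0.1031)   # constructed coordinate, not a real address

def make_track(step_min=1):
    """Constructed 24 h trace, one fix every step_min minutes (slide: 1 min).
    08:00-18:00 the user moves around; otherwise the phone sits at home."""
    fixes = []
    for m in range(0, 24 * 60, step_min):
        if 8 * 60 <= m < 18 * 60:
            fixes.append((HOME[0] + 0.02 * math.sin(m / 90),
                          HOME[1] + 0.03 * math.cos(m / 120)))
        else:   # about 2 m of receiver jitter around the same spot
            fixes.append((HOME[0] + 0.00002 * math.sin(m),
                          HOME[1] + 0.00002 * math.cos(m)))
    return fixes

def cell_of(lat, lon, cell_m):
    """Generalise a fix to a cell_m-metre grid cell (the 'resolution')."""
    return (math.floor(lat * M_PER_DEG_LAT / cell_m),
            math.floor(lon * M_PER_DEG_LON / cell_m))

def cell_centre(cell, cell_m):
    return ((cell[0] + 0.5) * cell_m / M_PER_DEG_LAT,
            (cell[1] + 0.5) * cell_m / M_PER_DEG_LON)

def distance_m(a, b):
    return math.hypot((a[0] - b[0]) * M_PER_DEG_LAT,
                      (a[1] - b[1]) * M_PER_DEG_LON)

def usual_place(fixes, cell_m):
    """Locational profile: the cell the user occupies most often, its share
    of all fixes, and the size of the movement envelope in cells."""
    counts = Counter(cell_of(lat, lon, cell_m) for lat, lon in fixes)
    cell, n = counts.most_common(1)[0]
    return cell_centre(cell, cell_m), n / len(fixes), len(counts)

if __name__ == "__main__":
    for cell_m in (20, 5000):            # 'street level' vs district level
        for step in (1, 30):
            centre, share, envelope = usual_place(make_track(step), cell_m)
            print(f"{cell_m:>5} m cells, fix every {step:>2} min: usual place "
                  f"{distance_m(centre, HOME):.0f} m from home, "
                  f"{share:.0%} of fixes, envelope {envelope} cells")
```

Sub-sampling the stream from 1 fix a minute to 1 every 30 minutes leaves the 'usual place' inference intact, because it rests on dwell time rather than on the path; only coarsening the stored resolution moves the inferred place from a street address to a district.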
Agenda for GI/LBS research
• LBS require personal data safeguards
• Need to engage with the consumer world view
  • Browsing, retrieving and analysing GI
• (Locational) privacy pragmatism?
• How to sell GIS functionality for micropayments?