August 7, 2020
Consumers find third-party use of personal location data privacy violations, study shows
The National Security Agency issued a warning to its employees Aug. 4 that cellphone location data could pose a national security risk.
The data, which is collected and sold for advertising and marketing purposes, "can reveal details about the number of users in a location, user and supply movements, daily routines and can expose otherwise unknown associations between users and locations," according to the warning.
But how do consumers feel about their location data being tracked and sold? New research from the University of Notre Dame yielded surprising results.
"What is it about location?" published in the July issue of the Berkeley Technology Law Journal by Kirsten Martin, the William P. and Hazel B. White Center Professor of Technology Ethics at Notre Dame's Mendoza College of Business, and Helen Nissenbaum from Cornell Tech, showed that people are nuanced about how their location is tracked. They don't appreciate it if, say, their location data is used to identify if they are voting or attending a protest, but approve if location data is used by a family member to figure out if they are home. Also, overwhelmingly, people are not comfortable with third-party location data brokers, or data aggregators, collecting for any reason.
It's common knowledge that tech companies mine users' personal information. Apps often collect and share location data with aggregators, who then sell it to corporate and government customers. Privacy issues involving TikTok, Facebook and others have repeatedly been documented in national news stories. Martin said, in her study, respondents were OK with some aspects of location data collection, and not OK with others.
"They didn't seem to mind as much if employers collecting their data could identify if they were at work, but they did mind if their employer figured out they frequented a liquor store or attended a protest," said Martin, a nationally recognized expert in privacy, technology and corporate responsibility at Notre Dame's Technology Ethics Center. "However, they did not like data aggregators collecting their data. They consistently rated the collection of location data by aggregators for any reason as not OK—and by a large margin."
In the study, the duration of the collection of data did not matter to respondents once it was explained what the collector would know about them as a result. Respondents initially were concerned about the length of time location data was being gathered but stopped caring once it was explained the collector would know they went shopping or to a restaurant with friends.
"Two things stood out," Martin said. "Respondents clearly differentiated the collection of location data to track if they voted or attended a rally as different from locating them at, say, a restaurant or store. They definitely were not OK with location data being used to locate them voting or protesting. And this study was run two years ago before today's major protests, so I would imagine it would be vastly more pronounced if conducted today.
"Also, just including the place where the person would be located—at a restaurant, mall, school or work—was enough to skew the rating as less OK. In other words, asking respondents just about collecting location data without explaining what you want to know about them is meaningless. Where they were located and what the company could infer about them—who their friends were or if they attended a rally—were much more important."
Interestingly, the study showed that regardless of whether or not people were comfortable with the data being collected, it never really mattered to them what type of technology was used to collect it.
"Collection technologies we used in our study included phone, mapping app, license-plate reader, Fitbit, CCTV and social media posts," Martin said. "The impact was minimal or nonexistent when we varied the technology. This is important because we often focus on techniques to collect location data. For example, collecting from a Fitbit might be OK but not from a phone. Respondents do not see any difference in their expectation of privacy across types of technology. So if users say they don't want location data gathered from their phone, getting location from their Bluetooth signal, an app or social media posts is problematic overall. They don't want you to have it no matter what source is used."
Take TikTok's recent media scrutiny, for example. Martin said its tactics are no different from standard social media data collection practices and that banning or selling that company would do nothing to diminish the privacy violations occurring on people's smartphones every day.
The study asked a national sample of people to rate a vignette as to the degree that a particular type of collection was acceptable. It included varied specifics about who collected the data—family, data aggregator, employer, FBI, online company, etc.—and what the collector could learn about the individual as a result.
"This information is important for regulators in protecting location data, as well as the companies collecting the data," Martin said. "For regulators, respondents did not care about technology, yet we tend to regulate by a type of collecting technology or ask for consent for only one type of technology. This would suggest that individuals do not think that way and assume location data is generally protected if they have requested it for one type. Perhaps most importantly, data aggregators who collect location data should be worried if individuals ever get any say as to the collection of their data. Consumers clearly do not trust them."