Over the next decade, systems that track and record our movement through physical space will be woven inextricably into everyday life. Already we operate some location-based systems: dashboard navigation systems, smartphones with GPS features, and electronic tags that help us zip through toll stations. But in the coming years, location-aware tools will become more common, sophisticated, and indispensable.
There are good reasons for people to be nervous about this: Locational records convey where we travel and with whom; where we have lunch and with whom; which political meetings we attend; where we go to church; what kinds of nightclubs we frequent; with whom we conduct business meetings; and with whom we spend the night. The records won't be available to everyone, but they will likely be sold to advertisers and made available to law enforcement, hackers, lawyers in divorce cases and other civil lawsuits, and to nosy employees of the companies that build location-tracking systems. In countries with repressive political systems, location-tracking records may also be made available to secret police forces. These constitute threats to privacy that must be taken seriously.
This is not a call to halt the development of location-based software, services, and gadgetry. We don't want to stop people from being able to find directions on pocket-sized digital maps, from getting recommendations for the best nearby café, or from seeing when their friends happen to be just around the corner. The new inventions are far too useful and cool for their development to be thwarted by fears about privacy.
Sprint shared 8 million GPS snapshots
What needs to happen instead is that these services must be designed, from the ground up, to include robust privacy protections. For starters, the central servers for locational systems should never know the location and identity of a user at the same time. This may sound impossible, but it turns out that cryptographers have found ways to build tolling systems, locational search engines, and even applications that tell you when your friends are nearby without those systems ever knowing where their users are. Engineers must now draw on privacy-protective designs.
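To make the "server never knows location and identity at the same time" principle concrete, here is an added illustrative example (not code from the original article or from any product it mentions) of one simplified friend-proximity design: each pair of friends shares a secret, each phone uploads an HMAC of its coarse grid cell and time window under a pseudonym, and the server only compares opaque tokens for equality. The grid size, epoch length, pseudonyms and secrets are constructed assumptions for the demo.

```python
import hashlib
import hmac
import math
from collections import defaultdict

# Constructed parameters for the example: ~1 km grid cells and 10-minute epochs.
CELL_DEG = 0.01
EPOCH_SECONDS = 600

def cell_id(lat: float, lon: float) -> str:
    """Coarsen a position to a grid cell so a token never encodes exact coordinates."""
    return f"{math.floor(lat / CELL_DEG)}:{math.floor(lon / CELL_DEG)}"

def proximity_token(pair_secret: bytes, lat: float, lon: float, now: int) -> str:
    """Client side: HMAC of (epoch, cell) under a secret shared only by two friends.
    Without the pair secret nobody, the server included, can map the token to a cell,
    so the secret must stay on the phones and never be uploaded."""
    epoch = now // EPOCH_SECONDS
    msg = f"{epoch}|{cell_id(lat, lon)}".encode()
    return hmac.new(pair_secret, msg, hashlib.sha256).hexdigest()

class MatchingServer:
    """Server side: stores (pseudonym, token) pairs and reports pseudonyms whose
    tokens collide. It receives neither a real identity nor a coordinate.
    Residual leak: it still learns that two pseudonyms were near each other and when."""
    def __init__(self) -> None:
        self.by_token = defaultdict(set)

    def upload(self, pseudonym: str, token: str) -> None:
        self.by_token[token].add(pseudonym)

    def nearby(self, pseudonym: str) -> set:
        hits = set()
        for members in self.by_token.values():
            if pseudonym in members:
                hits |= members - {pseudonym}
        return hits

def demo():
    server = MatchingServer()
    secret_ab = b"constructed-secret-shared-by-alice-and-bob"
    now = 1_700_000_000
    # Alice and Bob are in the same cell and share a key; Carol is in the same cell
    # but uses a different key, so her token cannot collide with theirs.
    server.upload("pseudo-a", proximity_token(secret_ab, 37.7749, -122.4194, now))
    server.upload("pseudo-b", proximity_token(secret_ab, 37.7751, -122.4190, now))
    server.upload("pseudo-c", proximity_token(b"other-secret", 37.7750, -122.4192, now))
    return server.nearby("pseudo-a"), server.nearby("pseudo-c")

if __name__ == "__main__":
    print(demo())  # → ({'pseudo-b'}, set())
```

Two friends standing on opposite sides of a cell boundary would not match under this simplified scheme; published designs handle that by also tokenizing neighbouring cells, at the cost of a slightly larger upload.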
Why should businesses spend additional effort and resources to create privacy-friendly locational applications? Many consumers can be reassured by soothing words about privacy and won't read the fine print and technical specs. But failing to seriously defend customers' locational privacy will prove to be a time bomb for any business.
Take the example of Sprint Nextel (S), which gave law enforcement agencies an automated Web site through which officers could find the current location of any GPS-equipped Sprint phone. Police used the Web site to obtain more than 8 million phone-location snapshots in the 13 months preceding November 2009. How could Sprint's Web site possibly check that each of those 8 million requests met the appropriate legal standards for disclosure of a customer's location? The sheer scale of this operation is alarming. What if the viewers were not the police, but hackers hungry for millions of customer GPS locations?
Protecting privacy: good for business
That revelation could do serious harm to Sprint's business. In 2006, after it was reported that AOL had allowed a massive leak of private search histories, the company's search engine market share fell by almost 20%.
The bottom line for businesses is that it's smart to design your products so that such public relations catastrophes simply can't happen. If your phones don't call home to report their GPS locations, those locations can't be used for an Orwellian surveillance program, or stolen by hackers, or used in lawsuits. And having systems designed for privacy also means that when your competitors are shown to be poor protectors of their customers' privacy, you can be ready to offer a compelling alternative.
Unfortunately for consumers, there aren't many gadgets today that offer locational services and locational privacy at the same time. So for the moment, when you look at that little GPS map in your pocket, you should assume it's looking back at you—and that it may share that data when asked.