Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, and Kim Cameron, a leading digital identity expert, have released a new joint publication called “Wi-Fi Positioning Systems: Beware of Unintended Consequences – Issues Involving the Unforeseen Uses of Pre-existing Architecture.” In this white paper, launched at the SC Congress Canada 2011 Conference in Toronto today, Cavoukian and Cameron call for the use of Privacy by Design to protect the privacy of mobile device users.
Mobile devices are becoming more crucial in our daily lives, with people now carrying them and using them practically everywhere. Whenever an individual uses location-based services on his or her mobile device, a unique identifier of nearby traceable Wi-Fi access points called a Media Access Control (MAC) address is relayed. This raises privacy concerns because this location information may be compiled into a profile of an individual over time, such as where they have travelled to, shopped, eaten or banked.
In addition, potential unintended consequences stem from the intrinsic nature of MAC addresses that are at the core of current networked communications. For instance, with minimal time and resources, one may be able to associate MAC addresses of mobile devices to physical addresses, and then to a specific individual. Furthermore, depending on future developments, it may even be possible that individuals using geolocation services could inadvertently report the MAC address (and, simultaneously, location) of mobile devices belonging to friends, family or co-workers – creating an unintended ‘unknowing informant’ model of data collection.”
“Privacy must be designed into Wi-Fi positioning systems to prevent unintended consequences,” says Commissioner Ann Cavoukian. “I’ll repeat the message I gave about the Apple and Sony controversies – don’t practice privacy by chance. Companies should practice Privacy by Design – they should address privacy proactively and put control squarely in the hands of the users, where it belongs.”
“What companies, government departments, people and systems will be able to follow our physical movements and activities, five or ten years from now? How will what they see change the way we are treated? Will individuals have any protections? That is what location technology is about,” says Kim Cameron, co-author of the paper. “When you look into this, it becomes clear that location technology must embrace our human need for privacy. In this paper we try to point to ways that can come about.”
The authors caution that when designing an architecture (e.g. wireless networks), the question of unintended uses, inadvertently introduced through the existence of that architecture, should form part of a privacy threat risk analysis. In no case, should the MAC address of end-user devices be collected or tracked without the consent of the owners of such devices.