Insights into wireless privacy regulation

The Where Business
July 20th, 2010

INTERVIEW: Dr Martin Feuerstein, CTO of Polaris Wireless, on the current FCC proceedings. 

Polaris Wireless, a privately held wireless location company based in Santa Clara, California, is the global leader in providing high accuracy, software-based location systems for accurately determining the location of mobile phones.

The Polaris solution is ideal for E911 Phase II compliance services, wireless location-based service applications such as push advertising, yellow pages, social networking, friend or family tracking and enterprise applications such as work force and asset or fleet tracking applications. The solution can also be used by wireless operators for network optimisation analysis and by law enforcement agencies for lawful interception purposes.

Dr Martin Feuerstein, chief technology officer at Polaris, has been attending the US Federal Communications Commission (FCC) hearings on privacy. He gave TheWhereBusiness some insights into mobile privacy issues.

Privacy is currently a contentious topic in the mobile industry, the more so since Google Buzz, Google Street View, Facebook and other companies have been prominently in the news for their respective actions in harvesting user information or making this data or users' locations available to third parties. With Polaris's central position in location technology it was logical that the company might want to follow the FCC proceedings closely.

Dr Feuerstein is an observer who would know exactly what the hearings entail. He received a BE degree in Electrical Engineering and Mathematics from Vanderbilt University, an MS degree in Electrical Engineering from Northwestern University and his PhD degree in Electrical Engineering from Virginia Tech. He has more than 20 years of experience in research, development and deployment of wireless products. During his career he has produced many publications and more than a dozen patents in wireless telecom.

TheWhereBusiness: How well informed are the law-makers about the whole issue of mobile and Internet privacy? Are they served by knowledgeable researchers or lobbyists? Do they get both sides of the story? 

Martin Feuerstein: In general, lawmakers and industry bodies in the US are now extremely sensitive to the privacy and security concerns of the public. This awareness has been fuelled by recent, high-profile Internet debacles (such as Facebook's privacy issues, Google's Wi-Fi spy scandal, large-scale identity theft cases, and so on). There is growing recognition that location information adds a new and potentially controversial dimension to the privacy and security debate.

As an example, the US Congress's House Judiciary Committee on the Constitution, Civil Rights and Civil Liberties recently held hearings on revising the Electronic Communications Privacy Act (ECPA). This was a public hearing with a number of interested parties, including privacy advocates like the Digital Due Process Coalition and the American Civil Liberties Union (ACLU) stating their viewpoints. Government regulators are definitely getting both sides of the story.

To create a framework for the industry, the Wireless Association (CTIA) and the Mobile Marketing Association (MMA) have each independently developed guidelines on privacy and security for emerging location-based services. These guidelines involve the concept of "opt-in" where users' preferences are captured by their explicit acceptance of the service and associated information usage.

The guidelines also define how application and service providers may use personal information, such as recommended data retention practices. As in the Internet world, these guidelines are designed to provide consumers with confidence in how privacy and security will be handled.

TWB: Future legislation may possibly restrict the extent to which commercial enterprises may use people's personal information, but can it solve the problem of users blithely giving away their information? Recent research in the UK shows a surprising percentage of people happily share their location and other information with complete strangers.

MF: You've raised a critical point. The whole concept of effective privacy management has at its foundation the premise that users are both responsible and aware of how they share their personal information.

Societal norms are rapidly evolving as new technologies proliferate. The US Supreme Court noted last month that "rapid changes in the dynamics of communication and information transmission are evident, not just in the technology itself but in what society accepts as proper behaviour" [City of Ontario, California, and others versus Quon, Docket Number 08-1332, page 11, June 17, 2010]. An entire generation of teenagers, having grown up with the Internet, YouTube, Facebook, MySpace, Twitter, cell phones with cameras and so forth, harbour dramatically more open views about privacy compared to prior generations. Proper behaviour has shifted radically in the direction of sharing, not just with family and friends, but also in many cases with strangers.

Academic researchers have found that users do quite freely share their location if they are given user-friendly privacy policy controls and clear feedback about when and by whom their information is gathered [for more information on this topic, see Carnegie Mellon University's Mobile Commerce Lab presentation at the 2008 WPI Workshop on RF Localization for Next Generation Wireless Devices].

Initially users are often sceptical about sharing, but those barriers are quickly eroded when the benefits of sharing become evident. These benefits could be in the form of social networks (meeting a friend at the nearby pub) or economic (receiving a useful and relevant coupon or advertisement), but there must be some enticing "reward" for sharing. Some surveys have reported that for a modest reward fee - about 30 euros - users would be willing to freely share their location information.

As with any aspect of human behaviour, government legislators cannot regulate common sense. Nor can technologists for that matter. But regulators and technologists can put in place frameworks which give users adequate controls - clear choices, conservative default settings, relevant feedback and even warnings when recommended norms are being exceeded. At that point, ultimately it's up to users to decide.

TWB: Is there a case to be made for special exceptions to privacy laws? I'm thinking of the monitoring of criminal or terror activities, and also the value of instantly knowing location and related information, such as pre-existing medical conditions, in emergency situations.

MF: Absolutely, precedents for special exceptions to privacy laws already exist. One example is emergency call services, such as E911/112, which provide location information to public safety call takers. When a user makes an emergency call, they are by definition making a request to public safety agencies, and hence privacy rules for location and caller identity are overridden. This approach is clearly in the public interest and saves lives.

Another exception is Lawfully Authorised Electronic Surveillance (LEAS), where law enforcement agencies can gather content of communications and associated information, such as location, which is specifically authorised by appropriate legal entities through judicial or administrative orders (for example, court orders, warrants). These capabilities provide law enforcement agencies with the tools they need to apprehend criminals and terrorists operating in the modern world of mobile communications.

Polaris provides high accuracy location products that service both the emergency call E911/112 and law enforcement markets, as well as consumer location-based services.

Today, these special exceptions are narrowly defined for specific purposes. It's possible that they could be expanded in the future for broader categories of emergency situations that are in the public good.

However, privacy concerns may limit the degree to which location and related information may be shared, even with emergency responders. Likely, users would need to opt in by signing up for a service that reports their information, such as a person with a special medical condition agreeing to share that information under particular circumstances.

Read More