Sunday, May 16, 2010

Spatial Law and Policy Update (May 16, 2010)


So how many people "clean" their satellite navigation device before selling their car? According to this article, you probably should.

Google has admitted that it has been collecting - apparently without intent - private information (snippets from emails and on-line activities) from public Wi-Fi networks in connection with its Google Street View mapping efforts. (Google was also mapping public Wi-Fi networks as part of Street View). I have previously posted, there is great value in the street level imagery that Google is collecting. However, one can certainly appreciate the privacy concerns associated with any organization collecting this information - even if it was being sent over public (and presumably unsecured) Wi-Fi networks - particularly if the information was being collected as part of a broader mapping effort.


For those interested in a well-rounded technical discussion of the issues associated with data sharing, I would recommend reading Peter Batty's geothought blog. It includes a link to a video of a roundtable discussion from GITA 2010 with a number of deep thinkers in this area, including Peter (as moderator), Steve Coast, James Fee, Andrew Turner and Ron Lake.

Friday, May 14, 2010

Privacy Policies: Just Because They Are "Legal" Does Not Mean They Are "Right"

I hope that location-based service companies and other businesses that are developing business models around location are closely following the public's growing concerns with Facebook's privacy policies. According to reports, Facebook recently held an emergency meeting concerning its privacy issues. In addition, some reports suggest that it is losing customers due to privacy concerns.

Technology is improving so rapidly - and the business norm appears to be to bring those improvements to the market so quickly - that the general public is not able to keep up. Unfortunately, neither have the legal nor the policy systems. As a result, even though an application or business practice may be "legal", in that it does not - yet - violate any laws, it may not be "right" from a market standpoint. I believe this is particularly true when it comes to privacy and location as we are all struggling what privacy means to us from a location standpoint.

Thursday, May 6, 2010

Section 6 of the Proposed Internet Privacy Bill - What Does It Mean?

Section 6 of Rep. Rick Boucher's proposed internet privacy bill almost appears to have been included as an afterthought. Moreover, the section is so broadly written that it can be interpreted to regulate a wide range of companies that collect, use or distribute spatial data.

Section 6(a) is set forth below. I would be interested in your thoughts on exactly what is to be regulated.

"Sec. 6 Use of Location-Based Information

(a) IN GENERAL - Except as provided in section 222(d) of the Communications Act of 1934 (47 U.S.C. 222(d), any provider of a product or service that uses location-based information shall not disclose such location-based information concerning the use of such product or service without that user's express opt-in consent. A user's express opt-in consent to an application provider that relies on a platform offered by a commercial mobile service provider shall satisfy the requirements of this subsection"

Sunday, May 2, 2010

What To Look For In Any Proposed Privacy Regulations

Recently, there has been a great deal of discussion in the United States regarding the privacy implications of collecting and using spatial (or location) data. In February, Congressional hearings were held on privacy and location-based services. The Federal Trade Commission (FTC) has asked for comments on whether Children’s Online Privacy Protection Act should address the collection of geolocation data. In addition, privacy officials from a number of countries sent a well-publicized letter to Google criticizing its privacy practices with respect to a number of well-known services, including Google Street View.

Scrutiny of spatial technology from a privacy standpoint was to be expected, given the current legal and policy framework in the United States with respect to the collection of personal information in general. (Spatial Data Privacy and the Law: What a Spatial Data Company Can Do? (July 25, 2006)) As a result, the industry can expect increased calls for federal privacy regulation with regards to the collection, use and distribution of spatial data. In fact, Representative Rick Boucher, chairman of the House Subcommittee on Communications, Technology and the Internet is quoted as saying "I think you can expect to see this [topic] emerge as part of a larger legislative item".

However, in many instances legislators, regulators and their respective staffs will be addressing this issue with a limited understanding of the technology. As a result, there is a good chance that the language they use will be unclear or overly broad. Therefore, companies should be particularly mindful of the exact wording on the following items:

1. What is the nature and type of spatial data that is being considered for regulation? Terms such as “spatial data”, “geolocation data” or “location data” are broad and will need to be further defined. These definitions will be crucial.

2. What companies might be subject to regulation? Similarly, the definition of the company or industry subject to the proposed regulation will be very important.

3. Whether the proposed regulation applies to collection, use and/or distribution? Proposed regulations may permit the collection of spatial data but limit its use for certain purposes. Alternatively, regulations may restrict the ability to distribute the data to a third party. Such nuances could be very important to a company’s current and/or future operations.

4. Are notice and/or consent requirements included? Is consent or notice required to collect data? What constitutes consent? Does the proposed regulation include “opt-in” requirements? Are additional steps required to distribute the data or is notice/consent only required once? Particular attention should be paid to these requirements.

5. What security measures are required with respect to data? Privacy regimes will frequently require safeguards to ensure that any data collected is protected from improper use by either outside hackers or internal employees. It is important to understand what safeguards are being proposed and their potential impact on operations.