The EFF has posted a very interesting and sensible article on locational privacy. The solutions to the problems are not trivial, but they do exist, at some cost.
Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use.
The first example the article details is road tolls. Every system in use I know of uniquely identifies the car by a transponder, and thus tracks a location. If the car goes through multiple toll sites, the monitoring system can begin to put together a detailed history of your travels, as well as make inferences about where you might have or couldn’t have been. Or even issue you a ticket if you traveled between two sites faster than the speed limit would allow.
Of course, these systems are tracking the transponder and not you, but they also photograph the license plate(s) of the car. What if the camera up front just happens to be positioned so it also photographs the driver?
The article proposes an alternative that uses cryptography to anonymize the transponder. One catch is that the proposal requires you connect your transponder to your computer so it can communicate with the company’s systems to calculate what you owe. Obviously, it would be simpler if it could do this wirelessly, but that brings up other locational privacy issues.
The biggest problem I see goes back to the photographs. Some drivers will go through the toll site without a transponder, either because they never had one or because they thought they had it when they didn’t (perhaps they took it into their house to connect to the computer to anonymously pay their tolls and then forgot to put it back in the car). Also, in a case that has happened to me, the transponder was on the dashboard, but not detected. When that happens, the system falls back on photos of license plates and optical character recognition software.
I don’t think the toll taking companies are going to give up those images easily. Perhaps they could be convinced to delete them if a valid transponder was detected. However, I think they will still want them, even in that scenario, for non-repudiation. Until they get paid, they are likely to retain the images. As long as the images exist, they are subject to abuse. The EFF article acknowledges and explores this issue.
The EFF article brings up several other important areas where your location info can be pervasively tracked and easily abused. A big challenge is that the proposed anonymizing solutions involve additional effort and cost for the provider. In many cases, this is a double whammy, since the provider must shoulder more implementation and maintenance cost and no longer has as much marketing data to sell. This can be offset if the service is valuable enough to consumers to pay more for. Unfortunately, though, I’ve read about a couple of studies that have shown that most consumers don’t value privacy very highly when it comes to paying for it. I think that often this is due to a lack of awareness of how their data can and is being used. Hopefully, the EFF’s very important work will change this.
The only electronic cash system that seems to have had much success is Hong Kong’s Octopus Card system, which is run by a private company. However, according to the Wikipedia article it seems to have succeeded by forced migration (to transit systems gave users only 3 months to switch over from old cards), misconception (residents thought older coins were becoming more valuable than face value, so they stockpiled them) and forced inconvenience (buses began requiring exact change). The popular On-Loan cards are anonymous. A Personalized card has additional uses beyond electronic cash. Although some coercion was involved, the fact that convenient, anonymous solutions succeeded at a large scale is very promising.