Left Hand, it’s Time to Meet Right Hand

 Privacy Plus+

Privacy, Technology and Perspective

Recently, the Electronic Frontier Foundation (“EFF”) revealed that the Illinois Department of Transportation (“IDOT”) bought the precise geolocation data of Illinois residents from a data broker funded by the former Saudi Intelligence Head.  We are not making this up, and a link to the EFF’s story on the subject follows:

https://www.eff.org/deeplinks/2021/08/illinois-bought-invasive-phone-location-data-banned-broker-safegraph

Today, however, let’s focus on the disconnect between Illinois’s purchase and use of that data (again, from a company funded by the former Saudi Intelligence Head) and that state’s privacy laws, which generally restrict the processing of biometric information (Biometric Information Privacy Act, 740 ILCS § 14/5 (“BIPA”)), and require notice of a breach affecting the personal information of Illinois residents (815 ILCS §§ 530/1 – 530/25).  Unlike the CCPA’s definition of personal information, which includes geolocation data, Illinois does not yet recognize geolocation data as personal information.

Yet, as we have written before, in Carpenter v. United States, the Supreme Court recognized that tracking the “location of a cell phone…achieves near perfect surveillance....” Our previous post is available by clicking on the link that follows, and it contains another link to an eye-opening, interactive story about geolocation data published by the New York Times, which is worth the time to engage:

https://www.hoschmorris.com/privacy-plus-news/your-location-data

In the macro context, therefore, we think that IDOT’s exploitation of Illinois residents’ geolocation data is ill-advised.  In procuring this data, IDOT made at least two big mistakes.  First is the obvious mistake: not doing sufficient due diligence by vetting the data broker, SafeGraph, and raising a red flag upon realizing its connection to Saudi intelligence.  Second, IDOT should have more carefully reviewed SafeGraph’s Privacy Policy, which is available here:

https://www.safegraph.com/privacy-policy

If it had carefully reviewed this Privacy Policy, two statements should have jumped out: (1) “we collect information about users of mobile applications that provide us information,” and (2) “we may aggregate and/or de-identify any information collected… We may use Aggregate/De-Identified Information for any purpose…”

With respect to statement (1), above, it would appear that SafeGraph collects at least some of its geolocation data, indirectly, by having app developers embed the company's code, or software development kit (“SDK”), into their apps. As such, a question arises about whether or not SafeGraph ever obtained the appropriate consent to collect such data. 

With respect to statement (2) regarding de-identification and unfettered use, we recently wrote about how easy it is to de-anonymize or re-identify specific people, even in big data sets of purportedly anonymized location data, and such action has already had real-world consequences, which you can read about in our post, “When Anonymous Isn’t,” available by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/when-anonymous-isnt

As expressed by Senator Ron Wyden in a statement to Motherboard:

"Experts have warned for years that data collected by advertising companies from Americans’ phones could be used to track them and reveal the most personal details of their lives. Unfortunately, they were right… Data brokers and advertising companies have lied to the public, assuring them that the information they collected was anonymous. As this awful episode demonstrates, those claims were bogus—individuals can be tracked and identified." 

A link to the Vice article containing that quote follows:

https://www.vice.com/en/article/pkbxp8/grindr-location-data-priest-weaponization-app

Moreover, restrictions on use of data, including geolocation data, are a precept of responsible data stewardship – as recognized under the CCPA and the GDPR.  So, SafeGraph’s statement that “We may use Aggregate/De-Identified Information for any purpose…” should have raised more questions.

Where Illinois leads the country in protecting biometric information, like fingerprints, we would hope to see more thoughtfulness around its use of data, especially when such use is intended to track its citizens.  And this causes us to return to the title of the post:

Left hand, it’s time to meet right hand.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 

 
