Wireless Location Privacy: Law and Policy in the U.S., EU and Japan
MEMBER BRIEFING 15
November 2003 | By Linda Ackerman, James Kempf, Toshio Miki
Location-based services are applications that use information about where a communication device is located. In the U.S., the European Union, and Japan, laws require that mobile telephones be able to provide fairly accurate location data for emergency purposes. Such information also enables location-based services in mobile commerce, which presents a major new market for the telecommunications industry.
Unlike other information in cyberspace, location information has the potential to allow an adversary to physically locate a person, and therefore most wireless subscribers have legitimate concerns about their personal safety if such information should fall into the wrong hands. Laws and rules of varying clarity, offering different degrees of protection, have been or are in the process of being enacted in the United States, the European Union, and Japan. This paper summarizes the status of location data laws and regulations in these areas, and presents some basic recommendations for location privacy regulation that are consistent with Internet values.
Regulation of wireless location information in the U.S. at the federal level is currently in a muddled state. The 1996 Telecommunications Act included location information as Customer Proprietary Network Information (CPNI), along with time, date, and duration of a call, and the number dialed. Current regulation, however, does not specify what kind of customer consent, express prior consent to use (opt-in) or express prior consent not to use (opt-out), is required for CPNI, except for information involved in completing a call and for a billing cycle, and how that information is to be obtained. The 1999 Wireless Communication and Public Safety Act (WCPSA or E911 Act) rectified this omission by requiring opt-in for location information used for any non-emergency purpose.
The FCC has interpreted the 1996 Telecommunications Act and the E911 Act on consent in contradictory ways with respect to location information. In 1998 it decided that opt-in consent is required for use of location information. However, the 10th Circuit Court of Appeals decided in U.S. West v. FCC that opt-in consent is a restriction on a telecommunication carrier's First Amendment rights in commercial speech, but did not consider location information as separate from general CPNI. As a result, the FCC ruled in 2001 that opt-in consent is not required, and in 2002 that companies could use either opt-in or opt-out consent for general CPNI. Concurrently, the FCC declined to consider a Cellular Telecommunications and Internet Association (CTIA) request for rule-making that would have included opt-in consent for use of location information, stating that statutory language on the subject was already clear. Several bills recently introduced in Congress to require opt-in consent specifically for location information have never made it to the floor. In addition, the E911 Act was specifically written to apply to mobile telephones, and the status of wireless devices that are not cellular telephones, such as mobile computers with IEEE 802.11 wireless LAN, is not clear.
In the absence of clear FCC guidance, industry has stepped in with some self-regulatory proposals. In September 2003, the CTIA proposed a "consumer code" for self-regulation. The proposed consumer code does not mention customer consent to use for CPNI or location information, but simply asks that companies abide by their own privacy policies. On the state level, Washington State introduced strong opt-in regulation for CPNI, but the U.S. District Court in Washington State recently followed the U.S. West decision in ruling against the Washington Utilities and Transportation Commission's (WUTC) opt-in requirement. In this context, the survival of opt-in requirements at the state level is uncertain.
The regulatory situation in European Union countries is much clearer. The European Union got a late start, but the Directive on Privacy and Electronic Communications (2002/58/EC) issued in 2002 establishes "technology-neutral" legal standards for privacy protection in the processing of personal data for all electronic communications. Article 9 of the Directive unambiguously requires informed opt-in consent for the provision of telecommunications services based on use of location information. Subscribers must be able, without charge, to withdraw their consent for the collection or processing of their location information at any time. Article 9 leaves it to member countries to decide what constitutes consent and how it is to be obtained and withdrawn. The Directive is supposed to be implemented by October 31, 2003, but so far only four of the fifteen member countries (Denmark, Sweden, Finland, Spain) have actually transposed it, although the process is underway in the remaining countries.
It is no coincidence that location-based services and mobile commerce are more developed in Japan than in either the U.S. or Europe. The Ministry of Posts and Telecommunications issued "Guidelines on the Protection of Personal Data in Telecommunications Business" in 1998, establishing a clear standard for consent to use of location information. That is, a "telecommunications carrier shall not disclose the location information (the information indicating the location of the party in possession of a mobile terminal) to another except when the data subject gives consent." More recently, in May 2003, the Diet passed a package of bills known collectively as the Personal Data Protection Law. Among other things, this law codifies the requirement for informed opt-in consent established in the 1998 Guidelines. The existence of clear legal and regulatory standards providing consumers with control over exposure of their location information in non-emergency situations has allowed a burgeoning market in location-based services to develop.
The location technology most familiar to people from consumer devices and media reports about smart bombs is GPS. Until recently, however, mobile wireless devices did not use GPS for determining location, due to some significant power and functionality drawbacks. GPS requires 3 to 4 satellites to be visible, and only provides location information to an accuracy of 5 to 15 meters. This is insufficient for indoor use and for precise emergency location. In response to the E911 Act, Assisted GPS (A-GPS) technology has been developed. A-GPS utilizes a server at a known geographical location in the network, reducing the time, complexity and power required for location determination. GPS and A-GPS require hardware modifications to the wireless device, and A-GPS additionally requires network support.
Other technologies that do not depend on GPS have been or are being used to provide location information. Most of these depend on triangulation between the wireless device and three or more base stations. For example, the Enhanced Observed Time Difference (E-OTD) method uses the difference in the time of arrival of burst traffic from different base stations at the wireless device. The Time Difference of Arrival (TDOA) method uses differences in the exact time of arrival of the wireless device's signal at separate base stations. E-OTD requires changes in both the mobile device and the network, while TDOA only requires changes in the network. E-OTD has been used in Global System for Mobile communication (GSM) cellular networks, while TDOA has been used primarily in Code Division Multiple Access (CDMA) and Time Division Multiple Access (TDMA) networks.
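The TDOA method described above can be made concrete with a short added example (not part of the original briefing) that recovers a device position purely from arrival-time differences measured at the network side. The station layout, device position, function names and the Gauss-Newton solver are assumptions chosen for illustration.

```python
import math

C = 299_792_458.0  # propagation speed of the radio signal, m/s

def simulate_tdoas(stations, device):
    """Arrival-time differences (s) at stations 1..n relative to station 0."""
    d = [math.hypot(device[0] - sx, device[1] - sy) for sx, sy in stations]
    return [(di - d[0]) / C for di in d[1:]]

def tdoa_locate(stations, tdoas, guess, iterations=25):
    """Gauss-Newton least-squares fit of (x, y) in metres to measured TDOAs."""
    x, y = guess
    x0, y0 = stations[0]
    for _ in range(iterations):
        d0 = math.hypot(x - x0, y - y0)
        a11 = a12 = a22 = b1 = b2 = 0.0   # normal equations (J^T J) step = -J^T r
        for (xi, yi), dt in zip(stations[1:], tdoas):
            di = math.hypot(x - xi, y - yi)
            r = (di - d0) - C * dt         # range-difference residual, metres
            jx = (x - xi) / di - (x - x0) / d0
            jy = (y - yi) / di - (y - y0) / d0
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy
            b1 -= jx * r; b2 -= jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break                          # degenerate geometry, keep last estimate
        dx = (b1 * a22 - b2 * a12) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y

# Constructed sample data: four base stations on a 3 km square, device inside it.
STATIONS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0), (3000.0, 3000.0)]
DEVICE = (1200.0, 800.0)
CENTROID = (1500.0, 1500.0)

def position_error(timing_error_s=0.0):
    """Metres between the true position and the fix when one TDOA is off."""
    tdoas = simulate_tdoas(STATIONS, DEVICE)
    tdoas[0] += timing_error_s
    x, y = tdoa_locate(STATIONS, tdoas, CENTROID)
    return math.hypot(x - DEVICE[0], y - DEVICE[1])

if __name__ == "__main__":
    print(f"exact timing: {position_error():.4f} m")
    print(f"100 ns error on one station: {position_error(100e-9):.1f} m")
```

Because every input is a network-side measurement, the handset takes no part in the computation, which is why control over disclosure has to be enforced at the carrier rather than on the device.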
Most of these technologies have only been of interest to cellular telecommunications providers due to the nature of the E911 Act. Recently, however, a number of companies have sprung up to provide technology for location information in mobile devices utilizing IEEE 802.11 wireless LAN. These technologies are typically only applicable indoors and mostly require an extensive configuration or training period prior to use so that the geographic space can be characterized sufficiently for recognition. In addition, the IETF Geopriv Working Group has been developing technical standards for protocols to provide Internet location-based services with location information. A strong requirement for security and authorization is included in the requirements for Geopriv protocol work.
Because of the sensitive nature of location information, legal and regulatory approaches for controlling access to location information should be different than for other CPNI. Specifically, consumers must be comfortable that they have control over who can obtain location information and when such information can be obtained if they are to be willing to buy location-based services. Laws and regulations play a significant role in the development of location-based services by providing guidance to companies, government officials, and others about what they may or may not do. Telecommunications carriers and other businesses have a strong interest in developing a new market in location-based services and mobile commerce based on wireless devices, and governments have a strong interest in seeing that the personal safety of their citizens is protected. Laws and regulations specifying how consumers authorize access to their location information need to be clear, consistent, and technology-neutral.
Of the U.S., the European Union, and Japan, Japan has been the most successful in developing its location-based wireless services market. No doubt many factors combine to produce this result, but significant among them is the fact that Japanese industry has had clear guidelines since 1998 for consent to use location information. The EU Directive on Privacy and Electronic Communications will help bring Europe rapidly up to speed. In the U.S., however, the absence of clear federal guidelines has already caused delays and led to an emerging patchwork of state regulation and industry self-regulation. The only certain outcome of the FCC's failure to regulate clearly, and of the inability of Congress so far to come up with a remedy, is further litigation. This situation is likely to lead to further delays in the introduction of advanced location-based services in the U.S.
Expanded Coverage from ISOC
In-depth articles, papers, links and other resources on a variety of topics are available from the ISOC site at: www.isoc.org/internet/issues
About the Authors
Linda Ackerman is an attorney who works with consumer privacy issues, particularly where they overlap with technology. She is staff counsel at PrivacyActivism, a nonprofit organization.
James Kempf is a Research Fellow at DoCoMo Communications Laboratories USA, Inc., currently a member of the IAB and a working group co-chair of two wireless-related working groups.
Toshio Miki is former President & CEO of DoCoMo Communications Laboratories USA, Inc., and an ISOC Trustee.
The ISOC Member Briefing series is made possible through the generous assistance of ISOC's Platinum Program Sponsors: Afilias, APNIC, ARIN, Microsoft, and the RIPE NCC, Sida.
About the Background Paper Series
Series Editor: Martin Kupres
Copyright © Internet Society 2005.