Protecting individual privacy in an era of digital connectivity

Aug. 9, 2010

Andrew Blumberg became interested in the issue of "locational privacy" after his parents, who live in Boston, happened to leave their E-Z Pass electronic tolling device at his grandparents' place in New York.

"My grandparents mailed it back to them," says Blumberg, an assistant professor of mathematics. "That month, all of these crazy charges turned up on my parents' E-Z Pass bill, and they're thinking, 'What the hell, we didn't drive to Pittsburgh.'"

Math Professor Andrew Blumberg is working to protect our "locational privacy" from the prying eyes of the world.

What they soon figured out, says Blumberg, was that the mail truck delivering the package had taken a circuitous route from New York to Boston. Every time the truck passed through a toll station, his parents' tolling transponder dinged, and another charge was assigned to their account.

Blumberg was struck by the realization that an implicit map of the mail truck's journey was being generated. And that these tolling devices were just one of a small legion of devices many of us are carrying around, all the time, that accumulate data about where we've been.

It's not just people's commutes that are leaving a trace. It's their credit card purchases, ATM withdrawals, OnStar GPS devices, and—the mother of all tracking devices—their cell phones.

Blumberg began thinking about where all this data went, who had access to it, and what the consequences might be if there were inadequate safeguards in place to prevent a person—or a government, or a company—from taking advantage of the information.

At the less invasive end, says Blumberg, one could imagine retailers beaming advertisements to your phone based on your walking and driving habits. But what about when cell phone companies sell our data to credit card companies, who use the information on where we like to hang out to assess whether we can be entrusted with a credit line? Or when insurance companies begin instituting "Pay as you drive" premiums, which go up or down depending on when, where and how much you happen to drive? Or when stalkers start taking advantage of social networking, location-mapping applications like Foursquare?

Perhaps most worrisome, what happens when the government starts combing through terabytes of locational data in search of suspect patterns? Or when they simply ask for data from private companies that they may or may not be legally entitled to have?

"Sprint recently acknowledged that there were eight million warrantless requests last year, from law enforcement agencies, for data about people's locations," says Blumberg. "There isn't really a good legal structure for what's legal and what's not, what requires a warrant and what doesn't."

Although the 4th Amendment to the U.S. Constitution protects "against unreasonable searches and seizures," that's historically referred to searches of one's person, home and property. It's not clear, says Blumberg, how, if at all, it prohibits the government from following the digital trail we leave when we're out and about in the world. And the Constitution clearly doesn't prohibit private companies from collecting such data, particularly when we've consented to giving it to them (when we sign a cell phone contract, for instance, with Verizon or Sprint).

In order to begin to push back against such invasions, or potential invasions, of privacy, Blumberg has done work over the past few years both as a policy advocate and as a part-time cryptographer. Working with the Electronic Frontier Foundation (EFF), Blumberg has pushed for state and federal governments to pass laws, for instance, that prohibit companies from selling citizens' locational data to other companies, or that require a warrant from the government before they can obtain such data. At the same time, he's been working with colleagues from MIT to devise practical ways to build anonymity directly into the technology.


"Our contention is that the easiest and best solution to the locational privacy problem is to build systems which don't collect the data in the first place," write Blumberg and a colleague in a white paper for the EFF. "This sounds like an impossible requirement (how do we tell you when your friends are nearby without knowing where you and your friends are?) but in fact ... it is a reasonable objective that can be achieved with modern cryptographic techniques."

At the simpler end of such technological solutions, says Blumberg, are already-existing systems for providing people "electronic cash." A user of an automated tolling device, for instance, could simply charge up their E-Z Pass or TxTag with a certain amount of anonymously purchased electronic cash every few months in much the same way that someone can walk into a gas station and pay cash for a bundle of cell phone minutes. The transponder in the device would then be able to pay every toll station with a digital signature that's not only untraceable back to the person who originally purchased it, but disconnected from any information about what toll station that device pays next.

Similarly, "anonymous credentials" could modernize ID cards that double as bus passes, subway cards or bike locker keys. You could get a special set of digital signatures loaded onto your card which prove that you're entitled to get on the bus, or access the locker, but which are cryptographically designed not to tell the bus or the locker anything other than that some individual authorized to have access—but no one individual in particular—has just swiped a card.
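An added illustration, not code from Blumberg, the EFF white paper or any tolling system: a toy Chaum-style RSA blind signature showing how a prepaid toll token can verify at the station yet stay unlinkable to the account that bought it, which is also the simplest single-use form of the credential idea above. The choice of scheme, the deliberately tiny key and all names (`issuer_sign`, `TollStation`, the account label) are assumptions made for the example.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key built from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(serial: bytes) -> int:
    """Hash a token serial number into the RSA group."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """Transponder: hide the token behind a random factor r before requesting a signature."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int, account: str, sales_log: list) -> int:
    """Issuer: bills the account and signs, seeing only the blinded value."""
    sales_log.append((account, blinded))
    return pow(blinded, D, N)

def unblind(signed: int, r: int) -> int:
    """Transponder: strip r, leaving an ordinary signature on h(serial)."""
    return (signed * pow(r, -1, N)) % N

class TollStation:
    def __init__(self):
        self.spent = set()  # serials already redeemed (double-spend check)

    def accept(self, serial: bytes, sig: int) -> bool:
        if serial in self.spent or pow(sig, E, N) != h(serial):
            return False
        self.spent.add(serial)
        return True

def demo():
    sales_log, station = [], TollStation()
    serial = secrets.token_bytes(16)  # chosen by the device, never sent to the issuer
    blinded, r = blind(serial)
    sig = unblind(issuer_sign(blinded, "account-1234 (constructed)", sales_log), r)
    seen_by_issuer = {b for _, b in sales_log}
    return {
        "paid": station.accept(serial, sig),              # valid token is accepted
        "replay": station.accept(serial, sig),            # same token again is refused
        "forged": station.accept(b"never-issued", sig),   # signature does not fit another serial
        "linkable": h(serial) in seen_by_issuer or sig in seen_by_issuer,
    }
```

Because `r` is uniformly random, the blinded value the issuer logs is statistically independent of the serial and signature later shown at the toll station, so comparing the sales log with toll records reveals nothing about who paid.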

Things get more complicated, says Blumberg, when dealing with systems that track you at more than just one point. A GPS system like OnStar, for instance, wouldn't be much good at giving you directions if it couldn't follow your car across space and time. And Foursquare would have a hard time telling you that your friends Nina, Jason and Jeremy were three blocks away at the café on the corner of 51st and Duval if it didn't know precisely who and where you were.


Even there, however, it turns out that there are ways to use cryptography to protect our identities.

"The naive way to do mobile location search," writes Blumberg, "is for the device to say 'This is Frank's Nokia here. I see the following five Wi-Fi networks with the following five signal strengths.' A better way to do location-based services and search is something like this: 'Hi, this is a mobile device here. Here is a cryptographic proof that I have an account on your service and I'm not a spammer. I see the following five wireless networks.' The service replies, 'OK, that means you're at the corner of 5th and Main in Springfield. Here is a big list of encrypted information about things that are nearby.'"

The obstacles to instituting measures like this, says Blumberg, tend to be more political and economic than they are technological. The basic cryptographic techniques are already available, and usually just need some tweaking to apply them to new systems. What's much more difficult is pushing back politically against industries or institutions—like the credit card companies, or police departments—that might directly benefit from having access to our locational data.

Less difficult, but still tough, is convincing governments or companies that don't directly lust after our data to spend the extra money it would take to incorporate privacy protections into their systems.

"A lot of this has to do with how the procurement system works," says Blumberg. "The reason these tolling devices, like E-Z Pass, have terrible privacy policies isn't because the Department of Transportation sat down and decided it should be terrible. They just put out a request for an engineering bid and this is what they got. It's cheaper to not have privacy. One of the things I'd love to see is for all of these procurement documents to have a requirement that whatever solution you have, it protects locational privacy according to a given standard. If the contractor has to protect locational privacy in order to get the bid, then they'll find solutions."

You're never going to get absolute privacy in the world. What you're looking to do is to make intrusions on our privacy more expensive. Dr. Andrew Blumberg

The bulk of Blumberg's effort in this area has gone into developing proof-of-concept systems—anonymous automated tolling, for instance—to demonstrate to government and industry that it's possible to incorporate privacy into their systems without spending too much or compromising any of the very real benefits that accrue to our society through such systems. We can still have our GPS directions, our ID cards, bus passes, and our cell phones that tell us, during South-by-Southwest, where on 6th St. our friends happen to be rocking out. The good guys can still track down stolen cars and suspected terrorists. We can just do it, argues Blumberg, with a presumption of privacy. And for not that much more money.

In a sense, says Blumberg, it all comes down to cost, and who's bearing the burden of it. It's always been possible, and usually legal, for others to watch us walk down the street, and to take note of where we go and what we do. In the past, however, surveillance demanded considerable resources. Human eyes had to be peering through the telephoto lens; human hands had to be steering the van that was tailing us. What's changed is the ease and the cheapness with which we can be tracked. Now the burden is on us to keep our location private: we have to be willing to forgo certain technologies, avoid certain habits, and seek out encryption devices to protect our transactions. Blumberg would like to see the burden shift back.

"You're never going to get absolute privacy in the world," he says. "What you want to protect against is some clerk somewhere who has this huge dataset and who can, quickly and inexpensively, search for everyone who meets such and such criteria. What you're looking to do is to make it expensive."

For more information, contact: By Daniel Oppenheimer
Hogg Foundation