Spy in the Sky: Spatial Data Privacy Issues in Geographic Information Systems
presented by Jerry Waller and Karin Reese
October 4, 2005

Introduction

The old real estate adage that "location is everything" holds a new meaning in today's world. Not only can location tell us about where we are, it can also tell us about who we are and what we do. The spatial data systems that store and integrate facts about us are becoming just as important as, if not more important than, the maps that they produce. Location is the unique characteristic that can join disparate data sets and uncover a variety of information about our daily lives. The information that is gathered and stored in these systems leads to questions regarding who can use the data and for what purposes. Thus, "privacy is diminished as the use of geoinformation technology expands and personal data are combined, cross-matched and disseminated to a greater degree than hitherto thought possible. Furthermore, it will be difficult for individuals to find out what other people know about them and in what detail" (Cho, 211). The danger lies in the extent of the data integration and the ease with which a large number of databases can be linked reliably and rapidly. The potential invasiveness of a system lies in its ability to track and monitor an individual in real time as well as its ability to store the data for an indefinite period of time. This data could then be reconstructed to track an individual's movements and, potentially, to infer the purpose of those movements.

Monmonier wrote in his book Spying with Maps: Surveillance Technologies and the Future of Privacy (p.3):

Much depends, of course, on who's in charge, us or them, and on who "them" is. A police state could exploit geographic technology to round up dissidents -- imagine the Nazi SS with a GeoSurveillance Corps. By contrast, capitalist marketers can exploit locational data by making a cleverly tailored pitch at a time and place when you're most receptive. Control is control whether it is blatant or subtle.


What is privacy and do we have a legal right to privacy?

The history of privacy in the American legal system can be traced back through Common Law and the concept of the curtilage (Curry, 1997). The curtilage, as defined by the Oxford English Dictionary, is:

Basically, the curtilage was thought of as the core of a landowner's property, and was where matters of all sorts were conducted. It can be imagined that the boundaries of the curtilage--for example a wall--represented the physical boundary of what was understood to be publicly visible. Whatever took place within the curtilage was the property owner's business. The U.S. Constitution itself says nothing about privacy. However, privacy as a legal right in the United States began its explicit definition in an 1890 Harvard Law Review article entitled "The Right to Privacy," written by S.D. Warren and Louis Brandeis, where it was defined as the “right of the individual to be let alone” and “the right to one’s personality” (Warren & Brandeis, 1890).

Privacy has been interpreted since that time by the Supreme Court of the United States as a “penumbral” right implied by the language of the First, Fourth, Fifth, Ninth, and Fourteenth Amendments.  (Onsrud, Johnson, & Lopez, 1994)

What is GIS and how does it work?

GIS is a computerized data collection system that allows for the capture, storage, manipulation and display of locational data. The overall goal of a GIS is to view and analyze data from a geographic perspective. GIS data inherently deals with location, and as such it is argued to be spatial data and not personal data. However, locational data does get linked to personal information: people are linked to addresses, buildings to parcels, and streets to a network. The GIS organizes all of the data into thematic layers and tables that have real-world locations that correspond to each other across the layers.

[Figure: layers of GIS]
< Source: http://www.esri.com/software/arcgis/concepts/gis-data.html >

 

Addresses, place names, latitude and longitude are stored in the GIS as tabular data that can later be represented as information on a map.

[Figure: address table and map in GIS]
< Source: http://www.esri.com/software/arcgis/concepts/gis-data.html >

 

What aspects of GIS can violate the privacy rights of an individual or a community?

Geodemographics

But, this isn’t just about images of your house online…

Cadastral data is data that “…ties ownership information to the location and physical attributes of the land” (Onsrud et al., 1994), and local, state, and federal agencies are selling it. Instead of your social security number, it is your latitude and longitude that link all your information. (Curry, 1997)
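The point that coordinates can stand in for an identifier can be checked by a data steward before a table is released. The following is an added example, not part of the original presentation: the tables, labels and coordinates are constructed, and rounding coordinates to a coarser grid is used here only as an assumed way of generalizing location, not something the sources cited on this page prescribe.

```python
from collections import Counter

# Constructed sample data: two tables with no shared name or ID column,
# only coordinates. All values are invented for illustration.
PARCELS = [  # (owner label, lat, lon)
    ("owner_a", 35.99412, -78.89861),
    ("owner_b", 35.99198, -78.90102),
    ("owner_c", 36.00251, -78.90533),
    ("owner_d", 36.00390, -78.90871),
]
PURCHASES = [  # (item label, lat, lon) of the delivery point
    ("item_1", 35.99412, -78.89861),
    ("item_2", 36.00251, -78.90533),
    ("item_3", 36.00390, -78.90871),
]


def cell(lat, lon, decimals):
    """Generalize a coordinate to a grid cell by rounding both axes."""
    return (round(lat, decimals), round(lon, decimals))


def unique_links(release, other, decimals):
    """Pairs (release_label, other_label) where the release record's cell
    holds exactly one record of `other`: a location-only join that ties
    the released row to a single party."""
    occupants = {}
    for label, lat, lon in other:
        occupants.setdefault(cell(lat, lon, decimals), []).append(label)
    links = []
    for label, lat, lon in release:
        match = occupants.get(cell(lat, lon, decimals), [])
        if len(match) == 1:
            links.append((label, match[0]))
    return links


def smallest_group(records, decimals):
    """Size of the least-populated cell; 1 means some record is alone
    in its cell and location by itself singles it out."""
    counts = Counter(cell(lat, lon, decimals) for _, lat, lon in records)
    return min(counts.values())


if __name__ == "__main__":
    for decimals in (5, 2):  # about 1 m versus about 1 km of latitude
        print(decimals,
              smallest_group(PARCELS, decimals),
              unique_links(PURCHASES, PARCELS, decimals))
```

At five decimal places every purchase joins to exactly one parcel owner; at two decimal places each cell holds two parcels and the join no longer resolves to one party.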

Goss describes the geodemographic system in three parts:

  1. Databases composed of public and private, individual and aggregate records on consumer identity and behavior.
  2. GIS that provide the tools to analyze, locate, and graphically represent the spatial distribution of consumer characteristics.
  3. Segmentation schemes that identify consumer types through factor and cluster analysis of spatially referenced demographic and psychographic data.

(Goss, 1995)

Fund Race Neighbor Search: Identifies names and addresses of political campaign contributors [based on records filed with the FEC of contributions by all individuals totaling more than $200 to a single Republican or Democratic presidential campaign or national committee].

Example search:

1) Search on the name that you are looking for.

2) Fund Race then displays a map with the search criteria marked as "You" and lets you download an Excel file with the results set.

3) This results set displays the exact latitude and longitude of the address.

4) These plot points can, then, be searched in Google Earth.

You Are Where You Live: "You Are Where You Live" is based on a "neighborhood lifestyle segmentation" system called PRIZM from Claritas Inc., a market research firm headquartered in San Diego, CA. PRIZM, which was originally created over 20 years ago, classifies neighborhoods into one of 62 categories based on census data, leading consumer surveys and media measurement data, and other public and private sources of demographic and consumer information.

Law Enforcement

Thanks to movies and television, most people are familiar with law enforcement's use of push pins on wall maps as a method of ascertaining where a criminal may live or strike next. The Violent Crime Control and Law Enforcement Act of 1994 assisted in equipping agencies with high-tech crime fighting tools, including geographic information systems. The biggest problems in crime mapping today involve the street databases that are being used and basic human error. "New streets, similar street names, municipal prefixes and suffixes, and identical street names in separate municipalities may all cause geocoding errors" (Casady, 1999). For departments and agencies that use mapping technologies, all incidents (homicides, rapes, burglaries, traffic accidents, etc.) must be keyed in to the database by a technician. That means that if the Durham police department responded to 200,000 incidents last year and the source data was 100% accurate and the records were entered into the database accurately 99% of the time, there would be 2,000 incorrectly placed dots on the map. This inaccuracy could lead to several neighborhood problems, including the "redlining of a neighborhood with higher frequencies of crime" (Casady, 1999). Real estate developers and agents may also find that public crime data in high crime areas will lower housing prices.

In an attempt to combat the inaccuracies that are inherent in crime mapping and the problems involving the presentation and interpretation of the data, nearly all crime applications contain a disclaimer. The following is the disclaimer that is on the San Diego Police Department's Crime Mapping Application site:

Many states disclose the addresses of convicted sex offenders in publicly available registries. These registries, however, are often riddled with errors due to the fact that the information is reported by offenders and can be inaccurate and incomplete. Another problem stems from the use of mugshots and mistaken identity. Civil rights advocates have referred to the online use of photo and address information of sex offenders as the modern-day equivalent of shaming. In fact, many communities are on the verge of implementing laws that would make it impossible for repeat sex offenders to live in their communities.

The databases themselves also pose a different kind of threat. What would prevent a vigilante from looking up offenders in a registry and then setting out to exact revenge with an offender's photo and address in hand? What if there was a case of mistaken identity and the revenge was inflicted on the wrong person?

 

Global Positioning System (GPS)

What exactly is GPS? It consists of satellites that give data, based on position, in four different dimensions: latitude, longitude, altitude, and time. GPS devices can be used to track vehicles, products, animals or human beings. Devices can be installed, worn or implanted subcutaneously... oftentimes without the knowledge of the individual being tracked.

< Source (edited): http://www.mitsubishielectric.co.jp/carele/carnavi/history/histry3_b.html >

 

Recent events have proven instrumental in changing the ways in which law enforcement agencies use GIS in dealing with sex offenders as well as other criminal suspects. After 9-year-old Jessica Lunsford was murdered in March of this year by a registered sex offender, Florida legislators quickly went to work to mandate tougher prison sentences for sex offenders and are now requiring the lifetime GPS monitoring of offenders after they have served their prison terms. Missouri, Ohio, and Oklahoma soon followed suit with their own versions of the law, while legislation is pending in North Dakota and Alabama. Pennsylvania, New Jersey, and New York are also considering satellite tracking.

One of the main reasons why GPS is being pursued so heavily in law enforcement is that it costs approximately $10-$12 per day, as opposed to the nearly $100 per day it costs to imprison someone. In a Slate article earlier this year, William Saletan discussed an article in the Cincinnati Enquirer in which the Hamilton County commissioner referred to GPS as an "electronic jail." The commissioner went on to say that you "plug in the coordinates of the places they're [the inmates] allowed to go" and "the hours they're supposed to be at work and the hours they are supposed to be at home." Saletan adds:

As GPS gets cheaper, politicians will be tempted to order it not just for people who would otherwise be jailed, but for those who wouldn't. Some jurisdictions authorize it for all sex offenders, including teenage boys with underage girlfriends. Others are extending it to abusive husbands, stalkers, and gang members who might intimidate witnesses. Others are using it to enforce curfews on wayward juveniles. In Britain, some auto insurers use it to monitor drivers.

In 2001 Acme Rent-a-Car in New Haven, Connecticut issued a $450 fine to a driver after it was discovered that he had exceeded the speed limit. How did the company know? Unbeknownst to the driver, the vehicle was equipped with a GPS device. It is common practice for smaller rental companies to use the services of AirIQ, a GPS monitoring service. The company can "squeal if you've broken the contract by taking a rental car on a cross-country jaunt or south of the border into Mexico. It can even disable a car's ignition if the car has been abandoned or stolen" (Razzi, 2001).

Many states are even experimenting with the use of GPS for taxation purposes. Oregon is currently conducting a pilot program with 300 drivers to measure how many "road miles" a vehicle travels on Oregon roads. Using a GPS device along with a special electronic speedometer, the system will tax the driver based on miles driven instead of gallons of gasoline used. According to the Oregon Department of Transportation, here is how the system would work:

If the program is implemented, then all Oregon drivers will have a $100 GPS device installed in their vehicles. Think of all the constitutional and privacy issues that arise from a government requirement -- one that requires the government to track citizens. Can the GPS data be used to retrace a route after the fact, if it is for a criminal case? The ability to do so implies that data is being stored somewhere. Stored data can always be used for illicit purposes.

Tracking technologies do not apply to vehicles alone. In the late 1990s a company called Digital Angel unveiled a subdermal microchip implant for tracking not only pets, but human beings as well. The microchip could not only track an individual's location, but could also relay information about the "wearer's" body temperature and heart rate. It was marketed as a location device for patients suffering from Alzheimer's disease who might be apt to walk off from home or a care facility, but the developers also projected the device's use as a means of keeping tabs on children. It was even considered as a means to keep children out of dangerous places by allowing the "monitor", the person paying for web access to track the "wearer" via digital map, to issue a subtle warning to the child that they had gone out of their allotted boundaries by means of a small electric current. The Digital Angel product is no longer being marketed for human use. Instead, Digital Angel is now seen as a means for identifying and tracking animals, both pets and livestock. However, the company that owns the "new" Digital Angel product, Applied Digital Solutions Corporation, now makes implantable RFID chips (VeriChips) as "security for people."

What is the big deal?

So what, really, is all the fuss about? The strongest arguments for the notion that GIS threatens privacy revolve around the idea that the curtilage--the sphere of privacy once bounded by physical walls--is diminishing. Technology is primarily held responsible for this. "Autonomous technology," as a concept, is like the 21st century equivalent of "manifest destiny". It's the belief--whether conscious or not--that technology is destined to advance and improve, almost of its own volition. This idea may seem innocuous at first glance, but when autonomous technology is taken for granted by the court system as decisions are made, the means by which the curtilage is diminished are laid out well in advance of their actual implementation. Autonomous technology shrinks the curtilage by "making visible what was previously not." (Curry, 1997) Add to this the fact that the definition of "public record" differs depending on the state (Jain, 2003) and that local, state, and federal governments sell individuals' data to private companies (Onsrud et al., 1994), and the curtilage suddenly seems very small indeed.

The private companies, like Equifax, Trans Union, and Experian, buy census data, state and local government data, and tax records. (Monmonier, 2002) These companies in turn sell this aggregated data to other private companies:

As things currently stand, "[t]here is no comprehensive federal privacy statute that protects personal information held by both the public sector and the private sector." (Jain, 2003)

https://www.econsumer.equifax.com/consumer/sitepage.ehtml?forward=privacy_policy#disclose

 

What do we gain by protecting privacy?

Privacy is the basis of democracy

In a society where many of the things you buy and bring into your house—for that matter where your house is located—are publicly available knowledge, can real privacy truly be said to exist? It’s not a great leap to determine what you do inside your home based upon the products you buy.

 

Conclusion

As GIS technology becomes cheaper, its use becomes more prevalent and it becomes easier for the public to learn about "private" aspects of individuals' lives. Geographic and spatial data is quickly becoming the driving force in our market economy. As such, state and federal government may opt for minimal legislation in the wake of privacy concerns related to the sale and redistribution of locational data.

Privacy begins with the collection of data. If individuals were notified from the outset that their public records were being sold to private agencies for geodemographic uses, many people might choose to forgo giving out personal data to any organization. One way around this would be to include a clause that requires express consent for the transfer of information, or gives the option to opt out of a transfer. The collection of data should "be lawful, fair, and with the knowledge and consent of the individual" (Onsrud, 1994).

GIS database administrators themselves should provide substantial security against "unauthorized access, destruction, use incompatible with original collection, and unauthorized modification of..." personal data (Onsrud, 1994). Data contained within databases need systems for verification, and guidelines for dealing with privacy concerns must be developed. GIS data controllers should be held accountable for adhering to guidelines set up by the GIS community. Individuals should be allowed to easily determine what types of files, if any, exist about them. They should be given the right to inspect and correct data at minimal cost, and they should be provided with the source data upon request. This would help avoid secrecy in data collection and distribution and would help create an open policy regarding data collection procedures. Governments also need to think about just how public "public" data should be. Gone are the days when acquiring your neighbor's data meant a trip to the county tax assessor. Though officially a means for distributing public information, this system meant non-anonymous and very limited access, two safeguards for the integrity of personal data that no longer exist.

 

Bibliography:

Associated Press. "States Track Sex Offenders by GPS." July 30 2005 <http://www.wired.com/news/technology/0,1282,68372,00.html>.

Barr, Robert. "Nowhere to Hide." Geographical 69.4 (1997): 30. <http://search.epnet.com/login.aspx?direct=true&db=afh&an=9704163268>.

Casady, Tom. "Privacy Issues in the Presentation of Geocoded Data." Crime Mapping News 1.3 (1999). <http://www.policefoundation.org/pdf/58.pdf>.

Cha, Ariana E. "To Protect and Intrude; GPS Proliferates as Costs Fall; Privacy Strained." The Washington Post Jan 15 2005: A.01. <http://proquest.umi.com/pqdweb?did=779091861&Fmt=7&clientId=65345&RQT=309&VName=PQD>.

Cho, George. "Geographic Information and Privacy." Geographic Information Science: Mastering the Legal Issues. John Wiley & Sons Ltd., 2005. 207-290.

Curry, Michael R. "The Digital Individual and the Private Realm." Annals of the Association of American Geographers 87.4 (1997): 681. <http://search.epnet.com/login.aspx?direct=true&db=afh&an=9712156294>.

Cutter, Susan L., Douglas B. Richardson, and Thomas J. Wilbanks. The Geographical Dimensions of Terrorism. New York: Routledge, 2003.

Dobson, J. "Is GIS a privacy threat?" GIS World 11.7 (1998): 34-35.

Goss, Jon. "We Know Who You Are and We Know Where You Live: The Instrumental Rationality of Geodemographic Systems." Economic Geography 71.2 (1995): 171. <http://proquest.umi.com.libproxy.lib.unc.edu/pqdweb?did=4580856&Fmt=7&clientId=15094&RQT=309&VName=PQD>.

Jain, Dharmesh. "A Discussion of Spatial Data Privacy Issues and Approaches to Building Privacy Protection in Geographic Information Systems." Assessment Journal 10.1 (2003): 5. <http://search.epnet.com/login.aspx?direct=true&db=afh&an=10271056>.

Joffe, Bruce A. "Open Data Consortium project: Model Data Distribution Policy." 2003 <http://www.in.gov/ingisi/committees/datasharing_odc_policy.pdf>.

McCullagh, Declan. "ATF Admits Tracking Jim Bell." April 6 2001 <http://www.wired.com/news/politics/0,1283,42895,00.html>.

---. "George Orwell, Here We Come." 2003 <http://news.com.com/George+Orwell%2c+here+we+come/2010-1071_3-979276.html>.

Monmonier, Mark S. Spying with Maps: Surveillance Technologies and the Future of Privacy. Chicago: University of Chicago Press, 2002.

Onsrud, Harlan J., Jeff P. Johnson, and Xavier Lopez. "Protecting Personal Privacy in using Geographic Information Systems." Photogrammetric Engineering and Remote Sensing 60.9 (1994): 1083-95.

Onsrud, Harlan J. "Privacy and the Use of GIS." 2005 <http://www.spatial.maine.edu/~onsrud/Courses/SIE525/SlidesPrivacy.pdf>.

Razzi, Elizabeth. "Spy in the Sky." Kiplinger's Personal Finance 55.9 (2001): 121. <http://proquest.umi.com/pqdweb?did=77222828&Fmt=7&clientId=65345&RQT=309&VName=PQD>.

Saletan, William. "Call My Cell: Why GPS Tracking is Good for Inmates." Slate. 2005 <http://slate.msn.com/id/2118117>.

Schilit, B., J. Hong, and M. Gruteser. "Wireless Location Privacy Protection." Computer 36.12 (2003): 135-7.

Schuurman, Nadine. GIS: A Short Introduction. Malden, MA: Blackwell Publishing Ltd, 2004.

Stephens, Scott. "Going Public with GIS." American City & County 119.4 (2004): 26. <http://search.epnet.com/login.aspx?direct=true&db=afh&an=12911083>.

Warren, S., and L. D. Brandeis. "The Right to Privacy." Harvard Law Review 4.5 (1890): 193-220. HeinOnline.

Wade, Will. "Privacy While Intaxicated." June 3, 2003. < http://www.wired.com/news/autotech/0,2554,58616,00.html >.