Serious Privacy

What in the World? A focused episode on location data

March 28, 2024 Dr. k royal and Paul Breitbarth Season 4 Episode 9

On this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Crawford & Company dive deep into the topic of location data, which is considered sensitive personal data and is often not disclosed in many apps. We talk about geopositioning satellites, a journalist investigation into Polar's fitness app, transparency reports on responses to government requests, such as this one by T-Mobile, and creative uses such as tracking saguaro cacti in Arizona and raising money for No Kid Hungry. (And a bonus on Beyonce's Texas Hold 'Em in honor of K's session with Maggie Gloeckle and Ashley Slavik at IAPP Global Privacy Summit in DC and the LGBTQ party with Ron de Jesus themed on Alice in Wonderland... where K might just leverage a little cosplay on the Queen of Heart of Privacy.)


If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note that this is largely an automated transcript. For accuracy, listen to the audio.
[00:00:00] Paul Breitbarth: On this week's show, we talk about one of the most intimate pieces of personal data out there that many just don't seem to care about: location data. I still recall the days when the first question anyone would ask on a mobile call was where are you? But mobile phones have long since replaced most landlines, making this question somehow less relevant as a conversation starter. Your location is, however, still very much of interest to telephone companies, advertisers, law enforcement, security services, and many, many others. All the more reason to have a good discussion about it. My name is Paul Breitbarth.

[00:00:47] K Royal: And I'm K Royal and welcome to Serious Privacy. So Paul unexpected question.

[00:00:54] Paul Breitbarth: Oh.

[00:00:55] K Royal: What color are your bathroom towels? Cause that's you and neither you or I have a bathroom right now. I think that's absolutely perfect.

[00:01:04] Paul Breitbarth: No, I do have a bathroom right now. I haven't moved house yet. And actually the bathroom in the new house is ready too. It just doesn't have hot water yet, but that should be solved by the end of the week.

The towels will be green. Dark green. 

[00:01:17] K Royal: Dark green. I like that. So yeah, I have a bathroom too. I mean, I'm living with my daughter, duh. I'm not using an outhouse. But Tim and I are going, we have everything white right now in the bathrooms, I think. And we had our last bathroom that was white. I mean, essentially, since I made the Tempe house into what I wanted it to be, my kitchen and my bathroom were all white.

I mean, duh. So we did that in this house as well, even 

[00:01:46] Paul Breitbarth: Boring white. 

[00:01:47] K Royal: You know, even though I, I will admit it's funny that our dream bathroom was not white. Our dream bathroom was the dark, rich colors and the earthy tones like you would get in a spa. And then we were going to do that in our Texas house, and then we moved.

And so we said, you know what, we've already demoed the bathroom. So now we can't do it in our dream color. So let's find something we'd never do a bathroom in, and so we did it all white. And ever since then we fell in love with the white bathroom. So that's what we've done. Go figure. 

We typically add in another color just to give some splash of color. So this one, I'm thinking we might also do green, but probably a deep forest green.

[00:02:29] Paul Breitbarth: There's nothing wrong with a deep forest green.

[00:02:33] K Royal: Last time it was, it was blue. 

[00:02:35] Paul Breitbarth: That's fine. But I mean, you and I won't have the same bathroom anyway.

[00:02:38] K Royal: Well, that's true.

[00:02:40] Paul Breitbarth: Mine won't be white, that's a certainty.

[00:02:43] K Royal: We're so busy now trying to shop for furniture and stuff and not knowing when we can order, because we have nowhere to store stuff until the house is ready to move in, but I have a garage floor now.

They just poured the concrete today. I'm waiting on the workers to leave so we can run go stick our initials in it. So let's talk about things that are coming up. So one of the biggest things coming up is by the time this comes out, it will be next week. And so we'll be right before the IAPP Global Privacy Summit in DC.

I am busy designing stickers so we can hurry up and get some more stickers. So we have stickers for people in DC. 

[00:03:16] Paul Breitbarth: Will you actually be on the conference floor this time or will you be holding court outside again?

[00:03:22] K Royal: I will be on the conference floor this time because I am speaking. So Ashley Slavik with Archer Daniels Midland, Maggie Gloeckle with HPE Enterprises and myself. We are doing a panel on know when to hold them, know when to fold them: dealing in as the new privacy lead. So we're taking it from the perspective of the three of us kind of grew up in privacy together and now we all hold the title of chief privacy officer, which

[00:03:52] Paul Breitbarth: With a nice Beyonce soundtrack, Texas Hold'em?

[00:03:55] K Royal: Actually, Maggie, we just met the other day and Maggie's like, Ooh, we should do a little bit of the Beyonce song and yeah. Okay. We are not Beyonce, but we might put a snippet in there. Cause who can't nowadays, who can't? So we would probably do that, but it is interesting. We're looking forward to it, but it will be all about, you know, not just coming into a company as chief privacy officer, but how do you come in after someone?

Are you the first one or are you following in someone's footsteps? Do you chart your own path? How do you deal with projects that are already in flight? Did they want a new privacy officer because they didn't like what the other one did? Do they want a new perspective? Do they want things to continue as they are?

And it's already a stellar program. I mean, there's all these different nuances to think about coming in as a new privacy lead to a company. 

[00:04:54] Paul Breitbarth: That's actually a large part of what I was discussing earlier this week, because I'm teaching the new ECPC M. So that's a management course from Maastricht University that builds on their basic DPO course. The first version I did last year together with Ralph O'Brien. He couldn't make it this time, so we had Andrea Liasevice.

From Boeing and also and I pull you from Mars. We, we did the course together this time, but we were also talking about. Indeed. How do you build that privacy culture? How do you get started on building your program? What if something else already there? What if you need to start from scratch? So that rings that rings a good

[00:05:32] K Royal: Yeah, it does. 

So we're really excited about it. So we will be there. We also bought our tickets to the LGBTQ party with Ron DeJesus. 

And the theme this year is Alice in Wonderland, and I mean, I am the heart of privacy, and I am a queen, I mean, in my own pageant world but I, I feel like I have to dress up as the queen of hearts.

And so I wrote Ron, I'm like, okay, here's the deal, Ron, I do cosplay. I said, so I could go all out full Queen of Hearts with the full ball gown and everything if I pull it together. And that was a big if, if, if. So I think I've decided on my costume now. And it's not going to be a full on ball gown, I don't think.

I'm going a little in between, but I found the best red boots yesterday. Oh my God. Everything's around the shoes. So it will be, it will be a lot of fun. I also had to tell Maggie I had to warn her that I'm going to be dressing up as the Queen of Hearts because she and I are rooming together. I love it when friends help each other out.

And so she and I are rooming together. So I had to warn her I'm getting all dressed up. Because, you know, wig and crown and everything is going to be a lot of fun. So, anyway, I'm really looking forward to it. I'm going to post some probably uh, graphics of the stickers. I meant to do it in enough time for people to vote on it.

And I know I have leftovers of the stickers from last year. I just don't know where I put them in the moving, Paul. 

[00:07:01] Paul Breitbarth: I also don't know. 

[00:07:02] K Royal: Knowing me, I put them somewhere safe so I could have them for this year. And that somewhere safe is God only knows where right now. So, talk about, let's talk about location tracking this time.

So we're kind of getting in this habit now where we do a week in privacy, we have an interview, we do a week in privacy, or another interview, and we do a topic. So we seem to be averaging at least a really good big topic once every other month with just you and I doing it. So this year we kind of virtually drew straws and I think we landed on locational tracking. 

[00:07:38] Paul Breitbarth: Yes, also just because there wasn't a lot happening this week. 

[00:07:41] K Royal: Shhh! You weren't supposed to say that!

[00:07:43] Paul Breitbarth: Oh, oops. 

[00:07:44] K Royal: Keep that, keep that to yourself. 

[00:07:47] Paul Breitbarth: As, as Britney would have said, oops, I did it again.

[00:07:49] K Royal: Oops, I did it again.

So locational tracking, and this is something that is very important to a lot of people and a lot of people probably don't realize it happened. Now here in the U.S., one of the biggest locational tracking things that has happened was the multi state settlement with Google for like 93 million. There's, there's other settlements with them on the same thing about the locational tracking and about how, when you turned it off on your phone, there was still locational tracking, even though you turned it off. Now we all know when it comes to specific apps that you can, you know, grant and deny permission when you first download the app, but then you put your phone on automatic updates of the apps and then they throw these permissions back in again, locational may be one of them, but there's been a lot of situations where your location has been tracked even though you may have turned, you know, location tracking off on your phone.

So it could be through your browser, it could be through an app, could be different ways, but it could also be things like apps and services you use like car rideshare services, so Uber and Lyft and different ones that, you know, they, they physically take you different places.

They have your location in their history and there have been situations where those companies have been selling or leasing that data. Now before you say, well, what's so bad with that? Which nobody listening to this podcast is going to ask what's so bad with that? 

[00:09:16] Paul Breitbarth: So bad about that?

[00:09:17] K Royal: You crack me up.

They know the people that go to church on a regular service. If they're, take, if you're, Actually, sometimes the app tracks you even when you're not using the vehicle services, but they know of the ones that take it to church at a regular time or specific times or where you go or are you in the vicinity of reproductive clinics different things like this, which is something that Texas law was saying that apps have to disclose if people are, you know, in the vicinity of those clinics.

So it's tracking where you go, but sometimes the apps were also even listening when you weren't using the app

[00:09:53] Paul Breitbarth: Hmm. 

[00:09:54] K Royal: TikTok, I think, does that too. But they could say whether or not you were in a household with children, or domestic disputes. There was arguing and yelling all the time. You could just be, you know, someone that likes to yell all the time.

But you could live in a house with animals, or with toddlers, or where you get sleep, good sleep or bad sleep. It's really weird, the type of data. That apps that you would think would be location based only were actually tracking when you weren't actively using their services. But back to the location.

I don't know if people understand how the location tracking works, but it's based off of satellite positioning and 

[00:10:31] Paul Breitbarth: Yeah. It's geopositioning. It's not just the satellites, it's the combination between GPS and the European Galileo system, and also the cell tower triangulation.

So typically your phone connects to the closest cell tower but it also knows which other cell towers are close. Sometimes the closest cell tower is full or almost full. So your phone would connect to one 

[00:10:55] K Royal: next one over. 

[00:10:56] Paul Breitbarth: A block away, the next one over. And phone location data has been around for, for many, many years. Already in 2009 the Massachusetts Institute for Technology together with the University of Louvain in Belgium conducted the study Unique in the Crowd.

Where they followed for 15 months a lot of people, I think it was 1.5 million people for 15 months, just using their cell phone data. And they were able based on four data points out of that whole year. Or out of those 15 months actually of, of location data, just four data points allowed them to identify over 95 percent of individuals correctly.

And that was just with phone triangulation. 

[00:11:41] K Royal: Yeah. 

[00:11:41] Paul Breitbarth: No GPS data involved at that time.

[00:11:44] K Royal: And, and the geopositioning, the, the, the location, whatever you want to call it, can track you down to, I think, just a few meters away. It can be very, very precise. 

[00:11:56] Paul Breitbarth: Let me ask you a question here. And if you don't want to respond, also just say so. But you're a Google phone user, right? You're an Android user.

[00:12:05] K Royal: I prefer my Android, but my active cell phones are 

[00:12:08] Paul Breitbarth: Okay. But when you were using your Android phone, did you have your device location or your favorite location data on?

[00:12:18] K Royal: No. 

[00:12:19] Paul Breitbarth: I've seen that once with friends, just all their favorite locations and their commutes and where it would, where they would all go and all of that 

[00:12:28] K Royal: No. No. No. 

It is scary as hell and when you, when you've been through the relationships that I've been through being stalked or tracked by someone is a bad thing. 

Actually, it's a bad thing regardless of what relationships you've been in. Let's, let's just be frank, but yeah, no, I get paranoid about that 

[00:12:46] Paul Breitbarth: Actually, today in the newspaper the Amsterdam newspaper, there was a whole article about the Find My functionality that iPhone has. And that friends are actually sharing that actively with each other so that they can monitor where they are. Oh, they 

[00:13:01] K Royal: Find their phone. 

[00:13:02] Paul Breitbarth: They are, no, not find their phone, just to find their friends, actually. They are in this pub. Oh, I'm going to go as well and have a drink. Oh, all my friends or my roommates are all at home, and I want a quiet night, so I'm not going home right now, because then it will be party again. I'm having a date. So I'm sharing the location with all my friends or with my mother. Oh, I'm having a date, so I'm switching my mother off.

So mother panics. Hey, I can't see you anymore. All those kind of things in the newspaper and also some specialist saying maybe you shouldn't share it that widely because it is also a

[00:13:39] K Royal: Maybe you shouldn't. It is a risk. I lost my iPhone this week. Now, funny enough, I lost it in the house. But, apparently, when you've got grandchildren my kids age, it's quite common to lose my cell phones in the house.

[00:13:50] Paul Breitbarth: Are they lost or Are they stolen? 

[00:13:52] K Royal: Stolen. So yeah, when I lost my Android phone, we found it underneath the granddaughter's bed. She's two. She stole my phone to watch videos. So, I lost it. It was in the house somewhere. Finally, finally, the next day I said, fine, I'll use Find My Phone for my iPhone. I couldn't because I didn't remember my iPhone user ID, password, blah, blah, blah, whatever it was.

You can't recover it unless you can text the cell phone that you use. And then, of course, if you use someone else's device to find yours, you have to have shared your information as friends or family. And my husband looked at me, he said, so maybe we should do that. So next I'm like, no. 

[00:14:31] Paul Breitbarth: No.

[00:14:31] K Royal: No, not happening.

Sorry. I'll just have to do it the old fashioned way. Of course, there are these services that you can pay. You can either subscribe or you can pay one time and they'll locate your cell phone for you one time. How do they know it's your cell phone? How do they not know you're not trying to stalk someone and putting their phone in?

This just makes me crazy. So, okay. So back to location tracking. So it's not always the best, the best thing to do, but your location is tracked. Now all. I think Kentucky passed. All 15, if not 14, of the state laws that have a definition for sensitive data include precise geolocation information, not general location information, but precise geolocation information as sensitive data.

And well, it should be. Now it is not a special category of data under the European law and the state and the countries that pass laws based on GDPR using the same combination, but here in the UK, 

[00:15:30] Paul Breitbarth: as high risk data 

[00:15:32] K Royal: It is high risk data 

but we do define it as sensitive data here. So it's interesting. There is also way back when early two thousands, I believe everything had to be capable of identifying your precise geolocation on your phone because of 911 people would call emergencies on their phone and P and nobody would know where they were.

So here in the U.S. we passed it. It had to be affected by 2005. And then all the new cell phones had to contain GPS chips by 2018. So, they may be in place for a good reason, but the capabilities are widely misappropriated for other purposes, whether the people are doing it deliberately or accidentally.

But shouldn't you want to track your loved ones if you have a vulnerable adult? That that may have some mental instabilities or may have Alzheimer's and how do I'm, yeah, I'm, I'm, I'm fine that the possibility exists, but

[00:16:29] Paul Breitbarth: It needs to be a very deliberate choice. It needs to be, it needs to be your choice that, that is happening. And also then, even if you have that access you should use it in moderation. Because our society has already become way too much of a surveillance a surveillance society with CCTV cameras everywhere, everything that's happening online, everything that's being tracked and documented and just the fact that you are continuously tracking your friends or your family and it's it is creepy indeed.

Also location sharing via WhatsApp or iMessage, sure, if you are traveling to the same location and you want to make sure that everybody is more or less arriving around the same time, then it's helpful to show, hey, we are on our way. We are here and you can monitor progress and know that if you are at a restaurant, oh, they're coming in in 10 minutes or in

[00:17:29] K Royal: Right 

[00:17:30] Paul Breitbarth: That's fine. If that is a one off choice 

[00:17:33] K Royal: Yeah, when I travel and I use Lyft or something like that, I do share my trip in the car with my husband because I'm traveling alone. So I do that, but that's a very deliberate choice I make at the time. Now, are they misusing it? God only knows, probably. But I pulled up some information, and I think it's current, on retention periods of the major cell phone providers in the U.S. So how long they keep the subscriber information, for three to five years, five years, length of service, or unlimited for some. Call detail records are a rolling year. Or if it's a prepaid phone, it might be two years or five years. It varies 18 to 24 months, two years for call detail records, cell towers used by phones, usually a rolling year or ever since it went into effect or two years, something like that. Text message details again, one to five years, 18 months depends on the time. Text message content: most of them don't retain it.

Three to five days or 90 days search warrant is required if they want the content. Or pictures. Do they retain the pictures? Most of them say contact us and ask us. Or they don't retain or you can store them online until you delete or the service is deleted.

Now the other thing is your cell phone carriers like a lot of technology companies do post their transparency reports of how often they get law enforcement requests for this data. And it's in the hundreds of thousands, hundreds of thousands of requests that they get. They usually post post statistics on how far they do.

I pulled up the most recent transparency report of T-Mobile. And you can just go to most of them and do this. So there's a sample. This one I just pulled a couple of weeks ago. It's for the year, I think, 2022. So, they would post it in 2023. The following table shows the number and type of legal demands which they provided a response for in 2022.

Subpoenas, 301,000. Emergency 911 requests, 146,000. Court orders, 42,000. Warrants or search warrants, 95,000. Other, 22,000. Pen register or trap and trace orders, 23,000. Wiretap orders, 4,000. Customer requests for their own information, 1,000. Requests from foreign entities. It doesn't say how many, I guess it is the number of requests from foreign entities.

Let's see, and there is a, a piece of that request. There were Canada 27, China 1, India 5, and Mexico 1. They, the number of responses that they did not respond to, so either they received no response at all or they got a written explanation that they were unable to respond. No response was 28,000 and unable to respond was 81,000.

And then there's request for location information. So that's general. Let's go specifically for request for location information. Requests for historical cell site information, 113 requests.

For timing advance, 45,600. Requests for prospective location, 92,000. Requests for a tower dump, 8,000. Requests for an area dump, 4,600. So there were 263,000 requests overall. And they have on here that they will release historical information and prospective information upon receipt of an appropriate legal demand.

The data reflects the number of demands that were processed in 2022 based on a warrant or court order or when a government entity requests the same in connection with an emergency request. This is a subset of the chart that I read above. And see, and legal demands frequently authorized release of multiple types of location information.

So, it says prospective location, because I know you probably picked up on what exactly is prospective location, right? 

[00:21:51] Paul Breitbarth: Probably where they expect you to go or something like that based on your historical pattern. 

[00:21:56] K Royal: It consists of live location information delivered as longitude and latitude coordinates to a government requester. It's often referred to as geolocation or real time GPS. Prospective location is released to government only after receipt of a search warrant or appropriate emergency request. Then there's statistics on national 

[00:22:18] Paul Breitbarth: And how many, and how many time appropriate immediate security request or whatever they call it, how many times will that actually be used when it may be, it isn't that urgent? 

[00:22:31] K Royal: Right? Right? 

I think you're being a little cynical, but I don't blame you for being cynical, because this is just one carrier. One carrier in the U.S. Now, they do have also national security requests, so national security letters and FISA orders. The USA Freedom Act of 2015 permits reporting of this information in half year increments in bands of five hours.

They are not included in the charts that I gave permission above. You can look this information up on almost any technology company you want, but fascinating for our conversation here on location data. Google, Facebook, all of these produce the same type of transparency reports that you have. 

[00:23:17] Paul Breitbarth: Yeah, and it it and it will be the same across the European Union. We've had for quite a long time already, data retention requirements across the European Union. Those were introduced following the terrorist bombings in Madrid and in London.

[00:23:32] K Royal: Same thing here for Boston Marathon. Yep.

[00:23:35] Paul Breitbarth: Yeah, they've been stricken down by the court multiple times because the court classifies those as mass surveillance and says this is not what is allowed under the EU Charter of Fundamental Rights.

But it is still happening.

And data is retained for up to 24 months. And then also shared with law enforcement and national security. That is an ongoing discussion for, for, for many years already, but there are actually two other things on, on location data that I picked up on. That I would like to share another news report from earlier this week.

When you pick location data as the topic for today, this immediately sprang to mind as well. Our T-Mobile here in the Netherlands, it's now been rebranded into something else. But back in 2018, between 2018 and 2020, they partnered with our national statistics bureau trying to develop an algorithm.

To predict locations where it could be busy on, on given moments of time so that maybe certain areas could be roped off or that they needed an extra lane on the highway or things like that. And the telco provider between 2018 and 2020, so this is well before COVID, actually shared between 2.5 and 4.5 million subscribers, their data. Their location data with the statistics bureau to see whether that algorithm could be could be developed. It was all pseudonymized and encrypted, but it was still identifiable.

So all of that was was happening and the Dutch authority for digital infrastructure actually fined the telecommunications company earlier this week 175,000 euros.

[00:25:22] K Royal: And Amazon got in trouble for tracking its employees, didn't it? Just a few weeks ago.

[00:25:27] Paul Breitbarth: Think that was in France, right?

[00:25:28] K Royal: Yeah, I think so. And I mean, of course they're doing it all over the world because they're looking at productivity and how to best use their resources and blah, blah, blah, blah, blah. In Arizona, the University of Arizona got in trouble because the student ID cards of course have RFID chips.

Now, if y'all haven't been worried about RFID, Because it's a low technology or an old technology, y'all still need to worry about RFID. Let's be honest there. But they were tracking students. They were doing it for a good purpose. They wanted to indicate which ones were potential for dropouts. Were they not going to classes?

Were they hanging out at the bars around campus? Which the bars were not participating in the tracking, but you could tell when the students were nearby, right? And in one general vicinity. Were they hanging out in the student union all the time and not leaving? Or were they in their rooms and never leaving?

So they were trying to do it for potential, but of course they didn't disclose it to anybody and, you know, they didn't get permission for it and it got in a lot of trouble for it. Now, for a long time as a professor at ASU, I refused to get a faculty card because it could be tracked. But during COVID they started locking the buildings and you could only get in through certain doors and you had to have a stupid card. So I have a card, blah, but I do have it, but it is crazy. But they say a number of universities use student tracking software to monitor students.

They usually rely on Bluetooth transmitters hidden around campus rather than GPS. They gather about 6,000 data points per student per day, right? They could use it to monitor class attendance, which I mean, you can take attendance in class too. Hello. But they also use it to calculate a risk score for students.

That's crazy. I'm sorry. That's crazy. Now rental car tracking not seen as really rental car tracking not really seen is really risky. Because you know, it's not your car, it's their car. So, should they be allowed to track it? Sure, why not, right? 

[00:27:34] Paul Breitbarth: Yeah. No, the this also all comes down to, to privacy by design and even more important privacy by default. Because building in certain location functionality. For a lot of apps, for a lot of functionality actually also could make sense. And certainly a phone would not be able, especially in today's day and age, would not be able to function without some sort of location data.

Especially if you want to use maps or, or indeed an Uber or a ride sharing app or a home delivery app or, or whatsoever, you need some form of location data for that, but it should be a deliberate choice what to share with whom and for how long.

[00:28:13] K Royal: Yes, it should follow the rules of transparency and notice and consent. 

[00:28:18] Paul Breitbarth: Yeah, but also just make sure that the default settings are right. And, and that reminds me of a research project that was undertaken by a Dutch online news medium, The Correspondent, together with Bellingcat. Already back in 2018, it's called Project Polar, and we'll share the link to the whole story in the notes.

But this goes back to 2018 when there was the Polar activity map that accompanied the Polar smartwatches. And Polar is mainly used for people who use it for fitness. So they, they go running, they use their watch and you can create this, this very nice map.

The thing is that by default, the maps for all these users were set to public. 

[00:29:02] K Royal: Yes, same thing happened to the U.S. secret bases over

[00:29:07] Paul Breitbarth: That is this, that is this study.

Because together with Bellingcat, the journalist from this, this online platform, they found out first of all, that these maps exist and that you could actually drill down, so you can zoom in on a sensitive area, see who is working out in that neighborhood, click on the person's workout details, and then zoom out and see their routine.

So also where they move. And then also that you, that something is probably their home address or at least their place of residence. So they selected quite a few sensitive locations, including 125 military bases, uh, 48 nuclear weapons storage facilities, the home offices of the intelligence agencies, royal residences, the White House.

And they were able on that basis to identify staff working at the NSA and the U.S. Secret Service, GCHQ and MI6, the Russian intelligence services, the French ones, the Dutch military intelligence service. But by exposing all of that data for all to see, Polar was also in breach of law because in the U.S. sharing the identity of an intelligence agent is punishable for up to 10 years in prison. And by just finding out their location and where they live, it's also fairly easy to find out what their name is.

[00:30:32] K Royal: That doesn't even need a lot of technology. That's just kind of Google.

[00:30:36] Paul Breitbarth: That's just kind of Google. Absolutely. And then using the phone book to identify a name.

So they also reached out to some of these people and said, Hey, can you confirm that you work for security service X, Y, Z?

And of course these people panicked and also wanted to know how did you find this out? So the journalists did an ethical thing. So they first alerted Polar before releasing their story as is supposed to be the case in, in, in this situation. 

And this is, again, this goes back to 2018. So this is six years ago. And that was already possible back then. Just with the development of technology nowadays, it is even more important for organizations to bear in mind that whenever they use location data, make sure that you don't make it public by default and that you give users the possibility to block it, to switch it off or

[00:31:27] K Royal: Yeah. 

[00:31:27] Paul Breitbarth: share it whenever it's relevant in a specific 

[00:31:30] K Royal: Right. And there are other uses. We're coming to the end of our time, but there's other uses in here. Speed limit enforcement, remote braking for speeding vehicles. GPS cameras for geotagging, traffic monitoring, TV and other expensive equipment with location sensitive immobilizers. So it stops them from being stolen.

GPS enabled firearms, GPS enabled electronic documents. So you can't share the documents where they shouldn't be shared. There's a ton of other information. Again, in Arizona, they're geochipping the saguaro cacti. Because it is illegal to take a saguaro, because they take so long to grow and they're protected.

So they're tagging saguaros to see if people steal the saguaros. There's been a lot of cases, a ton and ton and ton of cases against people selling the geolocation information or having it available. There's a lot of location data brokers. I mean, there's a ton out there. I have, I'm looking at a slide with like 50 of them on here, I think.

And this is not all of them. And you probably don't hear of a lot of location brokers. Not just data brokers, location data brokers. But they're buying and selling the geolocation data for ads, for profiling, for targeting people. But, in case you think that it's all bad, let me tell you of one geolocation advertising that really worked.

It was for the Dine Out for No Kid Hungry, a year round rotate, uh, restaurant led campaign to when you go and buy food, you buy food for a kid. Or, you know, you donate a certain money that will incentivize them to feed others at the same time. It was four restaurants: Qdoba, Qdoba, Qdoba, Jack in the Box, On the Border, and Habit Burger Grill.

And they would send you ads when you were at the restaurant. So if you visited the restaurant, they would send you an ad. Or if you were driving by, they'd be like, Hey, why don't you go to this restaurant? They raised over a million dollars, and they drove 129,000 visitors into the restaurants for this campaign.

So it's not always bad. Geolocation, advertising, and yes, it does mean that when you're walking down an aisle in the grocery store and you're reaching for Honey Nut Cheerios, it's going to say, hey, wait, wouldn't you rather have Froot Loops? And you're thinking, God, I probably would rather have Froot Loops, but no, I'm going to do the healthy-ish-er alternative of Honey Nut Cheerios.

So, there's a lot of things it could be used for, and those of us in privacy, we're generally considered conservative because we think these rights should be protected. And we're generally pretty cynical and paranoid because we know that they're not. So, we're probably not the right ones to think of all the different ways that location data could be used wrongly.

We just know that when we see it, we're like, Nope. That shouldn't happen. And then of course there's stories that come out, but I will say one last one and then Paul, I'll let you close us out. Another tactic of police is reverse location or geofencing services. Now, if you know, when we talked about the Washington My Health, My Data Act, there's no geofencing allowed around particular areas in what you do because you don't want that data.

But this is police reverse searching. So there was a case that came out about bank robberies. And in searching all the different cell phones and all the different vehicles and everything that were in that area at that time, and pinging them, they were able to find the ones that were in those four areas at the times of the robberies.

So using that reverse location kind of search for it, which is not the same thing.

GPS mistakes. Shall I cover those before your last thoughts? I have to do this. Okay. There are GPS mistakes. You can go to a website and you can watch the worst GPS mistakes ever.

People following the GPS instructions on their car or on their phone rather than paying attention to what they're doing. A dozy driver took GPS directions onto a railroad line.

[00:35:44] Paul Breitbarth: Oh, that's a bright idea. 

[00:35:46] K Royal: Girl crashes into the lake following bad directions. Japanese tourists drive into the Pacific Ocean because their GPS told them to.

A truck driver took a 1,600 mile detour due to satellite navigation. So, that's the other thing. If you're affirmatively using GPS to tell you where to go, put your eyes on the actual road sometimes.

[00:36:11] Paul Breitbarth: Yeah. And also be careful for GPS spoofing because also that is happening more and more. Apparently Russia is now also using that as a weapon for Western planes 

[00:36:23] K Royal: Oh my goodness. Oh no. 

[00:36:26] Paul Breitbarth: yes. Don't you love it? 

[00:36:29] K Royal: Our job just can't get any better, Paul. Look at all 

[00:36:33] Paul Breitbarth: No, 

[00:36:33] K Royal: information we have. 

[00:36:35] Paul Breitbarth: It cannot. So indeed location data is extremely useful also for us on a daily basis, indeed as you mentioned for a 911 or other emergency calls and you have no idea where you are, then it's very helpful that your car or your phone can share a location.

[00:36:53] K Royal: Yes.

[00:36:53] Paul Breitbarth: If you want to use the ride sharing app, if you want to order some food and get it delivered.

[00:36:59] K Royal: Your Amazon delivery. How close are they? Cause, you know, you can't just wait for it to be delivered.

[00:37:04] Paul Breitbarth: True, but that is already a part where I think it's becoming scary because you are also surveilling your delivery guy

[00:37:10] K Royal: Right? 

[00:37:11] Paul Breitbarth: aren't they allowed to take a five minute break to

[00:37:14] K Royal: No! 

[00:37:15] Paul Breitbarth: to the facilities or maybe have a 20 minute lunch break to eat a sandwich

[00:37:19] K Royal: Paul, my husband, did that. He would track his delivery. Oh, it's supposed to be here by 10 a.m. Then he'd look at 9:30 and be like, Oh, now it's not going to be here until 2. I bet they stopped and took a lunch break. Oh. Like

[00:37:29] Paul Breitbarth: Well, 

[00:37:30] K Royal: dude? 

[00:37:31] Paul Breitbarth: That's exactly what I don't like about that kind of monitoring. So yes, it can be useful, but we should really be careful that we don't turn

[00:37:39] K Royal: Yeah, 

[00:37:39] Paul Breitbarth: into spooks, all of us, because we are surveilling each other continuously

[00:37:44] K Royal: And do pay attention to those apps that you have on your phone. Every now and then go through and see which ones have what permissions turned on. You can look at that easily.

[00:37:52] Paul Breitbarth: And every once in a while switch off your phone and reboot it. So that you can also, if there is something running in the background that you don't like, we haven't discussed even Pegasus and, and all those kinds of tracking applications. We'll leave that for another time.

But make sure that if you reset your phone every once in a while, that will also help to at least to some extent confuse those kinds of spy software.

[00:38:17] K Royal: Yeah, make good choices.

[00:38:19] Paul Breitbarth: But on that note, we wrap up this episode of Serious Privacy. I'm pretty sure this is a conversation we'll continue. So share your thoughts, share your ideas on LinkedIn.

You'll find us under Serious Privacy, get in touch with K under Heart of Privacy, or just follow her voice when you are somewhere in the DC Convention Center and find her. You'll find me on social media as EuroPaulB. I won't be in DC, unfortunately, but you'll find me at events somewhere else in the world later this year.

Until next time, goodbye. 

Bye, y’all.