GPS devices, geolocation data create privacy, security risks

Emerging technologies that allow users to broadcast geographic locations raise many issues for companies, CIOs, while legislatures and the FTC consider legal aspects.

In 2005, American Car Rental, doing business as Acme Rent-A-Car, used the Global Positioning System (GPS) devices in its rental cars to track the driving speeds of its customers. Each time a vehicle's speed exceeded 79 miles per hour for two continuous minutes or more, the car company charged the driver $150. Some customers were not given advance notification of the fees, discovering the charges weeks later on their credit card bills. The car rental company, which is no longer in business, argued that tracking the information was justified due to the additional wear and tear the excess speed exacted on its cars. But when a driver sued, a Connecticut jury saw it differently, ruling the practice a violation of the state's fair trade practices laws and awarding the plaintiff in James Turner v. American Car Rental Inc. the amount of the surcharges, plus legal fees.

More data privacy resources
Avoiding gotchas of security tools and global data privacy laws

U.S., EU personal data protection laws make e-discovery risky

Health care CIO tackles complex security, privacy mandates

Legislative action followed swiftly. Connecticut, California, New York and other states have since passed laws restricting the car rental industry's use of information gained from GPS devices to track location and behavior of its customers, as the American Bar Association reported in "Rent a Car, Rent a Spy."

Is this just a matter for the car rental industry? Hardly. The court's response and legislative action, experts said, should serve as a wakeup call to corporations about uses and abuses of geolocation data and the risks this information poses for their enterprises.

As applications and services for broadcasting a person's geographic location become more widespread, from Google Latitude and the GPS-enabled Garmin nuvifone to travel aggregation sites like TripIt, corporate policy questions and legislative action are bound to increase. Yet corporations, like most consumers, don't have a clue about how these technologies can lead to privacy violations or security breaches.

"Right now, enterprises do not have that risk plotted out -- anywhere," said Ian Glazer, a security analyst at Midvale, Utah-based Burton Group Inc.

Competitive advantage for rivals

Location-based data can be exploited for competitive advantage by rivals, Glazer pointed out, if, for example, a group of executives disclose location information that can be easily traced to sensitive business transactions, such as acquisitions or real estate sitings.

For multinationals doing business in politically unstable locations, geolocation can endanger employees. Then there are the privacy concerns. Can employers get access to the geolocation data associated with an employee but perhaps not directly related to the job if the device is company-owned?

"The upside is that these types of technologies and the challenges they present can be addressed with awareness training and policy. Educating employees to think about location as competitive intelligence or a safety issue is fairly straightforward," Glazer said.

Miriam Wugmeister, a partner in the New York office of Morrison & Foerster LLP and the head of the firm's global privacy and data security practice, agreed that employee training is key. Most devices with geolocation capabilities have a feature that allows users to turn them off. "CIOs need to educate the users, or they need to be cognizant of the notice given to employees," she said.

Active, passive and indirect geolocation technologies

Glazer divides geolocation data into three technology channels: active, passive and indirect. Active technologies actively disclose an employee's location. Google Latitude, which pulls data from the GPS in one's phone and makes a statement about it, is an obvious example. Geolocation information in pictures posted to is a less obvious example of an active channel, he said. "The data is right there for the taking, and it is also temporally linked … with a time stamp, so now I know when that person was there."

Passive channel technologies provide users with location capabilities. A travel aggregator site such as TripIt, for example, collects users' travel information in order to offer travel services but then can communicate it again to a social network or the public via Twitter.

Indirect channels are tools like Yelp "that allow users to get up on a soapbox and basically, say, 'Look at me, I am over here, having a great meal in Sheboygan,'" Glazer said.

When confronted with location data, particularly those that link to social media platforms, the instinct of some CIOs, understandably, will be, not my system, not my problem, said Glazer.

"CIOs now understand their relation to internal wikis and SharePoint. It's harder to wrap their brains around all these IT services outside the enterprise," Glazer said.

But turning a blind eye is probably shortsighted, he said, because corporate counsel and C-suite business executives will immediately get why location-based data is a risk, once they understand it can be used for competitive advantage. In fact, he and Wugmesiter recommend that CIOs take the geolocation data dilemma by the horns, educating C-level executives first about the possible risks and worrying about lower-level employees later.

Another avenue to follow? Wugmeister said the Federal Trade Commission will launch a series of roundtables in December to explore the privacy challenges posed by emerging technologies.

Issues and benefits of GPS devices

Larry Whiteside Jr., chief information security officer at the Visiting Nurse Service of New York (VNSNY), is not cowed by geolocation data. "It's an issue in some regards and it's a benefit in other ways. It's an issue if the technology is on and you don't capability to control whether it is on or off," Whiteside said.

Right now, enterprises do not have [geolocation] risk plotted out
-- anywhere.

Ian Glazer
security analystBurton Group Inc.

In his business case, where nurses, nurses aides and many clinicians are mobile, geolocation can be a good tool for management, Whiteside said, "if it can be configured centrally and managed centrally. It's about ensuring your employees are doing what they say they are doing." When employees are on per-diem or hourly salaries, verifying how much time they actually spend on tasks can be a time-consuming process, requiring nurses to dial in from client homes, punching codes, etc. Nurse safety is also an issue.

VNSNY employees use Google Maps to plot out their stops in the most cost-efficient way possible. Whiteside is working on putting Google Maps and a geolocation feature on company-owned phones. "There is no added cost for these features. It's a management issue. We would even pay for an overlay or build something that would give the supervisor the ability to log in, and basically see where their nurses are," he said.

The push has come entirely from the business. Whiteside said he's working closely with legal counsel, human resources and "everyone else imaginable" in the greater Manhattan area to sort out the privacy and security concerns. But the working premise, so far, is that employees understand that when they are using company-owned equipment in the course of their jobs, they "are under the watchful eye" of the corporation.

As for keeping tabs on geolocation data employees broadcast from personal phones, he said he hasn't heard of any CISOs investing resources in this, with one exception. "I have heard that, if that information is easily available, HR may choose to look at that information, if they have other reasons to believe the employee is not doing what he says he's doing."

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

Dig Deeper on Risk management and governance

Cloud Computing
Mobile Computing
Data Center
and ESG