The Privacy Implications of Mobile Sensor Networks
Speech given at 4YFN Barcelona on the 2nd of March 2015 by Samuel Johnston

1) Privacy, from the state and from society

I’m sure I do not need to explain to anyone sitting in this room today exactly why privacy is important. Privacy, above all the right to areas free from state observation and intervention, has been a much-discussed topic especially over the past couple of years – with Wikileaks and Edward Snowden pushing these issues to the very forefront of conversations about technology’s place in our lives.

The right to privacy is a long-standing and recognised one, characterised as a form of ‘negative liberty’ by British philosopher Isaiah Berlin, meaning the right to live your life free from intervention from the state. It is a key tenet of representative democracy that there must be areas of activity where it is not the state’s duty to intervene, and where individuals have the freedom to think, discuss and exist. It is, above all, important for people to not only be actually free from observation when in a private state, but also to feel that they are unobserved: to be hidden from the gaze of both state and society.

Hannah Arendt, the German Political theorist, has written extensively about privacy in her book ‘The Human Condition’. In this book she has a wonderful phrase that describes the necessity of privacy to full social existence:

‘A life spent entirely in public, in the presence of others, becomes, as we would say, shallow. While it retains its visibility, it loses the quality of rising into sight from some darker ground which must remain hidden if it is not to lose its depth in a very real, non-subjective sense.’

For Arendt, the depth and richness of the stage of public life is only made possible by the presence of private wings to exit into. There are three chief areas that discussions about privacy generally center around: 1) state surveillance of citizens, 2) the dissemination of personal data and 3) preventing intrusion into spaces deemed private, both from other citizens and agents of the state. During this talk I will discuss how historical precedent reveals how technology has previously impacted these discussions, and offer up some thoughts about how the mobile sensor network will pose new challenges to the ways we conceptualise privacy.

2) How privacy law has historically responded to technological change

It is important to remember that privacy norms are not fixed, societal expectations change over time. Many of the debates being had today, about surveillance, encryption and the right to privacy in an increasingly digitized world are not new – and fit clearly into a historical narrative of privacy and challenges to it brought about by the development of new technologies, particularly technologies of observation. The history of privacy legislation in the United States is a rich field from which to contextualize today’s debates – as it clearly shows the ways in which the courts have previously dealt with issues surrounding new technology that can potentially impact on the privacy of individuals. This is especially important to remember, as privacy debates seem often to be held in a vacuum – as though new technologies beget entirely new problems, as opposed to problems that have clear historical analogy. This approach to contextualising current issues through a kind of ‘archaeology’ of their intellectual past, is an approach that was popularized by French thinker Michel Foucault – whose work on surveillance in ‘Discipline and Punish’ is of particular relevance to the privacy implications of the mobile sensor network – the main subject of this talk.

The law's place in safeguarding privacy in the United States – above all in response to the development of technology, was kickstarted in the 1890s. This decade saw the development of a technological device with worrying privacy implications, a device that, it was felt, had the potential to permanently damage the otherwise inviolate divide between public and private space, between the home and the external world. This device was the camera.

In 1890, two years after the release of the first Kodak camera, an essay was published in the Harvard Law Review by two legal scholars, Samuel Warren and Louis Brandeis. It is entitled ‘the right to privacy’ and is today regarded as the cornerstone for privacy law in the United States. In this article Warren and Brandeis argue for a ‘right to be let alone’, and make it clear that existing laws ‘in an era that now allows for the recording of sound or images’ were not sufficient to protect what they viewed as a fundamental right. What is interesting about this article is that it uses as its examples cases of non-governmental intrusion, talking about the presence of press photographers at a society party. In doing so they split the idea of a right to be let alone from the state (already well established constitutionally) from the right to be let alone from society. Photography (and, to a lesser extent, voice recording) had created a whole new type of privacy concern – one where private situations could be displayed and reproduced on a broader scale. Warren and Brandeis, mindful of the damage that could be caused by making legal, but private, behaviour public, helped to create a new body of law that protected individuals from each other, in a fashion that resembled the right to be withdrawn from the gaze of the state.

Speaking over the telephone was treated as a public act – a conversation between two peers who could have no expectation of privacy

In 1928 the case of Olmstead vs United States was heard by the Supreme court. This case was concerned with whether or not wiretapping private phone calls without a warrant (again, a relatively recently widespread technological invention) constituted a violation of a citizen’s rights. The protection from illegal seizure (taking evidence without a warrant from a citizen’s house) had been enshrined in US law for over a decade and is based on the fourth amendment and this case was concerned with whether or not that protection should be extended to phone lines. The question concerned whether protections given to certain spaces, i.e. the home, should be extended to non-physical space – a telephone line – a point of obvious relevance to privacy and the internet. In this case the supreme court ruled that the fourth amendment did not apply and that gathering evidence through wiretapping did not constitute a form of illegal seizure. Future president William Howard Taft, then chief Justice of the Supreme Court summed it up: "The [fourth] amendment does not forbid what was done here. There was no searching. There was no seizure. The evidence was secured by the use of the sense of hearing and that only. There was no entry of the houses or offices of the defendants." He then pointed out that one can talk with another at a great distance via telephone, and suggested that, because the connecting wires were not a part of either the petitioners’ houses or offices, they cannot be held subject to the protections of the Fourth Amendment. New technology, giving rise to new non-physical spaces, was not protected by existing law – chiefly because the law spoke in improper idioms, idioms of geographic delineation that were not appropriate for a telephonic age. 
Speaking, even in confidence, over the telephone, was treated as a public act – a conversation between two peers who could have no expectation of privacy, as though their conversation was occurring on the high street or in a crowded bar.

In 1967 wiretapping without a warrant was deemed unconstitutional, a time lag of almost 50 years since the first ruling: the law could not keep up with technological change

However, the Supreme Court were not in complete agreement on this ruling. One strong dissenting voice – Louis Brandeis, who had risen from young author of ‘the right to privacy’ to supreme court justice – argued that telephone calls should be treated the same way as the postal service (which was protected as inviolate), arguing that when the fourth and fifth amendments had been written governments only had ‘force and violence’ to compel self-incrimination. In his dissenting opinion to the judgement, Brandeis argued that the government now had more subtle ways to invade privacy and protested that it could not be that the constitution did not afford protection against such invasions of individual privacy. The fact that the post was protected, while telephone calls were not, was a clear sign that the law could not keep up with technological change. In 1967, the supreme court heard Katz vs United States and overturned the ruling of Olmstead. It is worth bearing in mind in the wake of Snowden’s revelations about the NSA, that it took the US supreme court almost 50 years to recognise the right to privacy over the telephone. With the pace of technological innovation today, especially in ways to communicate, such a time lag cannot be considered acceptable.

Katz vs the United States introduced the legal test of whether or not an individual had ‘a reasonable expectation of privacy’, which has since been used to test whether or not collection of information (or evidence) by the government was legitimate without a warrant. This test dealt with two key areas, firstly, whether the individual believed their action was private or in private, and secondly, whether that was a reasonable objective belief.

Two cases make this clear. In Kyllo vs United States (2001) police used thermal imaging to detect whether or not someone was growing marijuana (as growing weed requires a large amount of heat). The police did so without a warrant. The case was struck down, with the court concluding that using thermal imaging constituted a ‘search’ of the home – and that because the device was not in common use, not a common part of daily life, it meant that the defendant had a reasonable expectation of privacy in his own home and could reasonably expect his private domain not to be subjected to warrantless thermal imaging. In contrast, in 1989 a similar case – Florida vs Riley – was heard by the supreme court in which marijuana growth was spotted by police in a helicopter, acting warrantlessly on an anonymous tip. The Supreme Court ruled that air traffic was a normalized part of everyday life, and therefore the defendant could have no reasonable expectation of privacy – even on his own land – from anyone (citizenry or police) flying overhead.

3) Contextual Integrity - a framework for understanding privacy

So how can we judge what constitutes a privacy violation? It should by now be apparent that this is a more difficult question than simply ‘did it occur in private or in public?’ and it is not necessarily clear that the question of whether or not the individual had a reasonable expectation of privacy covers it. The example of thermal imaging may seem to be a good example of traditional privacy laws protecting against new technology, but the crux of that case rested clearly on traditional idioms of geography – it being a private residence that was being invaded in an unexpected way. With the world increasingly characterised by the collection and transmission of personal data, for both profit and research, it is not clear that ‘having a reasonable expectation of privacy’ covers the myriad of complex issues raised from digital interaction and data collection. If someone shares their data with an app developer, is it then appropriate for that developer to share that data with whoever they choose? Can an individual have a reasonable expectation of privacy if they have consented to their data being used by a profit-driven organisation? Or what about G-mail? Google target ads to their users based on the content of emails, in some ways you might argue the g-mail user has consented to have their e-mails ‘read’ in order to provide targeted adverts, they cannot really have an expectation of privacy, so would Google be committing a privacy violation by publishing the full texts of our e-mail exchanges?

Information is not simply public or private, it is divulged in numerous discrete contexts where differing rules apply

Helen Nissenbaum, a professor at NYU and one of the world’s foremost privacy scholars, introduced a valuable and persuasive way of thinking about privacy called ‘contextual integrity’. Contextual integrity holds that there are no areas of human life not governed by norms of information flow, and that different contexts bring with them different norms of appropriateness. What Nissenbaum means by a norm of appropriateness is that different types of information are appropriate for a different type of context – it would be appropriate to discuss your medical condition with your doctor, but not necessarily to bring it up at a dinner party. The second norm is that of flow or distribution, which relates to the expectation of how that information will be transmitted once uttered – meaning that appropriate information is not transmitted into a context where it becomes inappropriate. Under the theory of ‘contextual integrity’, a privacy violation has occurred when either the norms of appropriateness or the norms of flow are breached. The point is that information is not simply ‘public’ or ‘private’, but every time information is divulged it is governed by the rules of the context in which it was divulged. This is important because it does not treat human interactions as undifferentiated, but allows for a series of contexts that more accurately reflects the ways people interact in day-to-day life. The binary distinction between public/private has to be done away with, as people share information about themselves into different types of private context, and different types of public context.

4) The Mobile Sensor Network

But how does this relate to mobile? We are after all at Mobile World Congress – an abstract discussion of theories of privacy and its relationship with US law definitely seems to be violating some kind of norm of appropriateness. Earlier this year my colleague James Robinson and I published a white paper entitled ‘Mobile Sensor Networks: creating a social laboratory’ which can be found on the OpenSignal website. In this paper we describe what we regard as having the potential for being the most significant scientific tool of the 21st century, the mobile sensor network.

We think of mobile phones as communication devices, as games consoles, as portable video players. The uses to which people put mobile phones, as this conference should make clear, are incredibly varied and only becoming more so. What is often less thought about, because it is hard to see in isolation, is the extent to which your device is capable of functioning as a multi-faceted individual sensor, or as part of a network of sensors – capable of collecting information about the world around it and your own interaction with that world.

Modern smartphones contain an impressive array of sensors. Most of you here will have in your pocket a device that contains a lightmeter (used for determining screen brightness), a barometer (for correcting GPS positioning by adjusting for altitude), a gyroscope (for screen orientation), a microphone and a GPS sensor. Those of you who have a Galaxy S4 will also have a humidity and temperature sensor, courtesy of Sensirion’s SHTC1 chip. These sensors were mostly put in the device with a clear purpose, aimed at improving the phone’s functionality in a specific way (except for the ambient temperature and humidity sensors in the S4 – Samsung’s logic for that appears to have been ‘because we can’).

[Figure: The rise of smartphone sensors. Sensors shown: fingerprint scanner, heartrate, RGB ambient light, relative humidity, env. temperature, barometer, NFC, gyroscope, accelerometer, Bluetooth radio, WiFi radio, FM radio, cell radio, front camera, rear camera, GPS, magnetic field, light flux, battery temp., microphone, touch. Columns: S, S II, S III, S4, S5.]

So what can be done with these sensors? While they may have been put into devices for specific individual purposes, there is no reason why these sensors cannot be repurposed and accessed for other projects. Developers are increasingly tapping into sensors on mobile devices to centrally collect information about the world in new ways. Anyone who can build an app can cheaply develop their own sensor network, an incredibly exciting opportunity as it reduces the barrier to entry for sensor-based research and investigation (previously enormous) to practically zero. Across the world there are a billion smartphones, already-networked sensors just waiting to be accessed. The sensors are already deployed, they just need to be harnessed.

With pre-existing distribution channels in the form of the App Store or Google Play it is incredibly easy for a developer to access these devices. As smartphones get ever smarter and even more widespread, the richness and sophistication of mobile sensor networks is only going to grow. When people download an app which relays data from their device to a central location, they are participating as a node in what we call a crowdsourced sensor network – acting as gatekeepers of their devices, which are capable of transmitting information passively, without specific user intervention. Any individual smartphone is capable of being part of any number of different mobile sensor networks, as the sensors are non-proprietary – helping to increase the scope of sensor network-based research.

Two examples of the mobile sensor network in action are our own projects OpenSignal and WeatherSignal. OpenSignal is an app which helps the user find a better mobile connection in real-time, by pointing them in the direction of their nearest cell tower or free Wi-Fi network. The app also collects mobile network performance data, on both speed and availability allowing us to create independent maps of mobile coverage that can be accessed on our website. We also sell reports based on this data to mobile networks to help them understand the experience of their customers and benchmark against competitors. We currently have over 1.5 million devices reporting on mobile network performance across the globe – mapping coverage at a scale, accuracy and frequency impossible using other testing methods.

WeatherSignal is a project to improve weather forecasting based on smartphone pressure data, as granular pressure readings have the potential to improve the inputs into forecasting models – hopefully leading to long-term improvements in forecasting. We currently have around 60,000 devices contributing to this project and our data is being used by academics worldwide to look at how our data can impact on forecasting, and so far it’s looking extremely promising – with smartphone pressure readings helping to more accurately track the movements of fronts and predict short term storm movements.

These are just two examples of mobile sensor networks in action – but this is only the beginning. With both OpenSignal and WeatherSignal we emphasise the data collection as a benefit, rather than a cost, to users. Making explicit the data we collect and the uses to which we put it. Above all, the ways in which we make that data public, the coverage maps and regularly-updating map of smartphone pressure readings on the WeatherSignal website, are anonymized. We never share data, to either paying customers or academics that contains unique device identifiers. We do our best to respect the integrity of the context in which users consent to share their data with us, and we believe this trust between developer and user is a key aspect of what we believe will make crowdsourced mobile sensor networks one of the most important tools of the 21st century.

5) The privacy implications of the mobile sensor network

However, as with almost all forms of new technologies of observation, there are associated privacy concerns brought about by the development of the mobile sensor network. As sensors proliferate across the globe, not simply in mobile phones but in all devices connected as part of the Internet of Things, the question must be asked as to whether any reasonable expectation of privacy can possibly remain – especially as these networks become a more normalised part of our everyday lives. If we are consenting to have data constantly collected from the always-on devices we carry everywhere, where does this leave privacy?

The problem with data collected by mobile sensor networks is that big data technologies are increasingly making new datasets useful in ways that were not expected when the data was initially gathered. Data viewed as non-private when initially collected may come to reveal much more about users than expected, so users may not have cared about the potential distribution of that data in the initial context in which it was given up. A study that came out of MIT in 2013 showed that only a limited number of location points were required to successfully identify an individual from an otherwise anonymous dataset – as people have predictable trajectories, or movement patterns. Between four and eleven cell-phone derived locations were enough to uniquely identify an individual from a dataset of over 1.5 million people. Similarly, a recent leak of UBER data allowed for the identification of Muslim drivers based on prayer times and matching this up with times of driver inactivity – in short, it is hard to know exactly how the data could be used when it is first collected.
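The re-identification risk described above can be measured before a dataset is released. The following is an added example, not code from the talk or from OpenSignal: it computes the fraction of point combinations that single out exactly one trace ("unicity") in a small constructed dataset, and, going beyond the text, repeats the measurement after coarsening space and time. The user labels, cell ids and the `coarsen` parameters are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample data (not real measurements): pseudonymous user ->
# set of (cell_id, hour_of_day) observations, with device identifiers removed.
TRACES = {
    "u1": {(0, 8), (1, 12), (2, 18)},
    "u2": {(0, 8), (1, 12), (3, 18)},
    "u3": {(0, 8), (4, 13), (3, 18)},
    "u4": {(5, 9), (4, 13), (2, 19)},
}


def matching_users(traces, points):
    """Return the users whose trace contains every one of the given points."""
    wanted = set(points)
    return [user for user, trace in traces.items() if wanted <= trace]


def unicity(traces, p):
    """Fraction of p-point subsets of a trace that match exactly one user.

    Every subset of every trace is tested, so the result is exact for small
    datasets; a large dataset would need sampling instead.
    """
    unique = total = 0
    for user, trace in traces.items():
        for subset in combinations(sorted(trace), p):
            total += 1
            if matching_users(traces, subset) == [user]:
                unique += 1
    return unique / total if total else 0.0


def coarsen(traces, cells_per_area, hours_per_bucket):
    """Generalise each point to a larger area and a wider time window."""
    return {
        user: {(cell // cells_per_area, hour // hours_per_bucket)
               for cell, hour in trace}
        for user, trace in traces.items()
    }


def report(traces, max_points):
    """Unicity for 1..max_points known points, as a dict p -> fraction."""
    return {p: unicity(traces, p) for p in range(1, max_points + 1)}


if __name__ == "__main__":
    print("raw      :", report(TRACES, 3))
    # Assumed generalisation: pairs of adjacent cells, six-hour windows.
    print("coarsened:", report(coarsen(TRACES, 2, 6), 3))
```

Removing identifiers leaves every full trace in the raw sample unique; coarsening lowers the figure but does not bring it to zero, so the check is worth rerunning on each candidate release format.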

[Figure: Jeremy Bentham's Panopticon]

The variety of sensors in mobile devices allows for sophisticated contextualisation of location data – data which is already made use of by law enforcement, as anyone who watches any number of police dramas on television will already know. Individual sensors themselves could be used to identify individuals, as it has been shown that accelerometers on phones have unique fingerprints, and it is possible to collect accelerometer data which is unique to the device supplying it. This is in similar fashion to dot matrix printers, or to guns, each of which can be uniquely identified by forensic scientists – as they leave slightly different signatures. A huge amount of data can be, and is being, collected from mobile devices and all of this data is potentially accessible by law enforcement agencies – hopefully with a warrant, but after Snowden’s revelations it is highly probable without.

When I quoted Hannah Arendt way back at the beginning of this talk, I emphasized that public life is given its special qualities through the ability to withdraw from it. As we carry around devices that are constantly reporting data to centralised locations, collecting data on us and our intersection with the physical world, there is a concern that we will lose this quality – in part dependent on how people interpret this information-gathering structure. When the first concerns were raised about how much information people were sharing online, it was always pointed out that people could just ‘switch off’ or disconnect – their information only collected when they actively made use of web services. With mobile devices, that becomes much harder – especially as we grow only more dependent on them. The dream of a connected world is one where the mobile device practically becomes an extension of the person using it, and it is a vision that we see all around us in Barcelona this week. It is important that this development does not come at the cost of, as Arendt would put it, an increase in ‘shallowness’.

Whether this occurs or not is highly dependent on how these data gathering networks are perceived by users. The world’s largest mobile sensor network is Google Maps, which collects location data from users in order to improve its services. Many people do not know this, as the information is only mentioned in the terms & conditions that most people simply click through. I believe that it is important that users are aware of the data they are sharing, and aware of who is collecting what, in order to be able to make informed decisions about what data they share and with whom. The most important balance is between harnessing these incredible networks, that have the potential to revolutionise the way we study the world, and protecting the idea of private space. It is for this reason that due judicial process is so important: the state can potentially access any and all data collected by private companies. This does not have to be problematic, provided that total warrantless surveillance is not allowed to become the norm. I can think of no worse future for mobile than for people to fear their devices, devices that they can no longer live without, as potentially capable of spreading information about them in ways they cannot control and with results they cannot expect.

In the late 18th century Jeremy Bentham designed a new kind of prison in London, this prison was called the Panopticon – a name derived from Ancient Greek that broadly means ‘sees everything’. In this prison all inmates were visible to a watchman in a central tower, though the inmates themselves did not actually know at any one point whether anyone was actually in the tower. In this way the inmates felt like they were permanently observed, constantly fixed in the gaze of a centralised authority. Michel Foucault used this as a great example of how structures of power can transform behaviour, and the panopticon was a much discussed metaphor for the rise of CCTV in modern society – especially in my home country of Britain, where citizens are observed by camera more than in any other. It is important that mobile sensor networks do not become a form of digital panopticon, where users feel themselves constantly in the gaze of corporations, and over the shoulders of corporations, the state. Mobile devices are transforming the way we interact with each other and the world around us, and mobile sensor networks are tools of great promise, both for jumpstarting a potential revolution in citizen science and making for new and better information to be collected about human behaviour and the physical world. What is important is that these networks do not come at the cost of an almost total reduction in privacy – a right crucial to the functioning of modern societies and modern democracies.
