Secondary Uses and Privacy
There’s an interesting New York Times article on the use of cell phone tracking data for criminal prosecutions. It’s a classic example of secondary uses of data. Briefly, phone companies keep several months’ worth of tracking data: which cell sites talked to which phones, and when. This data can be subpoenaed by prosecutors and used as evidence in criminal cases. (Oddly enough, the story was in the New York section of the paper, not the national or technology sections.)
There are a variety of legal issues about the validity of such evidence that I’m not going to discuss. These include accuracy (did you know that during busy periods, your call may be handed off to a more distant cell site? I didn’t.), whether the location of the phone corresponds to the location of some particular person, etc. My focus here is on privacy.
First — as I discussed in a post on pen registers, the data is almost certainly available to prosecutors with little trouble. After all, subscribers voluntarily "give" their location to the phone company, and given that location data shows up on phone bills, it’s hard to argue that people don’t know this. It might take specific statutory authority for prosecutors to get this without a subpoena, but such a law would almost certainly pass constitutional scrutiny.
Second, it’s not just criminal cases; similar data can be and has been used in things like divorce cases.
The root issue, though, isn’t legal. Rather, it’s one fundamental to the privacy problem: the secondary use of data. That is, data legitimately and properly collected for one purpose, with the consent of the subject and perhaps for necessary technical reasons (the cellular phone system can’t work if the network doesn’t know which towers are near which phones), can be retained and used for other purposes. The purpose of cell phone location data is first, to make the network function, and second, for billing records; it is not intended for use by divorce lawyers or prosecutors.
Ironically, there was an article a few days later in the technology section of the Times about GPS phone location-based services. This article does not mention the word "privacy". It’s instructive to look at the privacy policies of some of the service providers mentioned in the article. Where.com’s policy is pretty good; it tells you what it collects, doesn’t disclose personal information to third parties, solicits your consent before sending you marketing email, and promises that you’ll be notified if a new owner of the company plans to change the privacy policy.
Other policies aren’t as attractive from a privacy perspective. One states that "We maintain a database with this location and route information, and may keep such information indefinitely." It goes on to say:
We may disclose to unaffiliated third parties without your consent information about you that we collect, including information that we collect through your registration to be a customer, through one of our promotions, or through your request to us or one of our partners for details about our services. Such third parties may use this information (including your name, telephone number, and email and mailing addresses) to promote their products and services to you.
Lots of what we do in a digital world creates data. Curtailing secondary uses is key to maintaining privacy.