Beyond Privacy

New Use of Cellular Networks

The Necessity of Recognizing the Nuances of Privacy

Martijn de Waal

April 23, 2010

According to media researcher Martijn de Waal, it is time to rethink our ideas of privacy. The growing use of cellular networks is generating data that plays an important role in civil society projects. To be able to continue using such data in a meaningful and fair way, people must become aware of the fact that privacy is not only a question of either private or public, but includes many gradations in between.

During the Notte Bianca 2007 (an event in Rome comparable with the Museum Night in the Netherlands), researchers from MIT’s SENSEable City Lab set up a number of big screens at different urban locations, upon which they projected dynamic maps of the city. Light blue spots indicated large numbers of people, thus enabling visitors to the event to immediately see which museum was crowded and plan their route accordingly. Making the task even easier, yellow stripes representing Rome’s municipal buses could be followed live on the same map. This project – ‘WikiCity Rome’ – sounds like a nice gimmick. The researchers gained access to the location data of mobile phone users through a telecom company. The anonymized coordinates of individual phones were combined by an algorithm into a – handsomely designed – real-time map of nighttime Rome.

But ‘WikiCity Rome’ was more than just a gimmick. The project made use of an important shift in the functionality of the mobile phone (or ‘cellphone’, as it is called in parts of the English-speaking world). It is no longer simply a means of communication. Increasingly, the mobile phone is also being used as a sensor that gathers information about us and our surroundings.2 Location coordinates, images and sounds can be recorded and shared with friends, colleagues, social institutes or even with others who are unknown to us. This new use of mobile phones can have great social consequences, but it also raises questions about privacy. Who has access to all of this data we are gathering? To whom does this information actually belong? To us? The telephone company? Or should it – in anonymous form of course – be considered common property? Ought the government be allowed to monitor our movements in times of emergency? And if so, precisely what constitutes an emergency?

For the American civil rights organization Electronic Frontier Foundation (EFF), these developments are sufficient reason to introduce a new category of privacy: ‘locational privacy’. Will we still be able to move through a city in the near future without the places we go to being systematically recorded in all sorts of databases?3 The new developments are so far-reaching that we must ask ourselves whether our traditional idea of privacy is still tenable. The discussion is no longer only about the right to be able to act anonymously in our private lives without the government or our employers looking over our shoulders. In many instances, people will actually want to voluntarily make information about their private lives public. For the fact of the matter is that this can also have certain advantages, both for individuals and for society as a whole. But precisely what are the conditions under which this occurs? What possibilities does technology offer for sharing or protecting information? In this essay, I would first like to give a number of examples of how the use of the mobile phone as a sensor encroaches upon our lives in today’s society. Then I will go into the consequences of this for the debate on privacy and technology.1

Scientific Research: A New Form of Demography?

Researchers in various disciplines are extremely enthusiastic about the mobile phone as a means of collecting data. Finally, they sigh, we can chart the behaviour of an entire population in real time instead of taking a few random samples afterwards. ‘Reality Mining’ is the name of the new discipline in which different streams of data are combined to get a handle on complex social processes. Social scientists often speak in slightly euphoric terms about these new possibilities. For instance, take Alex Pentland of the MIT Medialab: ‘By using data from mobile phones… we can create a “god’s eye” view of how the people in organizations interact, and even “see” the rhythms of interaction for everyone in a city.’4 This new method of measuring not only gives better insight into social processes, claims Pentland, it also has greater predictive value. Traditional demography, he states, is a bad predictor of behaviour. How old someone is, where they live and even their income is interesting information, but says little about how that person will behave in the future. Only when you can actually analyse their behaviour, can you – within certain margins – start predicting. Says Pentland: ‘The fact that mobile phones have GPS means that we can leap beyond demographics directly to measuring behaviour. Where do people eat? Work? Hang out? How does word of mouth spread? Analysis of travel patterns using mobile phone GPS data, for instance, allows discovery of the independent subgroups within a city.’5

At present, the mobile phone is already being used in this manner for health care research. In Kenya, for example, mobile phone data is being used to localize breeding grounds of infection for malaria. Other scientists have developed algorithms with which – again through data generated by mobile phone use – behavioural patterns that indicate the outbreak of a cholera epidemic can be identified. In the Dominican Republic, research into the spread of HIV is being conducted in a similar fashion.6

Urban planners are also enthusiastic about this new way of collecting information. The British ‘Cityware’ project tracked visitors to inner cities with the help of the Bluetooth technology on their phones.7 Here too, expectations are often high. Anthony Townsend, for instance, a researcher specialized in technology, sees the rise of networked sensors as a development comparable to the rise of aerial photography. For urban planners, that was a revolutionary media technology: for the first time, they could see the city from above, as a whole. And if aerial photography reveals the city’s skeleton, we now have a view of its nervous system. For the first time in history, people often optimistically say, we can observe all sorts of social interactions in the city in real time.

A little perspective is not out of place here, however. Although these methods of gathering data certainly can lead to new insights, the debate still does not address the question of exactly what kind of knowledge they actually produce. Data is not the same as knowledge, and so far the nature of the data is primarily quantitative. Researchers now know how many people are at certain places at certain times, where they have come from and where they are going. But more qualitative aspects – why do people move as they do, and what is their experience of that? – still remain out of the picture as a rule.

Citizen Science

In the above instances, scientists work from the top down in collecting great amounts of data in order to analyse social processes. But the mobile phone can also be used to collect data from the bottom up, at the initiative of users themselves. ‘Biketastic’, a project aimed at bicyclists in the notoriously car-oriented city of Los Angeles that has been set up by the Center for Embedded Networked Sensing, is one such example. This research centre from the University of California Los Angeles has developed a mobile phone app that bicyclists can use to collect data on their trips through the city and share it with one another. The app measures the location, distance and speed of the bicycle route, but also its comfort. The microphone measures the noise of the other traffic, while the accelerometer indicates whether the cyclist can smoothly cruise along or has to keep stopping and starting. The geographical data can later be linked with external databases: How much air pollution is there throughout the route? And what about traffic safety? By combining the data from different cyclists with external databases, after a while you also get a bicycle map of Los Angeles with which you can plan the most pleasant, safest, cleanest or fastest route.8

This is similar to a number of ‘Citizen Science’ projects, in which citizens use the mobile phone’s sensor capacity in order to work together for a specific purpose. Eric Paulos conducted research on campaigns in which neighbourhood residents charted the quality of the air with the help of mobile sensors. Such campaigns had many positive effects. The participants gained an increased awareness of the problem of air quality and their involvement in local politics improved.9 But there are also negative aspects: Just how trustworthy is the data that is collected? Can the results be influenced, for example by holding a sensor next to a car muffler?10

Personalized Locational Services

Finally, the use of the mobile phone as a sensor can also have advantages for individual users. The mobile phone makes it possible to register information about your life automatically. Services like Google Latitude or Bliin plot your movements through the city on a map. You yourself are always at the centre, surrounded by those of your friends who have the service turned on and voluntarily share their data with you. Other services, like Yelp in the USA, also centre the map on the user’s position and then place balloon markers for the nearest pizzeria, optician, cash dispenser, taxi or other search command. Companies like Sensenetworks can also make analyses of your spatial behaviour and use that to recommend all sorts of services to you.

Christophe Aguiton, Dominique Cardon and Zbigniew Smoreda – researchers at Orange Labs, the R&D department of France Telecom – call this phenomenon ‘Living Maps’. A map is no longer a static representation of a geographical reality but a dynamic reflection of social activities. In the long run, the advent of such maps can lead to a cultural shift. Right now, our social lives still largely consist of making appointments that we write down in our agendas. But after a while, a ‘map of opportunities’ might very well seem like a much more attractive idea. If you momentarily have nothing to do, simply take a look at your personalized map. Who is in the immediate vicinity right now to meet up with? What is there to do at a reasonable distance from where I am?11

Critics point out that this can have huge consequences for life in the city. Does it still leave any room for chance encounters with the unknown? Will we become ‘people without characteristic traits’ who slavishly follow the recommendations of our ‘clever’ systems? These are relevant and meaningful discussions, which I do not wish to go into further right now. In the second part of this essay, I prefer to examine the notion of privacy that is at stake with these new technologies.12

Who Is the Owner?

How does the advent of the mobile phone as a sensor relate to our thinking about privacy? In academic circles, a cautious consensus is becoming apparent: users should be the owners of their own data. No matter how you generate data – for example, through the sensors in your mobile phone – you must be able to access that data, wipe it out yourself, keep it saved securely, and decide what is going to happen with it. Only in very exceptional circumstances should the government be able to have access to such databases.13 A view like this could very well lead to new forms of inequality. Personal particulars are very attractive data for commercial parties, and some critics suspect that the selling of your personal data will be made attractive. People who don’t want to share their personal details with commercial parties will, for example, have to pay more for a mobile phone subscription.14

Precisely what does ‘data ownership’ mean for the analysis of information on an aggregated scale? Are researchers only allowed to collect data if phone users give them permission to do so? And is that permission also necessary if the data is only used for mapping group behaviour? After all, in such cases the individual information is swallowed up in the group profile and a link with individual behaviour can no longer be made. But then, who is allowed to collect this sort of information, and under what conditions? Should telephone companies collaborate on this, for example?

Erin Keneally and Kimberly Claffy – researchers at UC San Diego – argue in favour of regulation that takes into account the positive aspects of sharing data. At present, the rules are not always so clear about what is allowed and what is not. As a result, many parties react defensively to requests for sharing data. They prefer not to take risks, seeing as the debate on privacy escalates quickly. The idea of privacy as the absolute right to protection of personal particulars soon loses out to the possible social benefits of sharing data – such as in the above-mentioned instances in the area of health care, for example. Keneally and Claffy call upon researchers and the telecom industry to develop a new protocol that makes the sharing of data possible and at the same time limits the risks of improper use of sensitive information.

Nathan Eagle compares ‘reality mining’ with large-scale medical research projects. There too, extremely sensitive personal information is stored in databases, which is why there are strict rules for their use: only professionals have access to the information and they must sign in when they want to use the databases. Eagle therefore proposes that such protocols also be quickly set up for the use of sensor data from mobile phones.

Organizations like the Dutch ‘Bits of Freedom’ are concerned about these new developments. Information that is stored anonymously, warns this organization, does not always remain that way. ‘Better technologies are always being developed to strip anonymous data of their anonymity. What might not be a “personal detail” now can soon turn into one.’15 Researchers Aguiton, Cardon and Smoreda concur. More than once in the past, new technologies have made it possible to trace anonymous data to specific users.16

The EFF therefore proposes using cryptography to design systems such that sensor information can be used without having to store it. Technologically, this is a rather roundabout way, although possible: ‘But we need to ensure that systems aren’t being built right at the zero-privacy, everything-is-recorded end of that spectrum, simply because that’s the path of easiest implementation.’17
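The re-identification concern raised above by Bits of Freedom and by Aguiton, Cardon and Smoreda can be checked before a dataset is released. The following added example (not from the essay or from any of the projects it cites) lists the pseudonymous devices whose two most-visited grid cells are shared by fewer than k devices, and builds a crowd map that suppresses cells seen by fewer than k devices; the sample pings, the grid-cell labels and the threshold k are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample pings: (pseudonym, grid cell). Not real data.
PINGS = [
    ("u1", "A1"), ("u1", "A1"), ("u1", "A1"), ("u1", "C3"), ("u1", "C3"),
    ("u2", "A1"), ("u2", "A1"), ("u2", "C3"), ("u2", "C3"),
    ("u3", "B2"), ("u3", "B2"), ("u3", "C3"), ("u3", "C3"),
    ("u4", "D4"), ("u4", "D4"), ("u4", "E5"),
    ("u5", "A1"), ("u5", "A1"), ("u5", "C3"),
]


def signatures(pings, n=2):
    """Map each pseudonym to its n most visited cells (e.g. home and work)."""
    visits = defaultdict(Counter)
    for pseudonym, cell in pings:
        visits[pseudonym][cell] += 1
    sigs = {}
    for pseudonym, counts in visits.items():
        # Sort by visit count, then by cell name so ties resolve the same way.
        ranked = sorted(counts, key=lambda c: (-counts[c], c))
        sigs[pseudonym] = frozenset(ranked[:n])
    return sigs


def anonymity_sets(pings, n=2):
    """Group pseudonyms that share the same top-n signature."""
    groups = defaultdict(set)
    for pseudonym, sig in signatures(pings, n).items():
        groups[sig].add(pseudonym)
    return dict(groups)


def exposed_pseudonyms(pings, k, n=2):
    """Pseudonyms whose signature is shared by fewer than k devices."""
    return sorted(
        p
        for members in anonymity_sets(pings, n).values()
        if len(members) < k
        for p in members
    )


def crowd_map(pings, k):
    """Distinct devices per cell, with cells below the threshold k suppressed."""
    devices = defaultdict(set)
    for pseudonym, cell in pings:
        devices[cell].add(pseudonym)
    return {cell: len(d) for cell, d in sorted(devices.items()) if len(d) >= k}


if __name__ == "__main__":
    print("exposed at k=3:", exposed_pseudonyms(PINGS, k=3))
    print("crowd map at k=3:", crowd_map(PINGS, k=3))
```

A pseudonym listed as exposed has a movement pattern no other device in the set shares, so replacing the phone number with a random label does not hide whose trace it is; the crowd map keeps only cells where the individual is one among at least k.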

The Desire to Share Data

The EFF’s idea of using strong cryptography can protect personal sensor data. That might come in handy with a system like pay-as-you-drive, for example. But there are also situations in which users do want to share their data, albeit not necessarily always or with everyone.

In daily life, privacy is a complex and above all dynamic negotiation between various parties, argue researchers Paul Dourish and Leysia Palen. In social situations, what plays a role is not so much the fear of the state’s misusing information but is much more likely to be ordinary worries. People do not want to be embarrassed. They want to assert their authority or voice in a certain area. And they like to have control over their own lives. Because of this, we make different demands of privacy at different moments.

In social situations it is often more important to make yourself known than to protect your privacy. If you want to capitalize on your authority in a certain area, you have to be able to show the corresponding badges. With the help of all sorts of signs – varying from word choice to greeting rituals – we send out signals through which others can deduce our social status or background. Sometimes we want to give our opinion, or we benefit from letting others know who we are. Just how much we wish to reveal depends upon what estimate we make of a situation. Who exactly is the audience? What do we expect, hope or fear in regard to the situation? Privacy, in other words, is a question of ‘identity management’, in which we show or conceal different aspects of ourselves to different audiences in different situations.

Palen and Dourish’s most important point is that the use of the mobile phone as a sensor, combined with the storage of information in databases, changes the parameters of this privacy negotiation. The situations in which we find ourselves are originally spatial and temporal. They are physically limited, for instance by the four walls of a room, and have a certain duration. Both factors play an important role in the estimates we make. We can see who is present and who is not – and therefore who could call us to account for an eventual faux pas.

When we use automatic sensors to register our behaviour in all sorts of situations and share it with others – for instance through social networks – the nature of the situation changes. Suddenly, space, time and audience are no longer limited, and instead the registration of the situation can also be called up at other times and places. But can another audience actually interpret the original context of the situation properly? And maybe you would have acted very differently if you knew that the audience was going to be wider.

Researcher Danah Boyd has written about how this development can lead to all sorts of misunderstandings. As an expert on social networking, Boyd was approached by the admissions committee of a leading university. They had received an application from a student from South Central LA. In a letter describing his motivation, he wrote that he wanted to break away from the gang life there. But when the committee looked at his page on a social network, Myspace, they saw all sorts of symbols glorifying gang life. Was he making a fool of them? Boyd pointed out to the committee that there was also another possibility. The applicant’s Myspace page was intended for his classmates and neighbours, not the admissions committee. And in his neighbourhood the social pressure to be part of something is so high that the young man probably could do nothing else but post the gang’s insignia on his Myspace page.18

Similarly, a commotion arose over the Facebook website. There too, users can voluntarily keep a log of their activities, hobbies and other titbits of information. At first this was only possible on the person’s own page. But one day Facebook changed the setup of its site. All of the messages that users placed on their own page were now automatically published on the pages of all their ‘friends’. Facebook’s reasoning was that this way, friends would be better able to keep abreast of each other’s activities. Besides, hadn’t the information already been made public by users on their own page?

Facebook didn’t do much more than publish what was already public. But many Facebook users thought otherwise. They saw a subtle difference between making something public on one’s own page, which others must make an effort to access, and automatically distributing that data.19 Once again, this was about the assessment that users make of their audience in determining what information they do or do not wish to make public. To be sure, the information was now being distributed among friends, but there were also subtle differences within that. Some friends might very well be difficult co-workers that a person would not want to offend by rejecting their ‘friendship request’. And people show different things to members of their family than they do to old school friends. Facebook does not make it possible to make that distinction.

Privacy as Design Criterion

At the Center for Embedded Networked Sensing (CENS, the research lab behind the earlier-mentioned bicycle project in LA) they therefore believe that privacy is an important responsibility for designers. There should be a system that gives users the possibility to decide for themselves what information they want to share with whom, under what conditions, and for what length of time.20 This is why it is important that designers develop systems that visualize information in an understandable way and that immediately make it clear what sort of consequences certain settings can have.

CENS itself uses such an application in its Personal Environmental Impact Report (PEIR) project, in which data is again collected with the help of mobile phones. This information is then converted into a carbon footprint and simultaneously combined with databases on local air pollution. In this way, users not only learn how much they themselves contribute to air pollution but also how much pollution they are being exposed to. In a log file, users can see precisely how the system uses their data: what information is registered when, and uploaded and shared with whom. Eric Paulos argues that interfaces like this should also make clear how reliable such (collectively gathered) data are. It is important that users do not trust all flows of data blindly, but that they always remain aware that data can be manipulated, or even simply not collected accurately.21
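The design criterion described above, as an added example that is not CENS or PEIR code: a default-deny sharing policy in which the user sets, per audience, how precise a location is released and until when, and every decision lands in a log the user can read. The audience names, the coordinate-rounding scheme and the sample coordinates are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Rule:
    precision: int      # decimal places of lat/lon released (fewer = coarser)
    expires: datetime   # the rule stops applying at this time


@dataclass
class SharingPolicy:
    rules: dict = field(default_factory=dict)  # audience name -> Rule
    log: list = field(default_factory=list)    # audit trail shown to the user

    def allow(self, audience, precision, expires):
        """User decision: what this audience may see, and for how long."""
        self.rules[audience] = Rule(precision, expires)

    def release(self, audience, lat, lon, now):
        """Return the location this audience may see, or None (default deny)."""
        rule = self.rules.get(audience)
        if rule is None:
            value, decision = None, "denied: no rule for audience"
        elif now >= rule.expires:
            value, decision = None, "denied: rule expired"
        else:
            value = (round(lat, rule.precision), round(lon, rule.precision))
            decision = f"shared at {rule.precision} decimal places"
        # Every request is logged, including refusals.
        self.log.append((now.isoformat(), audience, decision))
        return value


def demo():
    """Constructed scenario: one position, three audiences, two moments."""
    t0 = datetime(2010, 4, 23, 20, 0)
    lat, lon = 41.8902, 12.4922  # constructed sample coordinates
    policy = SharingPolicy()
    policy.allow("family", precision=3, expires=t0 + timedelta(days=1))
    policy.allow("coworkers", precision=1, expires=t0 + timedelta(hours=1))
    later = t0 + timedelta(hours=2)
    results = {
        "family": policy.release("family", lat, lon, t0),
        "coworkers": policy.release("coworkers", lat, lon, t0),
        "coworkers_later": policy.release("coworkers", lat, lon, later),
        "advertiser": policy.release("advertiser", lat, lon, t0),
    }
    return results, policy.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for entry in log:
        print(entry)
```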

Aguiton et al go one step further. Not only should users be able to have insight into the manner in which information about them is collected, they should also be able to manipulate that information. Users have the right to lie to the system about their actual whereabouts in order to protect their privacy, they claim.22

The above-mentioned examples show that our thinking about privacy has to be reconsidered. The sensor data collected by mobile phones can play an important social role, for example in the area of public health. Such data can – as in the ‘citizen science’ instances – play a role in civil society projects. And some people will experience sharing data with others as an enrichment of their lives.

Involved parties point out that many of the present regulations are inadequate. On the one hand, the positive aspects of sharing data anonymously should be given more attention. At the same time, the awareness must also grow that privacy is not a binary affair in which something is either completely public or completely private. Between the two extremes lie many gradations that by no means are always taken into consideration in the design of new technologies. And providers of location services and social networks, for example, should also be stimulated to give the many nuances of privacy in everyday life a place in their services.

1. See: senseable.mit.edu/wikicity/rome/ for a summary of the project and, for an extensive analysis of the project, Francesco Calabrese, Kristian Kloeckl and Carlo Ratti, ‘WikiCity: Real-Time Location-Sensitive Tools for the City’, in: Marcus Foth (ed.), Handbook of Research on Urban Informatics: The Practice and Promise of the Real-Time City (London/Hershey, PA: Information Science Reference, 2009).

2. For example, see Eric Paulos, who maintains that there is an ‘important new shift in mobile phone usage – from communication tool to “networked mobile personal measurement instrument”’. Eric Paulos, ‘Designing for Doubt: Citizen Science and the Challenge of Change’, lecture for the conference ‘Engaging Data’, Cambridge, MA: SENSEable City Lab, 2009. http://senseable.mit.edu/engagingdata/program.html

3. www.eff.org/wp/locational-privacy.

4. web.media.mit.edu/~sandy/.

5. Alex Pentland, ‘Reality Mining of Mobile Communications’, The Global Information Technology Report 2008-2009. World Economic Forum, 2009.

6. See Nathan Eagle, ‘Engineering a Common Good: Fair Use of Aggregated, Anonymized Behavioral Data’, lecture for the conference ‘Engaging Data’, Cambridge, MA: SENSEable City Lab, 2009.

7. www.cityware.org.uk.

8. See: research.cens.ucla.edu and http://biketastic.com/.

9. Paulos, ‘Designing for Doubt’, op. cit. (note 2). Also see Jason Corburn, Street Science: Community Knowledge and Environmental Health Justice (Cambridge, MA: MIT Press, 2005).

10. Paulos, ‘Designing for Doubt’, ibid.

11. Christophe Aguiton, Dominique Cardon and Zbigniew Smoreda, ‘Living Maps: New Data, New Uses, New Problems’, lecture for the conference ‘Engaging Data’, Cambridge, MA: SENSEable City Lab, 01. Also see recent lectures by Antoine Picon and Nanna Verhoeff, in which they respectively describe how digital maps can be understood as ‘media events’ or ‘performance of space’ instead of only a ‘systematic geographic representation’. http://www.themobilecity.nl/2008/01/22/mediacity-conference-weimar-the-design-of-urban-situations/ and http://networkcultures.org/wpmu/urbanscreens/2009/12/05/nanna-verhoeff-mobile-digital-cartography-from-representation-to-performance-of-space/.

12. See, among others, Mark Shepard and Adam Greenfield, Urban Computing and Its Discontents (New York: The Architectural League of New York, 2007); Jerome E. Dobson and Peter Fischer, ‘Geoslavery’, in: IEEE Technology and Society Magazine, Spring 2003.

13. Pentland, op. cit. (note 5).

14. Eagle, ‘Engineering a Common Good’, op. cit. (note 6).

15. www.bof.nl/2009/12/18/hoe-anoniem-zijn-anonieme-gegevens-eigenlijk/.

16. Aguiton et al, ‘Living Maps’, op. cit. (note 11).

17. www.eff.org/wp/locational-privacy.

18. Danah Boyd, ‘Do you See What I See? Visibility of Practices through Social Media’, LeWeb, Paris, 2009.

19. Danah Boyd, ‘Facebook’s Privacy Trainwreck: Exposure, Invasion, and Social Convergence’, in: Convergence, vol. 14 (2008) no. 1, 13-20.

20. Katie Shilton, ‘Four Billion Little Brothers? Privacy, Mobile Phones, and Ubiquitous Data Collection’, in: Queue, vol. 7 (2009) no. 7.

21. Paulos, ‘Designing for Doubt’, op. cit. (note 2).

22. Aguiton et al, ‘Living Maps’, op. cit. (note 11).

Martijn de Waal is a writer and researcher. He is part of the New Media, Public Sphere and Urban Culture research project in the Department of Practical Philosophy at the University of Groningen. He is cofounder of TheMobileCity.nl – an international think-tank for new media and urban culture. See further: www.martijndewaal.nl.