The United Kingdom’s Information Commissioner’s Office (ICO), has recently published some advice on crime-mapping and privacy, following the launch by the UK police of a “local crime and policing website for England and Wales” where users can enter their “postcode, town, village or street into [a] search box…, and get instant access to street-level crime maps and data, as well as details of [their] local policing team and beat meetings.”
ICO describes crime-mapping as “the process of producing a geographical representation of crime levels, crime types or the locations of particular incidents.” This process “can have an impact on individuals’ privacy where a link can be established between a particular location and a particular individual, allowing identification to take place.”
ICO warns about the danger of making public information about where a particular crime happened, even if the name of the victim is not released. This information, combined with “other sources of publicly available information” could allow for the identification of an individual. ICO cites online street- maps, newspaper reports, and postings on social networks and other sites as source of publicly available information.
One can also add to that list smart grid data, where smart meters, while allowing individuals to save energy, also gather data which can then be used to track an individual’s activity through the house: why you take a very long shower and run three laundry loads at 3:00 am? And, by the way, where is your wife? Why do you stay up late most nights, and use the bathroom frequently? Are you sick? Smart grid data can also be combined with other data, such as demographic data or credit history to provide interested parties, the police or a private entity, a rather precise picture of your profile, whether it be that of a criminal or a good business prospect.
Under prolonged private surveillance
After concerns over the proverbial government surveillance, there may be a greater volume of constant private surveillance, of “little brothers,” a neighbor, a casual acquaintance, an employer, or a business organization interested in adding us as clients. Indeed, some companies may be interested to use crime-maps for business purposes. ICO cites as an example real estate agents or insurance companies.
In United States v. Maynard, the Court of Appeals for the D.C. Circuit noted last year with respect to data gathered during a “prolonged (government) surveillance” that :
“These types of information can each reveal more about a person than does any individual trip viewed in isolation. Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one‘s not visiting any of these places over the course of a month. The sequence of a person‘s movements can reveal still more; a single trip to a gynecologist‘s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story.* A person who knows all of another‘s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.”
The same analysis can apply to a prolonged private surveillance…
ICO also notes the importance of recognizing the “increasingly sophisticated ‘data mashing’ techniques [which make easier] for the general public to combine information resources to produce a richer, and possibly more privacy-intrusive, picture of crime in their area.” Data, just like potatoes, can be mashed up. One starts by gathering data from various sources and then mashing them into a single representation, a report, or a web site. Business organizations may purchase tools to mash up data to produce reports.
What can be done to prevent personal data to be mashed, cooked, and served to business organizations?
Solutions may be topical, making sure that the privacy of personal data is protected. For instance, the privacy of smart grid data can be specifically protected. A report released today by the Information and Privacy Commissioner of Ontario, Canada, recommends that “Smart Grid systems should feature privacy principles in their overall project governance framework and proactively embed privacy requirements into their designs, in order to prevent privacy-invasive events from occurring.” On another front, social media users should be informed of the importance of keeping their privacy settings tight.
May any current U.S. law be of use? The Fair Credit Reporting Act (FCRA) defines a consumer report as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for… credit or insurance to be used primarily for personal, family, or household purposes.” A “consumer reporting agency” is defined as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.”
If business organizations, such as insurance companies, no longer use consumer reporting agencies, but instead put in place their own proprietary data mash up system, they no longer have to comply with the FCRA. Is it time to update the law?