Location Based Marketing

Usage and Privacy

Jonathan Brown and Andrew Mitschke 12/6/2011

One of the fastest growing business sectors in the world is the data industry. Bits and bytes have been commoditized to the point that corporations will pay exorbitant amounts of money for this data particularly if it belongs to their consumers. The location data market in particular has grown dramatically and companies are increasingly using users mobile devices to track their whereabouts in hopes of generating more relevant ads, and consequently, more revenue. Although this is probably to the users benefit, many location based marketers are unethically selling this location based data to other companies for use in their own databases. As a users personally identifiable data gets propagated across multiple databases, their privacy exponentially diminishes and in the case of location-based data, this is dangerous. In fact, according to enterprise consultant Janet Jaiswal, a recent survey of over 4000 mobile users run by KPMG indicated more than 87 percent have concerns about both privacy and security on their mobile device. This discrepancy indicates that users want change in this department, and they want it fast And the speed with which their problem is dealt with is key, because the location based marketing business is a lucrative one for companies. According to a presentation given to Nokia employees by data expert Andrew Matthews, location based advertisements currently command a 610x premium on CPM (Cost per Mille). For companies with a large user base, the usage of consumers location based data represents a huge gain in profits. As such, it is essential that consumers have total control and a final say on what will ultimately happen to their data before it is siphoned out to third parties for dubious usage purposes. Many solutions to this issue have been proposed, but very few have had an impact and none have truly solved the problem to date.

In order to solve a problem such as one that affects the consumers privacy issues would be believed as one very important to consumers and companies. In fact, as important as this problem is, there have been no real solutions put forth that benefit both parties. Corporations that have media that utilize location-based data to gather information about consumers believe this to be a valuable tool for effective marketing to their target market. Consumer advocacy groups, on the other hand, believe this to be a blatant breach of privacy. Government legislations are also investigating the ethical and legal problems posed by this misuse of data, and are concerned that these data collection practices are in violation of consumer privacy laws. As one can see, this causes a huge clash between the two. If there were an effective data management method for marketers that benefitted both parties, this problem would be effectively solved. As with any large issue, there have been a slew of proposed solutions that have been implemented up to this point, only to be shot down by consumers or governing bodies. For example, one solution that was tried by companies and studied by researchers was to anonymize data in real-time by stripping the user data from all apps (often through a method called k-anonymization). This would include generalization and suppression of the data collection tactics. With these tactics, the information would still be available to access by the companies. The way to eliminate the specificity of each data point, according to the professional research paper by engineers Hui Zang and Jean Bolot, Anonymization of Location Data Does Not Work: A Large Scale Study, is summarized in the following statement: the [data] traces are at coarse granularity levels so that the anonymity sets are large enough to preserve privacy, for example the

location is granularity is at the city level or above. So therefore, the companies would ultimately still posses the data that would be stripped from the applications. Even with techniques such as collecting the data analyzing it and deleting it from serves with trusted and un-trusted servers. In the academic research paper, Privacy Preservation in the Dissemination of Location Data, noted expert Manolis Terrovitis states that as far as using a trusted server goes, the anonymization procedure involves removing direct identifiers from the request, and then applying some data transformation to the quasiidentifiers that are contained in the message. For users going through non-trusted servers Terrovitis notes that in this case, the user is responsible for obfuscating the message he sends to the server in order to protect his privacy. In other words, the users are responsible for all of their information and how it is used. There are still violations here, because the consumer still may not want their data to be analyzed in the first place, and if this preference is violated, even more privacy concerns will arise (and they already have to some extent). However, the companies argue that it is up to consumer to know that they are emitting all of this information. How is one supposed to be aware of this if one doesnt know in the first place that their devices give companies all kinds of information about their life? Any type of data collection and analyzing of that data without some kind of consumer consent would be considered a breach of consumer privacy. Still another argument poses the question of what would happen if the companies made the consumer opt-in to real time location based data (LBD) usage, while also making it clear how the data will be used to the customers. In most cases, people dont want their co-workers, friends, or neighbors to know where they are at any

given moment (as well as technologically savvy criminals that could access that information relatively easy if they so desired). Throughout a TRUSTe consultant briefing entitled Location Aware Mobile Applications: Privacy Concerns and Best Practices, the use of opt-in use in applications is analyzed in detail. Consultant Janet Jaiswal discusses how the government needs to get involved in what actions companies should take regarding privacy on a consumer level. Jaiswol confirms the need for accountability by referring to the FTCs Self Regulatory Principles for Behavioral Advertising, in which: Principle 4 specifically requires that companies get affirmative express consent when using sensitive data; furthermore, the Report classifies geolocation data as sensitive. This means that companies should strongly consider using opt-in notice for location apps - especially if the intended use is for targeted advertising or marketing efforts. Therefore, consumers could agree to have their information out in the world for open usage, or abstain. However, these app-by-app permissions are still not implemented because many companies dont want to inconvenience their customers with a notice every time they open the location-based application. If they were to do this, it would put the company in a position to lose potential profits. Another problem with companies sharing with their consumers about how their information will be used is that they are largely not regulated to what they can use, juxtaposed with what they would have to tell the customer. In fact, Professor Peter Swire of Ohio State University states in a recent presentation of his that most mobile applications are written by service providers for that company, and those providers in turn are able to access all different kinds of user data. Following this, the mobile app company can then go to them for this data, which

is not hard to access. Even if the consumer does share and give consent to the company (though Swire states that todays consumers get real advantages from publishing their location), a given company could potentially receive more information very quickly and could also take more than what the customer originally intended to give out. Although a few companies seem to be working towards implementing the strategy of giving the consumers greater control over their own privacy, it appears that that consumers would respond better to companies being straightforward and honest about how these progressions are going. There are some companies who are trying to remedy this by working with consumer and public advocate groups, as well as the government, to figure out a formula that truly works. The ultimate goal is to get customers to a comfort level with a given companys usage of that specific data, as well as how it is accessed and what will it be used for. Even though this process could work for some companies, it has not applied to the industry as a whole thus far. All of the aforementioned ideas have been tried and ultimately have failed - and while some have worked for a short time, most of the studies show that there is still a significant problem with the relationship between consumer privacy and location-based data used for marketing. Many mobile application companies have attempted to utilize location-based marketing using some of the methods noted earlier. Though a slew of them have experienced some commercial success, there has never been a solution that has completely solved the privacy issues that accompany location-based marketing. One of the biggest concerns regards privacy, so that is the first element that needed to be

addressed in the following proposed solution. It states that all mobile application makers and operating system developers must follow a set privacy standard for any locationbased software they create. In order to uphold this standard, legislation would be put into place that would make data anonymization required by all companies, while also providing full data transparency to consumers. This innovative solution would benefit both the marketer and the user by providing a middle ground where the marketer gains consumer trust, with the user still retaining complete data control. The legislation would stipulate that users have access to all stored location data, as well as decide whether or not it can be retained for future use by marketing sources. It would also require that companies maintain an activity log of any action performed by the consumer whilst editing or deleting their location-based data. After the user stops actively using a given service, their location data must be wiped from the server and the previously recorded data may not be used for any form of location based marketing (unless the consumer has given prior consent). Subsequently, any location data that is still retained by the marketer must be anonymized using an acceptable anonymization process. To ensure that all of these privacy measures are being met, every developer that utilizes locationbased data in their software must submit their mobile applications to an FTC-reviewed audit process that checks for loopholes and workarounds that the company could in theory exploit in their own interests. If the application passes the audit process, then it can be made available to the consumer where they can then begin utilizing locationbased services without fear of privacy infringement. Our groups idea is built off of previous individuals attempts at creating a solution for the aforementioned privacy issues with location-based marketing. In creating this

solution for marketers, we implemented situational creativity to modify previous data from many different sources to make a new and better solution. By researching many industry trade journals, we were able to determine that ultimately, users do not like to share data unless they know how it is being used and what it is being used for. They also are more likely to share data if they are given the option to look at it and remove it whenever they please. In addition, it was determined that marketers are very interested in this data, but their current approaches are invasive and are hurting consumer trust at the expense of profits. Through research, it was also discovered that although there is currently legislation in place that effects privacy and location based data, it often does not directly apply or leave much room for enforcement on the part of the government. Our solution utilized this previous research in conjunction with current solutions to innovate and discover a new and better way to solve the industries problem. The solution proposed above provides a new and better approach to solving the current issues with location-based marketing. It offers better results for location based marketers as a result of granular data control by the user, which means that there will be less strain on data centers that would normally be processing much larger amounts of information this will increase efficiency, lower data redundancies, and save the company money. Over time, these marginal savings of reduced equipment and data storage costs will accumulate to a sizeable amount year over year. Another benefit of this solution is the increased accountability location based marketers will have towards consumers, as this will almost certainly instill a higher degree of trust within the average user of location based services. Current legislation only resolves very specific issues and should not be considered a true solutions as it simply does not address every

consumer issue in detail. In many of the trade journals we referenced, it was found that a significant amount of organizations were searching for solutions, but they all seemed to be focused on a single issue such as anonymization, or opt-in prompts. This is why the decision was made to create a solution that synthesized ideas from multiple vantage points and infused them with our new ideas to form a complete and well-rounded solution. One issue that must be addressed regarding our solution is its implementation. Because this solution involves the passing of a federal bill, it cannot be implemented right away. It would first need to go through the legislative system and be passed. This would most likely be the most time-consuming step of the implementation, but if it passes, it would become law and consequently immediately enforced. This process could be expedited by forming an alliance. The FTC would be informed of the new policies and would begin utilizing our approval process. All application and operating system developers will send in their software and it will be checked by trained FTC employees. This may end up being a time constraint on the quick implementation of this solution, but it is necessary to include. This project was a transformative process that drastically changed the way one looks at privacy, particularly in the realm of location-based data. The problem of how to ethically and effectively market using location-based data is an issue that can owe its importance to the genesis of the smartphone industry. As this sector has grown, the usage of this kind of data has become mainstream, bringing with it all of the age-old privacy issue, as well as some new ones. By proposing that all companies be held accountable to these newer and better privacy guidelines, we hope to have struck an

even balance between well-rounded benefits for both the marketers and the consumers. As the location data business becomes ever more lucrative, one can anticipate that companies more than ever will be vying for the advertising dollars of this medium sometimes obtaining said profits through unethical means. However, for the foreseeable future, one can safely assume that the solution proposed within this paper will remain effective in its protection of consumers and fine-tuning of advertisers.

Works Cited Bolot, Hui Zang & Jean. "Case Studies." March 2009. Computer Science and Engineering. November 2011 <http://www.cse.sc.edu/~srihari/csce815/fall11/readings/mobi13k-zang.pdf>. Choudhury, Joseph Meyerowitz & Romit. "Synergy Papers." February 2011. Duke Technology. December 2011 <http://synrg.ee.duke.edu/papers/cachecloak.pdf>. Jaiswal, Janet. PDF's. January 2010. November 2011 <http://www.truste.com/pdf/Location_Aware_Mobile_Applications.pdf>. Lynch, Brendon. Technet Blogs. 26 January 2011. October 2011 <http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/01/26/location-andprivacy-where-are-we-headed-on-data-privacy-day-natural-user-interface.aspx>. Ray, Nayot Poolsappasit & Indrakshi. "Location Based Services ." 2009. Transactions on Data Privacy. November 2011 <http://www.tdp.cat/issues/tdp.a021a09.pdf>. Swire, Peter. Wrap Up On Privacy and Location Based Services. 8 June 2011. October 2011 <http://transition.fcc.gov/presentations/06282011/peter-swire.pdf>.