EU Demands Explicit Geo-Location Permissions

judgecorp writes "Apple, Google and employers are already contravening new European Union rules that will require companies to get explicit permission from users before any geo-location data can be used to track them, whether for the purposes of targeted advertising or monitoring employee behavior. This could be the start of the next big privacy argument. The hopes of companies planning to use geo-location data to push products and services to mobile device users have taken a beating in the European Union, following a pronouncement from the European Data Protection Supervisor, Peter Hustinx."

Fucking Awesome

Fantastic news. I just hope Congress here in the US will take note and do the same. But given that most of them are owned by Big Corporate, I doubt it. Sad how Senators and some House members aren't MEN at all - just puppets.

Congratulations to the EU on another fine consumer protection law. Well done!

Re:Fucking Awesome

[Ihmhi]

So do I, but considering that we don't even have decent data protection laws like a lot of European countries yet I don't see it happening for a long time.

Re:Fucking Awesome

[Intrepid+imaginaut]

Sometimes I think the only rules that really need to be reformed in the US are those surrounding lobbyists, campaign contributions, and campaign funding.

Re:Fucking Awesome

[dave420]

All of the EU has decent data protection laws, as it's required by an EU directive.

Re:Fucking Awesome

[RockDoctor]

All of the EU has decent data protection laws, as it's required by an EU directive.

Neither you nor the GP are wrong.

"European" =/= "EU".

Switzerland, Norway, Iceland, the various former Yugoslavs are "European" (well, culturally for Iceland ; for geologically/ geographically, you buy the beers and I'll set out the arguments), but not EU. Parts of former "European Russia" (west of the Urals) are also separate countries that are not EU (though they want to be) but are arguably also "European" in a cultural and geological/ geographical sense (again, if you want that argument, set up the beers).

Just to add to the complications - if Turkey ever gets into the EU (against the racist desires of the majority of EU residents), the probably Morocco and some North African states would try to get in too. But that's unlikely to happen soon, for various reasons.

yea fuktard.

[unity100]

because eu + legislation is bad, people in europe have higher health standards, quality standards, and standard of living than the rest of the world.

http://en.wikipedia.org/wiki/Human_Development_Index

Re:yea fuktard.

[infolation]

Although hopefully, here in the UK, more attention will be paid to this ruling than the retention of innocent citizen's biometric data ruling made a short while ago.

They don't like the competition

Just because the EU wants to spy on its subjects doesn't mean they like companies doing the same.

Nice - this is going to be fun to watch

[WegianWarrior]

I like the wording of that directive: "If telecom operators want to use base station data in order to supply a value-added service to a customer, according to the revised e-privacy directive they must obtain his or her prior consent. They must also make sure the customer is informed about the terms of such processing."

Not simply consent, but informed consent. Nice... it's going to be fun to see Google, Apple et.al. trying to explain to users with no grip on the technical side of things the how and why of geo-location. Still, I'm sure most of them will happily sign up for targeted advertisements if it means their favorite app still work...

Also I note that "Company Devices" can no longer be used for anything but tracking. This will mean that companies can no longer check if truck drivers follows the rules about rest periods, nor can they check to see if they are speeding... which might (probably will) lead to more tired truckers driving way to fast to meet deadlines. Unintended consequence, I hope.

Re:Nice - this is going to be fun to watch

i can put your mind at rest concerning the truck drivers: trip recorders are mandatory for trucks and have been for decades (at least in Germany, but i'm pretty sure that this is an EU directive). police are allowed to check these anytime. these recorders do not store any geo data, but speed and driver working hours.

Re:Nice - this is going to be fun to watch

[ThunderBird89]

Also I note that "Company Devices" can no longer be used for anything but tracking. This will mean that companies can no longer check if truck drivers follows the rules about rest periods, nor can they check to see if they are speeding... which might (probably will) lead to more tired truckers driving way to fast to meet deadlines. Unintended consequence, I hope.

I think that still comes under the heading of tracking. It is, after all, just a matter of referencing the positions to timestamps to get the speed. Plus, this area is already covered by tachographs for professional trucking, and the new digital ones cannot be tampered with easily.
Having an extra layer of certainty always helps, though...

Re:Nice - this is going to be fun to watch

[angel'o'sphere]

Also I note that "Company Devices" can no longer be used for anything but tracking. This will mean that companies can no longer check if truck drivers follows the rules about rest periods, nor can they check to see if they are speeding... which might (probably will) lead to more tired truckers driving way to fast to meet deadlines. Unintended consequence, I hope.

For a company to track theri own truck you dont use the employers mobile device but a device built into the truck.
For checking the sleeping times and speed you have a tachograph (speed recorder) which can easyly be examined by the police and/or the company (and perhaps remotely).
Both has nothing to do with geo privacy under that directive.
angel'o'sphere

Re:Nice - this is going to be fun to watch

[lucian1900]

I'm pretty sure Google's opt-in on Android as it is now can be considered to offer informed consent.

Re:Nice - this is going to be fun to watch

[Inda]

Same in the UK but every lorry driver I've ever spoke to says these can be hacked and worked around.

Exercise for the reader: google tachograph hacks

Re:Nice - this is going to be fun to watch

[maxwell+demon]

If the drivers were taking naps, it's a clear indication that they were overworked, and the correct resolution would have been to employ more drivers.

Re:Nice - this is going to be fun to watch

[maxwell+demon]

Well, in Germany geo data is collected from trucks for street tolls.

I am very glad the EU is on this.

[Barryke]

Any argument that this stifles innovation is invalid, if the product is good enough people will gladly share their geo location.
I for one will share my location with Google, as long as it promises to not share it with 3th parties.

Disclosure: I am dutch.

Re:I am very glad the EU is on this.

[pla]

I for one will share my location with Google, as long as it promises to not share it with 3th parties.

I would say that forms the real problem here - Not controls on whether or not someone's Android can track them, but what Google can do with that data.

A handful of companies each knowing a bit about my day's activities doesn't add up to squat. When weak protections allow those companies to share data about us without our permission, BAM, suddenly every marketing scumbag in the world knows what time we shit in the morning and how long it takes.

"Would you like a free trial of Ex Lax?"

Re:I am very glad the EU is on this.

[thegarbz]

And as someone who looks up the traffic data on Google maps I thank you. I too share my location data with Google, and I remember many Slashdot readers being wooed by this when they first started.

Re:I am very glad the EU is on this.

[icebraining]

That's already included in the Directive on privacy and electronic communications of 2002:

Where the data may be transmitted to one or more third parties, the subscriber should be informed of this possibility and of the recipient or the categories of possible recipients. Any transmission should be subject to the condition that the data may not be used for other purposes than those for which they were collected. If the party collecting the data from the subscriber or any third party to whom the data have been transmitted wishes to use the data for an additional purpose, the renewed consent of the subscriber is to be obtained either by the initial party collecting the data or by the third party to whom the data have been transmitted.

Re:I am very glad the EU is on this.

[Talderas]

You don't shit in the morning. You take your shit at approximately 4:46pm every day after getting home for work. You spend 20 minutes shitting while reading your latest Kindle novel. You flush twice. Once at about 4:51pm and the other after the 20 minutes has passed. Your toilet's flush isn't full optimized suggesting that there may be a leak with your plumbing. We have sent a plumber to fix the problem. Enjoy his ass crack.

Idiotic resumé & poor coverage of the sub

[phayes]

"already contravening"? Does judgecorp work for a tabloid like the Sun? Try "The EU in creating new rules to cover a domain it had ignored up to now, has devised rules stricter than the current implementations in iPhones and Android". TFA Gives no information whether it is the on-device caching of geo-location information that is the problem or whether WinPhone7's PhoneHome behavior of the same info is also covered in the new rules.

Already in Android?

[AmiMoJo]

When you install an Android app it asks for permission if it wants to use your location data. Isn't that exactly what they are asking for?

Android itself asks for permission the first time you use the phone.

Re:Already in Android?

[Gideon+Wells]

Many apps on the iPhone do so as well. The phone itself, no.

Re:Already in Android?

[captainpanic]

There are always companies that are one step ahead of regulations. For example companies that are cleaner than strictly necessary.
Still, it's a good idea to have the regulations to protect citizens / consumers.

The fact that some companies already ask for consent now shows that this new regulations are totally reasonable.

Re:Already in Android?

[gnasher719]

Many apps on the iPhone do so as well. The phone itself, no.

Apps on an iPhone _cannot_ find out your location without asking you for permission and getting that permission. _Your_ phone is allowed to track your location, but if it does, then nobody except you is allowed to access that information without your permission.

Re:Already in Android?

[AmiMoJo]

Thinking about it a bit more Android asks more than once, and app permissions differentiate between knowing approximate location (via mobile masts) and exact location via GPS.

The following all have their own opt-in for using location data:

- Google search via the on-phone app
- Google's search website via in-browser location sharing
- Google Maps/Navigation app
- Anonymous wifi location reporting (to update their database of hotspots)

Re:Already in Android?

[Tharsman]

No. What happens if the carrier bundles an app? The app is already there, you never got to see if it has access to your location data unless you start digging through settings. Worse, what happens if some one that wants to spy on you manages to get his hands on your phone for 5 minutes? He has enough time to download and install tracking software that you may never know off (unless you are an above-average user.)

What is being requested here seems to be that every time the app starts asking for tracking permission every time tracking is initiated. iOS does something like this, but once you accept it wont ask for that same application for another 24 hours. (Note, you used to have to tell apps if they were able to use location every time they launched, this was a pain for many and was changed to 24 hours with iOS 4.) As a user I find that acceptable, not sure if the EU will. Also, iOS will never ask for permission to inform MobileMe of the phone's current location (not exactly log tracking, only current position.) Only a phone owner/administrator can get to this console (unless hacked) but employer tracking is noted among the entities that should not be able to track you without asking, so that may also be an issue for Apple. It's also a double edge sword, I would hate MobileMe location requests to ask confirmation. If my phone was lost, how will the bottom of my bed click "Accept tracking?" Worse, a thief would definitively decline the request for a stolen unit.

Some may say that a smart user would know how to track this, and a dumb user deserves any harm they get for being dumb, but that's precisely the point of these kind of movements: to make it harder for companies to take advantage of the dumb. At the end of the day there is no easy answer to this, but I think Apple's 24 hour grant is the closest we can get to a balance between usability and privacy.

Re:Already in Android?

[AmiMoJo]

The app is already there, you never got to see if it has access to your location data unless you start digging through settings.

Settings->Applications->Manage

Tells you the permissions of all apps including bundled ones. Best thing to do is not buy a carrier branded phone anyway.

Worse, what happens if some one that wants to spy on you manages to get his hands on your phone for 5 minutes?

He can't get past the lock code you put on it.

What is being requested here seems to be that every time the app starts asking for tracking permission every time tracking is initiated.

No, what seems to be being requested is that apps are up front about what they do with your location data.

Insane

[Jimpqfly]

"require companies to get explicit permission" => yes, and so what ? the user will see a nice popup when starting the phone, and if he doesn't accept the terms and conditions, he won't be able to use the phone ? crap...

Re:Insane

[rich_hudds]

The request would have to be pretty specific, not a catch all for any future application you install.

For a purchase such as a phone you would have to make the user accept the request before they made the purchase, or you'd have to make the phone work still work when the user said no.

Not crap. Good.

Re:Insane

[lucian1900]

Look at Android. If you refuse to share your location with google, you can still use your phone just fine. Google's mapping services do lose some accuracy in areas you frequent, and you may have slightly worse service for it. That's about it.

Government too?

So I can withhold right for the government or CCTV operators to infringe my privacy? No? Well what's the point then? Concentrate on the big privacy infringements first. If targeting ads based on position without consent is unacceptable, then gathering personal data by the government, or videoing individuals without their knowledge is unacceptable. Ban these before your worry about ephemera.

Re:Government too?

[peppepz]

It is assumed that data collected by governments will be stored according to the law, and that it will only be accessible to the public authorities, and only with a warrant from the judicial authority.

The same can't be said for the data collected by private entities: even if they do their best, as a corporation, to honour the privacy of user data, the risk of single malevolent employees abusing their position to access the data needs to be taken into account.

About surveillance filming: at least in my country, the presence of video-recording equipment is notified by signs, so in theory you are never filmed without knowing. By the way, sometimes the signs itself are as useful as the real cameras, as a deterrent; fake surveillance cameras are quite common, too.

Re:Government too?

[Gordonjcp]

I don't really see how CCTV infringes my privacy. If I'm in a public space, I don't really have any expectation of privacy, do I? At the moment there's a CCTV camera pointed at the area I'm working in (a quiet, low-traffic part of a very large industrial site). If the security guy wants to sit and watch me eat my lunch, that's fine with me. If I have an accident then they'll be able to send a first-aider round hopefully before I lose all eight pints...

Re:Government too?

[Midnight+Thunder]

Would you feel the same if the person at the next table stared at you the whole time you were eating your meal?

Re:Government too?

[Gordonjcp]

Wouldn't bother me particularly. As long as they weren't chewing with their mouth half-open or making disgusting slurping noises with their tea, they can stare at whatever the hell they want. It's a free country, over here at least.

Re:Oh, great, so when I lose my phone in Europe

I'm sure this was meant as a joke, but obviously you would pre-approve the "phone finder app" to always allow location requests. It's not like a GPS navigation app would ask to use your location every time it did a calculation to find out where you are.

Wanted: words with whiskers...

[AliasMarlowe]

When you install an Android app it asks for permission if it wants to use your location data. Isn't that exactly what they are asking for?

It's something, but it's not enough merely to say that it needs to access item X. The legislation requires that it also say what item X will be used for, and in an informative way. The consent given must be "specific and informed" in each case. Moreover, it was stated that "consent cannot be obtained freely through mandatory acceptance of general terms and conditions, nor through opt-out possibilities" which blows a hole in many of the current slimy practices involving EULAs and suchlike, or defaulting to opt-in.

Producing weasel words which look just enough like informing the customer, but without really doing so (or preferably cunningly misinforming or misleading the customer into complacency), is a skill which will likely be in greater demand.

Next step - repeal the data retention directive?

[Jeppe+Salvesen]

Good move, EU. Now you just gotta repeal the data retention directive, and then you'll regain some credibility on privacy matters!

It was about time

[peppepz]

They should have done it sooner. The corporations managing the server-side of our smartphones know everything about our lives, and somehow selling this information is their core business. I can't see how my physical position wasn't considered a sensitive information until now. Especially in an era where such information can technically be broadcast to the whole world in a matter of seconds.

I think this is going to get even more important with HMTL5 geolocation APIs. Have you ever tried them? They can give a web page a surprisingly accurate position of the visitor, who typically only has to click some kind of confirmation infobar. Useful, but creepy, too. (And they're surprisingly accurate even without GPS - I guess Android (or equivalent) phones do a very good job of sniffing WiFi access point positions and reporting them to Google (or equivalent)).

Re:What about EULas and TOSes

[peppepz]

A private contract can't override a law.

What bothers me...

[Jane+Q.+Public]

What bothers me about all this (and a number of other such measures) is that it is Europe doing them, but not the United States.

Whatever became of the United States as a world leader in personal freedom and privacy? Not that I have anything against Europeans, but this illustrates just how far down we in the US have been dragged by corporate and government collaboration against The People. Which also goes by another name: fascism.

Now, it may not be fascism as extreme as Nazi Germany during WWII, but it is fascism nevertheless. And it needs to end.

Probably the quickest way to make a good start at doing that would be to elect Ron Paul in 2012.

(I fully expect to take some flak for that statement, but I really don't care.)

Re:What bothers me...

[flaming+error]

Well said.

Except the only one who thought terrorists were after our freedom was Bush.

The terrorists would just like us to go away, preferably by being dead, but short of that, the self-destruction of our country through paranoia, ignorance, and financial insolvency is also acceptable.

So, yeah, the terrorists won. Congratulations, America, they couldn't have done it without you.

very nice

[__aazsst3756]

I like very common sense approaches to consumer protection, this seems like a good move. I am pro business (have MBA), but also recognize that part of governments job is to protect consumers from all out ruthlessness. How long before we can get this in the US?

This really is a bigger blow to Google than Apple. Apple is a hardware company, making software to complete the experience (and tidy profit). Google is in the business of selling information, and this hits them where it hurts. Google has been collecting and selling the location data from Android, Apple has been collecting it in a file and forgetting about it (until recent update that trims it). Although apps makers are another story.

Re:Next step - repeal the data retention directive

[cpghost]

I guess, the only way to repeal the data detention directive is some huge leak of such data to the public. Some hugely embarrassing data, if possible. Otherwise, there won't be enough political momentum because most people currently don't care (enough), or are even calling for even more data retention mania.

Waste of taxpayer money. iOS already has it.

[aristotle-dude]

The user is giving permission to iOS built-in apps when they look at the terms and conditions of every iOS upgrade and when they turn location services on. You need location services on in order to use Google maps if you want to find your location on the map and you need it turned on in order for "Find my iPhone" service to work.

If you don't want location services, you can turn it off in the preferences but then you also lose the ability to find your device through the "Find my iPhone" service.

I've got a much better idea, quit your pimp or drug dealer job and you won't have to worry about being tracked because you won't be interesting enough for anyone to bother tracking you.

Speaking as an EU citizen, I don't want to see member states paying money for this sort of foolishness. Individual third party apps already have to request access to location services on iOS.

Re:Oh, great, so when I lose my phone in Europe

[sabt-pestnu]

The GP might have a point: The permission is based on the user, not on the device. A thief might *conceivably* have a case on the privacy issue.

Whether that would interfere with his arraignment on theft is another matter, though.

Re:Next step - repeal the data retention directive

[shutdown+-p+now]

There's always Switzerland and Norway.

Re:Next step - repeal the data retention directive

[Jeppe+Salvesen]

Norway's parliament has passed the Data Retention Directive. We are members of the European Economic Area and are obliged to pass all EU directive into law. So don't come to Norway if you expect to escape EU law.