Location-aware Devices, Privacy, and UI Design
By Howard Rheingold, Tue Dec 09 14:00:00 GMT 2003

Location-aware devices and services are emerging at the intersection of empowerment and surveillance: the same technology that could let you know if a good Chinese restaurant or old friend is in the vicinity could also betray your location to a totalitarian government, neighborhood spammers, and your vindictive ex-spouse.

One of the aspects of this dilemma that someone could actually do something about is user interface design, because many of the social and political problems associated with locative tech also pose user interface design problems. If we are going to walk around with devices that tell the world where we are, will there be an "off" switch? Will that switch be easy to locate and use? And, perhaps most important, will the default position for the privacy switch when the devices are shipped from the factory be set for "off" or "on?"

Of course, not all of the important questions about locative technologies are UI design problems. Arguably, the decision to leave the factory privacy setting switched on is a marketing decision, not a user interface feature. At least two of the most important questions have nothing to do with the technicalities about how you use a privacy switch: Will it cost you more to have one than to operate a no-privacy model? Will everyone be permitted to use privacy switches, or will use be restricted to elites of one stripe or another?

I've met a few people around the world who have been thinking about the intersection of UI, locative capabilities, and social impacts of mobile devices. Paul Rankin and Theo Kanter are two I've met personally; both of them understood the engineering complexities underlying their work, but both of them were researchers, not designers or engineers. Most recently, a member of TheFeature responded to something I posted and mentioned that he had designed user interfaces for locative devices. I was intrigued when he noted:

"I designed the location privacy management tools for one of the big telcos, and the privacy will be pretty granular- you'll be able to control exactly who can see your location at any given time, and you'll know when they try to retrieve it, even if you don't give it to them. I built in what I consider to be a clever feature: people never know if you choose to hide your location from them, because the error message is the same for any location failure -- location hidden, system down, phone doesn't support location, out of range, etc. (This is only for GPS and cell-site location, not bluetooth.) Once this is up and running smoothly - maybe 2 years - people will count on your location and (especially) your status to decide how to communicate with you. If your status is "tired and cranky" you won't recieve many chat requests; if it's "busy" you will only recieve important calls."

That struck me immediately as a brilliantly libertarian social policy decision - in the sense of maximizing the ability of individuals to make their own choices - manifested as a UI decision. It doesn't do you much good to have a "hide my location" mode on your telephone if you are going to answer to some authority about why you were hiding your location. If nobody can tell whether a phone is out of range or hiding its location, the suspicion of unauthorized activity associated with masking one's location becomes moot.
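The design described above (per-requester visibility, an owner-visible record of every lookup attempt, and one indistinguishable error for every failure cause) can be sketched as follows. This is an added example, not the designer's or any carrier's code; `LocationService`, `Subscriber`, the response fields and the sample subscribers are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Single response for every failure cause, so a requester cannot tell
# "hidden from me" apart from "out of range" or "system down".
UNAVAILABLE = {"status": "unavailable", "message": "Location unavailable"}

@dataclass
class Subscriber:
    allowed: set = field(default_factory=set)     # who may see the location
    position: Optional[tuple] = None              # None models "out of range"
    supports_location: bool = True
    attempts: list = field(default_factory=list)  # owner-visible audit trail

class LocationService:
    def __init__(self):
        self.up = True
        self.subscribers = {}

    def _reason(self, target, requester):
        """Internal failure cause, or None on success. Never sent to requester."""
        if not self.up:
            return "system_down"
        if not target.supports_location:
            return "unsupported"
        if requester not in target.allowed:
            return "hidden"
        if target.position is None:
            return "out_of_range"
        return None

    def lookup(self, requester, target_name):
        target = self.subscribers[target_name]
        reason = self._reason(target, requester)
        # The owner learns of every attempt, including refused ones.
        target.attempts.append((requester, reason or "granted"))
        if reason is None:
            return {"status": "ok", "position": target.position}
        return dict(UNAVAILABLE)  # identical payload regardless of cause

def failure_responses():
    """Constructed scenario: one lookup per failure cause."""
    svc = LocationService()
    svc.subscribers = {
        "wally": Subscriber(allowed={"friend"}, position=(37.77, -122.42)),
        "old_phone": Subscriber(allowed={"boss"}, supports_location=False),
        "hiker": Subscriber(allowed={"boss"}),
    }
    out = [svc.lookup("boss", n) for n in ("wally", "old_phone", "hiker")]
    svc.up = False
    out.append(svc.lookup("friend", "wally"))
    return svc, out
```

The guarantee only holds if nothing else in the response differs by cause: status codes, field sets and response latency need to be uniform as well, or the hidden case becomes distinguishable again.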

We started emailing back and forth. I learned that Grubb started his first software job the day after he graduated from high school -- producing graphics for educational CD-ROMs. A few years later he found himself designing mobile services for Vodafone, a UK-based carrier that operates in 26 countries. Shortly after he started, he became involved with Vodafone Live!, a suite of services for next-generation mobile phones with big color screens, digital cameras, Java support, fast data connections, and "something amorphous called 'location based services.'" When the company moved his department from the US to Germany, Grubb took a contract at Yahoo!, designing their new mobile products, the first of which, Yahoo! Photos for J2ME, launched on December 1. According to Grubb, everyone thinks it would be cool to get maps of the neighborhood they are in or find a nearby ATM, and then "they worry about the privacy implications of having their location publicly available, and many of them hate the idea," Grubb wrote me, adding "I think we need to look at it a little more closely before we reject or accept the idea of location tracking."

Since armchair observers like me spin scenarios of how technology practices might affect our lives, I was particularly interested in how an experienced designer of locative services saw it. The rest of this article quotes Grubb's thought-experiment about privacy issues:

I see three groups with whom our sample user, Wireless Wally, would want to share and/or not share his current location.

1) Wally's Friends, Family, and Associates, e.g. wife, parents, kids, boss

2) Businesses that provide Wally with some location-specific service, e.g. restaurants, maps, towing, taxis

3) Law Enforcement & Emergency, e.g. Ambulance, police, traffic re-routing, tracking of potential terrorists

Each has a set of conditions where Wally wants to show or hide his location.

1) Friends

a) Show

- Wally wants to go get a drink with friends, so he checks to see who's near him then contacts them personally.

- Wally gets lost on his way to a friend's house, and he wants to ask the friend if he is headed in the right direction.

- Wally is traveling and wants to know if friends or associates are in the town he is visiting.

b) Hide

- Wally is having an illicit affair and doesn't want his wife to know he's not really at the gym.

- Wally is creeped out by the idea of his friends tracking his location.

- Wally's boss is always snooping into his personal business, and he doesn't want to give him another method to do so.

2) Businesses

a) Show

- Wally is working as a taxi driver and wants potential customers to see that he is nearby so they can hire him.

- Wally is looking for a good restaurant in his area.

- Wally wants a Starbucks in his neighborhood, so he volunteers to share his location data to help them decide on a location.

b) Hide

- Wally hates corporations gathering data on him to help their own marketing efforts.

3) Law Enforcement

a) Show

- Wally is injured and wants an ambulance to come help him.

- Wally's phone has been stolen and he wants the police to find it.

- Wally is stuck in traffic and wants to know what alternative routes he can take. He also wants his location information to help other drivers avoid bad traffic.

b) Hide

- Wally doesn't like the government keeping tabs on his location.

- Wally has been labeled a domestic terrorist because of his religious beliefs, and doesn't want to be tracked, arrested, deported, and imprisoned in secret without a hearing or any legal representation (oops, did I reveal my political bias?)

What do you think? Does the potential convenience of these services outweigh the privacy dangers? (Jonathan's answer: "The question of one side outweighing the other may be moot since, at least in the US, location tracking is required by law. The legislation was passed before most of us understood its implications, and now the question is how we will react to it and build it into our lives. It should also be noted that a user's privacy settings have no effect on government surveillance; if the police have a warrant they can track a user's location however they please.")

Do you think intelligent UI design could protect users from privacy invasion?

Or will widespread knowledge of the privacy implications slow or prevent the spread of commercial location-based services?