The Location Zone

Lucid folks,

Sometimes it feels like we are living in an overlong episode of The Twilight Zone. A historic Election Day has come and gone here in the States, and like many of you we wonder what the results will mean, including for location privacy issues we touch on below.

In this issue:

  • Mobile data tracking is a serious problem for civil servants
  • Google’s Russian misadventure is stranger than fiction
  • The NAI releases updated sensitive location guidelines

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team

With Alex Krylov (Editor/Lead Writer), Ross Webster (Writer, EU & UK), Raashee Gupta Erry (Writer, US & World), McKenzie Thomsen, CIPP/US (Writer, Law & Policy)

PS: In case you missed it, Lucid's Raashee Gupta Erry sat down with Ketch’s Jonathan Joseph to discuss marketing-privacy. Check out the recap and links here.


If this is your first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog.

Your comments and subscriptions are welcome!


Nightmare at 364 Feet

Submitted for your disapproval, a world where your every movement is shadowed, logged, and sold as if it were little more than a loose nickel found on the sidewalk. This isn’t the plot of a science fiction reel.

Meet Babel Street, a company in the business of data analytics. Their tool, LocateX, transforms everyday app and mobile advertising-related data into a precise map of human movement, available to corporations and government clients alike. It’s tracking wrapped in convenience, where privacy and safety become a shadow, barely visible against the glow of monetary gain.

The background

As first reported by 404 Media and covered by Krebs, NOTUS and other notable scoop sheets, Babel Street sells access to a vast trove of location data, tapping into a $12 billion industry that has flourished in the shadows.

As government scrutiny into these pipelines intensifies, the once-hidden realm of surveillance-for-hire is getting new sunlight, prompting serious questions about unchecked business models and their visceral consequences in the real world.

What they do in the shadows

LocateX harnesses data collected from common apps, converting simple interactions into an interactive map of human behavior. Marketed to both government entities and private corporations, the platform offers an unnerving view into our daily lives -- our places of work and rest, the clinics we visit, the places we worship, and even the streets where we convene.

As alleged in a lawsuit against Babel by Atlas Privacy, an anti-doxing company for public servants, in the wrong hands the data opens an unwelcome window into the movements of police officers and judges, and anyone else whose physical safety may be in danger.

Degree of resolution

Now, imagine, if you will, that your mobile device has a license plate invisible to you, but visible to anyone else who knows to look for it. Indeed, the Mobile Ad Identifier, or MAID, is not just a snippet of unique code. No, it is a traceable identifier available not just to ad technologies or warrant-holding law enforcement agents, but to anyone who can pay, or in the case of LocateX, speak the right words.

When combined with increasingly sophisticated location resolution capabilities, the platform can be used to triangulate and track devices over time at a resolution that exceeds the state regulatory thresholds of 1,750 feet; 1,850 in California. As highlighted by the IAPP’s Cobun Zweifel-Keegan, GPS coordinates can be resolved to 364 feet, and further triangulated against other nearby devices. For plaintiffs represented by Atlas Privacy, that could be an election official and her family sleeping at home.

Industry regulation

On the self-regulatory front, while both Google and Apple gatekeep precise location data (GPS lat/long) behind user consent and by policy restrict how this data may be used, Google's MAIDs are easily accessible to third-party advertisers and developers until the user takes steps to reset or permanently delete this ID.

Although the Network Advertising Initiative (NAI) has just recently unveiled its updated Enhanced Standards for location data uses by the adtech industry, it is still a voluntary standard. What will compel non-members to truncate IP addresses? To scrub sensitive points of interest like medical facilities and refugee centers? The FTC and State AGs appear open to a co-regulatory approach.

Zooming out

Step back, if you will, and take in the broader scene. We find ourselves at a precarious juncture, where our cherished rights are as fragile as the illusion of true anonymity. A place where everyday citizens -- be they public servants or healthcare seekers -- find themselves as data points to be sold to the highest bidder. Until Congress catches up, privacy will remain as ephemeral as a shadow on a foggy night, in The Location Zone.

-AK


Russian Court Slaps Google With Ludicrous Fine for YouTube Bans

Following Russia’s invasion of Ukraine, Google banned 17 state media channels (think RT) from YouTube. After refusing to reinstate those outlets or pay $390M in initial fines, Google now faces very many zeroes in cumulative penalties.

  • $2,500,000,000,000,000,000,000,000,000,000

In real terms: As reported by Fortune, “it would take Google 33.8 quintillion years to pay the current fine, a period that will continue to double in length the longer the fine is unpaid.” Apparently, Russia’s Administrative Offenses Codex does not cap such fines.

Why it matters: The sum is a fine example of Russia’s telecom regulator, Roskomnadzor, painting itself into a dodgy corner. Google can’t and won’t pay, but Russia can’t really afford to make good on its promise and ban YouTube outright. Setting aside the 95 million users, it is within Putin’s foreign and domestic policy interests to force Google to cave to its media policies. That is, to silence its critics, wherever, while protecting the ‘free speech’ of official and other useful propagandists.

Dash of farce: Some developments are just too hard to explain without delving into complex geopolitics… or the crocodilian nature of Russia’s regulatory mechanisms. A poem will have to do. Here’s an homage to Korney Chukovsky’s absurdist Soviet children’s poem, Evil Pirate Barmaley, written nearly 100 years ago. (Synopsis, here.)

Donotplay

Little children, heed the call!

Don’t go browsing, not at all,

On Russian sites and feeds today,

For fines are hefty, so they say!

In Russia lurk the monitors,

With censorship parameters.

Traps and snares you can’t foresee,

Set by government decree.

YouTube faces heat and shame,

For banning lies the state disclaims,

In Putin’s web, beware the snare—

It’s no place safe to like or share!

A villain prowls the media scene,

A fearsome, lurking old machine,

For all who post without due care,

The "Do-Not-Play" hides... everywhere!

-AK


Other Happenings

Another stretch, another busy news cycle. Here's what caught our attention this time.

  1. NAI Releases Updated Sensitive Location Best Practice Guidelines. The NAI has updated its Voluntary Enhanced Standards to reinforce privacy protections on precise location data, banning its use, sale, or transfer for sensitive Points of Interest (POIs). Notably, the guidelines restrict signatories from using, selling, or sharing any precise location information for law enforcement, national security, or bounty-hunting purposes except as necessary to comply with a valid legal obligation. In other words, no subpoena or warrant, no data. And no free data samples, either. As a reminder, Sensitive POIs include places of worship, healthcare facilities, military bases, LGBTQ+ spaces, correctional and immigration centers, welfare sites, and locations primarily serving minors.
  2. Fitness Apps Leak Confidential Locations Too. When world leaders like Biden and Macron are using a fitness app, it’s not just a workout tracker; it’s a GPS buffet for their adversaries. As officials parade their exercise routes, they’ve inadvertently invited potential threats to take a leisurely jog through their security details. In an age where your morning run could turn into a national security risk, sometimes the only thing more dangerous than an aide swinging a kettlebell is the data they’re leaving behind.
  3. LinkedIn Dinged EUR 310M for Ads GDPR Violations. The Irish Data Protection Commission (IDPC) has fined LinkedIn €310 million for breaching GDPR. The charge? LinkedIn was found to have inadequately obtained user consent, prioritizing its own interests over users' rights, which violated fundamental GDPR standards. Along with the fine, about 2% of annual revenues, LinkedIn received a reprimand and must now ensure full GDPR compliance. (Have your people call our people, LI.)
  4. Germany's High Court Preps for a Precedential Decision on Scraping. The German Federal Court of Justice (BGH) is echoing the joint statement by 16 international data protection authorities on data scraping. BGH looks likely to issue a landmark ruling on Facebook cases following a 2021 data leak that affected 533 million users. The ruling will clarify if Meta's default settings for contact import violate the GDPR and if data scraping alone can constitute non-material damages, entitling users to compensation for stress and data control loss. Remember, per the EUCJ, fear resulting from a personal data breach counts.

-RW


Lucid Resources

