Mobile apps have the potential to do everything from bringing you information just when you need it to brightening up a dull train journey - but many also have the potential to collect more information than end users may expect, not least their location.
Location-based services are appealing both to individuals and businesses, whether for finding the best coffee shop in the area or for supporting logistics planning at an enterprise level - many delivery companies are now so dependent on systems using GPS that without them they could collapse.
Location data risks
Despite these benefits, the reality is that users are not always made aware of the purposes for which their location data is gathered and, in some cases, are not aware that this sharing is taking place.
The recent case of the Girls Around Me app demonstrates that the information we share can be used for purposes beyond users' initial intentions. In this case the app aggregated data from Foursquare and Facebook to identify women in the vicinity of an app user.
An extreme example of the need to restrict location-based services is the military world. The UK Ministry of Defence provides explicit guidance to troops and staff on the need to restrict the sharing of information via location services that could compromise ongoing operations or give information about past deployments.
Understandably, location functions need to be switched off, and in some cases mobile technology is completely banned.
Clearly, the military is an unusual environment, but there are lessons that can be applied to our commercial and personal lives. The inadvertent collection of personal data can result in serious privacy breaches and reputational damage. We need to manage how we share information, both personal and corporate.
At the opposite end, location information may not always be reliable and care should be taken in how it is used. For example, FakeLocation is a well-known app that runs on jailbroken iOS.
The looming threat: regulation
Data privacy is a hot topic on the agenda of regulators and government. In 2011, the EU issued recommendations on processing of geolocation data by service and app providers. Under this guidance, by collecting location information, an organisation is a data controller and therefore inherits all responsibilities associated with that status.
Back in January, the Technology Strategy Board - the UK's national innovation agency - held a conference on Location and Cyber Privacy in the Digital Age. The event report refers strongly to the need for better regulation of the collection of location information, as well as the possibility of fines for companies that are not diligent in protecting customers' location data. It should be emphasised that the report recognises that a balance must be struck between regulation and allowing scope for commercial innovation.
Location-based services: three actions for safer data handling
If you are an app or service provider that uses location-based services, you should be considering the following:
- Be measured: Don't gather more information than absolutely required. Doing so increases your liability for what can be minimal business gain.
- Think globally: This approach means not just considering market reach but also potential implications of different privacy legislation around the globe. This task is complex and in itself should make you reconsider the reward versus risk obtained from data gathered.
- Be transparent: While mobile platforms will normally inform users of apps that will access sensitive functionality, such as location-based services, it is important that you provide end users with an explanation of why data is being collected and for what purpose, either via a screen on your app or a link to your website. Ideally, do both.
For enterprises not publishing apps or providing services in this field, my main advice relates to bring-your-own-device. As its momentum continues, a common strategy is to provide the user base with apps that give access to some business functions - for example, email and calendars.
Ask whether you have considered the information that these applications are gathering. Is this process reflected in your policies and have you made your user base aware?
Malcolm Marshall is head of information protection and business resilience at services company KPMG in London.