Pointr Deep Location® - user privacy by design

Have you ever wondered how the apps on your phone collect your personal data and how organizations and companies handle that data? Data privacy awareness is increasing among digital users these days. According to Cisco's consumer privacy survey in 2019, 48% of the privacy-active respondents indicated they had already switched companies or providers because of their data policies or data sharing practices.

In this article, we will:

  • Look at how easy it is to re-identify seemingly impersonal de-identified data.
  • Explore who wants this data and for what purposes.
  • Show how Pointr's Deep Location® has privacy by design "built-in," making it impossible for users' data to be compromised.
  • Discuss vulnerabilities present in modern apps and how developers design them.
  • Expose who are the most active companies when it comes to collecting personal data and who in the top ten also collect location data.
  • Re-confirm our commitment to close collaboration with our major customers to underpin continuous improvement in everything we do.

Personal data protection is a hot topic that was once again thrust into the spotlight in a recent opinion piece in the New York Times following the storming of the Capitol in Washington DC. Protesters’ smartphone apps tracked their movements, and individuals could be identified when their smartphone data was leaked.

Certain services such as mapping apps, ride-sharing (Lyft, Uber, Lime, Bird), weather apps, and dating apps rely on knowing your location data to offer enhanced, personalized functionality. Pointr Deep Location®, for example, needs location data to serve up blue dots and other functionality when users are navigating a corporate campus, a hospital, a shopping mall, or any other complex building.

But simply gathering location data is not really the issue. That single nugget of data is not the whole story; it’s what’s done to enhance the information that becomes problematic.

In this article, we’ll investigate how easy it is to re-identify and enhance seemingly de-identified data and the part big data plays in the process. We’ll discuss who wants users’ personal data and for what purposes.

We’ll also explore Pointr’s best practices and how we ensure location data can never threaten our users’ privacy because we don’t collect device IDs or use vulnerable technologies such as WiFi. We’ll illustrate why we can confidently stand behind our promise of location privacy by design - the very principle our indoor location technology is founded on.

Apps have “built-in” location vulnerabilities

Modern app developers need to develop their offerings quickly and get them to market. This means it’s not practical, cost-effective, or even within their skill set to build apps from the ground up. App developers make use of free SDKs (Software Development Kits) supplied by third parties to speed up the process.

For example, if an app needs to log into Facebook as part of its build, the developer wants Facebook’s login SDK. Because an SDK is only essentially a set of tools to enhance an app’s functionality and does not have communication capabilities per se, the developer also needs Facebook’s API (Application Programming Interface) to enable communication. Similarly, Google Maps needs to communicate with your device to understand where you’re located in order to plan a route to your desired destination (and communicate it back to you).

The issue comes from the fact that the developer doesn’t know, or even care, what information is sent back to Facebook in our example. Considering Facebook’s revenue from ads was in excess of $84 Bn in 2020 (source: Statista), their interest in collecting personal data for targeting and retargeting ads is obvious.

How to re-identify anonymous data

The key to understanding the part trackers hidden in mobile device apps play in helping to re-identify a supposedly anonymous device ID lies with big data. Data brokers and companies such as Facebook, Instagram (a Facebook company), Uber, etc. have access to huge amounts of personal data which they can slice and dice at will.

So, for example, device ID x will be at a certain point at a certain time and the information is collected courtesy of the previously discussed SDK and API. Now, these companies have many databases in their possession, so as long as another database containing, say, your name, contains the same device ID they can instantly cross-reference. Another database contains your device ID and your email, so they have that too. By aggregating data in this way, it’s possible they know virtually everything about you and therefore target you with advertising relevant to your current location, and your preferences based on previous browsing and other online activity.

Companies that produce SDKs will cover their tracks by saying they only collect an anonymous, unidentifiable device ID. But, as we have clearly seen, that’s just the start of piecing together a complete profile of exactly who is where and when.

Who consumes what personal data?

Overall, social media platforms consume the largest amount of personal data. While that may come as no surprise, the percentage of the overall types of data they collect is interesting. In a study conducted by clario.co that analyzed the types of personal data collected such as email, name, age, race, and more (in excess of 35 data points), live location data was gathered by 7 of the 10 companies that collect our personal information the most. The top ten looked like this:

#    Company        % of personal data points collected   Live location collected
1    Facebook       79.49%                                Yes
2    Instagram      69.23%                                Yes
3    Tinder         61.54%                                Yes
4    Grindr         58.97%                                Yes
5    Uber           56.41%                                Yes
6    TikTok         46.15%                                No
7    Strava         43.59%                                Yes
8    Tesco          35.9%                                 No
9    Spotify        35.9%                                 No
10   Myfitnesspal   35.9%                                 Yes

Source: clario.co

Pointr Deep Location® - privacy by design “built-in”

At Pointr we take our users’ personal data security extremely seriously. Our users can be fully confident they are in complete control of their data at all times. Here are just a few personal security highlights of Pointr Deep Location®.


  • Built from the ground up

Pointr Deep Location® was built from the ground up and is radically different from how apps using free SDKs in conjunction with APIs function to collect and distribute device IDs. Pointr is built on enterprise-grade systems such as Microsoft Azure, which meets all modern security standards.

  • User IDs

We do not collect device IDs at all. A user with the Pointr app installed is assigned a unique ID by our app which is totally unrelated to the ID of the device they’re using. It’s impossible, therefore, to cross-reference data to build a user profile, no matter how much big data you have at your fingertips. The process can’t even begin as there is no common reference point across data sets.
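To make the difference between the two approaches concrete, here is an added Python example (not Pointr's code, and not the code of any real SDK or data broker). It first runs the cross-referencing described under “How to re-identify anonymous data” against constructed sample records that share a device ID, and then repeats the same join against records keyed by an app-assigned random ID, as described above. The data sets, field names and the token_hex-based ID generator are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

# Constructed sample data: fictitious device IDs, people and coordinates.
# LOCATION_FEED is the kind of record an embedded ad/analytics SDK might
# upload: an "anonymous" device ID plus a timestamped position fix.
LOCATION_FEED = [
    {"device_id": "ad-id-1111", "lat": 51.5074, "lon": -0.1278, "ts": "2021-01-06T12:00:00Z"},
    {"device_id": "ad-id-1111", "lat": 51.5033, "lon": -0.1195, "ts": "2021-01-06T13:30:00Z"},
    {"device_id": "ad-id-2222", "lat": 40.7128, "lon": -74.0060, "ts": "2021-01-06T12:05:00Z"},
]

# Two further (constructed) databases a data broker might hold, both keyed by
# the same device ID. Any shared key is enough to start joining them.
NAME_DB = {"ad-id-1111": "A. Example", "ad-id-2222": "B. Sample"}
EMAIL_DB = {"ad-id-1111": "a.example@example.org"}


def link_records(feed, id_field, name_db, email_db):
    """Join location records to identity databases on the value of id_field.

    Returns {identifier: {"name", "email", "visits"}} for every identifier that
    appears in at least one identity database. Identifiers with no match are
    left out: with no common reference point there is nothing to link.
    """
    visits = defaultdict(list)
    for rec in feed:
        visits[rec[id_field]].append((rec["ts"], rec["lat"], rec["lon"]))
    profiles = {}
    for ident, fixes in visits.items():
        name, email = name_db.get(ident), email_db.get(ident)
        if name is None and email is None:
            continue
        profiles[ident] = {"name": name, "email": email, "visits": sorted(fixes)}
    return profiles


def assign_app_scoped_id():
    """Random per-install identifier generated by the app, never derived from the device."""
    return "app-" + secrets.token_hex(16)


def device_id_free_feed(feed):
    """Re-key the same fixes with an app-scoped ID and drop the device ID entirely.

    The device ID is used here only to group the constructed input by install;
    it does not appear in the output.
    """
    app_ids = {}
    out = []
    for rec in feed:
        uid = app_ids.setdefault(rec["device_id"], assign_app_scoped_id())
        out.append({"user_id": uid, "lat": rec["lat"], "lon": rec["lon"], "ts": rec["ts"]})
    return out


if __name__ == "__main__":
    linked = link_records(LOCATION_FEED, "device_id", NAME_DB, EMAIL_DB)
    print("Joined on shared device ID:", linked)
    safe = device_id_free_feed(LOCATION_FEED)
    print("Joined on app-scoped ID:", link_records(safe, "user_id", NAME_DB, EMAIL_DB))
```

The first join yields a name, an email address and a movement history for the device in a handful of lines; the second yields an empty result, because the app-scoped ID never occurs in any other data set and so gives the broker nothing to pivot on.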

  • We don’t store customer data on our own servers

Pointr does not store customer data on its own servers, and therefore data is anonymous by default. The venues where Pointr Deep Location® is deployed own the data.

  • Data Security

We employ strong data security processes - data is secured, encrypted, and is never shared with external people or companies.

  • Anonymity assured

Pointr Deep Location® collects all personal information anonymously. Pointr’s SDKs do not collect any data through apps without a user’s permission. We equip people and businesses with transparent consent and preference management tools to help them stay in better control of their location data.

  • Protection against unauthorized access

We use effective measures to protect data against unauthorized access, use, modification, or loss. All servers and systems are kept up to date with recent patches in line with Microsoft Azure standard policy, including virus scanning of files for all employees with access to our secure VPN.

  • Strong encryption

Data is secured and encrypted in transmission to the database and when stored on the database, with no access possible from the internet (only through our secure VPN and with the right credentials).

  • Suspicious activity 

All access to the system, both internal and external, is logged to prevent malicious interactions, and Pointr reports on unexpected access, whether it stems from password attacks or from unexpected endpoints.
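As an added illustration of the kind of check described above (this is example code written for this article, not Pointr's monitoring system, and the log format, VPN subnet and endpoint allow list are assumptions), the following Python parses a few constructed access-log lines and flags three things: repeated failed logins from one source, requests to endpoints outside the allow list, and access from addresses outside the assumed VPN range.

```python
import ipaddress
import re
from collections import Counter

# Constructed access-log lines in a simple key=value format (assumed, not a
# real product's log format). The 203.0.113.0/24 range is documentation space.
SAMPLE_LOG = """\
2021-01-06T09:00:01Z src=10.8.0.12 user=ops1 endpoint=/api/v1/venues result=OK
2021-01-06T09:00:05Z src=10.8.0.12 user=ops1 endpoint=/api/v1/positions result=OK
2021-01-06T09:01:10Z src=203.0.113.7 user=admin endpoint=/login result=FAIL
2021-01-06T09:01:12Z src=203.0.113.7 user=admin endpoint=/login result=FAIL
2021-01-06T09:01:14Z src=203.0.113.7 user=admin endpoint=/login result=FAIL
2021-01-06T09:01:16Z src=203.0.113.7 user=admin endpoint=/login result=FAIL
2021-01-06T09:02:00Z src=10.8.0.33 user=ops2 endpoint=/debug/dump result=OK
"""

VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")   # assumed VPN address range
ALLOWED_ENDPOINTS = {"/login", "/api/v1/venues", "/api/v1/positions"}  # assumed
FAIL_THRESHOLD = 3  # failed logins from one source before we raise a finding

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"endpoint=(?P<endpoint>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def detect(events):
    """Return a list of (finding_type, source, detail) tuples for the given events."""
    findings = []
    failed_logins = Counter()
    non_vpn_seen = set()
    for ev in events:
        src = ipaddress.ip_address(ev["src"])
        # Database and system access is expected only from the VPN range.
        if src not in VPN_SUBNET and ev["src"] not in non_vpn_seen:
            non_vpn_seen.add(ev["src"])
            findings.append(("non_vpn_source", ev["src"], ev["endpoint"]))
        # Any endpoint outside the allow list is unexpected and worth a look.
        if ev["endpoint"] not in ALLOWED_ENDPOINTS:
            findings.append(("unexpected_endpoint", ev["src"], ev["endpoint"]))
        if ev["endpoint"] == "/login" and ev["result"] == "FAIL":
            failed_logins[ev["src"]] += 1
    # A burst of failed logins from one source looks like password guessing.
    for src, count in failed_logins.items():
        if count >= FAIL_THRESHOLD:
            findings.append(("password_guessing", src, count))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample input this produces three findings: the external address is flagged once as a non-VPN source, the same address is flagged for four failed logins, and the internal request to /debug/dump is flagged as an unexpected endpoint. In practice the failed-login rule would be windowed by time rather than counted over the whole file, but the structure of the check is the same.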

  • Client collaboration for continuous improvement

We work closely with our clients to ensure all the latest data privacy policies and requirements are up to date. We work with major customers in healthcare, smart workplace, retail, and aviation across North America, Europe, and Asia, including UCHealth, international corporations (CBRE), the U.S. Department of Homeland Security, U.S. airports (Washington Reagan and National), two major U.S. airlines and one of the major U.S. department store retailers across 1,000 locations with millions of mobile application users. Pointr’s information security has been approved by Cisco, Siemens, Extreme Networks, CBRE, ISS, DHS, and many others.

FAQs

  • Does Pointr Deep Location® send device IDs to third parties like many location-based apps available on the market?
    Absolutely not. In fact, we use a completely different system that is device ID agnostic, so a user’s device ID and location are never in danger of being revealed.
  • Is users’ personal information used for marketing purposes or sold to data brokers to be sold on?
    Never. We have very strict protocols in place to ensure this never happens and any information collected is completely anonymous and unable to be re-identified through a common reference point.

  • Is Pointr Deep Location® vulnerable to attack over an internet connection (a common attack vector for many businesses)?
    It’s not possible to compromise our platform through an internet connection. Our databases are only accessible through our secure VPN and with the right credentials. Additionally, we are constantly monitoring for any unusual or suspicious activity.
  • How can less scrupulous companies get away with selling customer data?
    Legislation to ensure the protection and privacy of personal data is still fragmented. The GDPR (General Data Protection Regulation) in Europe does a good job of protecting data, but the US is still very hit and miss in many states. California is a notable exception with its Consumer Privacy Act.

About Pointr 

Pointr is a global leader in indoor location. Pointr's Deep Location® technology uses machine-learning techniques to create the best performing and the most scalable indoor location technology available today. Our technology is ISO 27001 and ISO 27017 certified and used by Cisco, Microsoft, Siemens, Extreme Networks, CBRE, ISS, DHS, and many others.

Deep Location® enables location-based services such as digital mapping, navigation, location tracking, geofencing, and powerful location-based analytics. We work with major retail, smart workplace, aviation, and hospitality customers across North America, Europe, and Asia.

If you're interested in finding out more about Pointr Deep Location®, please contact our team.


Author: Les Blythe