Illinois poised to ban geolocation tracking without consent

The US state of Illinois is poised to pass a law that makes it illegal to track a phone’s location without the owner’s consent.

The law, the Geolocation Privacy Protection Act (HB3449), was passed in both houses of the state legislature last week. It’s now on the desk of Governor Bruce Rauner, ready to be signed into law.

The bill will make it illegal for a company to track a person’s geolocation without first getting permission. It sets criminal penalties and damages of at least $1,000, plus attorney’s fees and court costs, for working out a person’s whereabouts from their device without permission.

From the bill’s full text:

‘Geolocation information’ means information that: (i) is not the contents of a communication; (ii) is generated by or derived from, in whole or in part, the operation of a mobile device, including, but not limited to, a smart phone, tablet, or laptop computer; and (iii) is sufficient to determine or infer the precise location of that device.

IP addresses aren’t covered by the bill. It also includes exceptions for finding a missing child or for enabling emergency responders to locate somebody. Breaking the new law will be considered a violation of the Consumer Fraud and Deceptive Business Practices Act.

Some question whether the bill will have any real-world impact, given that most devices, apps and websites now ask people for permission before they use location data.

True, and good for their developers. But there’ve been plenty of times when that permission wasn’t sought or granted, yet still our locations have been tracked. There are other times when our locations have been shared without our permission simply because some developer along the line introduced location-sharing by accident.

Here are a few such cases:

  • Apple got hit with a class-action lawsuit a few years back over tracking users without consent, allegedly using the location service function on its iPhones to track users, record their location, send it to Apple, and potentially give it to third parties.
  • Researchers in 2014 noticed that when WhatsApp shared their location, the app “called out” to Google Maps without using Secure HTTP, better known as HTTPS. WhatsApp thankfully fixed that glitch, given that attackers who can sniff network traffic between your phone and Google’s servers could have pinpointed users as soon as they shared location with other WhatsApp users.
  • We found out in September that Google Play tracks you even if other apps don’t, given that there’s no per-app choice. It can only be denied access to your location data if you turn location collection off entirely, unlike other apps such as Google Chrome or Sophos Mobile Security, where the per-app toggle works as expected.

Time will tell whether the bill will have any impact on situations such as those. Good luck, after all, with trying to outlaw “Oops! We were sharing location by mistake!” glitches.

Besides penalizing those entities that fail to ask for permission to track people’s geolocation, the Illinois bill would also require that companies inform users of how they plan to use the information they collect (share it with third parties, etc).

At any rate, it’s not surprising that Illinois would pass a law to protect our geolocation privacy; the state has a history of strict data privacy legislation.

As we’ve reported in the past, the Electronic Privacy Information Center (EPIC) considers the Illinois Biometric Information Privacy Act – which prohibits companies like Snapchat, Facebook, or Google from using facial and eye scans, fingerprints, or voiceprints without prior, written consent – to be the toughest law of its kind in the US.

Besides the Geolocation Privacy Protection Act, the Illinois Senate has also passed the Right to Know Act. Approved in May but since put on hold, it requires companies such as Google, Facebook and Amazon to disclose what data has been collected on consumers and shared with third parties.

There are those who consider Illinois’ fixation on privacy to be an utter waste of resources: one that’s bound to produce little but “a tsunami of ‘gotcha’ litigation,” to quote Forbes contributor and University of Chicago law professor Omri Ben-Shahar.

The Illinois legislature — the nation’s most defunct lawmaker — is active these days not in resolving the state’s ongoing pension and budget crises (Illinois has the worst budget deficit in its history and has not managed to pass budget legislation for over a year*). Rather, exhibiting a stunning attention to minutiae, Illinois is worrying itself with so-called “privacy”. Already the state with the most aggressive privacy protection law, the Illinois House is now considering three new privacy bills that would blaze a new trail of class action activity. Illinois, in other words, is solidifying its stature as the Mecca for privacy litigation pilgrimage.

(*On Tuesday, the Illinois Senate approved spending and revenue bills and then overrode the governor’s immediate vetoes of the legislation.)

At Naked Security, we tend to be cheerleaders for privacy protection legislation, but Ben-Shahar raises some points that are worth considering.

Take Illinois’ biometrics law, for example. As Ben-Shahar frames it, users who sign on with their fingerprints, for one, know perfectly well that Apple et al. are using their biometric information. Yet there is a slew of lawsuits alleging technical violations in the presentation of the consent forms, none of which have been prompted by consumer harm or complaint, and none of which have demonstrated concrete injury.

One of those suits is against Google. Two Illinois residents have filed a class action lawsuit over Google’s creation of face templates from their photographs. In March, the US District Court for the Northern District of Illinois ruled that the lawsuit could proceed.

What’s the big deal with Google creating face templates from photos uploaded to Google’s cloud-based Photos service, which enables sharing and storage? … And from creating face templates with users’ unique facial geometry?

For one thing, it was allegedly done without consent. Nor did Google publish a data retention or destruction schedule, as the plaintiffs allege.

As the Illinois General Assembly has noted, victims of identity theft can always change their taxpayer IDs, but barring violence or surgery, they can’t rearrange their face:

Biometrics … are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.

Is Illinois’ attention to the minutiae of data privacy, be it geolocation, biometrics or data collection, a waste of time? Or an (unfortunately) rare, but welcome, instance of attention being paid to potential avenues of identity fraud and privacy invasion?

I’m going with the latter. We don’t need concrete harm to be done before we take action to prevent it.

Readers, your thoughts?