Anne Toomey McKenna,*i Amy C. Gaudion,**ii Jenni L. Evans***iii
ABSTRACT
Strava, a popular social media platform and mobile app like Facebook but specifically designed for athletes, posts a “heatmap” with consensually-obtained details about users’ workouts and geolocation. Strava’s heatmap depicts aggregated data of user location and movement by synthesizing GPS satellite data points and movement data from users’ smart devices together with satellite imagery. In January of 2018, a 20-year-old student tweeted that Strava’s heatmap revealed U.S. forward operating bases. The tweet revealed a significant national security issue and flagged substantial privacy and civil liberty concerns.
Smart devices, software applications, and social media platforms aggregate consumer data from multiple data collection sources, including device-embedded sensors, cameras, software, and GPS chips, as well as from consumer activities like social media posts, pictures, texts, email, and contacts. These devices and apps utilize satellite data, including GPS, as a fundamental component of their data collection arsenal. We call this little understood, across-device, across-platform, and multi-sourced data aggregation the satellite-smart device information nexus. Given the nature of the technology and data aggregation, no one escapes the satellite and smart device information nexus. We explain the technology behind both satellites and smart devices, and we examine how the satellite-smart device information nexus works. We also address how private industry’s aggregation of data through this nexus poses a threat to individual privacy, civil liberties, and national security.
In so doing, we work to fill a marked gap in the privacy and cyber-related legal literature when it comes to analyzing the technology, surveillance capabilities, law, and regulation behind government and commercial satellites together with private industry’s aggregation, use, and dissemination of geolocation and other data from the satellite-smart device information nexus. This lack of awareness about the satellite-smart device information nexus has adverse consequences on individual privacy, civil liberties, and the security of nation states; it impedes informed legislation; and it leaves courts in the dark.
A contributing factor to the lack of awareness is that commercial remote sensing and government satellites are regulated by a byzantine scheme of international laws, treaties, organizations, and domestic nation states’ laws that combine to control access to satellite data, sharing of satellite data, licensing, ownership, positioning in space, technical requirements, technical restrictions, and liability for harm caused by satellites. Although the satellite-smart device information nexus involves staggering quantities of personal information, we examine how the nexus falls outside the U.S. electronic surveillance and data legislative scheme and why it is unimpeded by privacy decisions due to a disconnect in U.S. Supreme Court decisions treating aerial surveillance differently than location tracking.
We breakdown the complex yet opaque regulatory structure governing commercial remote sensing and government satellites. We examine why the Strava event and others like it are—and will continue to be—the new norm, absent significant legislative and regulatory change. We conclude by providing a suggested roadmap for that legislative and regulatory change.