What does In Loco do for their users’ privacy?

Rafael Gouveia
Inloco Tech Blog
Oct 4, 2019

Hello dear readers, my name is Rafael Gouveia, and I have worked at In Loco for a little more than three years. For the past few months, I have been building our R&D team on anonymization. Together with our legal team, I am also coordinating efforts across the whole engineering team to achieve GDPR/LGPD compliance (the European and Brazilian data protection laws). I want to describe here what In Loco has been doing over the past three years to achieve privacy.

Privacy was a choice since the beginning

I joined In Loco in 2016, and at the time, even before the Cambridge Analytica scandal, privacy was already a value at In Loco. In Loco was a fast-growing start-up, and as such did not have many resources: little money and few people (around thirty). At this point, what we said we stood for was the most important thing, because it guided business decisions. In my first year alone, we turned down contracts that would have brought personal identifiers, e.g., telephone numbers, CPF (Brazil’s equivalent of an SSN) or emails, into our database. We also rejected large deals with political parties during the elections. Turning down these contracts literally made us grow at a slower rate, at least in the short term. Looking back a few years later, I appreciate those hard decisions. Avoiding these identifiers made it much easier to achieve compliance with the new regulations.

In 2017, In Loco received its series A investment. This is when we started investing in security and culture. That environment produced critical awareness of the sensitivity of our users’ data and of the vulnerabilities of social engineering, one of the most significant security vulnerabilities of the present day. As the company grew in size, worries about security spread beyond the directors and a few experts. The investment year was an exploratory year for our products, and we reinvented the business.

Place visits: how to handle them?

In Loco stopped worrying about indoor location and started to worry about visits, which was a breaking change for the company at this point. We changed our technology to be able to infer which place the user is at. This technology scales globally much more easily. But we faced a huge privacy problem here: would it be possible to learn someone’s medical condition or sexual orientation? Would it be possible to discover political preferences, religion and more from the places they attend? Well, in theory, yes; in practice, we have a bunch of smart engineers who created a better solution to avoid this.

Let’s now describe how this solution effectively works. To start, let’s go through the premises:

1. To classify a visit, we collect data from smartphone sensors and feed it to our classification algorithm;

2. We do not know the user’s location (which place they are at) until we have collected the data and classified it;

3. Some places, like hospitals and clinics, might reveal sensitive information about a person. We call these sensitive places;

4. The classified visits are used to improve future classifications.

We could modify our places database to exclude all potentially sensitive places; this way, a visit to a hospital would not be taken into account. But that is not a good idea, since the sensor data is also stored: if a potential attacker later augments the database with the missing places, they would be able to reclassify the visit to the sensitive place.

To solve the problem, when we receive a visit and classify it as any of the places tagged as sensitive, we remove all identifiable data from the visit and store it only as “a visit occurred at sensitive place A”. Without the information of who visited, and with no way to link it to other visits, the information becomes anonymous. This solution lets us discard the sensitive data while still improving our classifications, so that sensitive places are recognized and their data is not collected in the future through misclassification.

Our list of place categories that are considered sensitive is:

Hospitals, clinics, dentists, laboratories, cemeteries, mortuaries, daycare centers, political headquarters, religion-related places (e.g., churches, temples, etc.) and penitentiaries.
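The following is an added example, not In Loco’s code, that puts the four premises and the two designs discussed above side by side. The record layout, the toy nearest-place classifier, the match radius and the places and visits are all constructed for illustration; only the sensitive categories come from the list above. `naive_process_visit` is the rejected design (sensitive places removed from the database, sensor data kept), `process_visit` is the one the post describes, and `reclassify` shows what someone holding an augmented places database can recover from each kind of stored record.

```python
"""Sensitive-place handling for visit records.

Added example, not In Loco's code. The record layout, the toy
nearest-place classifier and the places/visits below are constructed;
only the sensitive categories come from the post.
"""
from dataclasses import dataclass
import math

# Place categories the post lists as sensitive.
SENSITIVE_CATEGORIES = {
    "hospital", "clinic", "dentist", "laboratory", "cemetery", "mortuary",
    "daycare", "political_hq", "religious", "penitentiary",
}

# A visit is "at" a place if the sensor fix is within this distance
# (degrees, toy value chosen for the example).
MATCH_RADIUS = 0.001


@dataclass(frozen=True)
class Place:
    place_id: str
    category: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Visit:
    device_id: str   # per-device identifier
    ts: int          # epoch seconds at the start of the visit
    sensors: dict    # raw sensor data the classifier consumes


# Constructed places database: a hospital with a cafe next door, and a church.
PLACES = [
    Place("H1", "hospital", -8.0500, -34.9000),
    Place("C1", "cafe", -8.0506, -34.9000),
    Place("R1", "religious", -8.0700, -34.9100),
]

# Constructed visits: one right at the hospital, one at the cafe.
VISITS = [
    Visit("dev-a", 1570000000, {"lat": -8.0501, "lon": -34.9000}),
    Visit("dev-b", 1570000300, {"lat": -8.0507, "lon": -34.9000}),
]


def classify(sensors, places):
    """Toy classifier: the nearest place within MATCH_RADIUS, else None."""
    best, best_d = None, float("inf")
    for p in places:
        d = math.hypot(p.lat - sensors["lat"], p.lon - sensors["lon"])
        if d < best_d:
            best, best_d = p, d
    return best if best_d < MATCH_RADIUS else None


def process_visit(visit, places):
    """The post's approach: classify first, then anonymize sensitive visits."""
    place = classify(visit.sensors, places)
    if place is None:
        return None  # unclassified visits are dropped here (assumption)
    if place.category in SENSITIVE_CATEGORIES:
        # Strip everything that identifies the device or could link this
        # visit to others: device id, timestamp and the raw sensor data.
        # Only "a visit occurred at sensitive place X" survives.
        return {"place_id": place.place_id, "category": place.category,
                "sensitive": True}
    return {"device_id": visit.device_id, "ts": visit.ts,
            "place_id": place.place_id, "category": place.category,
            "sensors": visit.sensors, "sensitive": False}


def naive_process_visit(visit, places):
    """The rejected design: drop sensitive places from the database but keep
    the sensor data, so the record can be reclassified later."""
    safe_places = [p for p in places if p.category not in SENSITIVE_CATEGORIES]
    place = classify(visit.sensors, safe_places)
    return {"device_id": visit.device_id, "ts": visit.ts,
            "place_id": place.place_id if place else None,
            "sensors": visit.sensors}


def reclassify(record, places):
    """What a holder of an augmented places database can recover from a stored
    record: the place id if sensor data survived, otherwise None."""
    if record is None or "sensors" not in record:
        return None
    place = classify(record["sensors"], places)
    return place.place_id if place else None


if __name__ == "__main__":
    for v in VISITS:
        print(process_visit(v, PLACES))
    leaked = naive_process_visit(VISITS[0], PLACES)
    print("naive record reclassified to:", reclassify(leaked, PLACES))
    print("anonymized record reclassified to:",
          reclassify(process_visit(VISITS[0], PLACES), PLACES))
```

Note that the anonymized record still carries the place id, so per-place statistics (premise 4) keep counting it; what is gone is the device id, the timestamp and the sensor data, which is exactly what the naive design leaves behind and what makes reclassification possible once the hospital is added back to the database.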

Regulations get prominent

In 2018, the buzz about GDPR started. Our user base was slowly spreading through countries in Europe. We were not ready to make the changes quickly enough to be compliant, and there was no revenue there for us. Our decision was easy: we must not collect data from Europe. We blocked all requests coming from European IPs and remotely deactivated our SDK on devices inside the EU. We turned EU territory into a black hole: if you enter it, we immediately stop gathering data from your device. We then replicated this strategy in every country where we are not compliant. This choice was not about fear of a fine; instead, it shows our commitment to the regulations.

Still in 2018, it came to our attention that visits were not the only kind of data that could reveal sensitive information. The apps a person has installed, some of which might contain our SDK, can reveal it too. Examples are children’s apps, dating apps and bible apps. They may reveal that you are a kid, your sexual preferences, your religion and more. We promptly searched for sensitive apps in our database, then remotely deactivated our SDK in all apps in these categories and told them that, because of our new privacy restrictions, we could not work with them any longer.

GDPR was essential for us; many of the law’s concepts made a lot of sense to us and helped us evolve our notions of privacy. However, by 2018 the series A money was close to running out, while In Loco faced another massive transformation (the recreation of its media platform). The company ended up with fewer resources available to become fully compliant by the end of the year.

A great year

And here we are in 2019, with series B money! A lot of things happened this year:

  • We have built a multidisciplinary team with engineers and lawyers to focus on compliance.
  • We defined our goal to be LGPD compliant by the end of this year, eight months ahead of the deadline (August 2020).
  • We also defined the goal to be GDPR compliant in January of 2020.
  • The security team is also growing.
  • We have started to educate the market about privacy. We promoted two events we called “Privacy Week” (one in São Paulo and one in Recife).
  • We also stopped the whole tech team (around 80 people) for a week in July to work on privacy-related tasks in our products.
  • We have created an R&D team to develop anonymization studies and techniques to be used on our products and databases.
  • We chose to allocate the most significant budget of the company for Privacy-related tasks.
  • We are spreading privacy concerns not only to product and tech, but also to HR, recruiting, finance, etc. Our employees and hiring candidates deserve the same privacy requirements we have for our users.
  • We have decided that we must remove all plaintext advertising IDs from all our databases. We are in the process of migrating to hashing and encrypting all incoming IDs, to avoid direct linkability with external databases.
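The last item above is the one with a concrete technical choice behind it, so here is an added example (not In Loco’s code; the post does not describe the scheme it is migrating to) of why a keyed hash, rather than a plain hash, is what breaks direct linkability with external databases. The key, the advertising IDs and the “external” list are all constructed. It covers only the hashing step the post mentions, not the encryption step.

```python
"""Keyed hashing of advertising ids to break direct linkability.

Added example, not In Loco's code. The post says In Loco is moving to
hash and encrypt incoming ids; this block shows only a keyed-hash
(HMAC-SHA256) step with a constructed key and constructed ids, plus a
linkage check against an external data set keyed by plain ids.
"""
import hashlib
import hmac

# Constructed key. In production the key lives in a secret store, never in
# the same database as the pseudonyms, and is never shared with partners.
KEY = b"constructed-demo-key-do-not-use"

# Constructed advertising ids in the usual IDFA/GAID-style UUID format.
OUR_ADIDS = [
    "6D92078A-8246-4BA4-AE5B-76104861E7DC",
    "38400000-8CF0-11BD-B23E-10B96E40000D",
    "A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D",
]

# Constructed external data set keyed by plain ids; two overlap with ours
# (one of them differs only in letter case).
EXTERNAL_ADIDS = [
    "6d92078a-8246-4ba4-ae5b-76104861e7dc",
    "A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D",
    "FFFFFFFF-0000-4000-8000-000000000001",
]


def normalize(adid):
    """Canonical form so the same device always yields the same pseudonym."""
    return adid.strip().lower()


def unkeyed_hash(adid):
    """Plain SHA-256: deterministic and public, so anyone holding the plain
    id can recompute it and join against our records."""
    return hashlib.sha256(normalize(adid).encode()).hexdigest()


def pseudonymize(adid, key=KEY):
    """HMAC-SHA256 under a secret key: still deterministic for us (so a
    device's own events link over time) but not reproducible without the key."""
    return hmac.new(key, normalize(adid).encode(), hashlib.sha256).hexdigest()


def linkable_count(our_ids, external_plain_ids, transform):
    """How many of an external party's plain ids link to our stored ids when
    that party applies `transform` to its own ids before matching."""
    ours = set(our_ids)
    return sum(1 for adid in external_plain_ids if transform(adid) in ours)


def build_stores():
    """Our id column under three storage policies."""
    return {
        "plain": [normalize(a) for a in OUR_ADIDS],
        "sha256": [unkeyed_hash(a) for a in OUR_ADIDS],
        "hmac": [pseudonymize(a) for a in OUR_ADIDS],
    }


if __name__ == "__main__":
    stores = build_stores()
    print("plain         :", linkable_count(stores["plain"], EXTERNAL_ADIDS, normalize))
    print("sha256        :", linkable_count(stores["sha256"], EXTERNAL_ADIDS, unkeyed_hash))
    print("hmac, no key  :", linkable_count(stores["hmac"], EXTERNAL_ADIDS, unkeyed_hash))
    print("hmac, our key :", linkable_count(stores["hmac"], EXTERNAL_ADIDS, pseudonymize))
```

The last line of the demo is the important caveat: with the key, In Loco itself can still link records, which is what makes this pseudonymization rather than anonymization. The protection against external linkage is only as strong as the secrecy of the key, so the key must be stored and access-controlled separately from the databases holding the pseudonyms.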

We created a working definition of privacy so that all teams are aligned on the same view.

An application is considered private if it gives the user full control and transparency over how the data is collected and how it is used. This control means that the user can quickly opt out altogether or select which uses of their data they want to allow. There are many rights granted by LGPD and GDPR that augment this definition; for instance, users have the right to delete, and to request, all the data the company has on them.

Also, an application that is private by design will use every resource available to guarantee the security of the data, while also using anonymization and pseudonymization techniques to limit how the data can be linked with other databases.

Last but not least, In Loco’s privacy definition requires the ethical use of data: data collection and processing should be used for the benefit of the user, never against them!

Right now, everyone in the company, myself included, is working to make sure we achieve the privacy vision In Loco created. Reading from the beginning, you may have realized that any privacy definition can become outdated quickly. We will keep updating our definition to the highest standards as they evolve.

To Infinity and Beyond

Are you interested?

If you are interested in building context-aware products through location while preserving users’ privacy, check out our opportunities. Also, we’d love to hear from you! Leave a comment and let us know what you would like us to talk about in upcoming posts.
