When online services are accessed via a Web browser, geolocation technology can pinpoint the user’s position to within a few meters, employing a combination of the user’s IP address, the route taken by packets over the Internet, and any Wi-Fi networks that might be in range of the user’s computer. It’s even easier if a cell-phone app is used; the app can read the phone’s GPS and know, for example, every time the user walks in front of a Starbucks.

So why aren’t we already in an age of geospatial advertising, where companies like Facebook and Google send coupons to users’ phones as they pass by advertisers’ stores? One big problem is the difficulty of serving up such ads without compromising users’ privacy.

One possible solution is anonymization, scrubbing identifiers from personal data records so that advertisers get the absolute minimum of information they need—a trendy clothes retailer might care that a user is a woman aged 18 to 34, but it doesn’t need to know which 18-to-34-year-old woman she is. Or it might care that a user is near one of its stores without caring which store. Anonymization would let phones communicate with advertisers, providing location and general demographic information without revealing the user’s identity. However, it’s proved surprisingly easy to reassociate scrubbed records with specific individuals.

In response, researchers are developing new mathematical approaches to protecting identity. Efforts are under way at Microsoft to ensure that an individual’s contribution to, say, a demographic database cannot be isolated. Researchers at IBM are working on an encryption method that, in five to 10 years, could allow information to be analyzed without ever being decrypted (see “TR10: Homomorphic Encryption,” May/June 2011). That means companies could search for users whose location matches that of a store without ever getting access to personal details.