GPS-enabled mobile devices are a quickly growing market and users are starting to share their location information with each other through services such as Google Latitude. Location information, however, is very privacy-sensitive, since it can be used to infer activities, preferences, relationships, and other personal information, and thus access to it must be carefully protected. The situation is complicated by the possibility of inferring a users' location information from previous (or even future) movements. We argue that such inference means that traditional access control models that make a binary decision on whether a piece of information is released or not are not sufficient, and new policies must be designed that ensure that private information is not revealed either directly or through inference. We provide a formal definition of location privacy that incorporates an adversary's ability to predict location and discuss possible implementation of access control mechanisms that satisfy this definition. To support our reasoning, we analyze a preliminary data set to evaluate the accuracy of location prediction.