You Are Here: Scary New Location Privacy Risks

Who's following your every geographic move when you use Facebook, Foursquare or even just your smartphone? New security research shows you should worry about more than Google Street View with regards to location-based data and privacy.

By Bill Snyder
Mon, June 28, 2010

CIO — Location-based services on a mobile phone are terrifically helpful when you need to find a nearby business or directions to the freeway. They're also terrifically helpful to advertisers, government agencies and even stalkers who can use them to track your every move.

[Google (GOOG) now faces a multiple-state privacy investigation regarding its Street View data collection effort. For more on the privacy brouhaha, see this backgrounder and timeline. ]

"If you are publishing your location to the world, anyone, including a stalker or a thief or the government or an advertiser or anyone else, can go and look at that information, and hence, the threat," says Kevin Bankston, an attorney with the Electronic Frontier Foundation.

The danger isn't just theoretical. At the SchmooCon security conference in Washington D.C. last winter, a hacker demonstrated an application that tricks a user into clicking on a poisoned link and then surreptitiously downloads a spyware program that tracks the smartphone's exact location. The results are displayed as an overlay on a Google map on the hacker's Web site, says Mike Greide, a security researcher at Zscalar who witnessed the demo.

That code, he says, has since been made public and is now on the Web for anyone to use. With a little effort, it could be adapted to work on iPhones or Android-based devices, Greide told me.

Less overtly threatening, but still invasive, are privacy holes created when social networking sites share information with third parties such as advertising and analytics companies. "I may not intend it, but once I check in with a mobile social networking site it's quite possible that the whole world will then know where I'm at," says Craig Wills, a professor of computer science at the Worcester Polytechnic Institute, who has studied the issue of "privacy leakage" from social networking sites. (More about Prof. Wills's work in a bit.)

What Your Phone Says About Your Locale

And don't think that your basic cell phone, which doesn't have a GPS function, won't give you away. It will, since it's always in touch with cell phone towers, whose location can give away yours via triangulation. And once again, the threat is not theoretical.

Last year, the FBI obtained secret permission (but didn't actually get a warrant) to monitor the location of 180 cell phones in the course of an investigation into a bank robbery, according to a court filing by the American Civil Liberties Union and the Electronic Frontier Foundation. The difference between the order obtained by the FBI and a warrant isn't just a technicality. Obtaining a warrant requires a much higher standard of proof that a crime has been committed or will be in the near future.

Continue Reading

Our Commenting Policies