Location-based services on a mobile phone are terrifically helpful when you need to find a nearby business or directions to the freeway. They’re also terrifically helpful to advertisers, government agencies and even stalkers who can use them to track your every move.
“If you are publishing your location to the world, anyone, including a stalker or a thief or the government or an advertiser or anyone else, can go and look at that information, and hence, the threat,” says Kevin Bankston, an attorney with the Electronic Frontier Foundation.
The danger isn’t just theoretical. At the ShmooCon security conference in Washington, D.C., last winter, a hacker demonstrated an application that tricks a user into clicking on a poisoned link and then surreptitiously downloads a spyware program that tracks the smartphone’s exact location. The results are displayed as an overlay on a Google map on the hacker’s Web site, says Mike Greide, a security researcher at Zscaler who witnessed the demo.
That code, he says, has since been made public and is now on the Web for anyone to use. With a little effort, it could be adapted to work on iPhones or Android-based devices, Greide told me.
Less overtly threatening, but still invasive, are privacy holes created when social networking sites share information with third parties such as advertising and analytics companies. “I may not intend it, but once I check in with a mobile social networking site it’s quite possible that the whole world will then know where I’m at,” says Craig Wills, a professor of computer science at the Worcester Polytechnic Institute, who has studied the issue of “privacy leakage” from social networking sites. (More about Prof. Wills’s work in a bit.)
What Your Phone Says About Your Locale
And don’t think that your basic cell phone, which doesn’t have a GPS function, won’t give you away. It will, since it’s always in touch with cell phone towers, whose location can give away yours via triangulation. And once again, the threat is not theoretical.
Last year, the FBI obtained secret permission (but didn’t actually get a warrant) to monitor the location of 180 cell phones in the course of an investigation into a bank robbery, according to a court filing by the American Civil Liberties Union and the Electronic Frontier Foundation. The difference between the order obtained by the FBI and a warrant isn’t just a technicality. Obtaining a warrant requires a much higher standard of proof that a crime has been committed or will be in the near future.
The government’s contention that warrants aren’t needed to monitor the location of cell phone users disturbs me, and it apparently disturbed U.S. Circuit Judge Dolores Sloviter, who asked during a court hearing in Philadelphia: “You know there are governments in the world that would like to know where some of their people are or have been. Can the government assure us that it will never try to find out these things?”
Social Networking Your Privacy Away
By now, most of us know that the privacy settings on sites like Facebook can be difficult to use, and it doesn’t take much of a mistake to widely disseminate information we meant only for our close friends. What’s more, many social networking sites transmit personal information to third parties, particularly advertisers, unless a user has opted out.
Being subjected to ads keyed to your browsing habits can be intrusive, but the potential for harm isn’t great. But when that personal information includes your current location, or addresses you’ve visited in the recent past, the issue becomes more serious.
Wills, the Worcester Polytechnic researcher, looked at 13 mobile online social networks, including popular services like Brightkite, Buzzd, Flickr, Foursquare, Gowalla, Loopt, Radar, and Urbanspoon, and seven older social networking services such as Facebook, LinkedIn and Twitter.
Wills and his colleague, AT&T Labs researcher Balachander Krishnamurthy, tested the sites using a “sniffer” that allowed them to see all network traffic to and from mobile phones they were testing. (You can read their research paper here.)
With the exception of Loopt, all 20 leaked some kind of private information to third-party tracking sites. Buzzd, for example, shared the user’s location with Pinch Media, a seller of Web analytics services and tools, without overt permission or disclosure, the researchers found.
Foursquare passes the user’s latitude and longitude to the Google map service to show his or her current location. That’s what you’d expect, of course, but Wills found that the geographic data is also shared with a dozen or so other sites.
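The kind of check described above can be sketched in a few lines. This is an added example, not the researchers' tooling: it scans request URLs from a capture of your own test phone and reports every third-party host that received latitude/longitude values. The domain `social.example`, the other hosts and the parameter names are assumptions, and the capture is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "social.example"   # assumed domain of the app under test
# Constructed capture: request URLs as a sniffer might log them. All hosts
# and parameter names are invented for illustration.
CAPTURE = [
    "https://api.social.example/checkin?lat=42.2746&lon=-71.8063&venue=881",
    "https://maps.mapvendor.example/tile?center=42.2746,-71.8063&zoom=15",
    "https://t.analytics.example/e?app=social&ll=42.2746%2C-71.8063&ev=open",
    "https://ads.adnet.example/req?slot=3&latitude=42.2746&lng=-71.8063",
    "https://ads.adnet.example/req?slot=4&zip=01609",
    "https://t.analytics.example/e?app=social&ev=scroll&v=1.2",
]

COORD = re.compile(r"-?\d{1,3}\.\d{3,}")  # decimal degrees, 3+ decimals
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}

def extract_coords(query):
    """Return (lat, lon) found in a query string, or None."""
    params = parse_qsl(query)  # also decodes %2C to ","
    # Coordinates may be packed as "lat,lon" in one value ...
    candidates = [v.split(",") for _, v in params if v.count(",") == 1]
    # ... or sent as two separately named parameters.
    lat = [v for k, v in params if k.lower() in LAT_KEYS]
    lon = [v for k, v in params if k.lower() in LON_KEYS]
    if lat and lon:
        candidates.append([lat[0], lon[0]])
    for a, b in candidates:
        if COORD.fullmatch(a.strip()) and COORD.fullmatch(b.strip()):
            la, lo = float(a), float(b)
            if abs(la) <= 90 and abs(lo) <= 180:
                return (la, lo)
    return None

def find_location_leaks(urls, first_party=FIRST_PARTY):
    """Map each third-party host to the coordinates it was sent."""
    leaks = {}
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # the app's own servers are expected to see location
        coords = extract_coords(parts.query)
        if coords:
            leaks.setdefault(host, set()).add(coords)
    return leaks

if __name__ == "__main__":
    for host, seen in sorted(find_location_leaks(CAPTURE).items()):
        print(host, sorted(seen))
```

The map vendor is flagged alongside the analytics and ad hosts, so the output still needs a human decision about which recipients the user would expect. Location carried in POST bodies or headers is outside what this query-string check sees.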
How to Keep the Snoops at Bay
It shouldn’t be news to you, but I’ll repeat it anyway: The most common way to get in trouble on the Web is by clicking on a link or attachment from someone you don’t know.
That’s been true on the desktop for some time, and now it’s true on the mobile Web. The hackers who use the spyware shown at ShmooCon can’t mess with your phone if you don’t take the bait.
Staying out of the clutches of advertisers or shadier types who want to know where you are via your social networking habits is a bit harder. You absolutely have to spend time figuring out Facebook privacy settings and using them correctly. I think it’s ridiculous for that burden to fall on the user, but until social networking sites yield to pressure, your safety is in your own hands.
Speaking of pressure, I’d suggest visiting the sites of the ACLU and the Electronic Frontier Foundation to see what they have to say about cell phones and privacy.
San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at firstname.lastname@example.org.