You Are Here: Scary New Location Privacy Risks

The danger isn't theoretical

Location-based services on a mobile phone are terrifically helpful when you need to find a nearby business or directions to the freeway. They're also terrifically helpful to advertisers, government agencies and even stalkers who can use them to track your every move.

[Google now faces a multiple-state privacy investigation regarding its Street View data collection effort. For more on the privacy brouhaha, see this backgrounder and timeline.]

"If you are publishing your location to the world, anyone, including a stalker or a thief or the government or an advertiser or anyone else, can go and look at that information, and hence, the threat," says Kenneth Bankston, an attorney with the Electronic Frontier Foundation.

The danger isn't just theoretical. At the ShmooCon security conference in Washington, D.C. last winter, a hacker demonstrated an application that tricks a user into clicking on a poisoned link and then surreptitiously downloads a spyware program that tracks the smartphone's exact location. The results are displayed as an overlay on a Google map on the hacker's Web site, says Mike Geide, a security researcher at Zscaler who witnessed the demo.

That code, he says, has since been made public and is now on the Web for anyone to use. With a little effort, it could be adapted to work on iPhones or Android-based devices, Geide told me.

Less overtly threatening, but still invasive, are privacy holes created when social networking sites share information with third parties such as advertising and analytics companies. "I may not intend it, but once I check in with a mobile social networking site it's quite possible that the whole world will then know where I'm at," says Craig Wills, a professor of computer science at the Worcester Polytechnic Institute, who has studied the issue of "privacy leakage" from social networking sites. (More about Prof. Wills's work in a bit.)

What Your Phone Says About Your Locale

And don't think that your basic cell phone, which doesn't have a GPS function, won't give you away. It will, since it's always in touch with cell phone towers, whose location can give away yours via triangulation. And once again, the threat is not theoretical.

Last year, the FBI obtained secret permission (but didn't actually get a warrant) to monitor the location of 180 cell phones in the course of an investigation into a bank robbery, according to a court filing by the American Civil Liberties Union and the Electronic Frontier Foundation. The difference between the order obtained by the FBI and a warrant isn't just a technicality. Obtaining a warrant requires a much higher standard of proof that a crime has been committed or will be in the near future.

The government's contention that warrants aren't needed to monitor the location of cell phone users disturbs me, and it apparently disturbed U.S. Circuit Judge Dolores Sloviter who said this during a court hearing in Philadelphia: "You know there are governments in the world that would like to know where some of their people are or have been. Can the government assure us that it will never try to find out these things?" she asked.

Social Networking Your Privacy Away

By now, most of us know that the privacy settings on sites like Facebook can be difficult to use, and it doesn't take much of a mistake to widely disseminate information we meant only for our close friends. What's more, many social networking sites transmit personal information to third parties, particularly advertisers, unless a user has opted out.

Being subjected to ads keyed to your browsing habits can be intrusive, but the potential for harm isn't great. But when that personal information includes your current location, or addresses you've visited in the recent past, the issue becomes more serious.

Wills, the Worcester Polytechnic researcher, looked at 13 mobile online social networks, including popular services like Brightkite, Buzzd, Flickr, Foursquare, Gowalla, Loopt, Radar, and Urbanspoon and seven older social networking services such as Facebook, LinkedIn and Twitter.

Wills and his colleague, AT&T Labs researcher Balachander Krishnamurthy, tested the sites using a "sniffer" that allowed them to see all network traffic to and from mobile phones they were testing. (You can read their research paper here.)

With the exception of Loopt, all 20 leaked some kind of private information to third-party tracking sites. Buzzd, for example, shared the user's location with Pinch Media, a seller of Web analytics services and tools, without overt permission or disclosure, the researchers found.

Foursquare passes the user's latitude and longitude to the Google map service to show his or her current location. That's what you'd expect, of course, but Wills found that the geographic data is also shared with a dozen or so other sites.

How to Keep the Snoops at Bay

It shouldn't be news to you, but I'll repeat it anyway: The most common way to get in trouble on the Web is by clicking on a link or attachment from someone you don't know.

That's been true on the desktop for some time, and now it's true on the mobile Web. The hackers who use the spyware shown at ShmooCon can't mess with your phone if you don't take the bait.

Staying out of the clutches of advertisers or shadier types who want to know where you are via your social networking habits is a bit harder. You absolutely have to spend time figuring out Facebook privacy settings and using them correctly. I think it's ridiculous for that burden to fall on the user, but until social networking sites yield to pressure, your safety is in your own hands.

[For expert tips on Facebook's privacy settings and step-by-step instructions on how to strengthen yours, see Facebook Privacy Fix.]

Speaking of pressure, I'd suggest visiting the sites of the ACLU and the Electronic Frontier Foundation to see what they have to say about cell phones and privacy.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at
