Location-tracking turns your smartphone into your stalker

It knows when you are sleeping. It knows when you're awake.

And it's not Santa Claus. It is your increasingly smart smartphone, loaded with processors and apps that you acquired voluntarily, with "location services" that broadcast where you are and, in some cases, what you are doing.

[Android malware steals location data from mobile devices]

These services are promoted -- and successfully sold -- as tools to make your life easier and more interesting. And they do. The apps help you get where you want to go, or let you stay connected with your circle of family, friends and associates. You can check in with your friends on the way to the hot new club downtown, so they know where you are and you know where they are. With the help of an app, you can find the restaurant your friends have all given rave reviews.

Then there is Apple's own description of its latest iPhone M7 coprocessor, which notes that it is, "designed specifically to measure motion data from the accelerometer, gyroscope, and compass," so fitness apps can monitor your workouts.

"M7 knows when you're walking, running, or even driving," the company says, so that if you stop driving and start walking, its Maps app will switch to walking turn-by-turn navigation. "And if your phone hasn't moved for a while, like when you're asleep, M7 reduces network pinging to spare your battery."

With apologies to Sting, your mobile device is now in the realm of knowing, in essence, "every breath you take, every move you make."

So, along with that easier and more interesting life comes a problem security experts have been talking about for years: If your phone knows, it isn't just your circle of selected friends, associates and family members who know. While teen users may be mostly concerned about their parents monitoring them, the companies that provide those magical conveniences are also collecting that information. And that opens the door to surveillance not only by advertisers but governments as well.

Indeed, the New York Times recently reported on police departments in cities around the country using federal grant money meant to combat terrorism to collect and analyze general surveillance data, including monitoring, "a fire hose of social media posts to look for evidence of criminal activities."

U.S. appeals court upholds warrantless collection of phone location data]

That reality is making its way into the consciousness of mobile users, albeit slowly. A recent survey on location-based services by the Pew Research Center's Internet Project found that while a large majority of mobile device owners use location services, they are increasingly aware that this allows them to be tracked.

The survey found that, "74 percent of adult smartphone owners ages 18 and older say they use their phone to get directions or other information based on their current location." It also found that 30 percent of social media users aged 18 or older include their location in their posts. That is up from 14 percent in 2011.

But the use of "geosocial" services to "check in" to certain locations or share one's location with friends dropped from 18 percent in early 2012 to 12 percent a year later. And as of September 2012, 46 percent of teen app users reported that they had turned off the location-tracking feature in their device or in an app on that device.

Privacy experts say all mobile users should disable location tracking unless they are actively using an app, like a map program giving them directions. "I generally disable location services except for specific apps at specific moments, such as I'm trying to use Google maps to find a specific place," said Hanni M. Fakhoury, a staff attorney at the Electronic Frontier Foundation (EFF).

They also advise strongly against allowing social media posts to include location. It's not just the obvious risks of publishing the fact that you may be far from home, offering an invitation to burglars. It is also the cumulative impact of thousands of little details about your associations, your beliefs, your habits -- your life.

Every move you make...]

"Mobile apps are of special concern because smartphones tend to get exceptional data about us -- what time you wake up, when you go to the doctor's office and when you go to McDonald's, whether you drive above the speed limit, and on and on," said Ben Edelman, a privacy expert and an associate professor at Harvard Business School.

"Individually, this data might seem unimportant. But add it up -- millions of users, over months and years -- and it's a portrait of humanity. Never before has so much data been collected about so many. And to what end?"

Rebecca Herold, CEO of The Privacy Professor, warns that, "whenever data is posted online, such as through the auto-location-sharing apps, that data is subject to a wide range of surveillance."

Hanni Fakhoury agrees. "Detailed information about a person's location reveals a lot about that person's associations and activities. And law enforcement is eager to get its hands on that information," he said.

The companies that make the apps and provide the services that use location tracking generally make a point of promising that the user has control over what is shared. Google recently amended its Terms of Service to include what it calls a "shared endorsements" setting that, starting Nov. 11, will show Google+ users' -- including their profile picture -- product preferences alongside ads within their social network.

Google's pitch is that the new setting will, "make it easy for you to get great recommendations from your friends." But it emphasizes that, "You're in control: Your content is only shared when you choose, and shared."

The problem with promises like this, Ben Edelman says, is that they are not always kept. "What should happen if a site promises not to track users in a particular way, or not to store or analyze that data in a particular way?" he asked.

"Time and time again, sites break those promises, then users sue, then sites claim, 'Well, you weren't damaged, so you should get zero.' It's true that users struggle to demonstrate actual damages from these violations. But privacy has intrinsic value, and so does honoring your word."

There is also the reality, illustrated by the ongoing revelations from former National Security Agency (NSA) contractor Edward Snowden, that government agencies can and do get access to online activity of individuals. With location tracking, that means not only sites they visited, posts they made or emails they sent. It also means where they went, who else might have been there, how long they stayed and reams of other information.

"We have seen that the NSA, law enforcement, and other government agencies, can get access to basically anything online under FISA (Foreign Intelligence Surveillance Act) and the USA PATRIOT Act," said Rebecca Herold.

Supreme Court: GPS tracking needs court warrant]

"And, very disappointingly, there is no accountability for their actions. I can understand the need to sometimes gain access to some specific individuals who are true terrorists or criminal suspects. However, without requiring the government and law enforcement to be accountable for their actions, it is a huge risk to privacy, and personal security."

Major internet service providers like Google, Microsoft, Skype, Yahoo!, Facebook, YouTube, AOL and Apple have acknowledged providing personal data on their customers when the government demands it. And it is not only the major players. Just this week, Snapchat acknowledged in a blog post that it has been compelled, by the Electronic Communications Privacy Act (ECPA) to provide information on its servers to law enforcement.

Robert Siciliano, CEO of IDTheftSecurity, is one of many privacy experts who recommend not only disabling tracking features unless they are in use and keeping privacy settings and permissions "locked down," but also for users to be careful about what they share, what information they provide and what they download.

In an interview, Siciliano said the material he has seen people share on social media, including details like documenting their last months of life or chronicling the dalliances of a cheating spouse, is enabling ever more intrusive surveillance. "Unlimited data storage has become manageable and search software has been refined to explore all the data being produced. Government has been implementing this for over a decade," he said.

And while the companies that collect and store all this data may want it secured as much as their customers do, leaks are as inevitable as death and taxes. "There will always be leaks no matter what," he said.

Tags securitymobile

Comments

Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Secure Virtualization of Business Applications

Run your mission-critical applications in a secure and compliant virtual datacenter, or private cloud.

Latest Jobs
Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.