Location-tracking turns your smartphone into your stalker

It knows when you are sleeping. It knows when you're awake.

And it's not Santa Claus. It is your increasingly smart smartphone, loaded with processors and apps that you acquired voluntarily, with "location services" that broadcast where you are and, in some cases, what you are doing.


These services are promoted -- and successfully sold -- as tools to make your life easier and more interesting. And they do. The apps help you get where you want to go, or let you stay connected with your circle of family, friends and associates. You can check in with your friends on the way to the hot new club downtown, so they know where you are and you know where they are. With the help of an app, you can find the restaurant your friends have all given rave reviews.

Then there is Apple's own description of its latest iPhone M7 coprocessor, which notes that it is, "designed specifically to measure motion data from the accelerometer, gyroscope, and compass," so fitness apps can monitor your workouts.

"M7 knows when you're walking, running, or even driving," the company says, so that if you stop driving and start walking, its Maps app will switch to walking turn-by-turn navigation. "And if your phone hasn't moved for a while, like when you're asleep, M7 reduces network pinging to spare your battery."

With apologies to Sting, your mobile device is now in the realm of knowing, in essence, "every breath you take, every move you make."

So, along with that easier and more interesting life comes a problem security experts have been talking about for years: If your phone knows, it isn't just your circle of selected friends, associates and family members who know. While teen users may be mostly concerned about their parents monitoring them, the companies that provide those magical conveniences are also collecting that information. And that opens the door to surveillance not only by advertisers but governments as well.

Indeed, the New York Times recently reported on police departments in cities around the country using federal grant money meant to combat terrorism to collect and analyze general surveillance data, including monitoring, "a fire hose of social media posts to look for evidence of criminal activities."


That reality is making its way into the consciousness of mobile users, albeit slowly. A recent survey on location-based services by the Pew Research Center's Internet Project found that while a large majority of mobile device owners use location services, they are increasingly aware that this allows them to be tracked.

The survey found that, "74 percent of adult smartphone owners ages 18 and older say they use their phone to get directions or other information based on their current location." It also found that 30 percent of social media users aged 18 or older include their location in their posts. That is up from 14 percent in 2011.

But the use of "geosocial" services to "check in" to certain locations or share one's location with friends dropped from 18 percent in early 2012 to 12 percent a year later. And as of September 2012, 46 percent of teen app users reported that they had turned off the location-tracking feature in their device or in an app on that device.

Privacy experts say all mobile users should disable location tracking unless they are actively using an app, like a map program giving them directions. "I generally disable location services except for specific apps at specific moments, such as I'm trying to use Google maps to find a specific place," said Hanni M. Fakhoury, a staff attorney at the Electronic Frontier Foundation (EFF).

They also advise strongly against allowing social media posts to include location. It's not just the obvious risks of publishing the fact that you may be far from home, offering an invitation to burglars. It is also the cumulative impact of thousands of little details about your associations, your beliefs, your habits -- your life.


"Mobile apps are of special concern because smartphones tend to get exceptional data about us -- what time you wake up, when you go to the doctor's office and when you go to McDonald's, whether you drive above the speed limit, and on and on," said Ben Edelman, a privacy expert and an associate professor at Harvard Business School.

"Individually, this data might seem unimportant. But add it up -- millions of users, over months and years -- and it's a portrait of humanity. Never before has so much data been collected about so many. And to what end?"

Rebecca Herold, CEO of The Privacy Professor, warns that, "whenever data is posted online, such as through the auto-location-sharing apps, that data is subject to a wide range of surveillance."

Hanni Fakhoury agrees. "Detailed information about a person's location reveals a lot about that person's associations and activities. And law enforcement is eager to get its hands on that information," he said.

The companies that make the apps and provide the services that use location tracking generally make a point of promising that the user has control over what is shared. Google recently amended its Terms of Service to include what it calls a "shared endorsements" setting that, starting Nov. 11, will show Google+ users' product preferences, along with their profile picture, alongside ads within their social network.

Google's pitch is that the new setting will, "make it easy for you to get great recommendations from your friends." But it emphasizes that, "You're in control: Your content is only shared when you choose, and shared."

The problem with promises like this, Ben Edelman says, is that they are not always kept. "What should happen if a site promises not to track users in a particular way, or not to store or analyze that data in a particular way?" he asked.

"Time and time again, sites break those promises, then users sue, then sites claim, 'Well, you weren't damaged, so you should get zero.' It's true that users struggle to demonstrate actual damages from these violations. But privacy has intrinsic value, and so does honoring your word."

There is also the reality, illustrated by the ongoing revelations from former National Security Agency (NSA) contractor Edward Snowden, that government agencies can and do get access to online activity of individuals. With location tracking, that means not only sites they visited, posts they made or emails they sent. It also means where they went, who else might have been there, how long they stayed and reams of other information.

"We have seen that the NSA, law enforcement, and other government agencies, can get access to basically anything online under FISA (Foreign Intelligence Surveillance Act) and the USA PATRIOT Act," said Rebecca Herold.


"And, very disappointingly, there is no accountability for their actions. I can understand the need to sometimes gain access to some specific individuals who are true terrorists or criminal suspects. However, without requiring the government and law enforcement to be accountable for their actions, it is a huge risk to privacy, and personal security."

Major internet service providers like Google, Microsoft, Skype, Yahoo!, Facebook, YouTube, AOL and Apple have acknowledged providing personal data on their customers when the government demands it. And it is not only the major players. Just this week, Snapchat acknowledged in a blog post that it has been compelled by the Electronic Communications Privacy Act (ECPA) to provide information on its servers to law enforcement.

Robert Siciliano, CEO of IDTheftSecurity, is one of many privacy experts who recommend that users not only disable tracking features unless they are in use and keep privacy settings and permissions "locked down," but also be careful about what they share, what information they provide and what they download.

In an interview, Siciliano said the material he has seen people share on social media, including details like documenting their last months of life or chronicling the dalliances of a cheating spouse, is enabling ever more intrusive surveillance. "Unlimited data storage has become manageable and search software has been refined to explore all the data being produced. Government has been implementing this for over a decade," he said.

And while the companies that collect and store all this data may want it secured as much as their customers do, leaks are as inevitable as death and taxes. "There will always be leaks no matter what," he said.

Stories by Taylor Armerding
