Mobile Location Services – A Closer Look at Privacy and Security Issues

finjanmobileBlog, Mobile Security

Location Services

Technologies enabling your real-time location to be established by your mobile and automotive devices (Yes, a car is a mobile device as well, when you think about it) make life easier and more enjoyable in any number of ways: Predicting the local weather so you’ll know to take an umbrella when you saunter off for that important lunch meeting at your nearest Starbucks (the route helpfully mapped out for you on your tablet screen), discount offers from that furniture warehouse close to you as a targeted follow-up on that coffee table you had delivered to your apartment last week… The list goes on.

Convenient and clever. But in the desire to reap the benefits of location-based services, or in the simple act of taking them for granted (Hey, everyone uses them. They’re built into my phone. They’ve got to be safe, right?) users may be unaware of the potential dangers posed by these technologies – and the implications of how their location is being determined, and who is being permitted access to that information.

Location Services – The Technology

In-car navigation systems and mobile devices can determine your location using a number of mechanisms, including GPS technology (Global Positioning System – using satellite relays and bounced signals), the triangulation of signals from cell phone towers in various locations, Bluetooth, aggregating the position of WiFi internet access points, and crowd-sourcing (calculating positions from statistics gathered from a number of sources). Combinations of techniques such as A-GPS or Assisted-GPS are also used.

As with internet security, these technologies may be prone to signal interception and hijacking for the purposes of stealing or corrupting the data streams which pass through them. So adequate safeguards need to be put in place to ensure the integrity and smooth passage of signals and information.

Beyond this, there are other issues – chiefly dealing with the manner in which your location data is handled by those responsible for providing the services.

Location Services – Matters of Consent

It’s something of a legal requirement for mobile applications and providers to elicit your consent before you agree to subscribe to a service or install/activate an app that can record or broadcast your current location and related data. Only “something”, as there are as yet no globally binding legal frameworks to police this – although the European Union’s recent adoption of stringent rules on data privacy are going some way towards establishing this.

The usual practice is for your consent to be delivered in the form of an “I Agree” check box or button click at the end of an application or service’s Terms & Conditions, statement of Permissions, or End-User License Agreement (EULA). Fine in theory, but such documents are often obliquely worded or so lengthy as to discourage users from actually reading them, before providing their consent to what they imagine will be a life-enhancing service or app.

Location Services – Questions of Privacy

The truth of the matter is that such agreements are sometimes deliberately misleading, and contain only veiled references to practices such as the selling on of customer location data to third parties like advertising networks or market research bodies – some or all of which may have lax procedures for data handling. And there’s no guarantee that your location data won’t be passed on to government agencies (foreign and domestic), rival corporations, or worse.

Users of iOS applications have been feeling this acutely, as an increasing number of apps are bypassing safeguards such as the deactivation of Location Services to record their location and related data without either their knowledge or consent. Apps have been able to circumvent the programming guidelines laid down by iOS Location Services, and the application vetting procedure at the iTunes App Store doesn’t include a check on the handling of location data – even though this information is held on devices and transmitted in an unencrypted form.

Profiling and Identity Theft

As well as being shared with unknown third parties, location service information may be used inappropriately to track a user’s travel patterns, buying habits, and general behavior. At one level, this monitoring could extend to the building up of a profile of activities and movements that includes not only your business and commercial dealings but also the schools that your kids attend, and the location and nature of any political gatherings or religious services you might attend.

At another, more sinister level, enough information could conceivably be gathered via location services for a complete personality profile to be drawn up, and a user’s identity then sold on to third parties for criminal or other purposes.

Stalking and Personal Security Issues

A location service could quite easily provide criminal elements with a comprehensive picture of an individual’s activities and movements which, together with personally identifiable information (PII, which may be included in the location service data) could give them an accurate indication of where a person currently is, where they aren’t, and/or where they’re likely to be in the near future.

This has obvious implications for those wishing to perpetrate thefts or burglaries, personal assaults, or even assassinations. It’s also a serious weapon in the armory of the potential stalker.

Surveillance Culture

It’s not just other individuals who can use location services to trace your steps. Law enforcement agencies with the proper court orders may be empowered to access location data from various sources. Beyond this, they may even exercise the privilege to use location service information in ongoing investigations, suspect profiling, and a range of other activities.

Strategies for Safety

There are a number of measures which individual and corporate users may take to limit the extent of their exposure to the risks posed by mobile location services.

  • If disabling location services altogether will negatively impact your life or business operations, then use them selectively – and with caution.
  • Share your location only with people or institutions that you trust – and disable any options that allow others to share your location.
  • Consider disabling geo-tagging features, which can add location tags to your posts and interactions on social media.
  • Before downloading, installing, or activating a location-enabled app or signing up for a location-based service, carefully study the paperwork (EULA, permissions, etc.) for suspicious references or outright admissions of dubious use of your personal data.
  • Enterprise administrators should perform a risk assessment of all mobile apps to be used on their corporate network, using a dedicated network protocol analyzer.
  • Traffic analysis should be coupled with data loss prevention (DLP) technology to safeguard information on corporate networks.

Share this Post