Location services abound in apps everywhere. Your smartphone is constantly tracking your location whether to guage traffic, share with loved ones your whereabouts, or get the weather. However, this can lead to all sorts of abuses which are not immediately obvious to most.
Let’s delve into it and see what’s at stake.
The Power of Location Services
Have you ever thought of the negative impact from constantly sharing your location either by choice or default? It may seem like only a little can be discerned from a person’s location; however, the rabbit hole goes deep.
Imagine if you knew someone’s location every 15 minutes or so. Assume you do not know who the person is. How easy is it to discover their identity?
Combining location services data with publically available data sets can yield a lot of intelligence. Unmasking the identity would be very easy. In this case you could look for where the person is from maybe midnight to 6am. Unless they are couch surfing this will be their home. Walking over to Google Maps and then querying for the publically available real estate records tell us who they are.
Let’s continue this a little bit more. Big deal someone knows your location? Here are some things that would be rather simple to deduce from location and publically available data:
- I know where you work because I can tell where you are during business hours. If you work a night shift I’ll know that too.
- If you go to another house of say family or friends I can create a network of your associations.
- Deviations from patterns can cue suspicion during surveillance.
- I can know who your mistress is
- I can know who your drug dealer is
- I can guess at your medical situation by seeing that you went to a specialist.
- I know where you like to shop, vacation, etc.
As you can see – location alone can easily reveal huge amounts of information. Identifying the person is trivial. Worse still is deriving so much more contextual data about someone that you can build a profile of them.
But how often does this open disclosure of location services take place? More than you know…
Bounty Hunt Location Services
Major telecommunication firms are selling access to their customer’s data. In a few short hops it makes its way to bounty hunters, marketing firms, etc.
Read this article from Motherboard for a typical story. Basically for about $200 you can find the location of most any phone in the US. There isn’t even any hacking involved. It is real time location data straight from the telcos.
Data collectors such as Verizon, AT&T, Sprint, and T-Mobile all sell this information. What makes it extra ironic is the fact that law enforcement needs a warrant to track your phone – but private dealers can freely trade your data.
“Your mobile phone is constantly communicating with nearby cell phone towers, so your telecom provider knows where to route calls and texts. From this, telecom companies also work out the phone’s approximate location based on its proximity to those towers.”https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile
There are legitimate and uncontroversial reasons to track location. Your mobile phone needs to talk with cell phone towers to route your calls and texts. Financial companies use your location data as a form of fraud detection.
From the telcos your location data makes its way to what are called “aggregators”. This isn’t conjecture or supposition but rather established fact. Look at this letter between Senator Ron Wyden, a privacy advocate, and AT&T.
In short, AT&T confirms the authorize 3rd parties to access their customer data and location services. The consent is not as hard to argue for them. An aggregator – an intermediary company – typically manages the requests for data across multiple carriers.
This is all a form of OSINT – Open Source Intelligence.
Here’s another story about phone apps tracking a woman’s location. The New York Times reports about this.
Although targeted ads are the most common usage of location data, your privacy can be infringed upon once it gets out. This article is worth a read – just look at the infographics explaining what happened.
Weather Channel and Your Location
IBM recently acquired the Weather Channel. Why might a large IT consulting organization want to know your weather? Because there is big money in that location service and it has value in the market. Mining your private data can yield big bucks!
The Weather Channel app told users that sharing their locations would let them get personalized local weather reports. However, it did not tell them that the location data would be sold to who knows who.
“Unbeknownst to many users, the Weather Channel App has tracked users’ detailed geolocation data for years, analyzing and/or transferring that data to third parties for a variety of commercial and advertising purposes, including for targeted advertisements based on locations users frequent, and for hedge funds interested in analyzing consumer behavior,” the lawsuit said.
Hope Under the Law
People tend to stick to whatever default is set. If the above choice with the Weather Channel app were more stark then more people would opt-out and say no. From a technology standpoint, opt-out should be the default instead of opt-in.
In October 2017 the US Supreme Court issued an opinion in the case of Carpenter v. United States. The 5-4 ruling said that the Fourth Ammendment protects cell phone location information.
Perhaps the most significant part of today’s ruling for the future is its explicit recognition that individuals can maintain an expectation of privacy in information that they provide to third parties. The Court termed that a “rare” case, but it’s clear that other invasive surveillance technologies, particularly those than can track individuals through physical space, are now ripe for challenge in light of Carpenter.https://www.eff.org/deeplinks/2018/06/victory-supreme-court-says-fourth-amendment-applies-cell-phone-tracking
The EFF published the court document here to read. in the meanwhile stay vigilent!
If you liked this post then you might also like: Privacy Day 2019 – Awareness and Action