Location-Aware Apps: Will We Lose Privacy Location Forever?

Are you a human homing beacon? Privacy risks skyrocket in proportion to the plethora of programs that share users’ real-time location information.

With the increasing popularity and expected market explosion of location-aware applications, the dangerous side effects of location-sharing should be addressed. This mean corporations need to put some effort into user-friendly privacy controls. Lip service and a generic privacy policy will not cut it. And yet, recent research shows that nearly 1/3 of location-aware applications have no published privacy policy at all -- let alone backing a policy with teeth.

Like lax security and the subsequent breach that inevitably follows, once someone's privacy has been victimized, it cannot be undone. That's when people start screaming about their data going public and pointing fingers. I urge location-aware developers and companies to be transparent and proactive about privacy. So I was especially interested in some research by Carnegie Mellon's CyLab Usable Privacy and Security Laboratory (CUPS). CUPS surveyed 587 American Internet users and analyzed the privacy policies of 89 location-sharing services.

According to The Location-Sharing Technologies: Privacy Risks and Controls research, 66% of location-aware applications have privacy policies. But those policies don't do much to protect the user. Most of them say they will be collecting and saving all location data, personal profile information, and identifying web information like IP addresses for an indefinite amount of time. Who do they share their information with? If we authorize service A to handle our data, but A talks to Service B which then connects to Service C, users have the right to know that Service B and C now also have their information. Service A might be extremely secure, but what if B or C is hacked?

76% of location apps do have privacy controls, but 70% lack immediately accessible privacy controls. That's unacceptable.

I'm not saying that there is no potential value of these location-aware applications at all. People that participated in the study said there are some applications that are worth the privacy risks. These include finding people in an emergency, finding information based on location that you actually want (like directions to the nearest coffee shop), and finding (and tracking) your teenagers.

The greatest expected harms from using location-based apps are revealing one’s home and being stalked, respondents said. The study revealed people also worried about being tracked by the government and didn't want to be annoyed by receiving ads based on one’s locations.

The Please Rob Me service initially pointed out the potential risks of over-sharing by aggregating publicly shared check-ins and tweeting who was where. The site stopped its social experiment after its creators were satisfied that they had freaked out a significant number of location-aware app users.

The EFF sounded a warning nearly a year ago On Locational Privacy, and How to Avoid Losing it Forever. I contacted the EFF about location-aware apps. EFF's Rebecca Jeschke pointed out, "A lot of location-based technologies are very useful and interesting. But it's important to ask a few key questions before you decide to interact with these applications. Location-based technologies often create and store records of your movements, so you should learn what a company's policy is about how long those records are kept, who can access them, and how they are protected. Location-based services can make it possible for others to know a lot about your life, and so we'd like to see more technologies created with privacy-protecting algorithms built in. Then we can enjoy their convenience without the privacy risk."

Geofencing is a virtual perimeter or "fence" around a location. When people carry cell phones across that perimeter, the system becomes aware of their proximity. It can then push information to the nearby phones. Applications in personal security through geofencing could range from alerting a mom that her child has left the school grounds, to alerting people that approach the perimeter of a looming natural disaster. But a coffee shop pinging your cell phone with a cappuccino bargain when you’re 300 feet away? Geofencing should provide a service, not an ad, and needs to have transparent settings to opt in and out.

The more people purchase smart-phones and other GPS-enabled devices, the more these services will grow. Unlike the Facebook privacy debacle with its third party apps full of potential holes to be exploited, users that try location-aware apps become human homing beacons. A "privacy catastrophe" could mean being mugged or raped. Why wait for that before pushing for privacy rights and addressing location-aware privacy issues?

Let's press for privacy controls before these location-aware apps misuse our trust. It's too late after that trust has been broken with location breaches which could have annoying to deadly consequences.

As much as it pains me to admit it, there are potential benefits, so this is a fight worth fighting. More security information about identifying privacy attacks and current defense techniques can be read here: Privacy in Location-Based Applications: Research Issues and Emerging Trends.

NEW! Download the Fall 2018 issue of Security Smart