CAT | GeoLocation
Last week I did an interview on a San Diego news program about issues with many cameras and smart phones in particular embedding very accurate location information in your pictures. If your camera (smart phone or whatever) has GPS, then the EXIF meta data in the picture will contain your location to within about 20 feet. This can be disabled, but is typically on by default.
While this can be useful when you are trying to sort and organize the pictures on your computer, the risk shows up when you start to share the pictures. By combining date and time information in the pictures I can tell if they are recent. If you are on vacation and posting on the road, an attacker can tell that you are away from home and your home probably unguarded. Pictures of your home and family can provide the exact location of your house as well.
The good news is that major sites for sharing pictures like Facebook and Flickr seem to strip out that information from the photos. It is unclear if that is intentional or just a byproduct of how they are processing and displaying the images. In any case, the data is certainly available to the sites themselves.
I strongly encourage everyone to download an EXIF editor to be able to strip this information from pictures before uploading, and to turn off location tracking in their cameras and mobile phone photo applications to prevent the capture of that information in the first place.
The story is about a german politician Malte Spitz who sued to obtain the retained cell tower records for his own phone, then provided them to the newspaper. The newspaper has created a nice map and timeline tool to allow you to play Spitz’s movements over 6 months. The resolution is impressive and should be a real wake up call about the level of detailed information being gathered on us all.
Of course, if the phone company was capturing GPS or WiFi based location information the data would be much more accurate. While GPS would quickly drain the battery, many modern phones have WiFi enabled all the time, so that information would be readily available without any additional impact on the phone’s performance.
There has been a lot of excitement in the privacy community around the introduction of a social location service by Facebook. Having blown the dust off my test account, I don’t really understand all the fuss.
It appears that this capability only applies to mobile devices right now (although I have blogged in the past about the ability to locate your computer). When using the mobile site, or the FaceBook app, there is a button that allows you to “Check In” at your current location. It appears that this is exclusively an overt act, and that nothing is taking place passively in the background.
The privacy defaults (at least for me) were fairly restrictive. My check-in is only shared with “friends” by default. The only really interesting setting was that it defaults to show your location to others who are checked-in at the same location around the same time, but that was easily changed.
The FAQ talks about and links to the privacy settings in a prominent way. It feels strange to say this, but I don’t think they have done a bad thing here. Obviously there are major privacy and security implications to telling people where you are all the time, and it may lead to stalking and/or home robberies, but you really have to ask them to do it to you. Caveat emptor.
Of course, none of this should suggest that I have any intention of ever using the service myself.
I note that most of the other social location players, like Gowalla, Yelp, Booyah and Foursquare were at the announcement. This could certainly impact them in a big way, either for good or ill. That seems like the real story, and my thoughts on that are well out of scope for this blog.
This very short article describes a really simple attack that enables someone to discover your physical location with a very high degree of reliability and accuracy.
Given that information, it is easy to pass this information to a Location Services API which returns a location good to a few hundred feet, sometimes much closer. Here is a website that does this for you.
In an interesting CNET article Google CEO Schmidt talks about how new technologies are going to impact society. One of his comments really struck me. Schmidt said that the only way to handle the new technologies is “much greater transparency and no anonymity.”
I have not seen the arguments and evidence behind such a bold claim. I would have argued exactly the opposite. We need MORE anonymity for users and more transparency and accountability from data collectors like Google.