Can I Stalk You? An Intro to Location-Based Service Security

Have you been invited to use Foursquare or Gowalla? Or has one of your friends checked you into a restaurant or a club using Facebook Places? Congratulations, you’re now on the new frontier of social media: location.

Location-based services are sites available through mobile devices that use your exact geographical location to connect you to friends and businesses.

So now you have to decide: Do I need everyone to know where I am?

Okay. Maybe you aren’t letting “everyone” know where you are. Many services limit your information to your friends. But when you share your information with a network, you’re trusting everyone on that network to protect your privacy. So there’s always the potential when using location-based social media that someone you don’t want to see could find your exact location.

Background on Location Services

Google Latitude, which allows you to broadcast your location twenty-four hours a day using GPS  (global positioning system) technology, has been around for more than a year. And once it got over some initial privacy concerns, it basically became another one of Google’s innovative yet obscure services that not too many people use.

To date, only 4% of Americans have tried one a location-based service, and only 1% use one on a weekly basis, according to Gartner. People are not showing much interest in leaving digital breadcrumbs wherever they go.

So why do you have to decide now if you’re ready to start sharing your location?

First of all, more and more people are getting GPS -enabled smartphones. This makes cool apps like our free Anti-Theft for Mobile possible, and it makes it easy to broadcast your location. And more importantly, Facebook is getting into the location game.

How Will Facebook Places Change Your Life?

Facebook Places is now live in the United States, Canada, United Kingdom, Japan, France, Italy and Australia and has already sparked so much interest in location-based social networking that its competitor Foursquare just passed the 4,000,000 registration mark, which means it’s only 546,000,000 users behind Facebook.

With a user base of more than half a billion active users around the globe, Facebook intends to push location networking into the mainstream. It also has added another level to these types of services by allowing users to check their friends into locations. And of course, this could allow for some mischief.

The Potential for Mischief

Using Places, your Facebook friends could check you into places you shouldn’t be like a bar during your lunch hour. That could be a problem with your boss.

But this potential for mischief is inherent in Facebook. Your friends can already lie about you in status updates. Even worse, any of your friends could also easily tag your name in an embarrassing photo you may or may not be in.

(To prevent anyone on Facebook seeing you tagged in friends’ photos and videos you may not approve of, go to “Privacy Settings”>  “Customize Settings”> “Photos and videos I’m tagged in”> “Customize”> “Only Me”)

The best way to minimize risk whenever you’re on Facebook for any reason is to keep your friends list limited to the people you really trust. (If you need a fan club I’d suggest a Facebook fan page. That way you can broadcast Twitter-style without having to worry about sharing personal information and media with strangers.)

Get Your Settings Right

Facebook Places is perfect for two types of Facebook users: Those who have no fear about sharing the most intimate details of their lives and those who have mastered the privacy settings.

No matter who you are, Places should force you to take a good look at who is on your Facebook friends list. Facebook Places is at its safest when you share your location with the people you really trust. And if you don’t know and trust everyone you’re connected with, you need to control exactly who has access to your information every time you post.

Here’s some good advice from a Facebook representative about how to use Places:

“I would recommend creating friend lists to separate people you really trust from others. Then, use the publisher privacy control to send status updates to appropriate groups (and only them). I actually think it may make sense to tell people you really trust that you are gone through Facebook just as you would in person. Then, they can watch your place for you, feed your cat, etc… As for everyone else, if you wouldn’t tell them in person you were leaving town, you probably shouldn’t use Facebook to tell them. As always, we also recommend people only accept friend requests from others they actually know.”

You may want to start by limiting your Places to friends only. Go to “Privacy Settings”.  You can either set all of your “Sharing on Facebook” settings to “Friends Only” . Or click on “Customize Settings” and set “Places I check into” as “Friends Only”.

On this page (“Account”> “Privacy Setting”> “Customize Settings”), you can also decide if you want your friends to see you in a location’s “People Here Now” after you check in that location.

If you click the box to enable “Include me in “People Here Now” after I check in” you’re making it easy for your friends (and strangers, depending on your settings) to find you. Being found is kind of the whole point of places.  And it can be fun if you are open to being contacted by everyone on your friends list. The average person on Facebook has 130 friends and growing. That’s a long list to consider every time you check into a place.

That’s why Facebook and I recommend organizing your friends into lists and only sharing with the people you trust most. You can create lists of people you share with when you’re in town, and those very trusted people you share with when you’re on vacation. But you have to remember to limit your publishing settings every time you check into a place.

To publish your location only to specific people or a specific list, click on the button with a lock next to the “Share” button.

Select “Customize”.

Then select the list friends you want to share your location with. Again, you’ll have to repeat this every time, until Facebook comes up with a “Make this my default setting for Places” check box.

Are You Broadcasting Your Location Now Without Even Knowing It?

The website ICanStalkU.com is trying to make people aware that many smartphones are automatically tagging photos with location data.

You can turn off location tagging on your phone, using ICanStalkU’s handy guide.

The Potential for Physical Danger

Most of us were brought up to be deathly afraid of strangers being able to find us. So you are probably wondering: could using location-based services be dangerous?

It’s possible to imagine a scenario where a stranger could stalk you using the data you’re sharing on Foursquare or Facebook Places. But if you’re using Facebook at all, especially without practicing safer Facebooking, you’re making a stalker’s life easier.

USA Today’s Kim Komando describes a scary real-life scenario. Using Foursquare, a stranger found and contacted a woman as she was eating dinner in a restaurant . That’s the kind of scenario most of us would like to avoid.

If you have any concerns about being profiled or stalked, be very careful about any sort of geolocation services, and social media in general. A recent case suggests that, at least in the U.S., restraining orders are valid in cyberspace. But “better safe than sorry” is a good mantra to repeat while using the mobile Internet.

If you’re living in Mexico City where kidnapping occurs at “alarming rates“, using a service that broadcasts your exact physical situation would be insane. However, if you’re living somewhere where you feel safe in general, geolocating probably won’t add any more danger into your life than any social network would.

If that’s worth the risk of running into someone you didn’t want to see, give it a try. But don’t expect Foursquare to protect your privacy. Here’s a good source of information on how to secure your “check-ins” for Foursquare. You can these basic privacy concepts—like checking in to a destination as you leave—to most any location service.

If you’re an adult who is smart about what you share online, there aren’t many new security risks inherent in using location services. It comes down to this: if in the pit of your stomach you feel any concern about making your location known, don’t do it.

Property Theft

You may have heard about a crime ring in New Hampshire that allegedly targeted more than 50 victims based on their Facebook postings.  It’s a scary revelation that’s easy to sensationalize. The truth about this case is that the victims in this case were friends with the alleged perpetrators. And the victims were not using Facebook Places.

However, F-Secure Security Advisor Sean Sullivan points out that a thief is going to learn a lot more staring at your driveway than at your Facebook page. By using a location service you are making your schedule public, but you’re hopefully not publishing an exact record of who is at your home at any given time. The bad guys may know you’re out, but they don’t know who else is home.

It’s true.  Facebook has been used to facilitate crimes. But the same could be said for the white pages.

Again, Facebook becomes most dangerous when you “friend” people or make information available to people who you may not trust. Social networks make it easy to connect with people from your past or people who you’d never meet. Your information is only as safe as the most questionable member of your network.

Privacy

What you probably think most when you think about privacy is: How will this affect my ability to get a job I want?

Do you need your next boss to know that you at Taco Bell 5 times in March? Will being the “mayor” of a local pub help you during salary negotiations?

Will employers ever check applicants Foursquare accounts. Maybe not. But if they may well check your Facebook page, unless you’re in Finland or possibly Germany. And there they could find your Facebook Places data, unless you’ve carefully set your privacy settings.

This is something you need to think about before you start publishing your whereabouts. While most services intend to limit your data to your chosen friends, there is always a possibility that your social media data can go public.

The privacy of young people is a much more serious concern. Children with cell phones need to be instructed on how to use location-based services safely, if at all.

Experts have said that said teenage girls are most likely to be the victims of cyberextortion. Not too surprising. “Jailbait” websites specialize in gathering provocative pictures of young girls, which may or may not have been posted by the girl herself.

What if your child’s pictures ended up in a lurid site like that with the location information tagged to the image? That’s a privacy problem that could escalate into something much more dangerous. So let know your children know how to disable the geotagging settings on your their phones now.

Conclusion

We are at the dawn of a new era in social networking. Perhaps in a few short years we’ll all know where everyone is all the time. And as that happens, you know that the bad guys will come up with ways to use this technology against us. But for now, it’s a new frontier that might be worth exploring. Perhaps location-based fun will add  layers to your life you never imagined, the way Facebook and Twitter have.

Or you just may want to check out. Disable Facebook Places now and forget that you ever were invited to join a location-based service.

CC image by: David Fisher

More posts from this topic

5825408292_11759e3304_o

Only 10% protected – Interesting study on travelers’ security habits

Kaisu who is working for us is also studying tourism. Her paper on knowledge of and behavior related to information security amongst young travelers was released in May, and is very interesting reading. The world is getting smaller. We travel more and more, and now we can stay online even when travelling. Using IT-services in unknown environments does however introduce new security risks. Kaisu wanted to find out how aware young travelers are of those risks, and what they do to mitigate them. The study contains many interesting facts. Practically all, 95,7%, are carrying a smartphone when travelling. One third is carrying a laptop and one in four a tablet. The most commonly used apps and services are taking pictures, using social networks, communication apps and e-mail, which all are used by about 90% of the travelers. Surfing the web follows close behind at 72%. But I’m not going to repeat it all here. The full story is in the paper. What I find most interesting is however what the report doesn’t state. Everybody is carrying a smartphone and snapping pictures, using social media, surfing the web and communicating. Doesn’t sound too exotic, right? That’s what we do in our everyday life too, not just when travelling. The study does unfortunately not examine the participants’ behavior at home. But I dare to assume that it is quite similar. And I find that to be one of the most valuable findings. Traveling is no longer preventing us from using IT pretty much as we do in our everyday life. I remember when I was a kid long, long ago. This was even before invention of the cellphone. There used to be announcements on the radio in the summer: “Mr. and Mrs. Müller from Germany traveling by car in Lapland. Please contact your son Hans urgently.” Sounds really weird for us who have Messenger, WhatsApp, Facebook, Twitter, Snapchat and Skype installed on our smartphones. There was a time when travelling meant taking a break in your social life. Not anymore. Our social life is today to an increasing extent handled through electronic services. And those services goes with us when travelling, as Kaisu’s study shows. So you have access to the same messaging channels no matter where you are on this small planet. But they all require a data connection, and this is often the main challenge. There are basically two ways to get the data flowing when abroad. You can use data roaming through the cellphone’s ordinary data connection. But that is often too expensive to be feasible, so WiFi offers a good and cheap alternative. Hunting for free WiFi has probably taken the top place on the list of travelers’ concerns, leaving pickpockets and getting burnt in the sun behind. Another conclusion from Kaisu’s study is that travelers have overcome this obstacle, either with data roaming or WiFi. The high usage rates for common services is a clear indication of that. But how do they protect themselves when connecting to exotic networks? About 10% are using a VPN and about 20% say they avoid public WiFi. That leaves us with over 70% who are doing something else, or doing nothing. Some of them are using data roaming, but I’m afraid most of them just use whatever WiFi is available, either ignoring the risks or being totally unaware. That’s not too smart. Connecting to a malicious WiFi network can expose you to eavesdropping, malware attacks, phishing and a handful other nasty tricks. It’s amazing that only 10% of the respondents have found the simple and obvious solution, a VPN. It stands for Virtual Private Network and creates a protected “tunnel” for your data through the potentially harmful free networks. Sounds too nerdy? No, it’s really easy. Just check out Freedome. It’s the super-simple way to be among the smart 10%.   Safe surfing, Micke   PS. I recently let go of my old beloved Nokia Lumia. Why? Mainly because I couldn’t use Freedome on it, and I really want the freedom it gives me while abroad.   Image by Moyan Brenn  

August 24, 2015
BY 
suicide

Forget the personality tests – Ask Facebook instead (Poll)

It’s amazing how advertising can power huge companies. Google has over 57 000 employees and some 66 billion US dollars in revenue. And Facebook with 12 billion and 10 000 employees. These two giants are the best know providers of ad-financed services on the net. And modern advertising is targeted, which means that they must know what the users want to see. Which means that they must know you. Let’s take a closer look at Facebook. We have already written about their advertising preferences and I have been following my data for some time. Part of the data used to target ads is input by yourself, age, gender, hometown, movies you seen etc. But Facebook also analyzes what you do, both in Facebook and on other sites, to find out what you like. It’s obvious how the tracking works inside Facebook itself. Their servers just simply record what links you click. Tracking in the rest of the net is more sinister, it’s described in this earlier post. Your activity record is analyzed and you are assigned to classes of interest, called “Your Ad Preferences” by Facebook. Advertisers can then select classes they want to target, and the ad may be shown to you based on these classes. You can view and manage the list using a page that is fairly well hidden deep in Facebook’s menus. Let’s check your preferences in moment, but first some thoughts about this. Advertising may be annoying, but it is the engine that drives so many “free” services nowadays. So I’m not going to blame Facebook for being ad-financed. I’m not going to blame them for doing targeted ads either. That can in theory be a good thing, you see more relevant ads that potentially can be of value to you. But any targeted ad scheme must be based on data collection, and this is the tricky part. Can we trust Facebook et al. to handle these quite extensive personal profiles and not misuse them for other purposes? It’s also nice that Facebook is somewhat open about this and let you view “Your Ad Preferences” (Note. Not available in all countries.). But that name is really misleading. The name should be “Facebook’s Ad Preferences for You”. Yes, you can view and delete classes, but that gives you a false sense of control. Facebook keeps analyzing what you do and deleted classes will reappear shortly. I made a full clean-up a couple of months ago, but now I have no less than 210 classes of interest again! This is really amazing if you take into account that I block tracking outside of Facebook, so those activities are not contributing. And I have a principle of not clicking ads in any on-line media, including Facebook. And liking commercial pages in a very restrictive manner. But the thing is that Facebook has realized that people dislike ads. “Suggested posts” or “Sponsored posts” are in fact masqueraded ads and any interaction with them will record your interest in the classes they represent. I have to admit that I do click this kind of content regularly. And where did that suicide thing come from? No, I’m fine. I’m not going to jump off a bridge and I’m not worried about any of my dearests’ mental health. I have not interacted with any kind of Facebook content related to suicide. Except that I can’t know that for sure. Facebook tries to give an open and honest image of itself when presenting its Ad Preferences settings and the possibilities to manage them. But this rosy picture is not the full truth. The inner workings of Facebook advertising is in reality a very complex secret system. When you interact with something on Facebook, you have no way of knowing how it affects your profile. Something I have clicked was apparently associated with suicides even if I had no clue about it. Ok, time to take the Facebook personality test. Let’s see what kind of person they think you are. Follow these instructions: Go to Facebook and locate an ad, a “sponsored post” or a “suggested post”. These items should have a cross or a down-arrow in the upper right corner. Click it. Select “Why am I seeing this?” from the pop-up menu. This screen contains some interesting info but proceed to “Manage your ad preferences”. Review the list and come back here to tell us what you think of it. Delete the inappropriate classes. Deleting all may reduce the number of ads you see.   So let’s see what people think about this test’s accuracy:   [polldaddy poll=9023953]   So using Facebook’s Ad Preferences as a personality test may be entertaining, but not very accurate after all. You should probably look elsewhere for a real test. The catch is that you can select what test to take, but not how others collect data about you. Someone else may rely on this test when evaluating you. You have actually granted Facebook the right to share this data with basically anyone. Remember this clause in the agreement that you read and approved before signing up? “We transfer information to vendors, service providers, and other partners who globally support our business, such as providing technical infrastructure services, analyzing how our Services are used, measuring the effectiveness of ads and services, providing customer service, facilitating payments, or conducting academic research and surveys.” You did read it before signing, didn’t you?   Safe surfing, Micke   Image: Screenshot from facebook.com  

August 13, 2015
BY 
AshleyMadison

Is it OK to cheat on the AshleyMadison cheaters? (Poll)

The user register of AshleyMadison has been hacked. You don’t know what that is? Well, that’s perfectly fine. It’s a dating site for people who want to cheat on their spouses. Many dislike this site for moral reasons, but there is apparently a demand for it. The Canadian site has some 37 million users globally! Some user data has already been leaked out and the hackers, calling themselves Impact Team, have announced that they will leak the rest unless the site shuts down. So this hack could contribute to many, many divorces and a lot of personal problems! "We will release all customer records, profiles with all the customers' sexual fantasies, nude pictures and conversations and matching credit card transactions, real names and addresses." The Impact Team This is one hack in a long row, not the first and certainly not the last site hack where user data is leaked. But it is still remarkable because of the site’s sensitive nature. Think about it. What kind of information do you store in web portals and what bad could happen if that data leaks out? If you are cheating on your spouse, then that is probably one the most precious secrets you have. Disclosure of it could have devastating effects on your marriage, and maybe on your whole life. Millions of users have put their faith in AshleyMadison’s hands and trusted them with this precious secret. AshleyMadison didn’t misuse the data deliberately, but they failed to protect it properly. So it’s not that far-fetched to say that they cheated on the cheaters. What makes the AshleyMadison hack even worse is the site’s commercial nature. Users typically pay with a credit card issued in their own name. They can appear anonymously to their peers, but their true identities are known to the site owner, and stored in the database. So any leaked information can be linked reliably to real people. The sad thing is that the possibility of a leak probably never even crossed the mind of these 37 million users. And this is really the moral of the story. Always think twice before storing sensitive information in a data system. You must trust the operator of the system to not misuse your data, but also to have the skills, motivation and resources to protect it properly. And you have very poor abilities to really verify how trustworthy a site is. This is not easy! Refraining from using a site is naturally the ultimate protection. But we can’t stop using the net altogether. We must take some risks, but let’s at least think about it and reflect over what a compromised site could mean. This hack is really interesting in another way too. AshleyMadison is a highly controversial site as cheating is in conflict with our society’s traditional moral norms. The hack is no doubt a criminal act, but some people still applaud it. They think the cheaters just got what they deserved. What do you think? Is it right when someone takes the law in his own hands to fight immorality? Or should the law be strictly obeyed even in cases like this? Can this illegal hacking be justified with moral and ethical arguments? [polldaddy poll=8989656]       Micke   Image: Screenshot from www.ashleymadison.com  

July 21, 2015
BY