Can I Stalk You? An Intro to Location-Based Service Security

Have you been invited to use Foursquare or Gowalla? Or has one of your friends checked you into a restaurant or a club using Facebook Places? Congratulations, you’re now on the new frontier of social media: location.

Location-based services are sites available through mobile devices that use your exact geographical location to connect you to friends and businesses.

So now you have to decide: Do I need everyone to know where I am?

Okay. Maybe you aren’t letting “everyone” know where you are. Many services limit your information to your friends. But when you share your information with a network, you’re trusting everyone on that network to protect your privacy. So there’s always the potential when using location-based social media that someone you don’t want to see could find your exact location.

Background on Location Services

Google Latitude, which allows you to broadcast your location twenty-four hours a day using GPS (global positioning system) technology, has been around for more than a year. And once it got over some initial privacy concerns, it basically became another one of Google’s innovative yet obscure services that not too many people use.

To date, only 4% of Americans have tried a location-based service, and only 1% use one on a weekly basis, according to Gartner. People are not showing much interest in leaving digital breadcrumbs wherever they go.

So why do you have to decide now if you’re ready to start sharing your location?

First of all, more and more people are getting GPS-enabled smartphones. This makes cool apps like our free Anti-Theft for Mobile possible, and it makes it easy to broadcast your location. And more importantly, Facebook is getting into the location game.

How Will Facebook Places Change Your Life?

Facebook Places is now live in the United States, Canada, United Kingdom, Japan, France, Italy and Australia and has already sparked so much interest in location-based social networking that its competitor Foursquare just passed the 4,000,000 registration mark, which means it’s only 546,000,000 users behind Facebook.

With a user base of more than half a billion active users around the globe, Facebook intends to push location networking into the mainstream. It also has added another level to these types of services by allowing users to check their friends into locations. And of course, this could allow for some mischief.

The Potential for Mischief

Using Places, your Facebook friends could check you into places you shouldn’t be, like a bar during your lunch hour. That could be a problem with your boss.

But this potential for mischief is inherent in Facebook. Your friends can already lie about you in status updates. Even worse, any of your friends could also easily tag your name in an embarrassing photo you may or may not be in.

(To prevent anyone on Facebook seeing you tagged in friends’ photos and videos you may not approve of, go to “Privacy Settings” > “Customize Settings” > “Photos and videos I’m tagged in” > “Customize” > “Only Me”.)

The best way to minimize risk whenever you’re on Facebook for any reason is to keep your friends list limited to the people you really trust. (If you need a fan club I’d suggest a Facebook fan page. That way you can broadcast Twitter-style without having to worry about sharing personal information and media with strangers.)

Get Your Settings Right

Facebook Places is perfect for two types of Facebook users: Those who have no fear about sharing the most intimate details of their lives and those who have mastered the privacy settings.

No matter who you are, Places should force you to take a good look at who is on your Facebook friends list. Facebook Places is at its safest when you share your location with the people you really trust. And if you don’t know and trust everyone you’re connected with, you need to control exactly who has access to your information every time you post.

Here’s some good advice from a Facebook representative about how to use Places:

“I would recommend creating friend lists to separate people you really trust from others. Then, use the publisher privacy control to send status updates to appropriate groups (and only them). I actually think it may make sense to tell people you really trust that you are gone through Facebook just as you would in person. Then, they can watch your place for you, feed your cat, etc… As for everyone else, if you wouldn’t tell them in person you were leaving town, you probably shouldn’t use Facebook to tell them. As always, we also recommend people only accept friend requests from others they actually know.”

You may want to start by limiting your Places to friends only. Go to “Privacy Settings”. You can either set all of your “Sharing on Facebook” settings to “Friends Only”, or click on “Customize Settings” and set “Places I check into” to “Friends Only”.

On this page (“Account” > “Privacy Settings” > “Customize Settings”), you can also decide if you want your friends to see you in a location’s “People Here Now” after you check in at that location.

If you click the box to enable “Include me in ‘People Here Now’ after I check in”, you’re making it easy for your friends (and strangers, depending on your settings) to find you. Being found is kind of the whole point of Places. And it can be fun if you are open to being contacted by everyone on your friends list. The average person on Facebook has 130 friends and growing. That’s a long list to consider every time you check into a place.

That’s why Facebook and I recommend organizing your friends into lists and only sharing with the people you trust most. You can create lists of people you share with when you’re in town, and those very trusted people you share with when you’re on vacation. But you have to remember to limit your publishing settings every time you check into a place.

To publish your location only to specific people or a specific list, click on the button with a lock next to the “Share” button.

Select “Customize”.

Then select the list of friends you want to share your location with. Again, you’ll have to repeat this every time, until Facebook comes up with a “Make this my default setting for Places” check box.

Are You Broadcasting Your Location Now Without Even Knowing It?

The website is trying to make people aware that many smartphones are automatically tagging photos with location data.

You can turn off location tagging on your phone, using ICanStalkU’s handy guide.
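To check what a photo would reveal before you post it, the sketch below (an added example, not from the original post or from ICanStalkU) reads the GPS block that a geotagging phone writes into a JPEG's EXIF metadata, then strips the EXIF segment. The sample file and its coordinates are constructed for the illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def segments(jpeg):
    """Yield (marker, start, end) for each segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def read_ifd(tiff, offset, bo):
    """Return {tag: raw 4-byte value field} for one TIFF directory."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    return {struct.unpack_from(bo + "H", tiff, offset + 2 + 12 * i)[0]:
            tiff[offset + 10 + 12 * i:offset + 14 + 12 * i] for i in range(count)}

def degrees(tiff, field, bo):
    """Decode the three RATIONALs (deg, min, sec) that `field` points to."""
    v = struct.unpack_from(bo + "6I", tiff, struct.unpack(bo + "I", field)[0])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def gps_position(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if not geotagged."""
    for marker, start, end in segments(jpeg):
        if is_exif(jpeg, marker, start):
            tiff = jpeg[start + 10:end]
            bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
            ifd0 = read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
            if GPS_IFD_TAG in ifd0:
                gps = read_ifd(tiff, struct.unpack(bo + "I", ifd0[GPS_IFD_TAG])[0], bo)
                if gps.keys() >= {1, 2, 3, 4}:  # lat ref, lat, lon ref, lon
                    lat = degrees(tiff, gps[2], bo) * (-1 if gps[1][:1] == b"S" else 1)
                    lon = degrees(tiff, gps[4], bo) * (-1 if gps[3][:1] == b"W" else 1)
                    return lat, lon
    return None

def strip_exif(jpeg):
    """Return a copy of the file with every Exif segment removed."""
    out = jpeg
    for marker, start, end in reversed(list(segments(jpeg))):
        if is_exif(jpeg, marker, start):
            out = out[:start] + out[end:]
    return out

def build_sample():
    """Constructed test file: an empty JPEG shell tagged 10 deg 30' N, 20 deg 15' W."""
    def entry(tag, typ, count, value):
        return struct.pack("<HHI", tag, typ, count) + value
    ifd0 = struct.pack("<H", 1) + entry(GPS_IFD_TAG, 4, 1, struct.pack("<I", 26)) + bytes(4)
    gps = (struct.pack("<H", 4)
           + entry(1, 2, 2, b"N\0\0\0") + entry(2, 5, 3, struct.pack("<I", 80))
           + entry(3, 2, 2, b"W\0\0\0") + entry(4, 5, 3, struct.pack("<I", 104)) + bytes(4))
    coords = struct.pack("<12I", 10, 1, 30, 1, 0, 1, 20, 1, 15, 1, 0, 1)
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + coords
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    photo = build_sample()
    print(gps_position(photo), "->", gps_position(strip_exif(photo)))
```

Removing the whole EXIF segment also drops harmless fields such as camera model and orientation, which is usually an acceptable trade for a photo headed to a social network.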

The Potential for Physical Danger

Most of us were brought up to be deathly afraid of strangers being able to find us. So you are probably wondering: could using location-based services be dangerous?

It’s possible to imagine a scenario where a stranger could stalk you using the data you’re sharing on Foursquare or Facebook Places. But if you’re using Facebook at all, especially without practicing safer Facebooking, you’re making a stalker’s life easier.

USA Today’s Kim Komando describes a scary real-life scenario. Using Foursquare, a stranger found and contacted a woman as she was eating dinner in a restaurant. That’s the kind of scenario most of us would like to avoid.

If you have any concerns about being profiled or stalked, be very careful about any sort of geolocation services, and social media in general. A recent case suggests that, at least in the U.S., restraining orders are valid in cyberspace. But “better safe than sorry” is a good mantra to repeat while using the mobile Internet.

If you’re living in Mexico City where kidnapping occurs at “alarming rates”, using a service that broadcasts your exact physical situation would be insane. However, if you’re living somewhere where you feel safe in general, geolocating probably won’t add any more danger into your life than any social network would.

If that’s worth the risk of running into someone you didn’t want to see, give it a try. But don’t expect Foursquare to protect your privacy. Here’s a good source of information on how to secure your “check-ins” for Foursquare. You can apply these basic privacy concepts—like checking in to a destination as you leave—to most any location service.

If you’re an adult who is smart about what you share online, there aren’t many new security risks inherent in using location services. It comes down to this: if in the pit of your stomach you feel any concern about making your location known, don’t do it.

Property Theft

You may have heard about a crime ring in New Hampshire that allegedly targeted more than 50 victims based on their Facebook postings. It’s a scary revelation that’s easy to sensationalize. The truth is that the victims in this case were friends with the alleged perpetrators. And the victims were not using Facebook Places.

However, F-Secure Security Advisor Sean Sullivan points out that a thief is going to learn a lot more staring at your driveway than at your Facebook page. By using a location service you are making your schedule public, but you’re hopefully not publishing an exact record of who is at your home at any given time. The bad guys may know you’re out, but they don’t know who else is home.

It’s true. Facebook has been used to facilitate crimes. But the same could be said for the white pages.

Again, Facebook becomes most dangerous when you “friend” people or make information available to people who you may not trust. Social networks make it easy to connect with people from your past or people who you’d never meet. Your information is only as safe as the most questionable member of your network.


What you probably think most when you think about privacy is: How will this affect my ability to get a job I want?

Do you need your next boss to know that you were at Taco Bell 5 times in March? Will being the “mayor” of a local pub help you during salary negotiations?

Will employers ever check applicants’ Foursquare accounts? Maybe not. But they may well check your Facebook page, unless you’re in Finland or possibly Germany. And there they could find your Facebook Places data, unless you’ve carefully set your privacy settings.

This is something you need to think about before you start publishing your whereabouts. While most services intend to limit your data to your chosen friends, there is always a possibility that your social media data can go public.

The privacy of young people is a much more serious concern. Children with cell phones need to be instructed on how to use location-based services safely, if at all.

Experts have said that teenage girls are most likely to be the victims of cyberextortion. Not too surprising. “Jailbait” websites specialize in gathering provocative pictures of young girls, which may or may not have been posted by the girl herself.

What if your child’s pictures ended up in a lurid site like that with the location information tagged to the image? That’s a privacy problem that could escalate into something much more dangerous. So let your children know how to disable the geotagging settings on their phones now.


We are at the dawn of a new era in social networking. Perhaps in a few short years we’ll all know where everyone is all the time. And as that happens, you know that the bad guys will come up with ways to use this technology against us. But for now, it’s a new frontier that might be worth exploring. Perhaps location-based fun will add layers to your life you never imagined, the way Facebook and Twitter have.

Or you just may want to check out. Disable Facebook Places now and forget that you ever were invited to join a location-based service.

CC image by: David Fisher

More posts from this topic


A temporary profile picture but permanent app permissions

We are all sad about what happened in Paris last Friday. It’s said that the terrorist attacks have changed the world. That is no doubt true, and one aspect of that is how social media becomes more important in situations like this. Facebook has deployed two functions that help people deal with this kind of crisis.

The Safety Check feature collects info about people in the area of a disaster, and if they are safe or not. This feature was initially created for natural disasters. Facebook received criticism for using it in Paris but not for the Beirut bombings a day earlier. It turned out that their explanation is quite good. Beirut made them think if the feature should be used for terror attacks as well, and they were ready to change the policy when Paris happened.

The other feature lets you use a temporary profile picture with some appropriate overlay, the tricolor in this case. This is a nice and easy way to show sympathy. And it became popular very quickly, at least among my friends. The downside is however that it seemed so popular that those without a tricolor were sticking out. Some people started asking them why they aren’t supporting the victims in Paris. The whole thing has lost part of its meaning when it goes that far. We can’t know anymore who genuinely supports France and who changed the picture because of the social pressure.

I changed my picture too. And it was interesting to see how the feature was implemented. The Facebook app for iOS 9 launched a wizard that let me make a picture with the tricolor overlay, either by snapping a new selfie or using one of my previous profile pictures. I guess the latter is what most people want to do. But Facebook’s wizard requires permissions to use the camera and refuses to start until the user has given that permission. Even if you just want to modify an existing picture.

Even more spooky. The wizard also asked for permission to use the microphone when I first ran it. That is, needless to say, totally unnecessary when creating a profile picture. And Facebook has been accused of misusing audio data. It’s doubtful if they really do, but the only sure thing is that they don’t if you deny Facebook microphone access. But that was probably a temporary glitch, I was not able to reproduce the mic request when resetting everything and running the wizard again.

Your new profile picture may be temporary, but any rights you grant the Facebook app are permanent. I’m not saying that this is a sinister plot to get more data about you, it may be just sloppy programming. But it is anyway an excellent reminder about how important the app permissions are. We should learn to become more critical when granting, or denying, rights like this. This is the case for any app, but especially Facebook as its whole business model is based on scooping up data about us users.

Time for an app permission check. On your iOS device, go to Settings and Privacy. Here you can see the categories of info that an app can request. Go through them and think critically about if a certain app really needs its permissions to provide value to you. Check Facebook's camera and microphone permissions if you have used the temporary profile picture feature. And one last thing. Make it a habit to check the privacy settings now and then.

[Image: This is how far you get unless you agree to grant Facebook camera access.]

[Image: The Settings, Privacy page. Under each category you find the apps that have requested access, and can select if the request is granted or denied.]

Safe surfing, Micke

PS. The temporary profile picture function is BTW simpler in Facebook's web interface. You just see your current profile picture with the overlay. You can pan and zoom before saving. I like that approach much more.
Photo by Markus Nikander and iPhone screen captures    

November 16, 2015

Using Facebook to log in – safe or not?

Open up your favorite web site and you can see what this is about right away. There are in many cases two options, an ordinary log-in and “Log in with Facebook”. Have you been using the Facebook option? It is quite convenient, isn’t it?

I was talking to a journalist about privacy a while ago. One of the hints that ended up in the final story was that it isn’t necessarily a good idea to link your other accounts to Facebook. And that raised questions. Some people have wondered why it is so, and pointed out that we at F-Secure also provide that option in our portal for F-Secure SAFE, MY SAFE. So let’s take a closer look. Is it good, bad or ugly?

Here are the important points:

Facebook acts like an authentication service in this scenario. One single password opens the door to many services. This is indeed convenient and reduces the need to remember a lot of different passwords.

But you should use different passwords on every service to reduce the damage if a password is leaked. That could happen for example in a phishing scam. Using Facebook’s log-in everywhere is putting all your eggs in the same basket.

The worst thing you can do is to use the same user ID and password on all your sites, but *not* the Facebook function. A leak in any of them could give the attackers access to all your systems. Using the Facebook login instead is in this case a way to *improve* security. Facebook's servers are well secured, a leak from them is highly unlikely.

It may reveal private info from Facebook to the other service unnecessarily. Most of us just click OK when Facebook asks for permission to give data to the other service, without thinking about what we really approve.

Facebook will get yet another sensor to profile you. They will know that you use a certain service, when and how often you use it, and on what kind of device and where in the world you are when using it.

Most people are on Facebook under their real name, but you may want to use other services more anonymously. If you don’t want it to be publicly known that you use a particular service, then you shouldn’t use your real-name Facebook account to log in.

Remember that privacy on-line is not just about how much private data you reveal. It’s also very much about whom you reveal it to and how fragmented your digital footprint is. Preventing different services from consolidating your data improves your privacy.

So should I use this feature at all? Maybe, it depends. There are some downsides, but it's a convenient way to log in, that can’t be denied.

But first, the security-savvy approach is to instead use separate strong passwords on every site and a password manager. It’s a little bit of work when you set it up, but it is really the most secure approach.

Don't use Facebook log-in for critical services. Those are sites containing sensitive information or where you make payments. They always deserve a strong unique password.

But there's also a large number of sites that aren't that critical. Your on-line newspaper for example. If crooks get your Facebook password then your compromised newspaper account will be the smallest of your problems. Go ahead and use Facebook log-in for those if you find it convenient, but keep in mind the privacy concerns listed above. It's all about how picky you are about privacy.

And don’t forget to review the permissions you have given to apps and sites in Facebook. Go to Settings / Apps and you see the list of approved apps. Remove anything that sounds fishy, that you can’t remember approving or that you aren’t using frequently. Don’t be afraid to remove too much. The worst thing that can happen is that an app or site stops working and asks you to give it Facebook permissions again. Open all remaining apps and review what permissions they have. Think about what they do for you and if they really need all their permissions. Fix the permissions if needed.

To wrap up. The Facebook log-in feature is not a security problem. Facebook's security system is solid and your security is not in jeopardy if you use it. But I still recommend separate passwords for the critical sites. The question marks are on the privacy front instead. Linking sites together contributes to forming a more comprehensive digital footprint. It's up to you to decide how worried you are about it. With this info you should be able to make an educated decision about where Facebook log-in can and can't be used.

[Image: Jamendo's permissions in Facebook. These are the basic permissions most well-behaving apps/sites ask for. If the site asks for more, consider carefully if it really is needed.]

Safe surfing, Micke

Images by C_osett and Facebook screen capture

November 12, 2015

Are you using Facebook at work? (Poll)

I’m sure you have run into it if you work at a company with an organized IT function. They provide you with a computer, but they control it and set restrictions on what you can do with it. This is justified. Keeping the systems patched and updated is necessary to maintain security. Not to talk about maintenance of the anti-malware.

But security is not the only driver for controlling the computers. Productivity is another. The web is usually wide open and employees can surf wherever they like. Entertainment, social media, news, hobbies, work-related issues, they are all there in the same web. Trying to limit web access to just work-related content is a really hard task. Practically impossible in most cases. And on top of that, you can always pull out your smartphone, if the mean IT-folks have created nasty restrictions on the employer-owned device.

Employers’ worries about security and productivity are demonstrated in a Bloomberg article. It’s a bit dated already, but probably still quite accurate. The list of banned apps can be divided in three groups. Cloud services make it easy to share company secrets. Entertainment is time-consuming and addictive. And finally Facebook representing social media.

Banning Facebook is interesting. Social media has quickly grown to be one of our most commonly used communication platforms. Is it really fair to shut this off for the whole workday? But Facebook can on the other hand be very addictive. I’m sure there are employees who spend far too much time there. But the question is if an effective ban of Facebook really would improve productivity? No-one can work 8h flat out without any breaks. Personally I feel that micro-breaks, like checking Facebook, help me stay focused and get the work done.

So let’s see what you think. What’s your relation to Facebook at work time?

Safe surfing, Micke

Photo by momo

November 10, 2015