Can I Stalk You? An Intro to Location-Based Service Security

Have you been invited to use Foursquare or Gowalla? Or has one of your friends checked you into a restaurant or a club using Facebook Places? Congratulations, you’re now on the new frontier of social media: location.

Location-based services are sites available through mobile devices that use your exact geographical location to connect you to friends and businesses.

So now you have to decide: Do I need everyone to know where I am?

Okay. Maybe you aren’t letting “everyone” know where you are. Many services limit your information to your friends. But when you share your information with a network, you’re trusting everyone on that network to protect your privacy. So there’s always the potential when using location-based social media that someone you don’t want to see could find your exact location.

Background on Location Services

Google Latitude, which allows you to broadcast your location twenty-four hours a day using GPS  (global positioning system) technology, has been around for more than a year. And once it got over some initial privacy concerns, it basically became another one of Google’s innovative yet obscure services that not too many people use.

To date, only 4% of Americans have tried one a location-based service, and only 1% use one on a weekly basis, according to Gartner. People are not showing much interest in leaving digital breadcrumbs wherever they go.

So why do you have to decide now if you’re ready to start sharing your location?

First of all, more and more people are getting GPS -enabled smartphones. This makes cool apps like our free Anti-Theft for Mobile possible, and it makes it easy to broadcast your location. And more importantly, Facebook is getting into the location game.

How Will Facebook Places Change Your Life?

Facebook Places is now live in the United States, Canada, United Kingdom, Japan, France, Italy and Australia and has already sparked so much interest in location-based social networking that its competitor Foursquare just passed the 4,000,000 registration mark, which means it’s only 546,000,000 users behind Facebook.

With a user base of more than half a billion active users around the globe, Facebook intends to push location networking into the mainstream. It also has added another level to these types of services by allowing users to check their friends into locations. And of course, this could allow for some mischief.

The Potential for Mischief

Using Places, your Facebook friends could check you into places you shouldn’t be like a bar during your lunch hour. That could be a problem with your boss.

But this potential for mischief is inherent in Facebook. Your friends can already lie about you in status updates. Even worse, any of your friends could also easily tag your name in an embarrassing photo you may or may not be in.

(To prevent anyone on Facebook seeing you tagged in friends’ photos and videos you may not approve of, go to “Privacy Settings”>  “Customize Settings”> “Photos and videos I’m tagged in”> “Customize”> “Only Me”)

The best way to minimize risk whenever you’re on Facebook for any reason is to keep your friends list limited to the people you really trust. (If you need a fan club I’d suggest a Facebook fan page. That way you can broadcast Twitter-style without having to worry about sharing personal information and media with strangers.)

Get Your Settings Right

Facebook Places is perfect for two types of Facebook users: Those who have no fear about sharing the most intimate details of their lives and those who have mastered the privacy settings.

No matter who you are, Places should force you to take a good look at who is on your Facebook friends list. Facebook Places is at its safest when you share your location with the people you really trust. And if you don’t know and trust everyone you’re connected with, you need to control exactly who has access to your information every time you post.

Here’s some good advice from a Facebook representative about how to use Places:

“I would recommend creating friend lists to separate people you really trust from others. Then, use the publisher privacy control to send status updates to appropriate groups (and only them). I actually think it may make sense to tell people you really trust that you are gone through Facebook just as you would in person. Then, they can watch your place for you, feed your cat, etc… As for everyone else, if you wouldn’t tell them in person you were leaving town, you probably shouldn’t use Facebook to tell them. As always, we also recommend people only accept friend requests from others they actually know.”

You may want to start by limiting your Places to friends only. Go to “Privacy Settings”.  You can either set all of your “Sharing on Facebook” settings to “Friends Only” . Or click on “Customize Settings” and set “Places I check into” as “Friends Only”.

On this page (“Account”> “Privacy Setting”> “Customize Settings”), you can also decide if you want your friends to see you in a location’s “People Here Now” after you check in that location.

If you click the box to enable “Include me in “People Here Now” after I check in” you’re making it easy for your friends (and strangers, depending on your settings) to find you. Being found is kind of the whole point of places.  And it can be fun if you are open to being contacted by everyone on your friends list. The average person on Facebook has 130 friends and growing. That’s a long list to consider every time you check into a place.

That’s why Facebook and I recommend organizing your friends into lists and only sharing with the people you trust most. You can create lists of people you share with when you’re in town, and those very trusted people you share with when you’re on vacation. But you have to remember to limit your publishing settings every time you check into a place.

To publish your location only to specific people or a specific list, click on the button with a lock next to the “Share” button.

Select “Customize”.

Then select the list friends you want to share your location with. Again, you’ll have to repeat this every time, until Facebook comes up with a “Make this my default setting for Places” check box.

Are You Broadcasting Your Location Now Without Even Knowing It?

The website ICanStalkU.com is trying to make people aware that many smartphones are automatically tagging photos with location data.

You can turn off location tagging on your phone, using ICanStalkU’s handy guide.

The Potential for Physical Danger

Most of us were brought up to be deathly afraid of strangers being able to find us. So you are probably wondering: could using location-based services be dangerous?

It’s possible to imagine a scenario where a stranger could stalk you using the data you’re sharing on Foursquare or Facebook Places. But if you’re using Facebook at all, especially without practicing safer Facebooking, you’re making a stalker’s life easier.

USA Today’s Kim Komando describes a scary real-life scenario. Using Foursquare, a stranger found and contacted a woman as she was eating dinner in a restaurant . That’s the kind of scenario most of us would like to avoid.

If you have any concerns about being profiled or stalked, be very careful about any sort of geolocation services, and social media in general. A recent case suggests that, at least in the U.S., restraining orders are valid in cyberspace. But “better safe than sorry” is a good mantra to repeat while using the mobile Internet.

If you’re living in Mexico City where kidnapping occurs at “alarming rates“, using a service that broadcasts your exact physical situation would be insane. However, if you’re living somewhere where you feel safe in general, geolocating probably won’t add any more danger into your life than any social network would.

If that’s worth the risk of running into someone you didn’t want to see, give it a try. But don’t expect Foursquare to protect your privacy. Here’s a good source of information on how to secure your “check-ins” for Foursquare. You can these basic privacy concepts—like checking in to a destination as you leave—to most any location service.

If you’re an adult who is smart about what you share online, there aren’t many new security risks inherent in using location services. It comes down to this: if in the pit of your stomach you feel any concern about making your location known, don’t do it.

Property Theft

You may have heard about a crime ring in New Hampshire that allegedly targeted more than 50 victims based on their Facebook postings.  It’s a scary revelation that’s easy to sensationalize. The truth about this case is that the victims in this case were friends with the alleged perpetrators. And the victims were not using Facebook Places.

However, F-Secure Security Advisor Sean Sullivan points out that a thief is going to learn a lot more staring at your driveway than at your Facebook page. By using a location service you are making your schedule public, but you’re hopefully not publishing an exact record of who is at your home at any given time. The bad guys may know you’re out, but they don’t know who else is home.

It’s true.  Facebook has been used to facilitate crimes. But the same could be said for the white pages.

Again, Facebook becomes most dangerous when you “friend” people or make information available to people who you may not trust. Social networks make it easy to connect with people from your past or people who you’d never meet. Your information is only as safe as the most questionable member of your network.

Privacy

What you probably think most when you think about privacy is: How will this affect my ability to get a job I want?

Do you need your next boss to know that you at Taco Bell 5 times in March? Will being the “mayor” of a local pub help you during salary negotiations?

Will employers ever check applicants Foursquare accounts. Maybe not. But if they may well check your Facebook page, unless you’re in Finland or possibly Germany. And there they could find your Facebook Places data, unless you’ve carefully set your privacy settings.

This is something you need to think about before you start publishing your whereabouts. While most services intend to limit your data to your chosen friends, there is always a possibility that your social media data can go public.

The privacy of young people is a much more serious concern. Children with cell phones need to be instructed on how to use location-based services safely, if at all.

Experts have said that said teenage girls are most likely to be the victims of cyberextortion. Not too surprising. “Jailbait” websites specialize in gathering provocative pictures of young girls, which may or may not have been posted by the girl herself.

What if your child’s pictures ended up in a lurid site like that with the location information tagged to the image? That’s a privacy problem that could escalate into something much more dangerous. So let know your children know how to disable the geotagging settings on your their phones now.

Conclusion

We are at the dawn of a new era in social networking. Perhaps in a few short years we’ll all know where everyone is all the time. And as that happens, you know that the bad guys will come up with ways to use this technology against us. But for now, it’s a new frontier that might be worth exploring. Perhaps location-based fun will add  layers to your life you never imagined, the way Facebook and Twitter have.

Or you just may want to check out. Disable Facebook Places now and forget that you ever were invited to join a location-based service.

CC image by: David Fisher

More posts from this topic

Unbenannt-3-1

How should we deal with defamation and hate speech on the net? – Poll

Everybody probably agree that the net has developed a discussion culture very different from what we are used to in real life. The used adjectives vary form inspiring, free and unrestricted to crazy, sick and shocking. The (apparent) anonymity when discussing on-line leads to more open and frank opinions, which is both good and bad. It becomes especially bad when it turns into libel and hate speech. What do you think about this? Read on and let us know in the poll below. We do have laws to protect us against defamation. But the police still has a very varying ability to deal with crimes on the net. And the global nature of Internet makes investigations harder. Most cases are international, at least here in Europe where we to a large extent rely on US-based services. This is in the headlines right now here in Finland because of a recent case. The original coverage is in Finnish so I will give you a short summary in English. A journalist named Sari Helin blogged about equal rights for sexual minorities, and how children are very natural and doesn’t react anyway if a friend has two mothers, for example. This is a sensitive topic and, hardly surprising, she got a lot of negative feedback. Part of the feedback was clear defamation. Calling her a whore, among other nasty things. She considered it for a while and finally decided to report the case to the police, mainly because of Facebook comments. This is where the really interesting part begins. Recently the prosecutor released the decision about the case. They simply decided to drop it and not even try to investigate. The reason? Facebook is in US and it would be too much work contacting the authorities over there for this rather small crime. A separately interviewed police officer also stated that many of the requests that are sent abroad remain unanswered, probably for the same reason. This reflects the situation in Finland, but I guess there are a lot of other countries where the same could have happened. Is this OK? The resourcing argument is understandable. The authorities have plenty of more severe crimes to deal with. But accepting this means that law and reality drift even further apart. Something is illegal but everybody knows you will get away with the crime. That’s not good. Should we increase resourcing and work hard to make international investigations smoother? That’s really the only way to make the current laws enforceable. The other possible path is to alter our mindset about Internet discussions. If I write something pro-gay on the net, I know there’s a lot of people who dislike it and think bad things about me. Does it really change anything if some of these people write down their thoughts and comment on my writings? No, not really. But most people still feel insulted in cases like this. I think we slowly are getting used to the different discussion climate on the net. We realize that some kinds of writing will get negative feedback. We are prepared for that and can ignore libel without factual content. We value feedback from reputable persons, and anonymous submissions naturally have less significance. Pure emotional venting without factual content can just be ignored and is more shameful for the writer than for the object. Well, we are still far from that mindset, even if we are moving towards it. But which way should we go? Should we work hard to enforce the current law and prosecute anonymous defamers? Or should we adopt our mindset to the new discussion culture? The world is never black & white and there will naturally be development on both these fronts. But in which direction would you steer the development if you could decide? Now you have to pick the one you think is more important.   [polldaddy poll=8293148]   Looking forward to see what you think. The poll will be open for a while and is closed when we have enough data.   Safe surfing, Micke  

Sep 8, 2014
BY Micke
Connecting people

Why is social media called antisocial?

You have all seen the pictures circulating on the net. A bunch of people all tapping at their smartphones and paying no attention to the world around them. With the title: ANTISOCIAL. And you have probably also seen this is real life. Sometimes a friend just seems to be more interested in the phone than in you. And maybe it has been the other way around sometime? ;) Most of these people are probably using social media. I do agree that it is rude to ignore persons who are physically present and pay more attention to the phone. Especially if you are alone with someone. And yes, that behavior seems antisocial from other’s point of view. But the funny thing is really that social media and our mobile devices form the most social system invented so far. Think about it. You can be in contact with people everywhere in the world. You can send and receive messages instantly and follow what others do right now. You can share your own feelings spontaneously. You can have a pure peer-to-peer exchange of thoughts not curated by any outsiders. You can select to communicate with a single person or a larger group. You are not limited to written text, you can use pictures and video as well. The real point here is that those “antisocial” types aren’t just tapping their phones, they are communicating with real people. Our traditional definition for the word social was formed before we had Internet. People associate it with personal face-to-face contact and are slow to update their mindsets. Or to be precise, we already have a younger generation who have grown up with the net and social media services. Their definition is up to date, but many of us older persons still see the net as less social or not social at all. Let’s all agree to never call someone who is concentrating on the phone antisocial. But the word rude may be justified. Let’s also agree to not be rude against others by ignoring them in favor of the phone. It’s of course OK to check the phone now and then at the party, but always prioritize people who are present and want to talk to you. And why not take it one step further? Turn off the phone and try to be without it for a couple of hours. Can you do it? Next time you go out for dinner with someone is a good time for that experiment. You may be less social on the net for a while, but your company will see you as much more social.   Safe surfing, Micke   PS. If you must be able to take urgent calls and can’t turn off the phone, at least turn off the data connection. That will mute the social media apps.  

Aug 21, 2014
BY Micke
alice

1,2 billion passwords stolen, but does it affect me?

You have heard the news. Russian hackers have managed to collect a pile of no less than 1,2 billion stolen user IDs and passwords from approximately 420 000 different sites. That’s a lot of passwords and your own could very well be among them. But what’s really going on here? Why is this a risk for me and what should I do? Read on, let’s try to open this up a bit. First of all. There are intrusions in web systems every day and passwords get stolen. Stolen passwords are traded on the underground market and misused for many different purposes. This is nothing new. The real news here is just the size of the issue. The Russian hacker gang has used powerful scripts to harvest the Internet for vulnerable systems and automatically hacked them, ending up with this exceptionally large number of stolen passwords. But it is still good that people write and talk about this, it’s an excellent reminder of why your personal passwords habits are important. Let’s first walk you through how it can go wrong for an ordinary Internet user. Let’s call her Alice. Alice signs up for a mail account at Google. She’s lucky, alice@gmail.com is free. She’s aware of the basic requirements for good passwords and selects one with upper- and lowercase letters, digits and some special characters. Alice is quite active on the net and uses Facebook as well as many smaller sites and discussion forums. Many of them accepts alice@gmail.com as the user ID. And it’s very logical to also use the same password, it sort of belongs together with that mail address and who wants to remember many passwords? Now the evil hackers enter the scene and starts scanning the net for weak systems. Gmail is protected properly and withstands the attacks. But many smaller organizations have sites maintained on a hobby basis, and lack the skills and resources to really harden the site. One of these sites belongs to a football club where Alice is active. The hackers get access to this site’s user database and downloads it all. Now they know the password for alice@gmail.com on that site. Big deal, you might think. The hackers know what games Alice will play in, no real harm done. But wait, that’s not all. It’s obvious that alice@gmail.com is a Gmail user, so the hackers try her password on gmail.com. Bingo. They have her email, as well as all other data she keeps on the Google sites. They also scan through a large number of other popular internet sites, including Facebook. Bingo again. Now the hackers have Alice’s Facebook account and probably a couple of other sites too. Now the hackers starts to use their catch. They can harvest Alice’s accounts for information, mail conversations, other’s contact info and e-mails, documents, credit card numbers, you name it. They can also use her accounts and identity to send spam or do imposter scams, just to list some examples. So what’s the moral of the story? Alice used a good password but it didn’t protect her in this case. Her error was to reuse the password on many sites. The big sites usually have at least a decent level of security. But if you use the same password on many sites, its level of protection is the same as the weakest site where it has been used. That’s why reusing your main mail password, especially on small shady sites, is a huge no-no. But it is really inconvenient to use multiple strong passwords, you might be thinking right now. Well, that’s not really the case. You can have multiple passwords if you are systematic and use the right tools. Make up a system where there is a constant part in every password. This part should be strong and contain upper- and lowercase characters, digits and special characters. Then add a shorter variable part for every site. This will keep the passwords different and still be fairly easy to remember. Still worried about your memory? Don’t worry, we have a handy tool for you. The password manager F-Secure Key. But what about the initial question? Does this attack by the Russian hackers affect me? What should I do? We don’t know who’s affected as we don’t know (at the time of writing) which sites have been affected. But the number of stolen passwords is big so there is a real risk that you are among them. Anyway, if you recognize yourself in the story about Alice, then it is a good idea to start changing your passwords right away. You might not be among the victims of these Russian hackers, but you will for sure be a victim sooner or later. Secure your digital identities before it happens! If you on the other hand already have a good system with different passwords on all your sites, then there’s no reason to panic. It’s probably not worth the effort to start changing them all before we know which systems were affected. But if the list of these 420 000 sites becomes public, and you are a user of any of these sites, then it’s important to change your password on that site.   Safe surfing, Micke  

Aug 7, 2014
BY Micke