Is Geolocation Finding Waldo?

November 17, 2016 Avani Desai

I’m sure you’ll have noticed in the last few years of using smart phones that every time you add a new app, no matter what that app is for, it asks if it can “use your location”.  Sure, you get a chance to allow or not, but how many of us just click that allow button without thinking what information that simple choice conveys?

Types of Geolocation and What Information They Give You

There are some ways that an application, on a mobile or a website, can find where you are in the world, aka, your geolocation. Websites accessed through a browser on a laptop/desktop, have fewer options than those accessed through a phone or a mobile app. In general, websites that require geolocation but that are accessed from a laptop or desktop can use Geo-IP whereas mobile devices, such as phones and tablets can use a wider set of location methods for finding out where you are. Here’s a look at the main methods:

Geo-IP: This is where the device or browser uses your IP address to identify your location. An API (software service) makes a call to a database, which stores IP addresses and resolves your IP address to a location. Geo-IP location methods are often inaccurate. This is because IP addresses are dynamic, i.e. the IP address changes over time. This is why, when you resolve a dynamically generated IP address it will often show the location of the ISP that is delivering the service. You can try it out yourself using this website, which shows some different IP databases, some more accurate than others: iplocation.net. If you are an individual you will see, along with your IP address:

  • The country you reside in
  • The region in that country you live
  • The city you live in
  • Your ISP provider
  • The Organization (if this is a business address)
  • Your latitude and longitude

Location Services: This method is the one you’ll know from using a smart phone, but you are also starting to see this technology used in, in-car navigation systems too. It is a useful technology. It can let you find local attractions like restaurants and what’s on at your nearest movie theater, that sort of thing. Both IOS and Android use four different methods to locate you:

  1. GPS (Assisted)
  2. Crowdsourced Wi-Fi
  3. Cell tower triangulation
  4. Bluetooth (using iBeacons)

If one fails, they move onto the next. For example, GPS isn’t very good indoors so the API will try Wi-Fi instead.

Compared to GEO-IP, Locations Services are pretty accurate, sometimes within tens of meters. If you’re outside your local K-Mart, location services will know you are.

The data that is revealed when you allow Location Services on your mobile includes: 

  • Accurate location data
  • Time stamp of when you were at a specific location

It can use both of these pieces of data to effectively track your very movement, across time and space.

If you take this to the next level, you can see that this type of information, seemingly innocuous data showing where you were at a given time, could be used to build up a picture of your daily habits. Where you shop, where you worship, aka your religion, where you work, your friends locations and even, potentially, your political leaning.

The problem is compounded when geolocation is used along with other data that is collected, such as email address, SIM card details and phone numbers. Many apps collect this data without expressly requesting consent. One of the issues you have when using location services with apps, is that it isn’t the privacy policy of Apple or Google you need to be concerned with, but the privacy policy of the third party app, collecting your data, that you need to be wary of. For example, Apple makes a statement regarding this:

“If you allow third-party apps or websites to use your data or your current location, you're subject to their terms, privacy policies, and practices.”

If you use lots of apps, which many of us do, then that is a lot of privacy policy reading that needs to be done.

The types of concerns we, as consumers, need to be aware of, include things like third party disclosure where the app vendors, using our location data, may also be selling it onto third parties. However one of the more sinister and intrusive aspects of location services is the tracking capability as mentioned previously – you literally can be tracked throughout your whole day, life habits being monitored and used for marketing and profiling, it is creepy tech at its most creepy.

Can we do anything about this?

Well you can turn location services off in apps, but many of them won't work as well, or have reduced functionality. And even if you do turn it off, the mobile phone itself can still collect location information using cell triangulation.

There is movement regarding legislation to try and stem the flow of our personal information, including geolocation data. The Consumer Privacy Bill of Rights Act of 2015, covers geolocation data as well as other personally identifying information. The bill is still in draft, but will give the Federal Trade Commission (FTC) the ability to impose fines on companies that violate the rights set out in the bill, however the maximum fine is currently set at $35,000.

About the Author

Avani Desai

Avani Desai the President at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more.

More Content by Avani Desai
Previous Article
Upcoming Events
Upcoming Events

See what is coming up with Schellman and how you can be a part

Next Article
National Philanthropy Day
National Philanthropy Day

"No act of kindness, no matter how small, is ever wasted."- Aesop It shouldn’t come as a s...

×



Subscribe now
to receive content updates once a week

First Name
!
Success
Error - something went wrong!