
SANS ISC: Gathering and use of location information fears - or is it all a bit too late - Internet Security | DShield SANS ISC InfoSec Forums


Gathering and use of location information fears - or is it all a bit too late

With all the excitement in the media at the moment about vendors being able to track our every move*, Apple have released a Q&A [1] on what data they actually track on the iPhone.

It's an interesting enough read and may calm the fears of some of being tracked. Or perhaps not.

The Internet Storm Center has published a number of stories on data being collected, in a delightful variety of ingenious ways, then sold to marketers to gain a better insight into how to get the consumer to spend more money. This wealth of information from raw data has huge applications and, as an example, the Dutch Police took the initiative. They bought data from TomTom to place speed traps and cameras [2], which is a very sneaky idea and much more accurate for revenue generation than building them on busy roads. In case you were attempting new land speed records on Dutch roads, all the data purchase was anonymous, so you're safe from the digital arm of the law...

The part of this story that is thought-provoking comes from customer pressure on TomTom to stop doing this. TomTom have agreed and changed their policy on selling the traffic data.

When many raise their voices in complaint, threaten to leave the service and create negative publicity, does it make a difference to the mega corporations? Or have we simply lost this battle already as we signed, check-boxed or clicked "agree" on a EULA [3] giving our acceptance to track, monitor, use and sell any data generated?

I'll leave it up to you to decide if consumer power is one thing that can make a difference once you discover something is tracking your every move.

Of course, if you are constantly updating your location in FourSquare, Facebook, Twitter et al while using your loyalty cards then you may not care in the first place.

[1] http://www.apple.com/pr/library/2011/04/27location_qa.html

[2] http://www.engadget.com/2011/04/27/tomtom-user-data-sold-to-danish-police-used-to-determine-ideal/

[3] http://www.webopedia.com/TERM/E/EULA.html

*Fancy that - I mean it's not like I'm carrying at least two items that bleat out my location every few seconds that are designed so people can get in contact wherever I am. Plus I pay a small fortune for the privilege to own the lovely, shiny devices - I could be my own privacy's own worst enemy. Hmmm.

Chris Mohan --- Internet Storm Center Handler on Duty

Chris

105 Posts
ISC Handler
What if the EULA/privacy policy doesn't tell the whole story?

TomTom's policy surely didn't tell device owners who TomTom is sharing data with.

Another example: recently Rovio was in the news with their "Angry Birds" game that supposedly sends all kinds of info, including your location and the address book on your smartphone, to third parties.
Rovio's FAQ (http://www.rovio.com/index.php?page=angry-birds---frequently-asked-questions-faq) mentions that data is shared with a data collector called Flurry (Mr. Jobs disagrees with Flurry's policies, Google: Apple Flurry) but Rovio's privacy policy (http://www.rovio.com/index.php?page=privacy-policy) doesn't mention anything about sharing data with Flurry...
Erik van Straten

122 Posts
I am frequently amazed by the apathy of people in regards to private information being shared. There are many examples of our devices spying on us (TiVo, grocery store loyalty cards, smart phones, cookies, web bugs, etc) & to make matters worse, companies that collect the data cannot seem to keep hackers out of their databases (Epsilon, Sony, etc). I don't see a lot of outrage about this. Now, along comes one of the first examples I have seen of this type of collection data being used legitimately for public good & there is outrage (at least in the comments of link #2 above).

The speed limit is an absurdly easy law to obey!
Erik van Straten
7 Posts
I actually disagree slightly with jwhitlow. The purpose of the police force should be to ensure public safety, not generate revenue. If they really were putting these cameras where they would generate the most revenue, instead of where speeding posed the most significant public safety threat, then they're gradually and insidiously turning into armed tax collection officers. You see this same kind of mission creep in parts of the U.S., where law enforcement agencies have used trumped-up drug charges in order to profit off property confiscation.
Anonymous
Welcome to 1984. With a camera at every intersection and everywhere else, if you do not like it, make lots of noise. What bothers me the most is how we can't seem to live without the things we've lived without since the beginning of time. "They're" now using that thinking against us.

Don't like the result, get rid of the problem (TiVo, grocery store loyalty cards, smart phones, etc). I disconnected from TV entirely, I do not feel like I'm going to die. Now I just need to rid myself of a few more non-necessities, like this computer.
Greg

25 Posts
The issue with Apple isn't so much that it was getting the data, but that it was storing it on the phone and the data were being seized w/o warrants or users knowing it was there and thus able to control access.

Your cell company would give the same info after receiving a warrant from your local police force (in the US.) Or a national security letter if it was a federal beef - but in either case, there would be at least some process to go through.

What Google is doing with its MAC address harvesting project, making a database of all MACs, whether or not the owners had signified by enabling encryption or disabling SSID broadcast that they did not want the data from their networks published, available to world+dog in order to make more money but at the same time exposing a unique identifier and its location -- this is a subtler but much worse intrusion.
peter

17 Posts
ISC says Dutch, URL for engadget says Danish.
peter
28 Posts
I guess engadget screwed up their URL
peter
28 Posts
