Security and location

Written By: and
Content Copyright © 2011 Bloor. All Rights Reserved.

Location-based mobile applications such as Facebook, Google and others are used by a large percentage of adults and teenagers. Applications that pinpoint a user’s physical location introduce unprecedented new risks. The potential threats range from fraud and identity theft to crimes such as burglary or physical violence.

Geolocation is your physical location and is derived by technology using data from your computer or mobile device. It could relate to your physical location (position on the earth’s surface) or the virtual (internet) environment. Both can be collected in many ways:

  • Web browsing via your computer (IP[1] address is your identification)
  • Mobile phone usage
  • GPS (Global Positioning System) devices
  • Credit/debit card transactions
  • Tags in photographs and postings (Facebook and Twitter).

Location can be collected in an active or passive mode. The active mode is a user device that provides the Geolocation using software to determine the user’s position by wireless, GPS[2] or by “request and response”. The passive mode is server-based and determines the position via IP (internet protocol), 3G or 4G and wireless positioning.

What are the benefits location brings?

  • To the Customer: optimal request routing or navigation, instant purchasing decisions (shopping, restaurants), nearest station or bus stop and social networking opportunities.
  • To Business: targeted marketing, delivery and asset management, insurance risk management, logistics etc. The list is endless.

Location, combined with other personally identifiable information, can be used or abused. The capabilities of this technology empower social networking, support law enforcement, enable many mobile services and also provide a serious concern in the hands of criminals.

Location information can be seriously abused. For example, an individual who announces holiday plans or activities on a social networking site may be signalling to a criminal that their house is currently unoccupied, leading to a higher risk of being burgled, whilst more general personal information could be used in social engineering attacks against them.

For organisations, location information can lead to unwarranted surveillance of their current activities. An example could be tracking the location of a company’s executives. This could provide its competitors with pointers regarding ongoing business negotiations, such as potential mergers or acquisitions. This could affect the organisation’s brand and reputation, or even dent it financially if the competitor were able to scupper the deal. Organisations must also be wary themselves when using location-based services. They should be careful that information collected regarding the location of their employees does not constitute illegal tracking of their activities outside of business hours. In addition, any location-based services offered to customers or suppliers should take into account the privacy and ethical concerns of those parties.

In dealing with such risks, ISACA[3], which provides issues and guidance with regard to the governance, security and audit of information systems, cautions that the legal obligations of users and developers of geolocation data are currently unclear. In the absence of legal guidelines, it cautions that organisations need to carefully consider what controls are appropriate. These could be strong access controls and anonymisation techniques or the use of encryption for all personally identifiable information. It urges all organisations using geolocation to develop its own framework to address privacy and security locations, making use of existing information security frameworks such as CobIT[4].

How to safeguard yourself? We quote the ISACA recommends this 5-step practice:

  1. Read your mobile application agreements to see what information you are sharing.
  2. Only enable Geolocation when the benefits outweigh the risks.
  3. Understand that others can track your current and past locations.
  4. Think before posting tagged photos to social-media sites.
  5. Embrace the technology, and educate yourself.

With such safeguards in place, you will be in a much better position to embrace the exciting benefits that are offered by geolocation technologies.

This article was prompted by the discussion within “Why geolocation apps can be dangerous” and the ISACA’s new white paper, “Geolocation: Risk, Issues and Strategies.”

[1] IP – Internet Protocol
[2] GPS – Global Positioning Systems
[3] ISACA – Information Systems Audit Control Association
[4] CobIT – Control objectives for Information and related Technology