8/20/2012
11:40 AM

7 Facts About Geolocation Privacy

Recent ruling that upheld police remotely activating a phone's GPS tracking feature without a warrant highlights the legal gray area surrounding GPS data privacy.

Consumers currently enjoy little privacy protection from the GPS location information broadcast by their smartphones or automatically added by latest-generation cameras to their digital photographs.

But many legislators, consumer rights groups, as well as the Federal Trade Commission, are seeking clear guidelines about how police, application developers, online marketers, and other third parties can collect and share consumers' GPS data.

"Collecting personal data is increasingly easy for the government to do but hard for citizens to detect, so it's more important than ever for the American public to know the rules that law enforcement is operating under, especially when it comes to location tracking," American Civil Liberties Union (ACLU) attorney Catherine Crump said recently, commenting on a lawsuit that the ACLU filed to make the FBI reveal how and when its agents can use GPS tracking devices.


As that suit implies, many legal questions remain unanswered, and law enforcement practices are relatively ad hoc. Here are seven things we do know about the unfolding GPS data privacy debate.

1. Consumer Electronics Store Location Information
By default, numerous devices store GPS data in numerous ways. "While smartphone users may realize that their devices have the capability to track their whereabouts, what they may not know is that other devices, such as new cameras, also have the capability to know their location and add location information to a photograph," according to a new report from Kroll Advisory Solutions. Known as geotagging, the location-data-tracking feature recently caught a member of hacking group CabinCr3w by surprise, when he posted a provocative photograph of his girlfriend holding a written taunt to the FBI. The bureau then reviewed the EXIF-encoded GPS coordinates in the image, which corresponded with the girlfriend's house.
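An added example (not part of the original article or the Kroll report) of a pre-publication check for the geotagging described above: it reads the EXIF GPS tags from a JPEG and removes the Exif segment before the photo is shared. The function names and the sample image with its coordinates are constructed for illustration.

```python
import struct
# Added illustration: names and the sample image are constructed, not from the article.

def exif_segments(jpeg):
    """Yield (offset, length, tiff) for each APP1/Exif segment before the scan data."""
    pos = 2                                    # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\0\0":
            yield pos, size + 2, body[6:]
        pos += 2 + size

def read_ifd(tiff, off, e):
    """Map tag -> offset of its 4-byte value field for the IFD at `off`."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    return {struct.unpack_from(e + "H", tiff, off + 2 + 12 * i)[0]: off + 10 + 12 * i
            for i in range(n)}

def gps_position(jpeg):
    """Decimal (lat, lon) from the EXIF GPS IFD, or None if the photo is not geotagged."""
    for _, _, tiff in exif_segments(jpeg):
        e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
        u32 = lambda off: struct.unpack_from(e + "I", tiff, off)[0]
        ifd0 = read_ifd(tiff, u32(4), e)
        gps = read_ifd(tiff, u32(ifd0[0x8825]), e) if 0x8825 in ifd0 else {}
        if not {1, 2, 3, 4}.issubset(gps):     # LatRef, Lat, LonRef, Lon
            continue
        def degrees(val_tag, ref_tag):
            r = struct.unpack_from(e + "6I", tiff, u32(gps[val_tag]))  # 3 RATIONALs
            d = r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600
            return -d if tiff[gps[ref_tag]:gps[ref_tag] + 1] in (b"S", b"W") else d
        return degrees(2, 1), degrees(4, 3)
    return None

def strip_exif(jpeg):
    """Return the JPEG with every APP1/Exif segment removed."""
    for pos, length, _ in reversed(list(exif_segments(jpeg))):
        jpeg = jpeg[:pos] + jpeg[pos + length:]
    return jpeg

def sample_jpeg():
    """Constructed image: SOI + Exif APP1 tagged 40 deg 30' N, 74 deg 15' W + EOI."""
    t = struct.pack("<2sHI", b"II", 42, 8)                  # TIFF header, IFD0 at 8
    t += struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)     # IFD0: GPSInfo -> offset 26
    t += struct.pack("<HHHI4sHHII", 4, 1, 2, 2, b"N\0\0\0", 2, 5, 3, 80)   # LatRef, Lat@80
    t += struct.pack("<HHI4sHHIII", 3, 2, 2, b"W\0\0\0", 4, 5, 3, 104, 0)  # LonRef, Lon@104
    t += struct.pack("<12I", 40, 1, 30, 1, 0, 1, 74, 1, 15, 1, 0, 1)       # deg, min, sec
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(t) + 8) + b"Exif\0\0" + t + b"\xff\xd9"
```

Running `gps_position` over an outgoing photo shows what a recipient could read from it; `strip_exif` removes the whole Exif segment, so other camera metadata goes with the coordinates.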

2. No GPS Sharing Notification For Consumers
Currently, consumers enjoy few protections on their GPS data, and remain unaware when such information is shared by third parties. "Part of the problem lies in the many different entities involved--wireless carrier, operating system provider, application developer--who may all have access to the consumer's personal information," according to Kroll. "A consumer may have some control through device settings and discretion in what types of applications he or she chooses to use on the device, but these measures cannot guarantee that data will not be shared with third parties."

3. International Approaches Vary
Different countries have been taking markedly different approaches to GPS data privacy. "Earlier this year in Mexico, revisions to federal law--dubbed the Geolocalization Law--provided law enforcement with a powerful ability to request and utilize real-time geographic data from mobile service providers in a wide variety of cases," according to Kroll. "On the opposite end of the spectrum, the European Commission's Article 29 Working Party released an opinion stating that geolocation information is personal data." As a result, in Europe such information can only be collected, shared, or stored with people's express consent.

4. FTC Urges Congress To Protect GPS Data
With the increased use of devices that track GPS data by default, in March the FTC released a report, "Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers," that urges Congress to protect mobile data, including mobile device users' geolocation data. To increase data transparency, the agency is also recommending that legislators craft a law that would require third-party data brokers to disclose to consumers all information that they hold on them.

5. Congress Debates Geolocation Data
Several bills have been introduced in Congress that would set clear standards for GPS data privacy. Last year, for example, Sen. Ron Wyden (D-Ore.) and Rep. Jason Chaffetz (R-Utah) introduced the Geolocation Privacy and Surveillance (GPS) Act. In a statement, they said the proposed law "requires the government to show probable cause and get a warrant before acquiring the geolocational information of a U.S. person, while setting out clear exceptions such as emergency or national security situations or cases of theft or fraud." Wyden and Chaffetz later attached their bill as an amendment to the Cybersecurity Act of 2012, which earlier this month appeared to have been defeated--at least for this year--by a Republican filibuster.

6. Malware Taps GPS Data
Always pushing the envelope, malware-coding scammers have also begun tapping geolocation data to lend their emails a greater air of authenticity. Earlier this month, for example, London police issued a warning over scamware that purported to be from the Police Central e-Crime Unit (PCeU), which locks a PC and then demands a fine for it to be unlocked. "This is a fraud and users are advised not to pay out any monies or hand out any bank details," according to an alert issued by London police. "This scam is now affecting many countries in Europe and further afield, with each email tailored to include the branding of that country's law enforcement agency."

The FBI also issued its own warning about the scam. "This malware is doing the rounds across a lot of different countries," said Brian Honan, an independent security consultant based in Dublin, in a security newsletter from the SANS Institute. "It is coded to use geolocation to detect which country the infected computer is in and to use the logos ... of the relevant law enforcement organization for that jurisdiction."

7. Police Can Activate Phone GPS Location Tracking
Can police access the GPS data on your phone? According to a recent court ruling, they can not only access it, but activate GPS location tracking if it's disabled. That's one takeaway from last week's U.S. Court of Appeals for the Sixth Circuit ruling in a case involving Melvin Skinner, who was convicted of drug trafficking--and sentenced to 20 years in jail. Skinner argued that the GPS data tracking, which DEA agents used to track a motor home he was driving that was filled with 1,100 pounds of marijuana, violated his Fourth Amendment right against unreasonable search. In addition, according to a close reading of the court ruling, it turns out that police may not have merely tracked Skinner, but actually instructed his prepaid phone provider to activate the GPS functionality. The court, however, ruled that the DEA had acted lawfully.

But according to Jennifer Granick, director of civil liberties for the Center for Internet and Society at Stanford University, the court erred--by applying the wrong statute. "The court authorized real time tracking based on a provision of the Stored Communications Act," said Granick in a blog post. But GPS data isn't stored data, which means that the DEA, which had failed to get a warrant, actually conducted "an illegal search," she said. Interestingly, "the Justice Department recommends that prosecutors obtain a warrant to get GPS location information from mobile communications service providers," according to a blog post by Gregory T. Nojeim, senior counsel at the Center for Democracy & Technology. But the DEA failed to do so for GPS data, which means that Skinner might be able to suppress the evidence.

Again, the related debate and uncertain ruling continue to highlight how, at least in the United States, important legal questions surrounding the collecting, storing, and tracking of GPS data remain unanswered.
