Security Review: Google Latitude, tracking friends on Google Maps

By jimmy at 3:04 pm on February 4, 2009 | 1 Comment

A recent article on Slashdot claims that Google will soon release new software, dubbed ‘Latitude’, that enables users to broadcast their geographic location via Google Maps. This information can be gathered either from mobile phones, via GPS or local cell phone towers, or from laptop computers, via Wi-Fi access points. Once the data is uploaded, users can decide with whom to share their location, and to those lucky few their location is shown as an icon with their chosen picture on top of a Google Map display. The initial release will support Blackberry, Android, and Windows Mobile phones, with likely updates to include iPhones and iPod touches.

Google has long had the ability to locate its users, a function predominantly featured on the iPhone. What distinguishes ‘Latitude’, however, is the ability to take this information and share it with others. Location data will thus have to be stored on Google’s servers, in order for others to access that information and display it on their screens. Obviously this raises numerous privacy concerns. Google attempts to address these by claiming that the feature will display information only to the people the user chooses, and that it can be easily disabled at any time. Google also claims that the company will not collect a large database of geographic information, and that the only location data stored on the servers will be the most recent location uploaded.

Asset/Security Goal

  • The system must ensure that a user’s privacy is not violated by disseminating their location data to unintended parties. Wherever the geographic data is stored, it must be protected such that only those with allowed access can read it. Google staff should also be restricted from accessing this information.
  • Another asset of the system is the actual location data itself, and its accuracy.  Given that this location data is valuable to users, the system must also ensure that it cannot be corrupted, or altered by malicious users.

Adversaries

  • The most obvious adversary to this system is a dark and mysterious stranger, with whom the user does not want to share information, yet who somehow still gains access to it. This party could then use this information to cause direct harm to the user.
  • Another less obvious adversary is Google itself, or a similar company with the ability to mine this information. This party could create a large database of a person’s geographic locations over time and sell this information to the highest bidder.

Weaknesses

  • A malicious user could use the system to look up geographic data for another user, and then proceed to locate the user and cause physical harm to that person. Notice that this attack could be carried out by “friends” who have free access to each other’s data, or by a dark and scary “hacker” who infiltrates the system and looks up data they have no right to.
  • Another weakness arises if a company farms this information and creates a database of users and their movement patterns. This company could then sell this data, either to the dark and scary malicious user previously described, or to an even darker and scarier advertising company.

Defenses

  • Obviously Google should do its best to encrypt the data, and store it in as secure locations as possible to prevent data leakage.  Furthermore, to reduce the potential damage of an information leak, Google could store less precise locations, so a malicious user could not pinpoint exactly where a potential victim is at any time.
  • Google should delete old location data as soon as new data is received, making it less likely for large records to leak to other parties.  This does not prevent trusted parties, friends one willingly shares information with, from creating their own databases.  To reduce these risks a user should be careful whom they share data with.
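
The three defenses above (sharing only with chosen people, storing less precise locations, and keeping only the most recent fix) can be sketched together. This is an added example, not code from the post or from Google; the class and function names are hypothetical, and it assumes the caller has already authenticated `owner` and `requester`.

```python
import math

class LatestLocationStore:
    """Hypothetical store: one coarsened fix per user, readable only by chosen viewers."""

    def __init__(self, decimals=2):
        # Assumed default: 2 decimal places of a degree (about 1.1 km of latitude).
        self.decimals = decimals
        self._latest = {}    # user -> (lat, lon, timestamp); overwritten, never appended
        self._viewers = {}   # user -> set of users allowed to read

    def share_with(self, owner, viewer):
        self._viewers.setdefault(owner, set()).add(viewer)

    def stop_sharing(self, owner):
        # Disabling the feature drops both the share list and the stored fix.
        self._viewers.pop(owner, None)
        self._latest.pop(owner, None)

    def update(self, owner, lat, lon, timestamp):
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError("coordinates out of range")
        # Precision is reduced before storage, so a leak exposes only the coarse value.
        coarse = (round(lat, self.decimals), round(lon, self.decimals), timestamp)
        self._latest[owner] = coarse  # the previous fix is discarded here

    def read(self, requester, owner):
        if requester != owner and requester not in self._viewers.get(owner, set()):
            raise PermissionError(f"{requester} may not view {owner}")
        return self._latest.get(owner)

def max_error_metres(decimals, lat):
    """Worst-case distance between a true point and its rounded value at latitude lat."""
    half_step = 0.5 * 10 ** -decimals       # degrees
    m_per_deg = 111_320.0                   # approximate metres per degree of latitude
    dy = half_step * m_per_deg
    dx = half_step * m_per_deg * math.cos(math.radians(lat))
    return math.hypot(dx, dy)

if __name__ == "__main__":
    store = LatestLocationStore()
    store.share_with("alice", "bob")
    store.update("alice", 47.653712, -122.307845, 100)   # constructed sample fix
    print(store.read("bob", "alice"), round(max_error_metres(2, 47.65)), "m max error")
```

Nothing in the store limits what a permitted viewer does with each value they read, which is the residual risk the second bullet describes.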

Social networking sites have proven that people are willing to share large volumes of personal information at great risk to their personal privacy. Google could work day and night to make ‘Latitude’ as secure as possible from random attackers attempting to steal private information, but this would do nothing to protect careless users who share information with too many people. Ultimately users probably face the greatest risk from the friends they choose to share location data with, rather than unknown strangers. Users should also mind their privacy from Google itself. I believe that ultimately this technology will follow the Facebook model, and be stored in large databases and used for advertising purposes; the data is simply far too valuable to let slip away. If this tool becomes popular, I expect to see more and more features slowly added, and consequently more and more opportunities for users to relinquish their privacy.

Link: http://www.foxnews.com/story/0,2933,487629,00.html

Filed under: Physical Security, Privacy, Security Reviews

1 Comment

  • 1

    Comment by ando

    February 6, 2009 @ 12:07 am

    I agree with you that this could evolve into something similar to the Facebook model. If it does catch hold, and too many people share information with too many friends, then you are right and it does not matter how secure Google makes this because careless users are the biggest threats to themselves. I tried to think of a few more things the “dark and scary stranger” could do with your location and I came up with a short random list.
    • One of your close friends could use your location to know when you are out of the house so he/she can stop by and take advantage of your unprotected stuff.
    • Advertising agencies could find what stores you enter and then send you specific spam that is geared toward shops you previously visited.
    • If the database of users was compromised, a terrorist group could use this data to find a time and place to maximize the most casualties out of an attack.
    • If a drastic change in government led to the empowerment of a group that denied some of our freedoms, this government could use this technology to implement a big brother surveillance system.

    This list could go much further, and these were just a few thoughts from the top of my head. The pros and cons of this technology are very similar to the issues related to RFID tags. It is hard to say yet if the benefits of these technologies outweigh, or will ever outweigh, the invasion of privacy. I am interested to see what the future holds in both areas.
