Home & Office

Shared user info increases geolocation risks

Security experts say users of geolocation-based applications and Web sites should be conscious of posting seemingly innocuous information, as ability of these apps to collate and share a set of information is increasing users' security risks.
Written by Kevin Kwang, Contributor on

There is no doubt that geolocation technology is good and here to stay, but users should broadcast information such as their whereabouts with discretion as cybercriminals are looking to exploit such data, according to security experts.

Anthony Ung, country manager of Southeast Asia region for security organization Trend Micro, said that as social networks such as Twitter increase "enormously" in size and number, most of these sites and the applications that access them--foursquare and Gowalla are among the more popular ones today--allow users to relay messages seamlessly between sites.

Because of these sites and applications, it is easy to lose track of just how much information they may be giving away and how many people have free access to the data, he added.

"The issue with location-based information is that it exposes another layer of personal information that most people would not think about--such as [users'] exact physical location at anytime, anywhere," said Ung in his e-mail to ZDNet Asia.

He also noted that the company has seen geolocation-aware malware for "several years now", where these malicious codes glean information off users' broadcasted data and use this for social engineering. Ung cited the Waledac worm as one instance of social engineering as the virus spammed users during key dates such as Valentine's Day to expand its reach.

However, another security expert pointed out to ZDNet Asia in an e-mail that it is not the broadcasting of sensitive information in isolation that is the problem. Instead, the ability of geo-based apps to collate and share a set of information is increasing users' security risks, said Hon Lau, senior security response manager at Symantec Security Response.

He said that while it is "fine" to tell people the duration of your holiday, it becomes a security issue when that information is combined with the location of your house and your real-time whereabouts in a foreign land.

"Burglars used to have to [conduct] stakeouts at people's homes for this kind of information before they broke in. But now, all this information is available at their fingertips if they know where to look," said Lau.

An earlier ZDNet Asia report highlighted such security risks after a security researcher revealed how photographs taken from mobile devices such as Apple's iPhone and posted up on Twitter allow people to extract the exact longitude and latitude coordinates embedded in these photos without users' permission.

The researcher, Ben Jackson of Mayhemic Labs, said in the report that the most recent generation of mobile phones can geotag photographs by injecting location coordinates into the EXIF metadata of images taken with the camera. The information is precise enough to allow individual houses to be located, sometimes to the extent of the general area inside a home, and is different from the geolocation feature that Twitter and other similar services offer, the report stated.

In order to manage such risks, users should take time to think before publishing personal information on such apps and social-networking sites as these tend to aggregate and share information, Symantec's Lau said.

"While these link-ups offer greater convenience, there is also a downside to aggregating information that would have been safe in isolation, but when combined together poses a security risk," he added.

He also advised users to check the settings on their applications and services to restrict the availability or granularity of geolocation information where possible.

Trend Micro's Ung concurred, saying that it ultimately boils down to "user awareness and responsibility". He said that if users adopt the right precautions, they should be able to safeguard their privacy to "a reasonable degree".

One foursquare user whom ZDNet Asia interviewed online agreed with the need to be conscious about broadcasting personal data. Foursquare is an online service that allows users to share their observations and discoveries about the city they live in or are visiting on-the-go.

Dominic Leong, who claimed to use the service daily where checking in to the site has become "second nature", said that even though he broadcasts his whereabouts frequently, he is usually "quite careful" about the information he puts out.

"As contradictory as it may sound, if I don't want others to know where I am, I'd definitely check in 'off the grid'," he said. An "off the grid" check-in is a private check-in where the user is able to hide his location, according to the Web site.

When asked if he ever feels he is giving out too much information, Leong said he has "no worries" as nobody will be "interested in stalking him".

Editorial standards