11-02-2009, 03:54 PM
Privacy international identifies major security flaw in Google’s global phone tracking system
05/02/2009
One day after the global launch of Google’s “Latitude” phone tracking system, Privacy International has identified what appears to be a fundamental design problem that could substantially endanger user privacy.
After studying the system documentation, PI has determined that the Google system lacks adequate safeguards to protect users from covert opt-in to Latitude’s tracking technology. While it is clear that Google has made at least some effort to embed privacy protections, Latitude appears to present an immediate privacy threat.
Latitude is based on a reciprocal opt-in system. That is, before a person can be tracked, a sharing arrangement must be agreed with a requesting party. After this process has been executed, location data is made available on a time-to-time or continuous basis. On the face of it, this arrangement might seem an adequate protection. However this safeguard is largely useless if Latitude could be enabled by a second party without a user’s knowledge or consent. Privacy International believes this risk is substantial and could in the future adversely affect millions of phone users.
In summary, the danger arises when a second party can gain physical access to a user’s phone and enables Latitude without the owner’s knowledge. At present we are unaware of a way this could be achieved remotely.
We have considered the following five scenarios:
An employer provides staff with Latitude-enabled phones on which a reciprocal sharing agreement has been enabled, but does not inform staff of this action or that their movements will be tracked.
A parent gifts a mobile phone to a child without disclosing that the phone has been Latitude-enabled.
A partner, friend or other person gains access to an unattended phone (left on a bar on in the house) and enables Latitude without the other person’s knowledge.
A Latitude-enabled phone is given as a gift.
A phone left unattended, for example with security personnel or a repair shop, is covertly enabled.
Once the phone has been enabled, the second party will be able to mask his phone’s presence, thus ensuring that the victim is unaware that her phone is being tracked. According to Google’s FAQ:
"From the Google Latitude privacy menu, you can choose to either detect and share your location automatically, set your location manually, hide your location from all friends, or turn off Latitude altogether."
The only means of minimizing this threat might be a regular message sent to a phone advising that it has been Latitude enabled.
However according to Google, this function is available only in certain circumstances. Again, quoting from the Google FAQ:
"After Google Maps for mobile with Latitude is installed and running on some (our emphasis) mobile devices, you may receive prompts on your device reminding you that you have enabled Latitude to share your location with selected friends.
These reminders allow you to continue or stop sharing your location with Latitude and will appear a limited number of times if you have enabled Latitude but have not used it recently" (our emphasis).
This means that only some users with certain unspecified phone types will receive a notification, but only in circumstances where Latitude has not been used for an unspecified period. If the tracked party is unaware that her phone has been enabled, the Latitude settings could indefinitely be set to continuous tracking, thus ensuring that the alert message is never sent from Google.
Conclusion
Privacy International believes Google has created an unnecessary danger to the privacy and security of users. It is clear the company is aware of the need to create a message alert on Latitude-enabled phones but has chosen to launch the service without universal access to this safeguard. The Director of Privacy International, Simon Davies, said:
"Many people will see Latitude as a cool product, but the reality is that Google has yet again failed to deliver strong privacy and security. The company has a long way to go before it can capture the trust of phone users."
"As it stands right now, Latitude could be a gift to stalkers, prying employers, jealous partners and obsessive friends. The dangers to a user’s privacy and security are as limitless as the imagination of those who would abuse this technology."
05/02/2009
One day after the global launch of Google’s “Latitude” phone tracking system, Privacy International has identified what appears to be a fundamental design problem that could substantially endanger user privacy.
After studying the system documentation, PI has determined that the Google system lacks adequate safeguards to protect users from covert opt-in to Latitude’s tracking technology. While it is clear that Google has made at least some effort to embed privacy protections, Latitude appears to present an immediate privacy threat.
Latitude is based on a reciprocal opt-in system. That is, before a person can be tracked, a sharing arrangement must be agreed with a requesting party. After this process has been executed, location data is made available on a time-to-time or continuous basis. On the face of it, this arrangement might seem an adequate protection. However this safeguard is largely useless if Latitude could be enabled by a second party without a user’s knowledge or consent. Privacy International believes this risk is substantial and could in the future adversely affect millions of phone users.
In summary, the danger arises when a second party can gain physical access to a user’s phone and enables Latitude without the owner’s knowledge. At present we are unaware of a way this could be achieved remotely.
We have considered the following five scenarios:
An employer provides staff with Latitude-enabled phones on which a reciprocal sharing agreement has been enabled, but does not inform staff of this action or that their movements will be tracked.
A parent gifts a mobile phone to a child without disclosing that the phone has been Latitude-enabled.
A partner, friend or other person gains access to an unattended phone (left on a bar on in the house) and enables Latitude without the other person’s knowledge.
A Latitude-enabled phone is given as a gift.
A phone left unattended, for example with security personnel or a repair shop, is covertly enabled.
Once the phone has been enabled, the second party will be able to mask his phone’s presence, thus ensuring that the victim is unaware that her phone is being tracked. According to Google’s FAQ:
"From the Google Latitude privacy menu, you can choose to either detect and share your location automatically, set your location manually, hide your location from all friends, or turn off Latitude altogether."
The only means of minimizing this threat might be a regular message sent to a phone advising that it has been Latitude enabled.
However according to Google, this function is available only in certain circumstances. Again, quoting from the Google FAQ:
"After Google Maps for mobile with Latitude is installed and running on some (our emphasis) mobile devices, you may receive prompts on your device reminding you that you have enabled Latitude to share your location with selected friends.
These reminders allow you to continue or stop sharing your location with Latitude and will appear a limited number of times if you have enabled Latitude but have not used it recently" (our emphasis).
This means that only some users with certain unspecified phone types will receive a notification, but only in circumstances where Latitude has not been used for an unspecified period. If the tracked party is unaware that her phone has been enabled, the Latitude settings could indefinitely be set to continuous tracking, thus ensuring that the alert message is never sent from Google.
Conclusion
Privacy International believes Google has created an unnecessary danger to the privacy and security of users. It is clear the company is aware of the need to create a message alert on Latitude-enabled phones but has chosen to launch the service without universal access to this safeguard. The Director of Privacy International, Simon Davies, said:
"Many people will see Latitude as a cool product, but the reality is that Google has yet again failed to deliver strong privacy and security. The company has a long way to go before it can capture the trust of phone users."
"As it stands right now, Latitude could be a gift to stalkers, prying employers, jealous partners and obsessive friends. The dangers to a user’s privacy and security are as limitless as the imagination of those who would abuse this technology."
