Transcript Orthus WLAN
Every Step You Take: Geo-Location Security Issues

“Her father had taught her about a dog's paws. Whenever her father was alone with a dog in a house he would lean over and smell the skin at the base of its paw. This, he would say, as if coming away from a brandy snifter, is the greatest smell in the world! A bouquet! Great rumours of travel! It's a cathedral! her father had said, so-and-so's garden, that field of grasses, a walk through cyclamen--a concentration of hints of all the paths the animal had taken during the day.”
Michael Ondaatje, The English Patient

• Where you go
• Where you went
• What you do
• What you did
• Where you will go
• What you will do

Geo-Shadow

How
• Satellite tracking
• Web browsers
• Mobile phones
• GPS devices
• RFID tags
• Credit / debit card transactions
• Geo tags photos / postings
• Proximity readers

Browser-Based
The geo-location API is default in the following desktop browsers:
• Firefox 3.5+
• Chrome 5.0+
• Safari 5.0+
• Opera 10.60+
• Internet Explorer 9.0+
• And for updates on earlier versions for all of the above

Application-Based
And the W3C geo-location API on mobile devices:
• Android 2.0+
• iPhone 3.0+
• Opera Mobile 10.1+
• Symbian (S60 3rd & 5th generation)
• Blackberry OS 6
• Maemo

“Of the over 750,000 applications currently available in the iTunes iStore: over 90% record and transmit user geo-location data.”
Wired 2014

Code-Based

In Our Devices

In Our Friends

Why? = Geo-Location Data = Cash

Increase Revenue
Direct contextually relevant marketing to:
• Any one
• Any time
• Any where

Reduce Costs
Centralised task management of:
• Any employee
• Any time
• Any where

Keeping Track
• Tracking customers
• Tracking employees
• Tracking competitors
• Tracking subjects
• Tracking…

Business Uses
A US-based car rental company started using deployed GPS tracking devices to monitor driving speeds of its customers. If a customer's car exceeded 79 miles per hour for 2 continuous minutes, they were charged an additional $150 (without their consent).
Example
A French insurance company used both mobile phone and car GPS data to track sales executive locations and cross-reference them to their expense accounts. Policy resulted in 21 employee dismissals and the identification of over .5 million euro in false claims.

Example
Last year, a large New York-based charity used geo-location data from Grindr to identify homosexuals working in their offices. 4 employees were fired for “inappropriate behavior.”

An Entire Industry Now Based

Big Bang
• Location based marketing industry has consistently increased 10-fold over the last 3 years
• Facebook: “Friends” geo-location app launch
• Bing, Yahoo & Google “geo-location searches”
• Disney: “MyMagic” wearable geo location tech
• MasterCard: Geo-location authentication
• Best Western Hotel: “Geo-fencing” strategy
• KooZoo: Live “geo-video” feed

Bringing It Home

Because… = Cartography Lesson

Can Vendor Own My Location?

Leadership?
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place,"
Former Google CEO: Eric Schmidt

Problem
• How the data exposes the users is not the problem.
• How the vendors expose the users without their knowledge is the problem.
• Opt out is the default - not opt in - and even then…
• Social media model = get everyone to share everything means our personal information (whereabouts) becomes their product
• Convenience traded for privacy sold for cash
• With only a “buyer beware” market approach

What Separates…
• Tracking a customer
• Tracking a victim

Non-Commercial Data Value
• Stalking
• Rape
• Kidnapping
• Assault
• Bullying
• Robbery
• Burglary
• And bad stuff

The Future: Boggles The Mind

Data Captured
• Static
• Mobile

Geo-Scary

Geo-Creepy

Geo-Escape

And I’ve Even Heard…
Geo-location data taken from more than 7 billion devices across the planet every day.

How Big Is This Party?
• Tracking customers
• Tracking victims
• Tracking citizens

Easy to Obtain

Browser Secrets

SaaS

Freeware

Down Load It

Caution: Geo-Malware Ahead

“Over 95% of all geo-location data stored in cloud platforms”
Wired 2014

Stop. Think.
• Where you go
• Where you went
• What you do
• What you did
• Where you will go
• What you will do

Data Classification
+ = SPII

Regulatory Challenges
Geo-location data falls under a special category of data subject to the EU Privacy Directive. To comply you must:
– Not store data outside of EU
– Obtain prior consent from subject - or:
– Process the data anonymously

Our Industry Location?

We Don’t Understand
• This data is sensitive personal identifiable information
• Data presents vast commercial opportunities to decrease costs & increase revenue
• Sought by businesses
• Sought by criminals
• Sought by governments
• User devices easy to hack and obtain location information
• Processed in cloud platforms without security frameworks
• Industry approach = buyer beware
• Default: opt in versus opt out
• Presents real and immediate privacy and safety concerns
• Revenue trumps privacy
• Revenue trumps security
• This is personal

Did I Mention ? = ?
Today there are 75 attendees at this conference
78 SSIDs are broadcasting geolocation data.

What’s Your Next Step?

A Different Perspective From
26 Dover Street
London
United Kingdom
W1S 4LY
+44 (0)20 3586 1025
www.riskfactory.com