Friday, February 6, 2009

Privacy international identifies major security flaw in Google’s global phone tracking system

I want to continue my investigation into the privacy pro's and con's of the recently announced Google Latitude. For a backdrop on the issue, both in terms of the convenience of the tool as well as it's privacy protection shortcomings, check out Wednesday's and Thursday's posts.

I want to assure everyone that I'm no Luddite, and nor are any of the privacy advocates I know and work with. The vast majority of the time, the issue really isn't with the technologies themselves, but rather, the ways in which they COULD be used, and the lack of safeguards to ensure they aren't. I'm not just talking about protecting against identity theft, I'm talking about protecting that which makes us free: our civil liberties and right to privacy.

So the real question is that when such technological advancements are introduced into the marketplace, is someone asking the tough questions, and demanding the proper safeguards?

On that note, I want to reiterate a passage I posted yesterday as well from the Electronic Frontier Foundation that really articulates perfectly what I'm trying to say:

"Technology isn't the real problem, though; rather, the law has yet to catch up to our evolving expectations of and need for privacy. In fact, new government initiatives and laws have severely undermined our rights in recent years."

Now, when I first heard of Google Latitude my immediate reaction was, "Ok, how can this technology be abused? Who could abuse it and why? And what could be done to prevent this?"

As I suspected, Google has once again appeared to have failed the "privacy protection test". I'm not a technology expert, but I certainly know where to find them, and I found this article by Privacy International that raises a host of problems with Google Latitude as it relates to the protection of user privacy.

A few clips from the piece:

After studying the system documentation, PI has determined that the Google system lacks adequate safeguards to protect users from covert opt-in to Latitude’s tracking technology. While it is clear that Google has made at least some effort to embed privacy protections, Latitude appears to present an immediate privacy threat.

Latitude is based on a reciprocal opt-in system. That is, before a person can be tracked, a sharing arrangement must be agreed with a requesting party. After this process has been executed, location data is made available on a time-to-time or continuous basis.

On the face of it, this arrangement might seem an adequate protection. However this safeguard is largely useless if Latitude could be enabled by a second party without a user’s knowledge or consent. Privacy International believes this risk is substantial and could in the future adversely affect millions of phone users.


Privacy International believes Google has created an unnecessary danger to the privacy and security of users. It is clear the company is aware of the need to create a message alert on Latitude-enabled phones but has chosen to launch the service without universal access to this safeguard. The Director of Privacy International, Simon Davies, said:

"Many people will see Latitude as a cool product, but the reality is that Google has yet again failed to deliver strong privacy and security. The company has a long way to go before it can capture the trust of phone users."

"As it stands right now, Latitude could be a gift to stalkers, prying employers, jealous partners and obsessive friends. The dangers to a user’s privacy and security are as limitless as the imagination of those who would abuse this technology."

Check out the rest of the article, particularly the five scenarios Privacy International lays out in which a cover threat could arise.

No comments: