Many organizations may request geo-location information. For example, a delivery service organization may use an application that requires geo-location in order to deliver its service or product to the appropriate consumer. Mapping applications, such as the Maps application on iPhones, weather applications, or even couponing applications often require geo-location information in order to provide users with useful information depending on their geographical location. Many of these organizations or mobile applications require the user to consent to the collection of geo-location information as a condition of obtaining the information provided by the application, device, or website.
However, the privacy concerns are well founded. It is important that only the data providers, who have direct relationships with their own consumers, have access to a customer’s personal information. In a hypothetical example, location data can provide insight into victims’ whereabouts as well as their habits and lifestyle, helping an attacker get to know the victims, their interests, where they go, and what they do. Armed with this type of information, an attacker can more easily script a personalized email that references the victim’s recent activities.
It seems like just about every mobile app you install these days requests access to your location data, so it is important to know your privacy rights. The vast majority of applications specify that location data is only used while the app is active, yet you still need to stay aware of what you are sharing. One solution would be to disable the location tracking feature on your mobile device. But if you do that, you also give up the benefits and value that come with sharing that information. Thankfully, you don’t have to go that far if app developers just adhere to more secure coding practices. An alternative solution is to limit the precision of geolocation data and to limit the speed and magnitude of user location changes, which prevents attackers from harvesting the precise distance of a device from arbitrary points.
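The two mitigations named above, sketched as a server-side check. This is an added example, not code from the original article or from any particular app; `LocationGuard`, the grid size, the speed and jump thresholds, and the sample coordinates are all assumptions chosen for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000
GRID_DEG = 0.01        # assumed cell size, roughly 1.1 km of latitude
MAX_SPEED_MPS = 70.0   # assumed ceiling on plausible travel speed
MAX_JUMP_M = 50_000.0  # assumed ceiling on one accepted move

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2 +
         math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def snap(lat, lon, grid=GRID_DEG):
    """Precision limiting: map every point in a grid cell to the cell centre."""
    return (round((math.floor(lat / grid) + 0.5) * grid, 6),
            round((math.floor(lon / grid) + 0.5) * grid, 6))

class LocationGuard:
    """Hypothetical server-side gate for claimed positions and distance answers."""
    def __init__(self):
        self._last = {}  # user_id -> (lat, lon, unix_seconds)

    def update(self, user_id, lat, lon, ts):
        """Accept a claimed position only if the move from the last one is plausible."""
        prev = self._last.get(user_id)
        if prev is not None:
            dist = haversine_m(prev[0], prev[1], lat, lon)
            dt = ts - prev[2]
            if dt <= 0 or dist > MAX_JUMP_M or dist / dt > MAX_SPEED_MPS:
                return False  # keep the last accepted position
        self._last[user_id] = (lat, lon, ts)
        return True

    def coarse_distance_km(self, user_id, other_lat, other_lon, bucket_km=5):
        """Distance to another device, from snapped coordinates, rounded up to a bucket."""
        lat, lon, _ = self._last[user_id]
        d_km = haversine_m(*snap(lat, lon), *snap(other_lat, other_lon)) / 1000
        return max(bucket_km, math.ceil(d_km / bucket_km) * bucket_km)

if __name__ == "__main__":
    guard = LocationGuard()  # coordinates below are constructed sample values
    print(guard.update("u1", 40.7128, -74.0060, 0))       # first fix
    print(guard.update("u1", 40.7138, -74.0060, 60))      # short walk
    print(guard.update("u1", 34.0522, -118.2437, 120))    # implausible jump
    print(guard.update("u1", 40.7138, -74.0060, 180))     # plausible again
    print(guard.coarse_distance_km("u1", 40.7580, -73.9855))
```

Because distances are computed from cell centres and rounded up to a bucket, two devices anywhere in the same cell produce the same answer, and a client cannot hop between arbitrary claimed positions to refine it.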
What to consider if your organization collects geo-location information:
- What is the purpose for which geo-location information is being collected?
- Are you collecting the least granular (i.e., most general) location information possible in order to effectively provide a product or a service to the consumer?
- How often do you need to collect geo-location information?
- Is the user aware that geo-location information is being collected?
- Does the user have the ability to disable the collection of geo-location information?
- Does the user have the ability to control how long that information is maintained, how it is used, when it is shared, and whether it is associated with their name?
- Will the geo-location information be shared with third parties such as advertisers? If yes, how much and how often will you share the information?
- Is the geo-location information encrypted in transmission from the consumer and/or at rest within your organization?