Great GPS and its dark side







Another translated article about the privacy of our data. This time we will talk about GPS, the principles of its operation and its unresolved security issues, so get your tinfoil hats ready and read on.







GPS provides us with fantastic opportunities, but there are no rules or restrictions on collecting data using it.







What is GPS?



Global Positioning Systems (GPS) consist of a set of mid-altitude satellites controlled from multiple ground stations.







Each satellite has an extremely accurate clock and sends data and a clock signal to Earth. GPS receivers use these signals to determine their location anywhere in the world in the form of latitude, longitude, and altitude.







Currently, there are three global systems: GPS (USA), GLONASS (Russia) and GALILEO (European Union).













In addition, China has a regional COMPASS system, which it plans to expand to global reach, and there are independent regional expansion systems operated by Japan and India.







A huge number of devices have built-in GPS receivers, including most modern vehicles, tablets, mobile phones and other equipment. These receivers are used to determine the user's location anywhere in the world with impressive accuracy.







For example, a GPS-enabled smartphone app can tell the difference between waiting in line and getting an order from a fast food restaurant counter.







This is remarkably useful as long as the devices provide location data only to you, but they are also capable of transmitting it to someone else.







How does it work?



The position of each satellite can be determined at any time with incredible accuracy. By measuring how long the signal from each of several satellites takes to reach your device, you can determine the distance between your device and each of them, as if you had instantly stretched out invisible tape measures.







Simple geometry then comes into play: triangulation determines the position of the receiver on the ground with an accuracy of 2 meters or more. Even greater accuracy is planned for the future, enough to tell when you switch hands while talking on the phone.
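The range-based position fix described above, as an added example that is not part of the original article. It assumes the receiver clock is perfectly synchronized with the satellites (real receivers solve for their clock error as an extra unknown); the coordinates in `SATS` and `RECEIVER` are constructed, and `locate` and `solve3` are hypothetical names.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def solve3(a, b):
    """Solve the 3x3 linear system a·x = b by Gauss-Jordan elimination."""
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(3):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][3] / m[i][i] for i in range(3)]

def locate(sats, times):
    """Receiver position (m) from 4 satellite positions (m) and transit times (s)."""
    r = [C * t for t in times]                  # distance = speed of light x time
    s0, r0 = sats[0], r[0]
    n0 = sum(c * c for c in s0)
    a, b = [], []
    # Subtracting the first sphere equation |x - s0|^2 = r0^2 from the others
    # cancels |x|^2 and leaves: 2 (si - s0) . x = |si|^2 - |s0|^2 - ri^2 + r0^2
    for s, ri in zip(sats[1:], r[1:]):
        a.append([2 * (s[k] - s0[k]) for k in range(3)])
        b.append(sum(c * c for c in s) - n0 - ri * ri + r0 * r0)
    return solve3(a, b)

# Constructed geometry: a receiver on the equator and four satellites.
RECEIVER = (6_371_000.0, 0.0, 0.0)
SATS = [(26_560_000.0, 0.0, 0.0),
        (18_780_000.0, 18_780_000.0, 0.0),
        (18_780_000.0, 0.0, 18_780_000.0),
        (18_780_000.0, -13_280_000.0, -13_280_000.0)]

def transit_times(receiver, sats):
    """Signal travel time from each satellite to the receiver, in seconds."""
    return [math.dist(receiver, s) / C for s in sats]
```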







In special cases, additional ground-based transmitters can be installed to increase accuracy to one centimeter.













There are also two other methods for improving the quality of geolocation when using GPS is difficult or simply impossible:









The benefits are virtually innumerable



Geolocation technology allows you to automatically land your aircraft, guides you to unfamiliar places or continents, and helps emergency services find you as quickly as possible.







Of course, there is a military application, for which GPS was originally developed, including high-precision weapons.







It also provides a wide range of scientific and industrial applications, from measuring volcanic activity to automatically controlling agricultural equipment and cars.













GPS technology helps with the precise positioning of measuring instruments, directs flight paths and measures the movement of the earth's crust after earthquakes. With the help of GPS technology built into the car, you can lower (or increase!) your insurance rates depending on how you drive. You can find lost or stolen items, or show the location of family members.







In short, GPS is a modern “miracle technology”. Unfortunately, like most things in life, it has a dark side.







Who do you trust?



Imagine if a curious neighbor installed a GPS tracking device in your car and monitored your every move. How would you feel?







Most likely not very good. Most of us would be very upset, because with detailed information about your whereabouts, such a person can cause great harm. Of course, the problem is not so much in the data itself as in the intentions of those who own it.







Almost everyone understands that the location of their device can be tracked, and most people accept this. They believe that, if it happens at all, it is done by well-regulated companies authorized to keep a constant, minute-by-minute record of their movements around the world every day.







They would be right if that were true, but that is not so.







So what?



Is the location of the person really sensitive enough to be disturbing?







For most people, the answer is no, not really. Do I really care that someone knows about my trip to the store, or what route I took?







But what if my destination is a courthouse, a general practitioner’s office, or perhaps a specialized women's clinic?













What if the accuracy is enough to say with whom, and for how long, I have been within one or two meters?







What deeply personal conclusions can they draw?







Or what if, in order to make ends meet, I work a second job that my employer would probably not approve of, and my geolocation data shows my constant presence there?







Now do you care?







But what if, instead of an authorized state body, hundreds of companies of all sizes have access to your data? Each has its own goals and intentions... for example, to sell or otherwise use your data.







What about the real problems encountered by a completely innocent farming family? Or the case of people living in a house in Ashburn, Virginia, to which 17 million IP addresses were mapped (because there were several large data centers nearby)? A recent analysis shows that there are thousands of such “default” mappings.







Thus, in addition to the intentionally intrusive use of location information, there is also virtually no protection against errors, negligence, or intentional abuse.







GPS: global personal surveillance?



A Simple Myth: Confidential GPS information is only available to legally controlled organizations.







For example, a weather app I recently installed asked me to provide access to my location data to provide personalized forecasts. It sounded reasonable, and I agreed.







But then I thought: “Hey, wait a minute... is it true that my location is used ONLY to warn me about rain?”













I wondered what else could be happening, so I began to delve into all the technical documentation I could find, and also read through the 31 pages of the license agreement. I found what I was afraid of: about once a minute, my location is sent to the owners of the application, and later to their business partners, whoever they may be.







Interestingly, the application is free because they can earn money by selling information about me: who I am and where I am, day or night, in rain or heat.







Simply through a weather application, my movements around the world are known with tremendous accuracy to the thousands of people who have access to this data. These are mainly advertisers who buy data from developers of similar applications, but in principle it can be anyone.







When I found out about this, I wondered what would happen if I changed my settings to prevent the application from accessing the location services of my device.







And guess what? It was not difficult... the next time I started the application, it asked for my location, and I entered it manually. A zip code is more than enough for weather forecasting.







Now, instead of instantly tracking my whereabouts, the only thing that goes back to their servers, and is therefore sold to others, is my zip code, which stays fixed no matter where I go.







UPDATE March 3, 2017: Sen. Ron Wyden and Reps. Jason Chaffetz and John Conyers reintroduced the Privacy and Surveillance Act (HR 1062). We hope Congress passes this bill quickly to protect consumer privacy, but it applies only to the United States.


Few or many?



If a simple weather application can do this, then who else? I decided to find out, so I devoted the evening to reading the license agreements for many applications that I have installed over the years.







It turns out that many applications periodically send information about me from the device to their servers. Sometimes this is anonymous (so that they can only see that a man aged 35-44 was in a particular place), but mostly it is not, and they know my name, address, phone number and every specific place I have been, at all times.







The Pew Research Center checked this for a little over a million different Android applications and found that 217,304 were requesting approximate geolocation data from the devices on which they were installed, and another 247,420 applications were requesting accurate location data.







So this is not just one weather application: as many as 464,724 (44%) different applications want to know where you are.







Even more strikingly, 859,684 (82%) of all Android applications request direct access from the application code to the Internet. Of course, some of them are completely innocent, but for free applications this is probably a chance to send data about you to the creators of the application for monetization. Basically, this explains why they provide the application for free or almost for free.
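The same kind of permission count, run over manifests you have decoded to text XML yourself, as an added example that is not part of the original article or of the study. The permission names are Android's own; the sample manifests and package names are constructed, and `audit` and `tally` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NAME = "{http://schemas.android.com/apk/res/android}name"
COARSE = "android.permission.ACCESS_COARSE_LOCATION"   # approximate location
FINE = "android.permission.ACCESS_FINE_LOCATION"       # accurate location
INTERNET = "android.permission.INTERNET"

def audit(manifest_xml):
    """Classify one decoded AndroidManifest.xml by what it can learn and send."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME) for tag in ("uses-permission", "uses-permission-sdk-23")
             for el in root.iter(tag)}
    location = "precise" if FINE in perms else "approximate" if COARSE in perms else None
    return {"package": root.get("package"), "location": location,
            "internet": INTERNET in perms,
            # Location plus network access is the combination that lets an
            # app ship a movement history off the device.
            "can_upload_location": location is not None and INTERNET in perms}

def tally(manifests):
    """Count apps per category across a set of manifests."""
    counts = Counter()
    for xml_text in manifests:
        r = audit(xml_text)
        counts[r["location"] or "no location"] += 1
        counts["internet"] += r["internet"]
        counts["can upload location"] += r["can_upload_location"]
    return counts

def manifest(package, *perms):
    """Build a constructed sample manifest requesting the given permissions."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}</manifest>')

SAMPLES = [  # constructed, hypothetical apps
    manifest("com.example.weather", FINE, INTERNET),
    manifest("com.example.flashlight", COARSE, INTERNET),
    manifest("com.example.notes"),
    manifest("com.example.compass", FINE),
]
```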







What does this mean for me?



Despite the simplicity of the scheme, it leads to the fact that a large number of people have unhindered access to an extremely detailed history of your movements.







For example, the company whose fruit juice I give to my children knows that I left work an hour earlier yesterday, that my wife and I were at the bar on Saturday, and that I was at the medical clinic last Tuesday for 4 hours. The orange juice company knows everything.













Jokes aside? Yes.







Just noticing that I regularly visit another office two evenings a week, and that my wife is at home with the children exactly on the same days (yes, she has the same weather app), you can easily conclude that I work part time.







Although it is not prohibited by my employer, if it becomes known it can still put me in a difficult position, despite the fact that this is my personal time.







I used to think that the chances of getting such information into the public domain, and as a result to my employer, were incredibly small. But now I’m not so sure about it, and I think that it may appear on some new site, legally or illegally.

My children also have smartphones. It’s good for me to know where they are, but is it right that companies of all kinds also know which street my daughter is walking down at any given time, or which shelf of hygiene products she is looking at in the pharmacy?







Shopping centers are also in the game, using both GPS and supposedly free Wi-Fi to track your every move, analyze who you are and what you buy to make you spend more.







This list has no end ...







Beyond Smartphones



Under the bicycle seats, you can find similar devices the size of a coin sold under the TrackR brand:













This device is a smart integration of low-power Bluetooth technology and the GPS capabilities of nearby mobile devices. You can buy these inexpensive devices for $29 (or buy 4 and get 4 more for free) and attach them to valuable items to find them in case of loss.







Functionally identical technology is also sold under the Tile brand. Attach these little things to your valuables, and you will know where they are all the time - it sounds good.







But wait... what if someone wants to track you down? How hard would it be to stick one of these things onto your car, motorcycle or bike, covered in a strip of black tape? How often do you check under the seat? Even if you notice it, will you recognize it for what it is, rather than taking it for some ordinary part of the vehicle?







On the TrackR website, they say that it works everywhere and that it only makes sense because GPS works anywhere in the world. Devices are cheap and do not require additional expenses. According to them, they have created a powerful global collection of subscriber devices.













My concern is not “how the device SHOULD be used” (I think it’s a great product); I’m worried about “how it MAY be used” by anyone with a couple of dollars. This is GPS surveillance for the masses, controlled by no one, with only a little advice from the company: "... we do not recommend using TrackR in public. We would recommend that you use the real-time tracking service instead."







But this is just advice, not even a ban. From a practical point of view, what really prevents someone from abusing technology? In fact, anyone can become 007, and companies such as TrackR are the equivalent of a Q-branch.







Of course, for many years there were other means to achieve the same, but it was expensive (for example, here, here or here).







But with the advent of such low-cost technology, it bothers me that anyone can secretly track another person with only negligible cost and effort.







Build it and they will come



We are seeing an increase in the number of applications with complex geolocation, which is used as the main "currency" in exchange for the ability to use the application for free. This is especially true for games like Pokémon Go, as this blog post describes.













These applications are designed in such a way that geolocation is an integral part of what the developers hope will become gameplay so exciting that you will be willing to overlook the fact that they are tracking you and selling this information.







They go to great lengths not to mention that this is the reason they give you the game for free.







Do not buy it, this is an illusion. Nothing is free.







It is even in our pictures



Did you know that pictures taken with a smartphone or a recent digital camera contain GPS data, in addition to information about the camera or the smartphone itself?













Even today, most people do not know this and do not understand that this can have serious consequences when they upload or share photos on the Internet.







What's next?



It is interesting to think about how progress and new technologies will affect these problems in the near future. Here are a few things that, in my opinion, deserve our attention:









Remember that the servers to which these applications send your GPS data have the inexhaustible ability to keep your personal footprint for life, possibly for a very long time.







Almost none of them are protected by law, and at present most of them are extremely vulnerable to hacking, because this data is not considered sensitive enough to deserve even the elementary protection given to such things as credit card information or medical records.







This data will soon become so complete that in 10 years almost everyone will be able to find out where you were last Tuesday at 14:34, what you did and with whom you worked, with far greater reliability than you could possibly remember it yourself.







What can I do?



The single most important action you can take is to revoke the geolocation permission for every application where it is not absolutely necessary, carefully considering which applications you really need in the first place. As I discovered with the weather app, this usually does not have much negative effect.







In addition, we all need to make our legislators recognize geolocation tracks as confidential personal information and develop laws to better protect them.







Perhaps the biggest problem of all is also one of the most surprising, and was raised in a study by the Royal Academy of Engineering a few years ago: what will we do if the system fails? This is quite possible if a sufficiently strong solar flare occurs, or as a result of military action, whether physical or by hacking.







The simple truth is that we should not become too dependent on anything, but that is exactly what is happening. Use GPS, but do not discard old maps yet.







And finally ...



We often hear people say, “I don’t need privacy, I don’t do anything wrong,” but this is a confusion of the concepts of “confidentiality” with “crime”.







You do nothing wrong when you undress at night or use the toilet, but still close the door. Doesn't the information about where you go and who you are with deserve to be personal?







