Business Issues -> Security & Risk
Location-based mobile applications such as Facebook, Google and others are used by a large percentage of adults and teenagers. Applications that pinpoint a user's physical location introduce unprecedented new risks. The potential threats range from fraud and identity theft to crimes such as burglary or physical violence.
Geolocation is your physical location and is derived by technology using data from your computer or mobile device. It could relate to your physical location (position on the earth's surface) or the virtual (internet) environment. Both can be collected in many ways:
Location can be collected in an active or passive mode. The active mode is a user device that provides the Geolocation using software to determine the user's position by wireless, GPS or by "request and response". The passive mode is server-based and determines the position via IP (internet protocol), 3G or 4G and wireless positioning.
What are the benefits location brings?
Location, combined with other personally identifiable information, can be used or abused. The capabilities of this technology empower social networking, support law enforcement, enable many mobile services and also provide a serious concern in the hands of criminals.
Location information can be seriously abused. For example, an individual who announces holiday plans or activities on a social networking site may be signalling to a criminal that their house is currently unoccupied, leading to a higher risk of being burgled, whilst more general personal information could be used in social engineering attacks against them.
For organisations, location information can lead to unwarranted surveillance of their current activities. An example could be tracking the location of a company's executives. This could provide its competitors with pointers regarding ongoing business negotiations, such as potential mergers or acquisitions. This could affect the organisation's brand and reputation, or even dent it financially if the competitor were able to scupper the deal. Organisations must also be wary themselves when using location-based services. They should be careful that information collected regarding the location of their employees does not constitute illegal tracking of their activities outside of business hours. In addition, any location-based services offered to customers or suppliers should take into account the privacy and ethical concerns of those parties.
In dealing with such risks, ISACA, which provides issues and guidance with regard to the governance, security and audit of information systems, cautions that the legal obligations of users and developers of geolocation data are currently unclear. In the absence of legal guidelines, it cautions that organisations need to carefully consider what controls are appropriate. These could be strong access controls and anonymisation techniques or the use of encryption for all personally identifiable information. It urges all organisations using geolocation to develop its own framework to address privacy and security locations, making use of existing information security frameworks such as CobIT.
How to safeguard yourself? We quote the ISACA recommends this 5-step practice:
With such safeguards in place, you will be in a much better position to embrace the exciting benefits that are offered by geolocation technologies.
This article was prompted by the discussion within "Why geolocation apps can be dangerous" and the ISACA's new white paper, "Geolocation: Risk, Issues and Strategies."
 IP - Internet Protocol
 GPS - Global Positioning Systems
 ISACA - Information Systems Audit Control Association
 CobIT - Control objectives for Information and related Technology
We have not received any comments against this entry. Why not be the first?
We automatically stop accepting comments 180 days after a post is published. If you would like to know more about this subject, please contact us and we'll try to help.
Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761