Mobile Device Geo-location and Privacy

Spencer Wilcox@brasscount

These slides are available at Securiplay.com

ABSTRACT

Lack of controls on the use of geolocation services have resulted in proposed legislation, and interesting court cases. What are the ramifications of government, businesses and advertisers knowing the whereabouts, and having access to the contents of the metadata produced by you or your employees?

DISCLAIMER

I am not an attorney. I am not providing a legal opinion, or offering legal advice. I am providing information regarding my research on this topic, which may include law or case law. My views are my own, any opinions expressed in this presentation are mine, and do not necessarily reflect the opinions of my employer. Please consult your attorney before adopting any of the practices discussed in this presentation. If you choose to implement any of the ideas expressed in this presentation, please mention the inspiration that this presentation provided.

GEO-LOCATION RISK

Tools and technologies that use geo-loc• Mobile Device Management• Camera photo coordinates (Exif)• GPS driving directions.• Social Geo-location– Yelp– Placely– Foursquare– Facebook– Twitter > Stream API

Use cases for mobile device geo-loc• Use twitter feeds to monitor for live events in specific

locations:– Tweet-to-map– Itsatwap– Twee.py – Python library.– Jasmine

• Intelligence search within a geo-fence surrounding a critical location.– During an open house what are people tweeting?– Are there a larger than normal number of tweets occurring

around your facility > demonstration>#flashmob

What are the risks associated with geo-location?• Legal Risks – GPS Trackers, Stingers, Cell phones• Public Information –

– Location of Sensitive Facilities– Side-Channel attacks – employee tracking by govt, thieves, PI’s

journalists, etc.– City Data Warehouses – Ownership of sensitive locations, security and

fire POC’s, location of municipal infrastructure facilities.• Competitive Intelligence

– Tracking of your employees by competitors• GPS Jamming

– Timing attacks– Industrial Control Systems

What are the risks associated with geo-location?• Personal Privacy Risk

– Find my cheating spouse– Find my iPhone

• Children– COPPA

• HIPAA / HITECH / OMNIBUS– Is knowing what kind of Dr. your employee is visiting a violation, if your

company issued mobile device or MDM solution tracks location?• Driving Habits / (The 7 habits of highly uninsurable people)

– Progressive Snapshot – Log Miles, Hard Brakes, Time of Day– Waze – Social Media GPS app – Logs where you were, length of travel,

and other things.

Are your whereabouts protected information?

• Statutory Law– Texas Bill – HB No. 2268 – warrant requirement for access to stored communications and

customer data.• Proposed Statutory Law

– Federal• GPS Act – Geo-location Privacy and Surveillance act (HR 1312, SB 639 – referred to judiciary and intelligence

committee.• Online Communications and Geolocation Privacy Protection act (HR 983, referred to house intel and

judiciary committee)• Location Privacy Protection act (S. 1223 – 112th congress) – Not yet reintroduced in 113th.

– States proposing laws – Maryland, NJ, • Regulation

– GPS Jamming• Case law

– US vs. Antoine Jones– US vs. Melvin Skinner– State vs. Earls

U.S. V. ANTOINE JONES

On January 23, 2012, the U.S. Supreme Court announced its unanimous decision in United States v. Antoine Jones (No. 10-1259), a case addressing the constitutional privacy rights of American citizens in the face of modern tracking systems based on GPS and other technologies. The Court ruled that law enforcement must obtain a warrant prior to attaching a GPS device to a suspect's vehicle in order to monitor its movements. In this case, the FBI and District of Columbia police affixed a hidden GPS device to the vehicle of suspected drug dealer Antoine Jones in a public parking lot. The device recorded and transmitted the vehicle's movements for 28 days.

U.S. V. SKINNER. 09-6497, U.S. CIRCUIT COURT OF APPEALS FOR THE SIXTH CIRCUIT

A man convicted of marijuana trafficking had no reasonable expectation of privacy with the mobile phone he was using when apprehended, a U.S. appeals court ruled. Federal agents tracked Melvin Skinner to Abilene, Texas, using the global positioning signals emitted by his mobile phone, found him in possession of more than 1,100 pounds (498 kilograms of marijuana and arrested him in July 2006, the court said in its 2-1 ruling today. Skinner appealed his convictions for trafficking and other federal crimes as well as a lower court ruling that the GPS tracking was lawful and that evidence found in the ensuing search was admissible. “If a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal,” U.S Circuit Judge John M. Rogers wrote. “The law cannot be that a criminal is entitled to rely on the expected untrackability of his tools.”

STATE OF NJ VS. THOMAS EARLS

Users of cellular telephones had a legitimate expectation of privacy in information revealing the location of the telephone, and, thus, under state constitution, police officers were required either to obtain a search warrant or be able to show existence of an exception to warrant requirement, requirement, such as exigent circumstances, in order to obtain location information from defendant’s cellular telephone service provider; even if telephone users were required to disclose information to providers in order to obtain service, such disclosures were not made in order enable telephone to serve as a tracking device, and users were reasonably entitled to expect confidentiality in large amount and revealing nature of information available through telephone records. N.J.S.A. Const. Art. 1, par. 7.

STATE of New Jersey, Plaintiff–Respondent,v.

Thomas W. EARLS, Defendant–Appellant.Argued Oct. 22, 2012.

| Reargued Jan. 29, 2013. |Decided July 18, 2013.