More than a Privacy Breach: Security Implications of Personal Geospatial Data Leakage

By Alexander Nocks

Earlier this month the New York Times published another article noting how widely personal geospatial data is shared and how easily identifiable it is. It features the usual spokespeople, consumers who thought they understood their privacy risks only to be shocked by the granularity of information The Times readily discovered about their lives: how long they spent at a doctor’s office, how frequently they spent the night at an ex’s house, and when they flew out of town.

This investigation is one of many sounding the alarm about the privacy breaches created by widespread location tracking and data publication. The privacy threats are valid and can manifest in physical harm, especially in stalking incidents and thefts. However, the dangers of widespread access to personally identifiable geospatial information extend beyond individual privacy breaches: they also exacerbate broader security vulnerabilities that are more alarming but less discussed.

Some of the national security dangers of personal geospatial data falling into the wrong hands were exposed by the Strava incident last spring. The fitness tracking service published a global heatmap showing the routes its users took when exercising. While Strava allows its users to disable sharing to the heatmap, enough military personnel failed to do so, marking their routes at secure facilities. In July, a similar leak was discovered, this time from a fitness app called Polar. Since Polar showed all of an individual’s exercise routes on one map, collected data more frequently, and allowed data to be scraped (which makes it much more accessible), it exacerbated security vulnerabilities even more than its rivals. Even after the Strava hubbub and the policy changes made in response, investigative journalists were able to use Polar data to identify nearly 6,500 unique users, over 200 of whom exercised at secure sites.

At first, the natural response to these privacy concerns and security exposures is to encourage end users to increase their privacy settings and cut back usage of these location tracking services. In August, the Pentagon banned commercial GPS software in combat zones and other sensitive areas. Those can be effective stopgap solutions, but the ever-increasing volume, granularity, and temporal resolution of geospatial information will soon overwhelm the ability to successfully turn the tracking’s dangers off.

Geospatial information’s widespread growth is being driven by the rise of two types of data: volunteered geographic information (VGI) and ambient geographic information (AGI). VGI is location-based content that a user actively chooses to share with the world. Whether for location-based special offers or to contribute to a shared map, people frequently produce VGI. As sharing one’s location becomes more normalized, the social pressures to do so build, and improving technology makes sharing location-based content more intuitive, the volume and granularity of VGI will only grow.

Even more widespread than the geospatial information that users are volunteering is the information they’re sharing passively—for example, when location data inadvertently collected by a user’s cell phone is sold. That ambient geographic information is primarily generated by devices connected to the internet, like insulin pumps, fitness trackers, and connected cars. As the internet of things takes off, more and more devices are producing AGI and mapping the world at a more granular level than ever before. With over five billion smartphones globally, a large part of the population is constantly connected to at least one location-aware computer, making continuous tracking an accepted norm. From dating apps to augmented reality platforms, location tracking and AGI are only becoming more prevalent. As technology improves, the data being collected becomes more revealing too, especially as its temporal resolution increases to the point of providing nearly real-time insights.

Together, technology’s improving ability to collect and distribute geospatial information and society’s increasing reliance on it mean this problem will not go away. In fact, the problem is already bigger than it is perceived to be. Rather than just being a privacy issue or an avoidable security issue, the rise of publicly available geospatial information is creating a broader security threat by improving adversaries’, especially terrorists’, ability to select targets and to plan and execute attacks.

Not only does widespread, real-time geospatial information reveal vulnerabilities about potential targets that would not otherwise be apparent, it also reduces the need for in-person surveillance of targets. In-person surveillance is one of the best opportunities for an attack to be discovered before it comes to fruition. For example, increased surveillance of potential targets was one of the few indicators of a pending attack that President Bush saw before 9/11. As the geospatial information environment continues to develop, adversaries will be increasingly equipped to forgo in-person reconnaissance, making it far more difficult to detect attacks before they occur.

Non-state actors have already used publicly available geospatial information to plan attacks, as Lashkar-e-Taiba did in preparation for its 2008 Mumbai attacks. In that incident, Lashkar-e-Taiba also used real-time data to adapt as the attacks progressed. As the caliber and volume of real-time geospatial information increase, so too will the security vulnerabilities they exacerbate. The new geospatial world we’re entering has profound privacy implications, but those individual concerns cannot continue to overshadow the broader security implications.