[LINK] PI discovers flaw in Google phone tracking system

Roger Clarke Roger.Clarke at xamax.com.au
Thu Feb 5 22:17:55 AEDT 2009


From: Simon Davies <simon at 8020thinking.com>
>  Dear Advisory Board members,
>
>  Just a quick note to let you know that we have discovered a security
>  flaw in Google's new global phone tracking system that was launched
>  yesterday.
>
>  For anyone interested please read our report at
>  http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-563567
>  and spread the word as much as you can.

"... the danger arises when a second party can gain physical access 
to a user's phone and enable Latitude without the owner's knowledge. 
At present we are unaware of a way this could be achieved remotely. 
...

"We have considered the following five scenarios:

*   An employer provides staff with Latitude-enabled phones on which 
a reciprocal sharing agreement has been enabled, but does not inform 
staff of this action or that their movements will be tracked.
     [or simply tells them it comes with the job, i.e. retrospective, 
unilaterally-imposed conditions of service]

*   A parent gifts a mobile phone to a child without disclosing that 
the phone has been Latitude-enabled.

*   A partner, friend or other person gains access to an unattended 
phone (left on a bar or in the house) and enables Latitude without 
the other person's knowledge.

*   A Latitude-enabled phone is given as a gift.
     [spouse, lover, etc.]

*   A phone left unattended, for example with security personnel or a 
repair shop, is covertly enabled.

...

>  Best wishes
>
>  Simon
>  ------------------------------------------------------------------------

[These are similar to aspects discussed on the APF Board list today.

[The design and the announcement make clear that Google is thinking 
more, and more constructively, about privacy than it used to.  And 
that's very welcome.

[But designing applications of inherently intrusive technologies is 
seriously challenging.

[The company has again invited negative comment by the public, 
consumer and privacy advocates, the media, and regulators, by failing 
to conduct prior consultations with the kinds of organisations that 
can provide insights.  That includes PI internationally, EPIC in the 
USA, and APF and EFA in Australia.]


-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


