
GPS devices, geolocation data create privacy, security risks

By Linda Tucci, Senior News Writer
06 Oct 2009 | SearchCompliance.com


In 2005, American Car Rental, doing business as Acme Rent-A-Car, used the Global Positioning System (GPS) devices in its rental cars to track the driving speeds of its customers. Each time a vehicle's speed exceeded 79 miles per hour for two continuous minutes or more, the car company charged the driver $150. Some customers were not given advance notification of the fees, discovering the charges weeks later on their credit card bills. The car rental company, which is no longer in business, argued that tracking the information was justified due to the additional wear and tear the excess speed exacted on its cars. But when a driver sued, a Connecticut jury saw it differently, ruling the practice a violation of the state's fair trade practices laws and awarding the plaintiff in James Turner v. American Car Rental Inc. the amount of the surcharges, plus legal fees.

Legislative action followed swiftly. Connecticut, California, New York and other states have since passed laws restricting the car rental industry's use of information gained from GPS devices to track location and behavior of its customers, as the American Bar Association reported in "Rent a Car, Rent a Spy."

Is this just a matter for the car rental industry? Hardly. The court's response and legislative action, experts said, should serve as a wakeup call to corporations about uses and abuses of geolocation data and the risks this information poses for their enterprises.

As applications and services for broadcasting a person's geographic location become more widespread, from Google Latitude and the GPS-enabled Garmin nuvifone to travel aggregation sites like TripIt, corporate policy questions and legislative action are bound to increase. Yet corporations, like most consumers, don't have a clue about how these technologies can lead to privacy violations or security breaches.

"Right now, enterprises do not have that risk plotted out -- anywhere," said Ian Glazer, a security analyst at Midvale, Utah-based Burton Group Inc.

Competitive advantage for rivals

Location-based data can be exploited for competitive advantage by rivals, Glazer pointed out, if, for example, a group of executives disclose location information that can be easily traced to sensitive business transactions, such as acquisitions or real estate sitings.

For multinationals doing business in politically unstable locations, geolocation can endanger employees. Then there are the privacy concerns. Can employers get access to the geolocation data associated with an employee but perhaps not directly related to the job if the device is company-owned?

"The upside is that these types of technologies and the challenges they present can be addressed with awareness training and policy. Educating employees to think about location as competitive intelligence or a safety issue is fairly straightforward," Glazer said.

Miriam Wugmeister, a partner in the New York office of Morrison & Foerster LLP and the head of the firm's global privacy and data security practice, agreed that employee training is key. Most devices with geolocation capabilities have a feature that allows users to turn them off. "CIOs need to educate the users, or they need to be cognizant of the notice given to employees," she said.

Active, passive and indirect geolocation technologies

Glazer divides geolocation data into three technology channels: active, passive and indirect. Active technologies actively disclose an employee's location. Google Latitude, which pulls data from the GPS in one's phone and makes a statement about it, is an obvious example. Geolocation information in pictures posted to Flickr.com is a less obvious example of an active channel, he said. "The data is right there for the taking, and it is also temporally linked … with a time stamp, so now I know when that person was there."

Passive channel technologies provide users with location capabilities. A travel aggregator site such as TripIt, for example, collects users' travel information in order to offer travel services but then can communicate it again to a social network or the public via Twitter.

Indirect channels are tools like Yelp "that allow users to get up on a soapbox and basically, say, 'Look at me, I am over here, having a great meal in Sheboygan,'" Glazer said.
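Glazer's remark that a posted photo carries both a location and a time stamp refers to the Exif metadata that GPS-enabled cameras and phones embed in JPEG files. As an added example, not code from the article or from Burton Group, the stdlib-only Python below parses the Exif APP1 segment of a JPEG, reports whether a GPS sub-IFD is present, and strips the Exif segment so the file can be cleaned before it leaves the enterprise; the sample JPEG is constructed inline, while the tag ids (0x8825 for the GPS IFD pointer, 0x0002/0x0004/0x0007 for latitude, longitude and time) are the standard Exif ones.

```python
import struct

GPS_IFD_TAG = 0x8825           # real Exif tag id: IFD0 entry that points at the GPS sub-IFD
EXIF_HEADER = b"Exif\x00\x00"  # prefix of an APP1 segment that carries Exif metadata

def _segments(jpeg):  # yield (marker, start, end) for each marker segment up to and including SOS
    pos = 2  # skip the SOI marker FF D8
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = struct.unpack_from(">BH", jpeg, pos + 1)  # length field counts itself
        end = pos + 2 + seglen
        yield marker, pos, end
        pos = end
        if marker == 0xDA:  # start of scan: entropy-coded image data follows, stop parsing
            return

def _ifd_tags(tiff, offset, endian):  # map tag id -> value/offset field of each 12-byte IFD entry
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = (struct.unpack_from(endian + "HHII", tiff, offset + 2 + 12 * i) for i in range(count))
    return {tag: value for tag, _typ, _n, value in entries}

def gps_tags(jpeg):  # GPS sub-IFD tag ids present in the photo; empty set means no GPS data
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[start + 10:end]
        endian = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order: II little, MM big
        (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0_tags = _ifd_tags(tiff, ifd0, endian)
        if GPS_IFD_TAG in ifd0_tags:
            return set(_ifd_tags(tiff, ifd0_tags[GPS_IFD_TAG], endian))
    return set()

def strip_exif(jpeg):  # copy of the JPEG with every Exif APP1 segment dropped; pixels untouched
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])

def sample_jpeg():  # constructed stand-in for a phone photo: SOI, Exif APP1 with GPS IFD, SOS, EOI
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 3)
    for tag in (0x0002, 0x0004, 0x0007):  # GPSLatitude, GPSLongitude, GPSTimeStamp
        gps += struct.pack("<HHII", tag, 5, 3, 0)  # type RATIONAL x3; value offsets left at 0 here
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + struct.pack("<I", 0)
    app1 = EXIF_HEADER + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 2) + b"\x00\xff\xd9")
```

Run `gps_tags` over outbound images to flag location leakage, and `strip_exif` to remove it; the same check applies to a real photo, since the parser only relies on the standard JPEG and TIFF layouts.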

When confronted with location data, particularly data that links to social media platforms, the instinct of some CIOs, understandably, will be "not my system, not my problem," Glazer said.

"CIOs now understand their relation to internal wikis and SharePoint. It's harder to wrap their brains around all these IT services outside the enterprise," Glazer said.

But turning a blind eye is probably shortsighted, he said, because corporate counsel and C-suite business executives will immediately get why location-based data is a risk, once they understand it can be used for competitive advantage. In fact, he and Wugmeister recommend that CIOs take the geolocation data dilemma by the horns, educating C-level executives first about the possible risks and worrying about lower-level employees later.

Another avenue to follow? Wugmeister said the Federal Trade Commission will launch a series of roundtables in December to explore the privacy challenges posed by emerging technologies.

Issues and benefits of GPS devices

Larry Whiteside Jr., chief information security officer at the Visiting Nurse Service of New York (VNSNY), is not cowed by geolocation data. "It's an issue in some regards and it's a benefit in other ways. It's an issue if the technology is on and you don't have the capability to control whether it is on or off," Whiteside said.

In his business case, where nurses, nurses' aides and many clinicians are mobile, geolocation can be a good tool for management, Whiteside said, "if it can be configured centrally and managed centrally. It's about ensuring your employees are doing what they say they are doing." When employees are on per-diem or hourly salaries, verifying how much time they actually spend on tasks can be a time-consuming process, requiring nurses to dial in from client homes, punch in codes, and so on. Nurse safety is also an issue.

VNSNY employees use Google Maps to plot out their stops in the most cost-efficient way possible. Whiteside is working on putting Google Maps and a geolocation feature on company-owned phones. "There is no added cost for these features. It's a management issue. We would even pay for an overlay or build something that would give the supervisor the ability to log in, and basically see where their nurses are," he said.

The push has come entirely from the business. Whiteside said he's working closely with legal counsel, human resources and "everyone else imaginable" in the greater Manhattan area to sort out the privacy and security concerns. But the working premise, so far, is that employees understand that when they are using company-owned equipment in the course of their jobs, they "are under the watchful eye" of the corporation.

As for keeping tabs on geolocation data employees broadcast from personal phones, he said he hasn't heard of any CISOs investing resources in this, with one exception. "I have heard that, if that information is easily available, HR may choose to look at that information, if they have other reasons to believe the employee is not doing what he says he's doing."
