Do Geotagging and Presence Put Your Enterprise at Risk?
Sometimes knowing who, what, where, and when is not such a good thing. Security consultant Diana Kelley explores the dangers of geo-location to your business's information security.
The National Weather Service (NWS) recently started a project that invites the Twitterverse to submit weather reports. The reports can be manually tagged with the Tweeters location, or automatically tagged using Twitters geotagging functionality. For anyone whos watched a local weather reporter explain that today will be cloudy with a remote chance of rain, and then looked out the window at an active downpour, the promise of more accurate location-based weather reporting is appealing. And on the surface, what possible harm could come from letting the world know youre in Old Orchard Beach, ME right now and the weather is perfect? Thinking beyond weather, though, consider an Executive retreat at a Twitter-friendly enterprise. Auto-geotagged Tweets could instantly update others on the precise location and current travel conditions for employees as they journey to the meeting. Add presence awareness to geotagging, and you can identify not only when one of your in-flight colleagues is back on the ground, but also if theyve landed safely at their target destination or were unexpectedly re-routed to another airport.
Geo-location and presence have a myriad of positive uses for individuals and enterprises. But, as with many things, there is another side to consider: privacy and risk. Specifically, what are the mis-use cases for presence and geotagging?
For private users, inadvertent telegraphing of whether or not your home is empty is one. Last year, Israel Hyman of Arizona believed that his vacation-related Tweets led to his home being burglarized while he was out of town. Its easy to recommend that users be more circumspect with their location informationfor example limiting their followers to a select trusted few, or using direct messaging (DM) for private information. But as John Hodgman, the PC in the infamous "I'm a Mac" Apple advertisements, found out last year, sometimes fingers slip and private messages with cell phone numbers get Tweeted to everyone. Auto-geotagging of messages means that in addition to the already obvious ways in which Tweeting can cause a breach of personal or corporate information, if location information is attached to the Tweet, it could expose the fact that the author is far from home (or the office), even if nothing explicit is Tweeted about his or her location.
Now you see me
Consider embedded geo-tags on photographs posted on social networking sites, such as Facebook, or on internal enterprise collaboration servers. With automatic geo-tagging, the latitude and longitude of where the picture was taken is stored along with the digital photo. Scoping out a new site for your companys next store? Dont share a picture of it, even without any descriptive text on a public server or your competition may be onto your plans. This scenario may sound a little far-fetched, but the use of public photo repositories, such as Flickr and Twitpic, is on the rise, and corporate users that dont understand geo-tagging may mistakenly believe that a picture without a text description is not traceable back to a specific location.
Presence is another feature that can result in unintended consequences. For anyone thats gotten a phone call within seconds of turning on their phone, or an IM right after switching profiles back to available, the power of presence is clear. And for companies that are making use of presence to ensure the right resources in first responder, medical, and customer service scenarios are available, the utility of presence is unmatched. Flipping to a mis-use case though, presence could lead to an invasion of an employees privacy or contribute to an always-on work environment. How? Consider an employee who is on vacation who logs in for a few moments to check e-mail and is immediately bombarded with urgent questions. A responsible worker might respond to the questions and end up diving into hours of work, thus depriving herself of restorative down-time and possibly leading to burn-out.
As with most things security- and privacy-related, the answer isnt to cover our heads with tin-foil and hide in a cement bunker. However, educating users and employees about what geo-tagging and presence are and apprising them of acceptable use policies is advisable. While itd be nice to know if it really is raining in Kansas City right now, itd also be nice to know that no one is using that information to rain on your corporate privacy parade.
Diana Kelley is Partner and co-founder of research and consulting firm SecurityCurve. She formerly served as Vice President at research firm Burton Group and Executive Security Advisor for CA. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.