Clicking 'yes' on your phone can cost you

Kate Drew, special to CNBC.com

Location, location, location

Source: Apple

The recent terrorism headlines have renewed a debate over use of encrypted technology. Whatever side of the debate you're on, there's an issue related to encryption that is more likely to pose a risk in your daily life than global terrorism.

If the indicator shaped like a tiny paper airplane is on your phone screen right now, you are being tracked. Part of the compact that smartphone users make with technology companies to benefit from the Internet's services is sharing data about themselves. Clicking "yes" on Location Services without pause when an application asks for your location is a prime example of this trade-off.

The more applications that users download, the more vulnerable you are to little-known app creators asking for permission. There is no way to monitor where the location data goes after that.

"I don't think people understand the bargain they're making," said Bruce Schneier, a cryptographer and security expert who serves as chief technology officer of Resilient Systems, a fellow at Harvard University's Berkman Center and a board member of Electronic Frontier Foundation.

Here are some of the issues you need to think about before clicking "yes" on Location Services when next asked by an app.

By Kate Drew, special to CNBC.com
Posted 24 November 2015

Show-and-tell

Lambert | Archive Photos | Getty Images

You don't have to be a Sherlock Holmes these days to do your sleuthing. Location data can be used to track behavioral patterns, such as where people eat or workout — even when they visit the doctor. If enough information is amassed, it takes only a little bit of extrapolation to pinpoint the most sensitive personal details.

For example, if someone is pinging off the same location every day between 9 a.m. and 5 p.m., that's probably where they work, explained Chris Wysopal, co-founder at Veracode. After 10 p.m.? It's where they live.

Google and Apple are NOT the problem

John Fedele | Getty Images

While larger companies, like Apple or Alphabet, have the resources to protect the information they collect through sophisticated encryption, smaller outfits don't. Often, applications end up transmitting information from smartphones that isn't encrypted, so anyone snooping on the network can have a look at it, explained Jason Hong, an associate professor at the Human-Computer Interaction Institute at Carnegie Mellon.

Google and Apple are actually pretty good at preventing this with advanced technology, he said, but others are likely to be more problematic. Although he declined to name any specific entities, Hong said that many apps and developers have this problem, and it's not going to get better anytime soon.

Privacy policies leave the door open

Facebook

Third parties, like advertisers, are able to access location data through companies in which a person has already granted permission. For example, according to Groupon's privacy statement, the online coupon company shares non-identifying information, which includes device data, with third parties.

Department-store chain Target states, "We may share non-identifiable or aggregate information with third parties for lawful purposes," in its privacy policy.

Third parties also lack the resources to protect the data they collect, Hong said. Facebook's current privacy policy — should you attempt to read it — runs to roughly 2,500 words. Facebook has been subject to several ongoing investigations in Europe related to its collection of information on people who are not even users of its service.

Who's got your back?

Anchly | Getty Images

According to security expert Schneier, many companies are willing to sell the data they've collected.

"There are thousands of data brokers in the U.S.," he said, explaining that larger companies, like Google and Yahoo, which tend to keep their data in house, are the exception.

Wysopal pointed to the advertisers, in particular, explaining that some might not feel much responsibility to protect anyone.

"As a consumer, it's really hard to tell." If those companies are aggregating information, he said, they might then sell it to other, no-name entities — or become compromised.

Gone phishing

Weerapatkiatdumrong | iStock | Getty Images

Dave Shackleford, the founder of Voodoo Security, said that with personal data, hackers can put together tailored phishing attacks by tracking someone's movements. And because of how specific it is, he said, people are more likely to click on links that are dangerous.

For example, he said that if someone frequents Starbucks and their location data shows it, a hacker might design a phishing attack asking them to click on a coupon for the coffee shop. Then that customer's personal information becomes compromised even further. Starbucks' privacy policy states that it shares your location information only with companies that help it provide services, but no names are given, and it is unclear how secure those parties are.


The big trade-off

Is the smartphone becoming extinct?
Manuel Faba Ortega | Getty Images

People don't necessarily trust companies to keep their data secure.

"Americans are worried," said Lee Rainie, the director of Internet, science and technology at Pew Research Center. "They're worried about the safety of their data in the hands of third parties." In 2013, a Pew survey showed that 35 percent of adult smartphone users have at some point turned the service off, due to privacy concerns.

But are people keeping it off? No. The same survey showed that 74 percent of adult smartphone users look for directions or other location-based information on their devices. Plenty of people are worried, but they're still giving it up.

It's important that people don't give away any more than they need to — places get breached, and then information gets stolen, Wysopal said. "That's sort of a worst-case scenario."

Tag: You’re not it

Yunus Kaymaz | Anadolu Agency | Getty Images

So what can you do?

Limiting the applications running location services can help; so can turning off the geotag option on photos. And downloading ad-blocking software will keep track of which companies are tracking a device. Above all, though, is users thinking long and hard before clicking "yes." Not all applications that request access to location data need it to run properly. Asking whether or not there is a strong reason for an application to demand such data can be helpful in making the right choices, Hong said.

Related Tags