Mobile Device Geo-location and Privacy Spencer Wilco x @ brasscount

1. Mobile Device Geo-location and Privacy Spencer Wilcox @brasscount These slides are available at Securiplay.com

2. Lack of controls on the use of geolocation services have resulted in proposed legislation, and interesting court cases. What are the ramifications of government, businesses and advertisers knowing the whereabouts, and having access to the contents of the metadata produced by you or your employees? Abstract

3. I am not an attorney. I am not providing a legal opinion, or offering legal advice. I am providing information regarding my research on this topic, which may include law or case law. My views are my own, any opinions expressed in this presentation are mine, and do not necessarily reflect the opinions of my employer. Please consult your attorney before adopting any of the practices discussed in this presentation. If you choose to implement any of the ideas expressed in this presentation, please mention the inspiration that this presentation provided. Disclaimer

4. Geo-location RISK

5. Tools and technologies that use geo-loc • Mobile Device Management • Camera photo coordinates (Exif) • GPS driving directions. • Social Geo-location • Yelp • Placely • Foursquare • Facebook • Twitter > Stream API

6. Use cases for mobile device geo-loc • Use twitter feeds to monitor for live events in specific locations: • Tweet-to-map • Itsatwap • Twee.py – Python library. • Jasmine • Intelligence search within a geo-fence surrounding a critical location. • During an open house what are people tweeting? • Are there a larger than normal number of tweets occurring around your facility > demonstration>#flashmob

7. What are the risks associated with geo-location? • Legal Risks – GPS Trackers, Stingers, Cell phones • Public Information – • Location of Sensitive Facilities • Side-Channel attacks – employee tracking by govt, thieves, PI’s journalists, etc. • City Data Warehouses – Ownership of sensitive locations, security and fire POC’s, location of municipal infrastructure facilities. • Competitive Intelligence • Tracking of your employees by competitors • GPS Jamming • Timing attacks • Industrial Control Systems

8. What are the risks associated with geo-location? • Personal Privacy Risk • Find my cheating spouse • Find my iPhone • Children • COPPA • HIPAA / HITECH / OMNIBUS • Is knowing what kind of Dr. your employee is visiting a violation, if your company issued mobile device or MDM solution tracks location? • Driving Habits / (The 7 habits of highly uninsurable people) • Progressive Snapshot – Log Miles, Hard Brakes, Time of Day • Waze – Social Media GPS app – Logs where you were, length of travel, and other things.

9. Are your whereabouts protected information? • Statutory Law • Texas Bill – HB No. 2268 – warrant requirement for access to stored communications and customer data. • Proposed Statutory Law • Federal • GPS Act – Geo-location Privacy and Surveillance act (HR 1312, SB 639 – referred to judiciary and intelligence committee. • Online Communications and Geolocation Privacy Protection act (HR 983, referred to house intel and judiciary committee) • Location Privacy Protection act (S. 1223 – 112th congress) – Not yet reintroduced in 113th. • States proposing laws – Maryland, NJ, • Regulation • GPS Jamming • Case law • US vs. Antoine Jones • US vs. Melvin Skinner • State vs. Earls

10. On January 23, 2012, the U.S. Supreme Court announced its unanimous decision in United States v. Antoine Jones (No. 10-1259), a case addressing the constitutional privacy rights of American citizens in the face of modern tracking systems based on GPS and other technologies. The Court ruled that law enforcement must obtain a warrant prior to attaching a GPS device to a suspect's vehicle in order to monitor its movements. In this case, the FBI and District of Columbia police affixed a hidden GPS device to the vehicle of suspected drug dealer Antoine Jones in a public parking lot. The device recorded and transmitted the vehicle's movements for 28 days. U.S. v. Antoine Jones

11. A man convicted of marijuana trafficking had no reasonable expectation of privacy with the mobile phone he was using when apprehended, a U.S. appeals court ruled. Federal agents tracked Melvin Skinner to Abilene, Texas, using the global positioning signals emitted by his mobile phone, found him in possession of more than 1,100 pounds (498 kilograms of marijuana and arrested him in July 2006, the court said in its 2-1 ruling today. Skinner appealed his convictions for trafficking and other federal crimes as well as a lower court ruling that the GPS tracking was lawful and that evidence found in the ensuing search was admissible. “If a tool used to transport contraband gives off a signal that can be tracked for location, certainly the police can track the signal,” U.S Circuit Judge John M. Rogers wrote. “The law cannot be that a criminal is entitled to rely on the expected untrackability of his tools.” U.S. v. Skinner. 09-6497, U.S. Circuit Court of Appeals for the Sixth Circuit

12. STATE of New Jersey, Plaintiff–Respondent, v. Thomas W. EARLS, Defendant–Appellant. Argued Oct. 22, 2012. | Reargued Jan. 29, 2013. | Decided July 18, 2013. Users of cellular telephones had a legitimate expectation of privacy in information revealing the location of the telephone, and, thus, under state constitution, police officers were required either to obtain a search warrant or be able to show existence of an exception to warrant requirement, requirement, such as exigent circumstances, in order to obtain location information from defendant’s cellular telephone service provider; even if telephone users were required to disclose information to providers in order to obtain service, such disclosures were not made in order enable telephone to serve as a tracking device, and users were reasonably entitled to expect confidentiality in large amount and revealing nature of information available through telephone records. N.J.S.A. Const. Art. 1, par. 7. State of NJ vs. Thomas Earls