As Location Goes Mainstream, So Does The Potential For Abuse

Geolocation isn’t really anything new. In a lot of cases we’ve come to expect it. Most smartphones sold today have an on-board GPS receiver and it’s considered a selling point for a handset to have one. Today’s mobile mapping applications and Location Based Mobile Services make use of the location fix that GPS provides. We’re used to our technology saying “you are here”. Without this there’d be no Ovi Maps, no Google Maps, no Foursquare and no Facebook Places.

Long before we put up a network of over 20 satellites a less accurate version of geolocation was available. Pretty much anything that puts out a signal in the radio spectrum can be used to triangulate your position, if there are enough radio sources spread out over a wide area and if someone’s done the leg work needed to geolocate you based on the position and strength of those radio sources. This can be done with mobile cell towers, with radio masts and more recently with the proliferation of wifi enabled access points in people’s homes, in offices and in public areas.

No matter where you go, there you are - Buckaroo Banzai

The process of wifi geolocation, sometimes called Wifi Positioning System or WPS, is sometimes combined with GPS, known as Assisted GPS or A-GPS, and sometimes provides geolocation facilities for devices which don’t have onboard GPS. WPS is what allowed the first iPhones and the iPad, both of which lack GPS, to position themselves relatively accurately and WPS also forms part of the W3C Geolocation system which allows web browsers to get a location fix. WPS isn’t as accurate as GPS but most of the time it’s good enough. Both SkyHook Wireless and Google maintain WPS databases, which allow you to geolocate based on the publicly accessible unique address (the MAC address) that every wifi access point broadcasts, regardless of whether the access point is open, closed or encrypted. This isn’t a flaw or a vulnerability, it’s how your laptop or mobile phone seeks out and connects to a wifi network.

Again this is nothing new. But the crucial part is that either implicitly or explicitly this is done by opting into the service. Either by configuring a service, by installing an application or by saying “yes it’s OK to use my location”.

But what is new is that by going “mainstream”, location sharing is now also ripe for abuse.

One indication of this abuse is the recent news that free apps on the Android platform are secretly sharing A-GPS location without the user being aware of it. One could argue that when installing the app this is listed as one of the capabilities …

This application can access the following on your phone:
Your location
coarse (network based) location, fine (GPS) location

… but just like the EULA, or End User License Agreement, people rarely read the small print and simply click through to get to the “good stuff”.
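The capability list quoted above corresponds to permission entries in an app's manifest, so the same small print can be checked mechanically. The following is an added example, not part of the original post: it assumes the manifest has already been decoded to text XML, and the package name and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Android permission names mapped to the wording shown on the install screen.
LOCATION_PERMS = {
    "android.permission.ACCESS_COARSE_LOCATION": "coarse (network based) location",
    "android.permission.ACCESS_FINE_LOCATION": "fine (GPS) location",
}
INTERNET = "android.permission.INTERNET"

# Constructed sample manifest for a hypothetical free app (not a real package).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freewallpapers">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="Free Wallpapers" />
</manifest>
""".strip()


def requested_permissions(root):
    """Return the set of permission names declared via <uses-permission>."""
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def audit_location_access(manifest_xml):
    """Summarise which location capabilities an app requests and whether it
    also holds network access, i.e. could send a location fix off the device."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    location = sorted(LOCATION_PERMS[p] for p in perms if p in LOCATION_PERMS)
    return {
        "package": root.get("package"),
        "location": location,
        "can_send_off_device": bool(location) and INTERNET in perms,
    }


if __name__ == "__main__":
    print(audit_location_access(SAMPLE_MANIFEST))
```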

Another indication is the recent proof of concept that allows a malicious web page to exploit a user being logged into their wifi access point’s web based administration console, grab the MAC address of the access point and utilise a third-party WPS web service to geo-locate the user. Admittedly this is a proof of concept; it requires a very specific set of circumstances to be in place in order to work … a vulnerable wifi router, visiting a malicious site with the exploit installed, being logged in as an administrator on the wifi access point’s console at the time of visiting the malicious site.

But we should all be warned. As location goes mainstream and becomes ubiquitous, so does the attention of those who would abuse and exploit this.

As a footnote, the inspiration for this post came from Paul Clarke, who spotted the geolocation exploit proof of concept. In addition to taking a damn fine photograph, Paul also writes equally well. If you don’t read his blog, you should.

Where 2.0 – Hype (or Local?)

Sometimes writing a talk and putting together an accompanying slide deck is an education in itself. You set out with a point you want to make and in researching the evidence to back up your assertions you find out that the point you originally wanted to make isn’t actually correct. You could give up at this point, which is not to be recommended as you’re already on the conference schedule, or you could accept that your reasoning was flawed in the first place and make your talk instead centre on why you were wrong.

Thus it was with the researching and background behind my talk at Where 2.0 in San Jose on Wednesday. Originally entitled as a declaration, it soon became obvious that “Ubiquitous location, the new frontier and hyperlocal nirvana” was missing a very significant question mark.

The audience seemed a trifle bemused when I told them that the talk was brought to them “by the number three and the word local (hyper and micro)”, but when I mentioned that it included “a theory” a Mexican wave of shoulder slumping swept the (packed) room, followed in short succession by a long sigh.

I couldn’t blame them.

Luckily attention perked up when I mentioned that it was my Theory of Stuff (Stuff? Stuff? Huh?) and illustrated this point with a scene from the classic Monty Python Anne Elk (Miss) and her Theory sketch.

you may well ask, chris, what is my theory?

So, to the talk. Just as “the wonderful thing about standards is that there are so many of them to choose from” (apocryphally attributed to Grace Hopper), the wonderful thing about hyperlocality is that it has so many definitions, but a summation of these seems to agree on:

  1. entities and events located in a well defined, community area
  2. intended for consumption by residents of or visitors to that area
  3. created by a resident of or visitor to that area

That’s three elements and, continuing the number three, hyperlocality needs to overcome three matching hurdles, three geo hurdles and three location hurdles.

Matching hurdles:

  1. the ability to have scannable, parseable content
  2. the ability to join users to the content
  3. the ability to determine what is local and what isn’t in that content

Geo hurdles:

  1. the ability to scan and parse content for geographic references
  2. the ability to determine where a user is located
  3. the ability to determine what is local to a user and what isn’t relative to the user

Location hurdles:

  1. the ability to use IP location
  2. the ability to use GPS
  3. the ability to use A-GPS

(the third one there is an artifact of the need to make the “number three meme” work and I throw my hands up in surrender for that piece of artifice. Mea culpa)

what is it for and why would anyone use it?

While we’re on the subject of the “number three meme” there’s also three genera of hyperlocality

  1. “classic” hyperlocal; taking, refining and creating local news (, Patch)
  2. “corporate” hyperlocal; where a corporation removes their brand to fit in with the local community (Starbucks and the 15th Avenue Coffee and Tea in NYC)
  3. “user” hyperlocal; creating and delivering localised content and information based on checking in (Foursquare, Gowalla, Rummble, etc)

The meme continues with the level of granularity at which hyperlocal services operate:

  1. “local”, at county level (Washington Post / Loudoun)
  2. “hyperlocal”, at city or neighbourhood level (Placeblogger)
  3. “microlocal”, at block level (Everyblock)

So far, so (hyper)local. There’s good exemplars of all of the above, in operation, right now. But there’s also several elephants in the room, looming large and waving their trunks for attention.

Is location that ubiquitous? We all say it is but where’s the proof? So 21% of mobile handsets are classed as smartphones (though not all of those have location capabilities), what about the remaining 79%? That’s not that ubiquitous is it?

Then there are the issues of location and privacy; when location enablers such as Yahoo’s Fire Eagle and Google’s Latitude were launched we had lots of hand waving, foot stamping and Big Brother references from privacy activists, some of which were warranted, some of which were just pleas for publicity.

Most matching of users and content and ad inventory is dependent on technologies which derive location from an IP address. That’s simply not good enough for hyperlocal coverage where the difference between an IP location and a GPS location can be over 10 miles; that’s not even local let alone hyper or micro local.

User hyperlocal isn’t without problems either. Gowalla won’t let you check in unless your GPS lock agrees with the location of a place, eliciting cries of “but I’m here dammit”. Yelp has … issues on how it undertakes hyperlocal. Foursquare allows you to become Mayor of The North Pole from the comfort of your own sofa and Fake Mayor on the iPhone bypasses Foursquare altogether.

So the outlook for hyperlocal is all hype then, obviously?

Well not quite. The number of location capable smartphones will continue to grow with 5 million mobile handsets predicted by 2011. Foursquare is growing at a phenomenal rate hitting the 1 check in per second mark recently. 33% of us now read and consume news from a mobile handset and we seem to be quite happy with displaying our location history via check ins, a far cry from the location hysteria of 2 years ago.

This year at Where 2.0 the view of the geo-scape was significantly different from the previous year; I don’t doubt that will be the same for Where 2.0 in 2011. See you all there.

The Location Battle Between You and Your Phone

Whenever I talk about the privacy implications inherent in sharing your location with an app or service, I keep coming back to the idea that it’s essential to be your own source of truth for your location. This is a slightly verbose way of saying that you need to be able to lie about your location or that you need to be able to say “no, I really am here” despite what other location contexts such as GPS, cell tower triangulation or public wifi MAC address triangulation may have to say on the matter.

Of course, it’s never quite as straightforward as that and here’s why. The two location based mobile services that are getting a lot of coverage at the moment are FourSquare and Gowalla. They both rely on their users checking into a location by saying “here I am” and as a neat side effect they’re generating a geo-tagged set of local business and POI listings, thus verifying and adhering to my Theory of Stuff. But more about that in my next post, for now let’s concentrate on their users’ location.

Much has been made of FourSquare’s approach to checking in; you’re presented with a list of places nearby, generated according to your A-GPS location, for you to check into. But you can also search for places and check into them as well. Some commentators view this as a failing in their model, allowing for someone to check in to a location and maintain their Mayor status, from the comfort of their own sofa. Now granted if you wish to game FourSquare this will allow you to do so, but it also allows you to be your own source of truth. I’ve lost count of the number of times I’ve stood in the middle of the concourse in London’s Waterloo Station and Waterloo has not been amongst the choices of place that FourSquare presents me to check into, yet I’ve been able to do so by searching for the place and then forcing FourSquare to accept that “yes, I really am here”.

Gowalla takes a different approach and relies entirely on the accuracy of the A-GPS system on my phone. If your phone doesn’t agree with you on the matter of location then you can’t check in, as the screen capture below shows.

I’m currently in California visiting the Yahoo! mothership; at the time when I took this screenshot I was seated in Yahoo! Building E, which already exists as a spot in Gowalla. My iPhone disagreed with me and insisted I was some 120 meters away in the middle of the Lockheed Martin parking lot on nearby Moffett Field and as a result it just wouldn’t let me check in. FourSquare, also taking its cue from the A-GPS on my iPhone had the same problem but was quite happy to let me override this and check in to its version of the Yahoo! Building E place.
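The two check-in behaviours described above can be put side by side in a few lines. This is an added example, not code from either service or from the original post: the "strict" and "override" policy names, the 50 m threshold and the coordinates are assumptions constructed for illustration, and the `verified` field is one way a service could record that an accepted check-in was not corroborated by the device fix.

```python
import math

EARTH_RADIUS_M = 6371000.0

# Constructed coordinates: a venue and a device fix about 120 m to its north.
VENUE = (37.41700, -122.02500)
DEVICE_FIX = (37.41808, -122.02500)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def check_in(venue, fix, policy, user_asserted=False, max_distance_m=50.0):
    """Decide a check-in under a 'strict' or 'override' policy (hypothetical names).

    strict:   accept only when the device fix is within max_distance_m.
    override: additionally accept when the user explicitly picked the venue,
              but mark the check-in as not verified by the device fix.
    """
    if policy not in ("strict", "override"):
        raise ValueError("unknown policy: %r" % policy)
    distance = haversine_m(venue, fix)
    result = {"distance_m": round(distance), "accepted": False, "verified": False}
    if distance <= max_distance_m:
        # The device fix corroborates the claim under either policy.
        result.update(accepted=True, verified=True)
    elif policy == "override" and user_asserted:
        # The user is the source of truth; record that the fix disagreed.
        result["accepted"] = True
    return result


if __name__ == "__main__":
    print("strict:  ", check_in(VENUE, DEVICE_FIX, "strict"))
    print("override:", check_in(VENUE, DEVICE_FIX, "override", user_asserted=True))
```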

So which approach provides the best user experience? I’d strongly argue that the Gowalla approach frustrates users by effectively saying I know better than you, whilst FourSquare’s approach, whilst able to be gamed and abused, allows the user to insist that they do know best in these circumstances. Only time will tell which approach will succeed, but being your own source of truth continues to be of major significance when sharing your location with the world at large.

