(C) Common Dreams
This story was originally published by Common Dreams and is unaltered.



The Simple Way Apple and Google Let Domestic Abusers Stalk Victims [1]

['Andy Greenberg', 'Martin Cizmar', 'Nena Farrell', 'Lisa Wood Shapiro', 'Gear Team', 'Julian Chokkattu', 'Louryn Strampe', 'Simon Hill', 'Brenda Stolyar', 'Ryan Waniata']

Date: 2019-07-02 14:50:40.058000+00:00

So I went forward with my experiment. Here's what I found.

Day One, Glympse: After my wife handed my phone back to me and I left for work that first day, I pulled out my phone on the subway to send her some pictures of our toddler. I immediately saw that she had sent herself a text message from my phone that read "Here is a Glympse of my location," with a link to Glympse.com. That link-texting is the default method of sharing your location with the app Glympse, a popular location-sharing app that I keep on my phone (although I've rarely used it since Google Maps began offering the same feature). My wife could have easily deleted this text message, but I figured she was still warming up. I left the app running nonetheless, but it was so power-hungry that by that afternoon it sent me a notification that it was disabling itself to preserve the remaining 20 percent of my battery.

Meanwhile, my wife found that Glympse's location tracking was so low-resolution, it revealed only that I was at home and then at the office, before devouring my battery and turning itself off. Even if battery life was no issue, she would have had to access my phone again and reactivate location sharing after 12 hours, the maximum amount of time Glympse allows.

Day Two, Google Maps: After the same morning routine of handing my phone over to my wife, I got on a bike and headed to a hacker conference a few neighborhoods away in Brooklyn. As I rode, my wife sent me periodic text messages guessing at my destination, until she figured out it was the conference—despite my not having mentioned it. It was only that evening, while I was taking our kid to a playground and my phone was losing power, that I went hunting through various app settings to preserve my remaining battery and found that she'd turned on Google Maps location sharing. That entire day, I had seen no other sign that location sharing had been turned on in any app.

Days Three and Four, Apple Find My Friends: My wife's tracking continued, but now without any noticeable drain on my battery or any other hints of my phone's betrayal. I did not leave my apartment for the entire third day, perhaps an indictment of my life's excitement level. But on the morning of the fourth day, my wife watched me head into Manhattan on the subway for a two-hour meeting at NYU's journalism school—"or maybe having an affair!" as she described it later, a little too gleefully. I correctly guessed by process of elimination and then confirmed by looking at my phone's settings that she had turned on location sharing via Apple's Find My Friends app, a tool included by default in iOS for sharing your location with friends and family. Find My Friends seemed to offer me no warning whatsoever that its settings had been changed to beacon my location to her in real-time.

Weak Safeguards

Of course, it's simple to detect that someone is tracking you via one of these apps if you're suspicious enough to check in the first place. But if I hadn't knowingly been part of an experiment, I could easily have gone weeks or months without ever thinking to look at the location-sharing settings in Google Maps or Find My Friends. (See the bottom of this story for tips on how to check these settings yourself.)

After my experiment was over, I reached out to Glympse, Apple, and Google. A Glympse spokesperson pointed out that if notifications are enabled for Glympse—I had them turned off, apparently—it will display a small "G" icon at the top of the user's screen. If notifications aren't enabled, it will still show a small arrow at the top of the screen that indicates location services are being accessed, although that same arrow displays any time location services are active. As for Apple and Google, each company told me about measures it had taken to warn unwitting location sharers. Google wrote in a statement that it had consulted with the domestic violence group Community Overcoming Relationship Abuse about how to handle location sharing. As a result, it does start sending users email notifications that can't be unsubscribed from, sent at unpredictable intervals to foil abusers who might have the phone in hand. Those notifications, Google says, start 24 hours of their location sharing being turned on, and continue "frequently thereafter"—though clearly not frequent enough for me to have seen those notifications during the day my wife had used Google Maps to track me.

"The traditional threat model is stranger danger. This kind of attack just hasn’t been on their radar." Damon McCoy, NYU

Apple, meanwhile, explained that when a new contact is added in Find My Friends, the location sharer sees a notification in their Messages history with that contact that can't be deleted. But in my wife's case, I had already added her as a contact in Find My Friends at some point in the past, but later turned off location sharing altogether in the app, since that seemed like the most straightforward on-off switch. When my wife flipped that switch back on during the experiment, it didn't generate a notification, allowing her to start snooping again with no warning.

Even worse, when my colleague Lily Hay Newman and I began testing Apple's notifications by adding and deleting each other from Find My Friends, we found a method that seemed to allow anyone to add themselves as a contact in Find My Friends without any notification to the phone's owner, circumventing Apple's safeguard. I won't reveal details here to avoid enabling stealthier stalking. Apple confirmed to me that it was aware of the issue but didn't acknowledge that it represented a problem and didn't respond to my question as to whether or how it intends to fix it.

[END]
---
[1] Url: https://www.wired.com/story/common-apps-domestic-abusers-stalk-victims/

Published and (C) by Common Dreams
Content appears here under this condition or license: Creative Commons CC BY-NC-ND 3.0.
