TechByter Worldwide

Listen to the Podcast


05 May 2019 - Podcast #641 - (18:38)

It's Like NPR on the Web

If you find the information TechByter Worldwide provides useful or interesting, please consider a contribution.

PayPal

Subscribe

05 May 2019

Google's Sensorvault Knows Where You Were

We carry smart phones around because they help us stay in touch with friends, allow us to purchase things without a credit card or cash, and guide us to where we're going. A lot of information is collected and stored. If you're planning to commit a crime, maybe you should leave the phone at home.

 Click any small image for a full-size view. To dismiss the larger image, press ESC or tap outside the image.

TechByter ImageThe old German Democratic Republic (GDR, also known as East Germany) developed what was essentially the gold standard in keeping track of people. Stasi, the State Security Service employed nearly 100,000 people full time and had more than 150,000 unofficial "informants" to spy on citizens. The GDR had a population of about 17 million, so the Stasi had one full- or part-time observer for every 70 people. Today, Google knows more about you than the Stasi could ever have hoped to know about citizens of the German Democratic Republic.

That could be bad or good, depending on how the information is used. New York City criminal-law attorney Robert Stahl says the use of geolocation technology allows law enforcement to locate suspects and potential witnesses to current and past crimes and raises several privacy concerns, as well as what he calls serious legal issues.

The problem Stahl sees is that warrants issued for this type of information can reveal people who have no knowledge of the crime being investigated.

If Location History is turned on (it's off by default), Google collects data when you are logged in to your account if the phone has any location-enabled Google apps. Information is collected even when you're not using the apps. Google uses the data serve ads and to note when people enter an advertiser's store. The information is also aggregated and used to establish the estimates Google provides about how busy a store might be when you search for the store on-line.

Knowing that a store is generally busy between 3 and 4 pm but not busy between 2 and 3 pm might help you to plan a shopping trip. And Google can show you where you've been. Maybe if you ever need an alibi, Google Location History might be your friend. The information is stored in Google's Sensorvault and you can see what it knows about you.

Let's see what it knows about me.

TechByter ImageThe red dots show places that I've been in the past several years. I don't always take my phone, so Google generally doesn't have a record of my visits to the gym, except for the few days that I had the phone with me when I went to exercise. I'm reminded that I occasionally go to Bexley for bagels, that the office used to be in Hilliard, and that most of the places I go are in the northern part of the city. This view is non-specific.

TechByter ImageLet's get a little more specific. Google knows that I went to a Kroger supermarket around 11:15 on the morning of 20 April and was home by 11:45. At 5:20, I left and drove for 29 minutes to Blacklick, stayed there until 9:13, and then drove home. The drive home took 28 minutes and I got there at 9:41. Now maybe you're worried. Who can see this information!?

Google is precise in specifying who has access: According to the Location History page, "Only you can see your timeline." And it explains that the information can help you by predicting commute time and helping to plan trips. You can also delete locations, days, or the entire timeline. It's not clear, though, that deleting your timeline really deletes all the data. And, although Google says "Only you can see your timeline," it is possible for law enforcement agencies to gain access to it. Don't get overly paranoid yet, though, because there are some limitations.

TechByter ImageBefore getting to the limitations, let's continue to explore my timeline. In 2015, Google knew that I went to the office and then went home again in mid June, but it didn't trace my route. That might be because Google's procedures weren't as robust four years ago or, more likely, because my phone wasn't as good back then. Even so, it knew that I left for the office at 5:19, arrived at 5:41, left at 3:02, and arrived home at 3:34.

TechByter ImageNearly two years ago, my older daughter suffered acute (and totally unexpected) liver failure and received a liver transplant at the Ohio State University Medical Center. The day of the transplant, Google knows that I was at the hospital nearly all day and tracked some of my movements inside the hospital. It knows that I went home to feed the cats around 5 o'clock, grabbed a quick dinner at Wendy's, returned to the hospital, and returned home by 10:05.

The surgery was a complete success and I've told the story before, so I won't repeat it here.

TechByter ImageYou can see your own Location History timeline. The timeline is essentially a "best guess" approximation that's based on the raw Sensorvault data. If you'd like to see the data, visit Takeout.Google.com where you'll find your history for all things Google. By default, Google offers to allow you to download everything from every service. That would be a lot of data, so it's a good idea to click "Deselect All" near the top of the page.

TechByter ImageThen scroll down to Location History where you can select KML (a variant of XML) or JSON format. Neither format is particularly easy to use unless you have the programming skills needed to deal with it. Click the checkbox, scroll to the bottom, and click Next Step. You can have Google send an email link or add the file to your Drive, Dropbox, OneDrive, or Box account.

The process of creating the file can take hours or, as Google notes, "possibly days" to complete. This depends on how much data you've requested. When the process is complete, Google will send an email to let you know.

What Police Can See and How

Attorney Stahl says that technology such as Sensorvault is being used in criminal investigations along with the practice of tracking phone locations based on input from towers, reviewing data from smart home devices that record internet searches, and examining images stored by security cameras.

But police can't launch a fishing expedition by calling Google and saying something like "Give me everything you have on this Blinn character." They can get to some of the information, but only when they provide sufficient justification for the request.

Let's say the police are investigating half a dozen crimes in various parts of the city. They can send a warrant to Google that specifies locations at specific times instead of usage patterns for individual users. What they will receive back from Google will be similar to the first image, the one with red dots. Each dot represents a phone and the phones are identified with code numbers.

The data may show dozens or hundreds of users, but maybe phones with code numbers A123, B777, and R984 are recorded as being near the scenes of all the crimes when the crimes occurred. Although hundreds of other people might be recorded as being at one of the scenes, they will be of less interest to the police than the three who were in the vicinity of all crimes. Detectives can then request information about those three specific users who might have witnessed the crimes, may have committed the crimes, or might have just been in the area. It's up to the police to figure that out.

Attorney Stahl says that courts have not yet addressed concerns about this use of data. "Determinations of probable cause, reliability, reasonableness, and privacy," he says, "are lagging."

If you want to turn Location History off, turn it on, or delete the data, visit Google's on-line help section.

It's up to you to decide whether the advantages Location History have for you outweigh the potential privacy concerns. For me, they do. In looking at just the few days that I reviewed for this article, a remembered the terror and relief of the week when Elizabeth was in a coma and received a liver transplant, I thought of some co-workers that I used to see daily at the Hilliard office, and I recalled the pleasant evening at a friend's home in Blacklick. Your calculations may vary.

Short Circuits

Reported Internet Crime Losses Neared $3 Billion in 2018

The Federal Bureau of Investigation has released its annual Internet Crime Complaint Center (IC3) report. Many, probably most, internet scams don't get reported, but the 20,000 that were reported caused losses $1.2 billion, an increase from just under $700 million the year before.

In 2018, the IC3 received more than 20,000 business email compromise (BEC) reports and this compares to about 15,000 reports the year before. A BEC attack usually involves a crook who pretends to be a high-ranking company official. A common approach involves an email from someone who impersonates the CEO. The message explains that the company is acquiring another organization, but the acquisition must be kept confidential, even within the company. The "CEO" then asks that the employee prepare a wire transfer.

Tech support fraud continues to work well and the IC3 received 14,000 complaints from people who lost nearly $39 million. These are the scams that usually involve either a phone call or an email from a "support" technician who claims that the victim's computer has been compromised. Most of the victims of this kind of fraud are individual computer users and many are over 60 years of age.

The Internet Crime Complaint Center is a website operated by the FBI where you can file a complaint if you have been victimized. Will you get your money back? Probably not, but at least the FBI can investigate and, if the crooks are located in the United States, make an effort to shut them down.

The number of complaints about scams purporting to be from the Internal Revenue Service or other government agency threatening immediate arrest unless a fine is paid by phone have increased significantly. The crooks usually want the victim to purchase a gift card and then provide the number to the scammer.

Another inventive scheme has crooks obtaining credentials that a corporate payroll manager uses to log on to a payroll processing service. They can then change account information for one or more employees and have salaries direct deposited to a crook's account.

The IC3 received about 900 complaints a day in 2018 and total losses for on-line crime was approximately $2.71 billion. If you'd like to read the IC3's annual report, it's on the website.

Frequent Password Changes Don't Improve Security

Common practice for years has been to force users to change their passwords frequently, but frequent password changes might actually reduce security instead of enhance it.

I'm familiar with a company that required password changes every 45 days. Microsoft's default system configuration gives users 60 days. Both of those periods are unfortunate. Take 45 day expirations, for example: Set a new password on Monday and it will expire 45 days later (Saturday) and the old password won't be accepted when you return to the office on Monday (day 47). Then you'd have to call the IT department and have someone reset the password. That wastes a lot of time for everyone.

A technique I developed started with a password change on Tuesday with a calendar reminder 42 days later, which would also be a Tuesday. Why Tuesday? Sometimes Mondays are holidays and I had enough vacation days to take about half of the Fridays off. Tuesday seemed like a good choice and it still left me with three grace days if I couldn't change the password on Tuesday.

That still left another problem: Coming up with a secure and memorable password every 42 days. I worked out a method for that, too, by creating passwords that had three discrete components -- three letters (upper and lower), a symbol, and a four-digit number. There were four sets of letters, four symbols, and four four-digit numbers. That gave me an array of 64 unique passwords. Each of the components could be referenced by a word that would be meaningful to me, but meaningless to anybody else.

What happens all too often, though, when people are forced to change passwords frequently is that they use their previous password an add a number at the end. Or they create a password that's too short or can be guessed. I've considered the safer method to have a long, complex password that's stored in a password manager and changed infrequently.

Microsoft has dropped the default requirement to change passwords every 60 days for Windows Server version 1903. Seems like a good idea to me!