[ NNSquad ] Death by Firefox: Bullets and Geolocation

NNSquad - Network Neutrality Squad
NNSquad Home Page
NNSquad Mailing List Information
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ NNSquad ] Death by Firefox: Bullets and Geolocation
To: nnsquad@nnsquad.org
Subject: [ NNSquad ] Death by Firefox: Bullets and Geolocation
From: Lauren Weinstein <lauren@vortex.com>
Date: Thu, 2 Jul 2009 14:35:24 -0700

                 Death by Firefox: Bullets and Geolocation

                http://lauren.vortex.com/archive/000590.html


Greetings.  I had a nightmare last night.  A real doozie, that joins
the pantheon of the half-dozen or so worst dreams of my life.  This
wasn't a typical confused mashup of creepy sounds and plunging
elevators, but rather a short and horrifyingly realistic visit to a
hell on Earth.  Unlike most dreams, whose origins seem to be random
neural garbage collection more than anything else, I know with
absolute and specific certainty what triggered this phantasia.

It started out quietly enough.  I was in a small, dimly lit room,
apparently invisible to the single occupant.  The walls were covered
with posters emblazoned with slogans, written in a language I couldn't
even recognize.

At a small wooden table sat a figure covered by an all-encompassing
black burka, typing rapidly at the keyboard of a laptop computer, the
brightness of its screen providing most of the light in the room.

Suddenly there was a loud commotion outside and a gang of men --
soldiers of some kind it appeared -- burst in.  The burka was stripped
from the figure, revealing a young woman.  She was thrown against the
wall by one man, while another kept screaming at her in words I
couldn't understand, as another kept alternately pointing to a
printout map on a piece of paper and to her computer.

One more official entered the room, apparently of higher rank.  He
walked straight to the laptop, typed a few keys, then looked back at
his underlings who were holding the terrified woman.

He nodded his head once.  Another man pulled a pistol from a holster,
placed it against the woman's temple, and pulled the trigger.

Blood splattered everywhere and the woman fell to the floor.  I
watched as blood sprayed onto the table where the laptop sat, and
dripped down the power cable.

The official pulled a rag from his pocket, smeared some of the blood
off the laptop, slammed it closed, carefully unplugged the power
cable, then marched from the room with the laptop under his arm.  The
rest of the men followed and slammed the door shut behind them.

A beautiful white cat that I now saw had been cowering in a corner,
gingerly stepped forward.  It looked directly at me -- was I no longer
invisible? -- and gave me a quizzical meow.  It sniffed at the pooled
liquid on the floor, and started to lap up the blood with its tongue.

I awoke in a cold sweat.

I knew who to blame for this nightmare.  A couple of days ago, a
reporter called me with what seemed at the time to be a somewhat
fanciful question -- could using the new version of Firefox get you
killed?

His specific concern was the geolocation capabilities built into
Firefox 3.5 -- could these be used to target the population in
oppressed nations?

I had deferred answering specifically, noting that I needed time to
research the issue and ponder it for a bit.

Then came last night's uninvited visit to the Twilight Zone ...

I'm actually a fan of geolocation capabilities in many circumstances.
I love 'em on my G1 cell phone, though I'm still selective about which
geolocation aspects I do or don't enable.

However, it's fair to say that while many people have become aware to
one degree or another of the tracking capabilities inherent in
cellular phones, the concept of their ordinary laptop computers
revealing their locations is still largely a new concept to most
users.

Tracking IP addresses is old hat, of course.  They provide varying
degrees of accuracy, dependent on a bunch of factors, and have driven
the rise of anonymous proxy systems as mechanisms to make
IP-address-based tracking more difficult.

After all, it was less than two weeks ago that many observers
(including myself) were praising patriots in Iran who were using
proxies to maintain "safe" Internet connectivity in the face of
post-election government crackdowns.

But what if your laptop could squeal your location irrespective of
your using proxies for your Internet connections?

The geolocation capabilities built into the new Firefox 3.5 and other
applications -- with more such apps appearing seemingly every day,
make this no mere academic question.

PCs are appearing with built in GPS capabilities -- Dell just
announced a netbook with built in A-GPS, in fact.

But even without the ability to receive GPS satellite data,
applications can use external geolocation services, such as Google's
Geolocation API and/or Skyhook, to determine your location -- often to
a startlingly accurate degree.

In the absence of true GPS, these systems rely on cell phone tower and
Wi-Fi mapping data to pinpoint users' locations.

By and large, the legitimate applications that access these services
are opt-in by design.  But that begs an important question.  In the
essentially insecure OS environment of most PCs, exactly *who* or
*what* is doing the opting-in?

For example, could a virus or other rogue program enable geolocation
tracking in ways that could be easily missed, overlooked, or otherwise
misinterpreted by users, so that tracking info could be transmitted
without their knowledge or explicit permission?

I'm not sure about the answer to this question for any given case.  My
gut suspicion though is that there is at least real reason to be
concerned about such possibilities, if not now -- given the current
state of these systems in much of the world -- then certainly in a
short while as the systems develop further.

None of this matters too much in a relative sense when we're just
talking about sharing your location with friends, or being presented
with locally-relevant targeted advertising.

But the specter of such geolocation technologies being leveraged by
oppressive regimes to the detriment of their citizens could have
implications ranging from long prison terms to summary executions,
especially if computer users aren't aware of the potential risks.

How best to control these risks is not entirely clear to me.
Geolocation is an enabler for an array of very worthwhile user
services.  Nobody is suggesting (not me, anyway) that geolocation be
demonized or banned.

On the other hand, I believe that we need to immediately begin
pondering how these technologies (especially PC-based ones that don't
need additional hardware) may potentially be abused as they become
broadly deployed.

In particular, what will these systems mean in oppressed countries and
locales where an innocent person's ability to use the Internet --
without unknowingly revealing their location -- could literally be a
matter of life and death?

I usually dream in color.  The girl was very dead, and the blood
spewed around the room was very red indeed.

--Lauren--
Lauren Weinstein
lauren@vortex.com
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
   - Network Neutrality Squad - http://www.nnsquad.org
Founder, GCTIP - Global Coalition 
   for Transparent Internet Performance - http://www.gctip.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Prev by Date: [ NNSquad ] Broadband a Civil Right?
Next by Date: [ NNSquad ] NYTimes: Internet videos getting longer
Previous by thread: [ NNSquad ] Broadband a Civil Right?
Next by thread: [ NNSquad ] NYTimes: Internet videos getting longer
Index(es):
- Date
- Thread