July 02, 2009

Death by Firefox: Bullets and Geolocation

Greetings. I had a nightmare last night. A real doozie, that joins the pantheon of the half-dozen or so worst dreams of my life. This wasn't a typical confused mashup of creepy sounds and plunging elevators, but rather a short and horrifyingly realistic visit to a hell on Earth. Unlike most dreams, whose origins seem to be random neural garbage collection more than anything else, I know with absolute and specific certainty what triggered this phantasia.

It started out quietly enough. I was in a small, dimly lit room, apparently invisible to the single occupant. The walls were covered with posters emblazoned with slogans, written in a language I couldn't even recognize.

At a small wooden table sat a figure covered by an all-encompassing black burka, typing rapidly at the keyboard of a laptop computer, the brightness of its screen providing most of the light in the room.

Suddenly there was a loud commotion outside and a gang of men -- soldiers of some kind it appeared -- burst in. The burka was stripped from the figure, revealing a young woman. She was thrown against the wall by one man, while another kept screaming at her in words I couldn't understand, as another kept alternately pointing to a printout map on a piece of paper and to her computer.

One more official entered the room, apparently of higher rank. He walked straight to the laptop, typed a few keys, then looked back at his underlings who were holding the terrified woman.

He nodded his head once. Another man pulled a pistol from a holster, placed it against the woman's temple, and pulled the trigger.

Blood splattered everywhere and the woman fell to the floor. I watched as blood sprayed onto the table where the laptop sat, and dripped down the power cable.

The official pulled a rag from his pocket, smeared some of the blood off the laptop, slammed it closed, carefully unplugged the power cable, then marched from the room with the laptop under his arm. The rest of the men followed and slammed the door shut behind them.

A beautiful white cat that I now saw had been cowering in a corner, gingerly stepped forward. It looked directly at me -- was I no longer invisible? -- and gave me a quizzical meow. It sniffed at the pooled liquid on the floor, and started to lap up the blood with its tongue.

I awoke in a cold sweat.

I knew who to blame for this nightmare. A couple of days ago, a reporter called me with what seemed at the time to be a somewhat fanciful question -- could using the new version of Firefox get you killed?

His specific concern was the geolocation capabilities built into Firefox 3.5 -- could these be used to target the population in oppressed nations?

I had deferred answering specifically, noting that I needed time to research the issue and ponder it for a bit.

Then came last night's uninvited visit to the Twilight Zone ...

I'm actually a fan of geolocation capabilities in many circumstances. I love 'em on my G1 cell phone, though I'm still selective about which geolocation aspects I do or don't enable.

However, it's fair to say that while many people have become aware to one degree or another of the tracking capabilities inherent in cellular phones, the concept of their ordinary laptop computers revealing their locations is still largely a new concept to most users.

Tracking IP addresses is old hat, of course. They provide varying degrees of accuracy, dependent on a bunch of factors, and have driven the rise of anonymous proxy systems as mechanisms to make IP-address-based tracking more difficult.

After all, it was less than two weeks ago that many observers (including myself) were praising patriots in Iran who were using proxies to maintain "safe" Internet connectivity in the face of post-election government crackdowns.

But what if your laptop could squeal your location irrespective of your using proxies for your Internet connections?

The geolocation capabilities built into the new Firefox 3.5 and other applications -- with more such apps appearing seemingly every day, make this no mere academic question.

PCs are appearing with built in GPS capabilities -- Dell just announced a netbook with built in A-GPS, in fact.

But even without the ability to receive GPS satellite data, applications can use external geolocation services, such as Google's Geolocation API and/or Skyhook, to determine your location -- often to a startlingly accurate degree.

In the absence of true GPS, these systems rely on cell phone tower and Wi-Fi mapping data to pinpoint users' locations.

By and large, the legitimate applications that access these services are opt-in by design. But that begs an important question. In the essentially insecure OS environment of most PCs, exactly who or what is doing the opting-in?

For example, could a virus or other rogue program enable geolocation tracking in ways that could be easily missed, overlooked, or otherwise misinterpreted by users, so that tracking info could be transmitted without their knowledge or explicit permission?

I'm not sure about the answer to this question for any given case. My gut suspicion though is that there is at least real reason to be concerned about such
possibilities, if not now -- given the current state of these systems in much of the world -- then certainly in a short while as the systems develop further.

None of this matters too much in a relative sense when we're just talking about sharing your location with friends, or being presented with locally-relevant targeted advertising.

But the specter of such geolocation technologies being leveraged by oppressive regimes to the detriment of their citizens could have implications ranging from long prison terms to summary executions, especially if computer users aren't aware of the potential risks.

How best to control these risks is not entirely clear to me. Geolocation is an enabler for an array of very worthwhile user services. Nobody is suggesting (not me, anyway) that geolocation be demonized or banned.

On the other hand, I believe that we need to immediately begin pondering how these technologies (especially PC-based ones that don't need additional hardware) may potentially be abused as they become broadly deployed.

In particular, what will these systems mean in oppressed countries and locales where an innocent person's ability to use the Internet -- without unknowingly revealing their location -- could literally be a matter of life and death?

I usually dream in color. The girl was very dead, and the blood spewed around the room was very red indeed.


Posted by Lauren at July 2, 2009 02:25 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein