Mobile phone

ISACA urges smartphone users to avoid geolocation risk

A white paper has warned smart phone users accessing location-based applications on their phones to protect their information.

The findings from information system body ISACA says that regulating the use of geolocation data used in applications like Facebook and Google Maps is still in its infancy, and that both individuals and companies must be careful about the information they are sharing and collecting.

“Geolocation is becoming more and more a real source of commercial and financial benefits for organisations, but unfortunately as with any technology that becomes popular, geolocation becomes also more and more interesting for hackers, scammers and spammers,” said Marc Vael, chair of the Knowledge Board and Cloud Computing Task Force at ISACA.

Geolocation uses data acquired from a computer or mobile device to identify a physical location.

Applications using this technology offer consumers greater convenience, discounted prices and easy information sharing, and enable enterprises to deliver more personalized customer service and offers.

As geolocation services become more common, the need for data management and enterprise controls increases significantly and the ISACA points out that malicious use of geolocation data can put both an individual and an enterprise at risk. 

When a person’s personal information, such as gender, race, occupation and financial history, is combined with information from a GPS and geolocation tags, the data can be used by criminals to identify an individual’s present or future location.

“This raises the potential of threats ranging from burglary and theft to stalking and kidnapping,” said Vael.

“That is why this ISACA white paper is right on time to bring an independent but constructive view on the risks and issues, as well as strategies to follow in order to use geolocation in a sensible manner.”

Marios Damianides, past international president of ISACA and partner at Ernst & Young, said: “As the number of geolocation users grows and the proliferation of mobile devices continues, the prospect of individual or enterprise information becoming available to hackers or other unauthorized users is a significant concern.

“We need policies that will establish ‘privacy by design’ to instill trust across the enterprise and guard against malicious use of location information.”

U.S. regulators now are moving to enact rules on geolocation data, with proposed legislation restricting whether companies can store individual location data obtained from mobile devices, and a proposed amendment to children's online privacy laws looks at the collection of geolocation data from children under age 13.

“In Europe, regulators are aware of such concerns and are referring to the existing data privacy legislation for rules regarding how companies can use geolocation data from individuals, customers and employees since this is also considered as personal data,” said Ramsés Gallego, member of ISACA’s Guidance and Practices Committee and security strategist and evangelist at Quest Software.  

“All principles and rules from the European data privacy law remain valid, such as proportionality, purpose limitation, transparency and security."

Vael added:  “EU regulators are focused on how you collect the data and for what use.

“Geolocation data is no different than other personal data and any PII (Personal Identifiable Information) needs to have a purpose and limitation.”

“There are great consumer advantages of geolocation services, such as photos being tagged with the correct location or assisting you with directions to the location you are travelling,” said Robert Stroud, past international vice president of ISACA and vice president, Strategy and Innovation, at CA Technologies.

“However, as with all technologies, individuals and enterprises must consider their risk tolerance level and they need to educate themselves in order to make informed decisions.”

Further information:

Download the ISACA white paper

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them