Protecting Mobile Data: Just Kill Me Now

Today’s smartphones certainly promise more convenience and functionality, but for IT, they promise new nightmares about protecting that data. It’s not merely contact data, but files, slides, traffic history, E-mail records, chat transcripts and almost anything else that can be done on a desktop. Then there’s the Grand Poobah of data protection night terrors: Geolocation.

Geolocation is the phone’s ability to tell any app on the phone—or anyone at all, really—the exact location of the phone virtually every minute it has power. That data is relatively small in size and yet—tied into various other datapoints (especially time and date)—could be monstrously helpful to some while being stunningly destructive to others.

But fear not, IT execs are thinking, there’s no way such data could ever get out to unauthorized places, right?

Beyond stating the age-old IT maxim that anything that can be stored can—and will—be stolen, there’s a bigger issue here and it involves keeping a secret. This is a lesson I learned many years ago covering Congress. Consider the most legitimately secret secrets in our country: NSA code-breaking achievements, CIA plots, military plans that we need to keep other countries from learning, etc.

A stunner I quickly learned was the huge number of people who were required to know such plans, far beyond those directly involved. There were layers of clerical support (and supervisor oversight) at the Pentagon, the White House and other parts of the Executive branch. Even worse was the Legislative Branch, where even the most sensitive details were known by select members of the House and Senate, plus their key aides and sometimes their own clerical support. Add it all up and it’s a huge number. It’s quite impressive that we can successfully keep any secrets at all.

With that in mind, consider a report last week that, over the last year alone, Sprint had granted some 8 million law enforcement requests for geolocation information about its American customers. The Wired story quotes Paul Taylor, manager of Sprint’s Electronic Surveillance Team, telling a conference (in a panel discussion that was recorded) that Sprint created VPN access for law enforcement so that Sprint’s people wouldn’t have to be bothered processing every request.

“We turned it on the web interface for law enforcement about one year ago last month and we just passed 8 million requests,” Taylor is heard saying, according to Wired. “So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy.”

There are quite a few privacy and legal reasons to be concerned about this process, not the least of which is that the easy access that Sprint—and presumably other carriers—has created allows for far fewer records, which means much less accountability. A few years ago, was involved in a security project with another major carrier and their security people spoke freely of the absence of any documentation—or oversight at all—when someone claiming to be law enforcement asked for geolocation and other cellphone intercept data.

All that was needed was for them to say that they were inactive pursuit of a suspect and sometimes the mere term “terrorism” was sufficient for immediate access to be granted. There also were no personnel assigned to check back in days later, to verify that it was indeed a legitimate request. With Sprint’s VPN access, there would potentially be far fewer lawyers for someone to clear. The lack of verification also extended to even authenticating someone as actually being with law enforcement.

But those are privacy issues. There are much more powerful retail and security issues. Today, retailers and search engines are treating geolocation requests carefully. Requests for permission are made loudly and often. That said, those requests are often vague and open-ended, seeking permission for location use without specifying how—and for how long—that data can be used and retained.

As the number of entities with this access grows—the 8 million requests revealed by Sprint is barely a rounding error compared with the total number of geolocation data points being gathered globally from governments, carriers, retailers, search engines and every other business—the sensitivity of the data will be viewed as diminishing. That view will quickly become reality. Anything that widespread, human nature dictates, can’t be that secret.

The IT security impact? Protecting all of that geolocation data. Tracking one phone can generate a satellite’s worth of data, with a data point created every time the phone moves and/or at a requested time duration (such as “every five minutes”). What about historical location data? Will phones pinging back to the mothership become commonplace? Expected? Will the U.S. expectation of privacy be forever changed?

As anyone who is now managing payment card data has discovered the hard way, the security merited to protect a piece of data has to be dictated by the value of that data. A traffic study determining the number of cars that use a particular strength of highway might merit minimal—if any—protection, while full credit card numbers (with expiration dates and CVV/CVV-2/CID/CVC2) and PINs merit extremely strong protection. And telecom carriers are hardly known for strict protection of data.

Geolocation data may be viewed as harmless, bits of data to help a customer find the nearest CVS. But complete data points on a consumer’s precise current whereabouts—as well as a history of that customer’s prior whereabouts—is remarkably valuable today. That’s going to mean a radical change in security thinking. So wherever your data security thinking is at today, it’s going to have to soon be in a very different place. And your phone—without a warrant—will know exactly where.

Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.

Tags: Data Protection, mobile security, privacy, smartphones