All the Risks of Search, Now With Locations, Too
Using Google Maps involves more than simply interacting with the display to locate areas of interest, or even printing, saving, or sharing maps. You can also search the map and jump immediately to addresses, zip codes, businesses, and cities of interest. Figure 3 shows a Google Maps search for "pizza in Poughkeepsie," the sample entry suggested on the Google Maps web page.
So what are the risks of combining search and mapping? Well, by doing so, you are combining the disclosure risks of search with specific geographic locations and the interaction revelations described in the previous section. For example, by clicking one of the results in the search pane on the left side of the display, you can bring up specific details about one of the locations marked on the map. However, you are also disclosing -- and, hence, strengthening -- the link between the search you performed and what you deemed important in the results. Say you were searching on a specific person and returned a number of results. By clicking on the link corresponding to the specific individual you were interested in, you've yielded a clue to the most relevant result.
Privacy-Degrading Personalization
Enticed by such slogans as "Make Google Maps your maps," many users have personalized their maps. Google Maps supports the creation and sharing of personalized, annotated maps. Annotation includes marking favorite places and drawing lines and shapes to highlight paths and areas, as well as adding text, photos, and videos. Unfortunately, the more you personalize your maps, the more information you disclose. The potential disclosure risks are quite significant. Users have an almost unlimited ability to share sensitive information and tie it to specific locations on the map. Some users will likely add personal or sensitive locations, such as their friends' home addresses or facilities at their place of employment. Such disclosure could provide the information required to link disparate profiles contained in an online company's databases. Recall that Google possesses extensive address databases for individuals and businesses, which enables them to create many additional linkages. In short, personalization functions, almost by definition, help compromise your anonymity. Many personalization functions in Google Maps require you to log in using a Google account, uniquely identifying your activity.
Linking User Classes via Geographic Relationships
When using mapping and imagery services, you provide another vehicle to tie together individuals and organizations. As I mentioned at the start of this article, using mapping and imagery applications discloses locations you are interested in, but now consider that you can be linked with other people who are also interested in the same or similar locations. A great example is that of your parents' home. Chances are, you have looked at it using Google Maps. I'll bet your siblings have done the same. Now ask yourself how many other people have zoomed in to that exact same location. My guess is, not many. Bingo, a unique characteristic shared by you and your family.
Now consider your company. Let's say that it has 1,200 employees located at 10 locations, some not publicly known. Imagine mapping activity from the IP address ranges used by your corporate headquarters, as well as the other locations, all seeking directions from Ministro Pistarini International Airport in Buenos Aires to the street address of a meeting site at the outskirts of the city. Because this activity is out of the norm, you've just created a unique set of characteristics that ties together your various company offices with a potentially sensitive meeting. You've also disclosed, with a high probability, the travel plans of the meeting participants, as well as given a clue to the strategic importance of Argentina to your company's planning.
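The linkage described above can be measured from the defender's side. The following is an added example, not from the original article: an audit over an organization's own egress proxy log that flags direction requests which are rare, yet issued from several office networks within a short window. The office ranges, log rows, thresholds, and function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress ranges for three offices (documentation address space).
OFFICES = {
    "hq": ipaddress.ip_network("192.0.2.0/24"),
    "branch-a": ipaddress.ip_network("198.51.100.0/24"),
    "branch-b": ipaddress.ip_network("203.0.113.0/24"),
}
AIRPORT = "Ministro Pistarini International Airport"
SITE = "meeting site (constructed address)"

# Constructed proxy log rows: (timestamp, egress IP, origin, destination).
LOG = [
    ("2024-03-04T09:12", "192.0.2.17", AIRPORT, SITE),
    ("2024-03-04T15:40", "198.51.100.8", AIRPORT, SITE),
    ("2024-03-06T11:05", "203.0.113.77", AIRPORT, SITE),
    ("2024-03-04T12:01", "192.0.2.17", "HQ", "lunch venue"),
    ("2024-03-05T12:03", "192.0.2.44", "HQ", "lunch venue"),
    ("2024-03-06T11:58", "192.0.2.90", "HQ", "lunch venue"),
    ("2024-01-10T08:00", "198.51.100.8", "HQ", "city conference centre"),
    ("2024-03-20T08:00", "203.0.113.5", "HQ", "city conference centre"),
]

def office_of(ip):
    """Map an egress IP to an office name, or None if it is not ours."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in OFFICES.items() if addr in net), None)

def linking_routes(log, min_offices=2, max_requests=5, window=timedelta(days=7)):
    """Routes that are rare in the log but tie several offices together."""
    by_route = defaultdict(list)
    for ts, ip, origin, dest in log:
        office = office_of(ip)
        if office is not None:
            by_route[(origin, dest)].append((datetime.fromisoformat(ts), office))
    flagged = {}
    for route, hits in by_route.items():
        times = [t for t, _ in hits]
        offices = sorted({o for _, o in hits})
        # Rare + multi-office + clustered in time = a distinguishing signal.
        if (len(hits) <= max_requests and len(offices) >= min_offices
                and max(times) - min(times) <= window):
            flagged[route] = offices
    return flagged

if __name__ == "__main__":
    for route, offices in linking_routes(LOG).items():
        print(route, "links", offices)
```

Only the airport-to-meeting-site route is flagged: the lunch venue comes from a single office, and the conference centre requests are too far apart in time to cluster.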
All Roads Lead to Rome
Using online services that provide directions reveals sensitive information. Typically, you enter a starting point and a destination, often using precise street addresses. As discussed in the preceding section, these addresses provide a very powerful means to tie together disparate individuals. The more specific and rarely used the addresses, the higher the possibility of creating a useful link between the two. Using direction-giving services (see Figure 4), you are also giving away your probable route of travel. By clicking the Print option, you indicate that you will probably be traveling the route in the near future. Similarly, if you used the e-mail or Link To This Page options, you've then linked yourself with a group of individuals who will likely be traveling over the same route after they click the link.
Now imagine all the directions that your employees have generated using your company headquarters as a starting location and leading to destinations throughout the surrounding area (see Figure 5). You may be giving away the commuting routes of your employees, the locations of their homes, their lunch meeting venues, and perhaps even your company's strategic intentions. Similar searches could identify the home IP addresses of these employees, as well as many visitors to your company. Finally, if cookies were enabled on these machines, all of their online activities with a company such as Google could be tied together despite movement around the world. This is a security risk indeed.
If you consider all such requests to your corporate headquarters, such tools represent a significant disclosure threat, particularly over long periods of time.