The New Statesman’s rolling politics blog

RSS

Need a new identity? Just steal someone else's

Wheretheladies.at highlights social networking security and privacy fears.

An opportunistic new website by the name of Wheretheladies.at should serve as a wake-up call to Foursquare and other social network users about the potential risks to their privacy and security -- especially those who are crazy enough to publish such personal details as their home address.

Wheretheladies.at uses publicly available information posted on social networking site Foursquare to find locations where a number of women are gathering -- from nightclubs to coffee shops. When it finds there's a correlation among a number of female Foursquare users it shows where they are and displays their Foursquare profile pictures so would-be stalkers -- sorry admirers -- can decide if it's worth turning up to 'meet' them.

It also sends the news out over a Twitter feed, for instance: "Bunch of ladies in yoga pants at The New Nail on Chestnut. They are talking about needing to find a man. Jackpot." Indeed.

I've written before about some of the potential risks with Foursquare, the social networking phenomenon adding 100,000 new subscribers every week, which encourages users to "check in" their location in order to win virtual badges. Users have the option of their precise location being shown on a Google map with an accuracy of a few feet, based on Foursquare's knowledge of their phone's co-ordinates via its GPS signal.

But while Wheretheladies.at may raise some eyebrows among women who didn't realise they were making quite so much information about themselves available to just anyone, what it actually highlights are the less obvious privacy and security risks of social networking sites in general.

Many Foursquare users opt to link their account with other sites such as Facebook or Twitter. This is particularly risky, because it makes it likely that even if you are careful about how much you give away on one site, anyone scanning two or three of them might find some worrying details about you and your movements unless you are very careful. Adjusting the privacy settings so that they work in concert across more than one social networking site requires a degree in astrophysics as well as a great deal of patience.

By way of illustration, I searched Foursquare for people who had "checked in" their home address -- telling the world exactly where they live and also displaying it on a handy map. I soon found an attractive 20-something year-old advertising agency executive, who had posted the address of her London flat. She had also "checked in" at her workplace, so I also knew where she worked and for whom.

She hadn't posted her full name on Foursquare, but I quickly found that on her Facebook page, along with her date of birth, which University she went to and what she studied. I also found that she likes house and trance music, her favourite film is Sex and the City 2 and she watches Louis Theroux and Come Dine With Me on telly.

I know from her Twitter feed about the trip she made to Paris for a couple of days last week, and where she goes to gym. I know, in fact, what she eats for breakfast, which bus she takes to work and when she is running late. I know that today she's at home in bed, with a heavy cold. Should I have some flowers delivered, or perhaps some cough medicine?

ID theft: not your dad's smash and grab

It's no laughing matter: identity theft is on the rise. It costs the British economy an estimated £1.7bn a year, with the number of Brits falling victim to identity theft jumping 23 per cent in the first quarter of this year alone, according to fraud prevention service CIFAS.

One factor behind the rise in ID theft is known to be the amount of personal information shared on social networking sites. As James Jones, consumer education manager at information services firm Experian puts it, "There is a huge disconnect between the privacy we crave and the information we give away on social networks. It's hardly surprising that identity fraudsters have been cashing in."

Fraudsters are still using more traditional techniques of scamming your identity such as going through your rubbish looking for bank statements and the like, which is another reason not to publish your address on any social networking sites like Foursquare.

So what does Foursquare have to say about all this? Here's what their spokeswoman told me:

We know that information related to location is more sensitive than a lot of other information shared through social networks, which is why we feel it's extremely important for our users to understand exactly where their information is being shared, and the implications of that sharing.

We never share a user's real-time check-in information with anyone that they haven't accepted as a Foursquare friend, and all of our sharing features can be opted into or opted out of. A user's location is never automatically shared -- they need to choose to check in when they're at a particular venue, and when they check in they can decide whether or not they want to tell their friends where they are, and whether or not they'd like to publish this information to Facebook or Twitter if they've chosen to link those accounts to their Foursquare account.

This summer, we launched some changes to our sharing settings to give users even more control over how they share their check-ins, and we posted some resources to further educate users on sharing through foursquare. We encourage all users to check their settings regularly to ensure that they're comfortable with where they're posting check-ins, and who can view that information.

You can access our privacy-related resources at http://foursquare.com/privacy. You'll find an overview of how we approach privacy/sharing on that page, along with a link to a detailed grid on our privacy settings and our privacy policy. Users with specific concerns can also contact privacy@foursquare.com.

Which is all well and good. But it seems that many users simply haven't understood the implications of their use of Foursquare and other social networking sites. The knowledge I easily found in a few minutes about one particular advertising agency exec could enable me to track her movements day and night to within a few feet, and could put her at a high risk of an identity theft attack or worse.

At the very least, it shows that knowing Wheretheladies.at is just the start.

Jason Stamper is NS technology correspondent and editor of Computer Business Review.