Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

Privacy is found in the user’s hands
SECURITY SHELF

Privacy is found in the user’s hands 

The basic user experience is simple. Install the Tile iOS or Android app, add one or more Tiles, and the device starts keeping track of them. As long as the Tile app is running, it tracks the last time and location that it saw each Tile. For example, as I write this article, my iPhone indicates that it is connected to the Tile on my keyring and another in my backpack. If I needed to locate my keys, I could click the find button and listen for the distinctive Tile tune.

Users can install the Tile app on multiple devices. Since only one of the devices can connect to the Tile at a time, the results can be a bit confusing. For example, the Tile app on a user’s phone may report that one Tile is connected, signified by a green circle, and that a second isn’t. Drilling down into the user interface might reveal that second Tile is connected to the user’s tablet and was seen 8 minutes ago; the map will show it is nearby. Users who carry all their devices with them will probably find the multiple device feature more trouble than it is worth. However, those who leave a device such as a tablet at home or at the office may find the ability to locate Tiles at multiple locations very helpful.

In the event of a lost item, a Tile owner’s first line of defence is to look at where and when the Tile was last seen by the app. The integrated map makes it easy to check where it may have been left. Tile’s second line of defence is to mark the item lost, which invokes the “Community Find” feature. In addition to connecting to the user’s own Tiles, every running Tile app listens for all Tiles and silently reports their locations to the company.

From a privacy perspective, Tile presents two interesting issues. First, each Tile is an inexpensive Bluetooth 4.0 tag with a unique identifier. They are easy to detect. Over time, scanning for Tiles (and other Bluetooth devices) could reveal patterns, or identifiers could be combined with other information to identify individuals.

The second issue is that Community Find, multiple apps, and Tile’s sharing feature require Tile apps to report their current location every time they encounter a Tile. Location information is provided by the mobile device; the Tile only has Bluetooth 4.0 functionality. As a result, California-based Tile, Inc. knows who their users are and where they are located each time their mobile device reports a Tile. They are accumulating a large geolocation dataset. Customers have to trust them to protect this information and use it wisely.

It is unlikely that Tile, Inc. would use the information in contravention of their privacy policy; they have too much to lose. However, in the event of a security compromise, hackers could find themselves with a treasure trove of user geolocation data. It is also possible that government agencies could begin to tap into this data, with or without a court order.

Tile is not the only product in this space. Other products include TrackR, Stick-N-find and Chipolo, each with similar, if not identical, privacy decisions to be made by their customers.

I really like Tile. The company sent me a free Tile to test, and I subsequently bought four more for our family. In doing so, I have chosen to allow the company track me, my wife, and some of our property. We accept the privacy risks. Of course, user can turn off the Tile app at any time, and leave their Tiles at home, but then the functionality that makes the product worth owning is lost.

It may be possible for Tile and their competitors to mitigate some of the privacy risks, but ultimately each individual must decide for themselves and accept responsibility for their decision. As is often the case, privacy is found in the user’s hands.

Have a security question you’d like answered in a future column? Email eric.jacksch@iticonline.ca

Related posts