Tag Archives: geolocation
“Somewhat You Why” and Geolocation Stalkerware
Geolocation and “somewhat you why” (my proposed sixth factor of identity verification and authentication) can not only be used to identify and authenticate people.
They can also be used to learn things about people already authenticated, via the objects they might have in their possession.
Stalkerware
404 Media recently wrote an article about “stalkerware” geolocation tools that vendors claim can secretly determine if your partner is cheating on you.
Before you get excited about them, 404 Media reveals that many of these tools are NOT secret.
“Immediately notifies anyone traveling with it.” (From a review)
Three use cases for geolocation tracking
But let’s get back to the tool, and the intent. Because I maintain that intent makes all the difference. Look at these three use cases for geolocation tracking of objects:
- Tracking an iPhone (held by a person). Many years ago, an iPhone user had to take a long walk from one location to another after dark. This iPhone user asked me to track their whereabouts while on that walk. Both of us consented to the arrangement.
- Tracking luggage. Recently, passengers have placed AirTags in their luggage before boarding a flight. This lets the passengers know where their luggage is at any given time. But some airlines were not fans of the practice:
“Lufthansa created all sorts of unnecessary confusion after it initially banned AirTags out of concern that they are powered by a lithium battery and could emit radio signals and potentially interfere with aircraft navigation.
“The FAA put an end to those baseless concerns saying, “Luggage tracking devices powered by lithium metal cells that have 0.3 grams or less of lithium can be used on checked baggage”. The Apple AirTag battery is a third of that size and poses no risk to aircraft operation.”
- Tracking an automobile. And then there’s the third case, raised by the 404 Media article. 404 Media found countless TikTok advertisements for geolocation trackers with pitches such as “men with cheating wives, you might wanna get one of these.” As mentioned above, the trackers claim to be undetectable, which reinforces the fact that the person whose car is being tracked did NOT consent.
From consent to stalkerware, and the privacy implications
Geolocation technologies are used in every instance. But in one case it’s perfectly acceptable, while it’s less acceptable in the other two cases.
Banning geolocation tracking technology would be heavy-handed since it would prevent legitimate, consent-based uses of the technology.
So how do we set up the business and technical solutions that ensure that any tracking is authorized by all parties?
Does your firm offer a solution that promotes privacy? Do you need Bredemarket’s help to tell prospects about your solution? Contact me.
Instagram Maps is a Stupid and Dangerous Feature
I stand by what I said. Someone’s gonna get killed.
Geolocation, Privacy…and Abuse
I’ve frequently talked about geolocation as a factor of authentication, and have also mentioned the privacy concerns that arise with the use of geolocation for identification.
But sometimes it’s not just an issue of privacy, but something more sinister.
Authentic Living Therapy is a counselor specializing in trauma, abuse, emotional abuse, anxiety, depression, self-harm, parenting, and relationship difficulties. The page recently shared an image post on Facebook with the title:
“Tracking someone’s location isn’t always about care. Sometimes, it’s about control.”
I encourage you to read the entire post here.
As with many other privacy-related issues, it all revolves around consent.
- If Agnes wants Bob to track her location to ensure she is safe, it is fine if Agnes freely consents for Bob to track it.
- If Bob wants to track Agnes’ location, you need to ensure that Agnes is not being forced to consent.
- If Bob wants to track Agnes’ location but refuses to let Agnes track Bob’s location, there are many red flags.

If you are a tech marketer and want to share how your identity solution protects individual privacy, I can help you write the necessary content. Let’s meet. Before your competition shares ITS story and steals your prospects and revenue.
GeoComply, Geolocation, and First-Party Fraud
As you may know, I am a fan of including geolocation as a factor of identity verification and authentication.
So I was delighted to learn that Liminal’s Demo Day on First-Party Fraud last Wednesday started with a demonstration from GeoComply.
How does GeoComply use geolocation to reduce first-party fraud?
1. Collect data from a user’s device: GPS, GSM, WiFi, plus IP addresses.
2. Verify location accuracy. Our rules engine runs hundreds of location data, device integrity, and identity fraud checks on every geolocation transaction to detect suspicious activity.
3. Combine real-time and historical data to detect and flag patterns of location fraud. Our models are constantly updated with the use of machine learning and human intelligence.
In his demonstration, Matthew Boland showed an example of someone who had filed numerous chargeback requests in a short period. That’s a red flag in itself.
But when Boland combined the real-time and historical data to analyze the geolocations of the chargeback requests, he found that many of the requests were filed from the same location as the person’s mailing address. So at least that was legit, and the chargeback requests weren’t being filed from China.
In addition to first-party fraud, GeoComply handles geofencing for gambling operations. To see an example of Super Bowl 2024 attempted gambling transactions in Kansas (good) and Missouri (bad), watch this video.
How Many Authentication Factor Types Are There?
An authentication factor is a discrete method of authenticating yourself. Each factor is a distinct category.
For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”
But how many factors are there?
Three factors of authentication
There are some people who argue that there are only really three authentication factors:
- Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
- Something you have, such as a driver’s license, passport, or hardware or software token.
- Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.
Five factors of authentication, not three
I argue that there are more than three.
- Something you do, such as super-secret swiping patterns to unlock a device.
- Somewhere you are, or geolocation.
For some of us, these are the five standard authentication factors. And they can also function for identity verification.
Six factors of authentication, not five
But I’ve postulated that there is one more.
- Somewhat you why, or a measure of intent and reasonableness.
For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.
- The person may deserve access if they are an employee and arrive at the location during working hours.
- That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
- That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.
Or maybe just five factors of authentication
Now not everyone agrees that this sixth factor of authentication is truly a factor. If “not everyone” means no one, and I’m the only person blabbering about it.
So while I still work on evangelizing the sixth factor, use the partially accepted notion that there are five factors.
There Are Patches to Protect from the PerfektBlue Automotive Vulnerability
Why is the “PerfektBlue” (with a K) automotive vulnerability in the news?
And why are people more likely to read the cyber press alarms that emphasize the vulnerability than the reports that emphasize the fix?
Unlike the cyber press, I will report the fix first.
OpenSynergy
For example, OpenSynergy, author of the Blue SDK for remote Bluetooth access to automobiles, issued this statement on July 9, 2025:
“OpenSynergy was notified In May 2024 by PCA Cyber Security (formerly PCAutomotive) about a couple of potential vulnerabilities (named PerfektBlue) in Blue SDK.
“We are pleased to confirm that corrections were applied and fixed the potential vulnerabilities, and relative patches were supplied to our customers in September 2024.”
PCA Cyber Security
Why was OpenSynergy addressing a 2024 vulnerability in 2025? Because the cybersecurity press is just now reporting on the vulnerability…because PCA Cyber Security intentionally refrained from publicizing it.
“[W]e reported all the findings to OpenSynergy in May, 2024. They acknowledged, and rolled out patches to the customers of BlueSDK in September, 2024. It was decided to wait until all of OpenSynergy customers applied the patches before this publication.
“To protect against PerfektBlue, you can update your system or disable the Bluetooth functionality entirely.”
CyberScoop
What can happen if you don’t patch your car? Here is what CyberScoop said:
“Successful exploitation of the infotainment system could theoretically provide attackers with access to GPS tracking, audio recording capabilities, and contact information. Researchers also note that weak network segmentation could potentially allow attackers to access other vehicle systems, though this would depend on additional vulnerabilities and the specific architecture of each vehicle.”
CyberScoop also clarified why the vulnerability wasn’t revealed back in September 2024 when the patches were released:
“[T]he complex nature of automotive supply chains has created challenges in patch distribution. Some original equipment manufacturers had not received the necessary updates as late as June 2025, nearly a year after the initial disclosure. This delay prompted the researchers to proceed with public disclosure while withholding the identity of the fourth manufacturer.”
The three identified manufacturers and systems are Mercedes-Benz’s NTG6 system, Volkswagen’s MEB ICAS3 unit, and Skoda’s MIB3 system.
Mercedes-Benz, Skoda, and Volkswagen
Oddly enough, I can’t find any statements from the three known manufacturers. You would think they would jump in front and say “here’s how to apply the patches”…or better still, “we have already applied the patches.”
But so far I haven’t found any manufacturer statements.

A missed opportunity.
Why?
People are more likely to read the cyber press alarms that emphasize the vulnerability than the reports that emphasize the fix.
After all, gotta get those clicks.
Four Time-bound Geolocations = Identity?
(Part of the biometric product marketing expert series)
Some don’t believe that geolocation is a valid factor of identity/verification/authentication.
Some do.
If you ignore what Yves-Alexandre de Montjoye et al. said about the validity of 12 fingerprint minutiae points in their 2013 study (cited in phys.org), their conclusions about cell phone locations deserve consideration.
“By analyzing 15 months of cell phone mobility data from 1.5 million people, researchers have found that only four spatio-temporal points (an individual’s approximate whereabouts at the approximate time when they’re using their cell phone) are all that’s needed to uniquely identify 95% of the individuals.”
Why?
“[T]he researchers’ data shows that just four spatio-temporal points are needed to uniquely identify the mobility trace of an individual. In other words, it’s not likely that someone else will be in the same locations as you are at four different times of day.”
And once you perform multi-factor authentication by combining geolocation with another factor, such as an address or a social media post, privacy disappears.
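To make the "four points" claim concrete, here is an added example (not code from the study or from this blog) that measures how often a handful of known (place, time) points single out one person in a location dataset. The traces, names, and the `unicity` and `matching_users` functions are constructed for illustration, and the check is exhaustive over a tiny dataset rather than sampled over 1.5 million people.

```python
from itertools import combinations

# Constructed sample data (not from the study): each point is
# (antenna cell, hour of day) at which the phone was seen.
TRACES = {
    "alice": {("A", 8), ("B", 9), ("C", 12), ("D", 18)},
    "bob":   {("A", 8), ("B", 9), ("C", 12), ("E", 18)},
    "carol": {("A", 8), ("F", 9), ("C", 12), ("D", 18)},
    "dave":  {("G", 8), ("B", 9), ("C", 12), ("D", 18)},
}


def matching_users(traces, points):
    """Return the users whose trace contains every one of the given points."""
    wanted = set(points)
    return sorted(user for user, trace in traces.items() if wanted <= trace)


def unicity(traces, p):
    """Fraction of p-point samples, each taken from one user's own trace,
    that match that user and nobody else in the dataset."""
    unique = total = 0
    for user, trace in traces.items():
        for sample in combinations(sorted(trace), p):
            total += 1
            if matching_users(traces, sample) == [user]:
                unique += 1
    return unique / total if total else 0.0


def unicity_curve(traces, max_points):
    """Unicity for 1..max_points known points: a quick re-identification
    risk check to run before releasing 'anonymized' location data."""
    return {p: unicity(traces, p) for p in range(1, max_points + 1)}


if __name__ == "__main__":
    for p, fraction in unicity_curve(TRACES, 4).items():
        print(f"{p} known point(s): {fraction:.1%} of samples identify one person")
```

Even though these four people share most of their day, the share of samples that identify exactly one of them climbs with every extra point known, which is why removing names from location data does not make it anonymous.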
And now a word from our sponsor.
Xona Space Systems and 3 Inch Geolocation Accuracy
Our existing GPS is good enough (when not jammed) for a person to drop a bomb, but not good enough for a non-person entity (NPE) to be behind the wheel of a large automobile. And you may ask yourself, “Where is that large automobile?”
“The satellite is the first of a planned constellation called Pulsar, which is being developed by California-based Xona Space Systems. The company ultimately plans to have a constellation of 258 satellites in low Earth orbit. Although these satellites will operate much like those used to create GPS, they will orbit about 12,000 miles closer to Earth’s surface, beaming down a much stronger signal that’s more accurate—and harder to jam.
“Reid and Manning began to think about how to build a space-based PNT [positioning, navigation, and timing] system that would do what GPS does but better, with accuracy of three inches (10 centimeters) or less and ironclad reliability in all sorts of challenging conditions.”
Quote from https://www.technologyreview.com/2025/06/06/1117978/inside-the-race-to-find-gps-alternatives/
Xona Space Systems website: https://www.xonaspace.com/
Deepfakes Slipping Through the Silos
Sometimes common sense isn’t enough to stop deepfake fraud. Marc Ricker of iVALT asserts that a unified response also helps.
“Too often, network teams focus on availability, while security teams chase threats after the fact. That separation creates gaps — gaps that attackers exploit.”
Ricker’s solution:
“iVALT unifies remote access and identity security through:
Instant, passwordless biometric authentication
AI-resistant technology that stops deepfake and synthetic identity fraud”
iVALT trumpets the use of 5 factors: device ID, biometrics, geolocation, time window, and “app code.”
- I was curious which biometric modalities and vendors iVALT supported, so I looked it up.
- iVALT appears to use PingOne DaVinci, which orchestrates everything.
- The only biometrics specifically mentioned by iVALT are those captured on a mobile phone.
- But it’s unclear to me whether these are the biometrics captured by the phone’s operating system (for example, TouchID or FaceID on iOS), third party biometrics, or all of the above.
Of course, most people don’t care about the minutiae of supported biometric modalities.
But some do…because all biometric algorithms do NOT provide the same accuracy or performance.
