Stalker Apps? “Girls Around Me” Highlights the Privacy Perils of Geolocation Apps

Many of us like the convenience of geolocation on our smartphones; it enables us to look up nearby restaurants or gas stations, for example.  But it’s one thing to use your phone to find the closest slice of pizza, and another to use it to look for people.

Just last week, Apple pulled an app called “Girls Around Me,” which had generated a lot of buzz, out of the iTunes app store.  (For brevity, I’ll call the app “GAM”.)  GAM accessed user data that people posted on their Facebook and Foursquare sites, and alerted the user as to which “girls” were nearby.  Concerns were raised that GAM could compromise privacy, and enable stalkers and voyeurs to easily harass women.

In this column, I will highlight how GAM works, and consider the larger concerns it raises regarding (1) geolocation applications and privacy, (2) the unclear Terms of Use for certain web platforms; and (3) the extent to which third-party application developers can use, harvest, and manipulate data.  As I have noted in earlier columns, when it comes to information on social networking sites, there needs to be more respect for context; one use of certain information may be innocuous, but another use of that very same information may be pernicious.  Moreover, we need a federal consumer privacy bill of rights that is passed into law to ensure that privacy protection truly has teeth.

The “Girls Around Me” App, and How It Works

“In the mood for love, or just after a one-night stand? Girls Around Me puts you in control!” the GAM webpage boasts.  The page also boasts that GAM “is a revolutionary new city scanner app that turns your town into a dating paradise!”  The app allows users to “[b]rowse photos of lovely local ladies and tap their thumbnail to find out more about them.”

How, exactly, does GAM work?  It trawls Facebook and Foursquare for information that women have posted on these services’ public pages; aggregates that information; and links it to the women’s current geolocation as provided on Foursquare, a mobile platform that allows users to post their geolocation in real time.

When you “check in” to Foursquare via a smartphone application or SMS, your friends are instantly informed of your current location.  GAM then collects this information and let you view it on your phone by accessing an Application-Programming Interface (API) from Foursquare.

API is a set of programming instructions and standards for accessing a web-based software application.  A software company releases its API to the public so that other software developers can design apps that are powered by its service.

An API is a “software-to-software” interface, not a user interface. With APIs, applications talk to each other without any user knowledge.  That’s how GAM was able to—by agreement—pull data from Foursquare.

Once that data is pulled, GAM users can see a list of the women in their vicinity, whose smiling faces (and at times, scantily-clad photos) pop up on a map of the user’s locale.  GAM  also let users attempt to contact the women whose faces they see via Facebook—even if the women are strangers to the GAM user.

Fears About GAM:  Why the App Was Pulled by both Foursquare and the iTunes App Store

Some accounts have described GAM as creepy and have likened what it does to stalking. Ultimately, the controversy led both Foursquare and the iTunes App Store to pull the GAM app.

Recently, a posting on the Cultofmac blog site warned of the perils of GAM.  The concern was that many Foursquare users may be unaware of how their publicly-available geographic postings are being aggregated with their publicly-available Facebook postings and republished by GAM in a new format and context that enables dating, hooking up, and potentially even stalking.

Other privacy and consumer advocates have noted that GAM makes it easier for thieves and scammers to phish—that is, to make it appear that an email is from a friend, when it is really from a person who is seeking to steal financial and/or personal information, or who is otherwise acting under false pretenses.  GAM makes it possible for a user who would have had to use the old line, “Haven’t I met you somewhere before?” to now email, “Hey, I saw you at Bar Z on Friday.”).

The Response From the GAM Developer to the Criticisms of GAM

GAM was developed by the Russian company I-Free Innovations.  I-Free has defended GAM, claiming that it has done nothing wrong, as it only pulls together freely available information.  I-Free likens GAM to other apps such as Ban.jo and Sonar that also use APIs from social networks to provide user-location data.

I-Free issued a statement to The Wall Street Journal saying that it is  “unethical to pick a scapegoat to talk about the privacy concerns. We see this wave of negative [sic] as a serious misunderstanding of the apps’ goals, purpose, abilities and restrictions.”

I-Free added, “GAM shows to the user only the data that is available to him or her through his or her accounts in Foursquare, and gives the user nothing more than Foursquare app can provide itself . . . .  The aim of the app is to make the usage of this data more convenient and more focused on finding popular and crowded venues.”

I-Free also noted that the GAM app has been online since December and, until last week, no one had raised a privacy concern, despite the fact that GAM had been downloaded more than 70,000 times.

I-Free’s statement concluded, “We understand that privacy is a serious matter. We were planning to continue developing the app and limit it to showing only public places and venues.”

Part of the Problem Is The Lack of Clarity in the Terms of Service for Third-Party Apps

In addition to raising fears about how GAM might be used by stalkers, the GAM controversy also raises larger issues.  In particular, the GAM controversy underlines the lack of clarity regarding the Terms of Service and other contractual policies that exist between social-networking sites and the apps that access API to provide new services on top of existing networks.

Consumers, especially, are unlikely to know what uses of a given app are permissible and which are not.  But at times, appmakers, too, may be in the dark.  For example, according to Foursquare, I-Free violated Foursquare’s policy by aggregating information across venues, and that policy violation got the app’s API access yanked.  But Foursquare may not have been policing API use, because the app had launched in December and seems to have gone unnoticed until bad press brought it to light.

According to a senior Foursquare developer, the specific problem with the interaction of Foursquare and GAM was the part of the Foursquare API called “herenow” that shows which users are currently checked in at a given location by displaying small user faces.  Logged-in Foursquare users can see those faces when they look up any place within the system.

Outside developers, however, aren’t allowed to aggregate that information across multiple venues.  Thus, GAM should not have been able to provide users with data on “girls” at more than one location, on a map.  That is the type of “aggregation” that is forbidden.

According to Foursquare, GAM violated Foursquare’s API policies in four different ways, because Foursquare’s policy:

1. Does not permit aggregating of “herenow” information across multiple venues
2. Does not permit apps that are determined to be threatening or invasive of another’s privacy (See “Rules and Conduct”)
3. Requires developers to have a privacy policy if they use/display user data
4. Prohibits unauthorized use of Foursquare’s trademarks (Use of “foursquare” in the app name)

Despite these rules, however, it took a blog post to clarify what must have previously been unclear, given that the app had been in use for months.  Fortunately, Foursquare plans to make the restrictions around this “herenow” data clearer in the future.

Other Geolocation Programs That Use Foursquare Data: Why Their Terms of Use Need To Be Clearer, Too

More generally, Foursquare needs to make its data restrictions and policies clearer.  Currently, a user has to work hard to figure out the differences between the various geolocation apps, and how those apps use Foursquare data.

Foursquare’s privacy policy on “Using Third Party Apps” states that “Use of third party apps developed using our API are subject to the terms of use and privacy policies of such third party developers. Certain Personal Information may be made available to third party developers if you or your ‘friends’ use these third party apps. You should review the policies of third party apps and websites to ensure that you are comfortable with the ways in which they use the information you share with them. We do not guarantee that they will follow our rules or our Privacy Policy.”

However, the intersection of Foursquare and third-party apps  can get very confusing.  For example, the various geolocation apps that build on Foursquare data each do something a bit different: Ban.jo only aggregates Foursquare check-ins when they are openly cross-posted to Twitter.

Meanwhile, according to Foursquare, Sonar.me does use “herenow,” but only on a venue-by-venue basis, and seemingly more tastefully than GAM.  Sonar  describes itself as “a mobile application that uncovers the hidden connections you share with people nearby.”  The main interface for Sonar is a list of nearby venues with the number of people at them, but you have to click on each place separately to see the people there, so that seems to be the key distinction for Foursquare. There’s also no map view.

But the programs keep coming.  There is another app called “Wheretheladies.at“ that is also built around women’s Foursquare check-ins.  This app avoids the problems with GAM by counting the number of women at different venues, but not disclosing the women’s identities.  If you visit the related website, you might find out that there are 10 women currently at the Westfield Mall, for example.

Ultimately, the issue here isn’t just about Foursquare or GAM; it is about the perils of geolocation and the aggregation of social networking data, more generally.  Other apps are also problematic. For instance, the aptly named “Creepy” is a software package that allows users to find out where a person lives, works, and hangs out, based on the shared photos they post online.  The app can retrace your tracks using geographic data embedded within shared photos.

If you type in a person’s Twitter or Flickr username, and hit the “Relocate Target:” button, the app will gather all the geographic information available, via photos that the “target” has shared online.  Where does Creepy’s geolocation information come from?  The answer is that whenever someone shares a photo that was taken with his or her smartphone, services like Flickr, Yfrog, and Twitpic already automatically record where the picture was taken, and store that geo-tag in the image’s data.  Creepy simply uses APIs to scan this data, and display it on a map. Of course, the location in which a single photo was taken typically wouldn’t reveal too much about the person at issue.  But the more photos a person shares, the more exposed his or her life becomes. 

What We Can Learn from the GAM Controversy

What should the GAM controversy teach us?  First, we may need to revisit how we use apps – especially ones that relate to relocation.  Second, we need to keep in mind that any data posted online that is publicly available—be it a photo, a description of a trip, or a tweet sent as one boards a plane—can be stored and used to develop geographic profiles of where we live and how we move.

Sometimes this kind of data can be helpful to us.  But when the data is used in new ways and contexts, especially unanticipated ones, those uses may prove concerning, as both the Creepy and GAM apps demonstrate.  Of course, lesson number one is always, “Think before you post,” but users should also read the privacy polices of social networking and other sites more carefully.

And if the policies aren’t clear, users should demand that the relevant companies and/or operators be clearer about how other apps can use API, and what the limits or permissible uses are.  Policies that are written in general terms don’t often make much sense until a new and shocking application is provided to us—like GAM.

In sum, we need better disclosure, and we need social media, to better police how app developers are using data.  And finally, as I have said in several previous columns, we need the White House’s proposal for a consumer privacy bill of rights—one that establishes rights that include a respect for limits on data use, and take into account the context of use—to be passed into law.