CEO & Founder, Tala Security
It’s one thing to share user geolocation data deliberately without consent, but what if you’re inadvertently giving it away?
The Federal Communications Commission is proposing over $200m in fines for wireless carriers who knowingly shared, sold or otherwise mishandled their customers’ location data. Significant press investigations and reports have raised public awareness of the risks associated with this kind of breach. We’re now seeing calls from privacy advocates to strengthen legislation, add teeth to existing privacy regulations and even hold CEOs personally responsible for making promises they can’t keep on customer privacy.
If a website wants to access your geolocation, the browser will prompt the user with a pop-up question.
There are two issues with the pop-up. First, this pop-up only shows up the first time the website is trying to access geolocation. If the user clicks ‘Allow Once,’ that preference is recorded, and the website can now access geolocation data any time in the future.
Secondly, if the user clicks ‘Allow’, it provides the entire website with permission to access the user’s geolocation. So in this case, if the user clicks on the ‘Allow’ button, scripts loaded from the primary domain (in this example it would be scripts loaded from w3cschools.com) as well as scripts loaded on the site from any other third-party domain, can access the user’s location information. In essence, malicious or adware scripts can now use a website’s permission levels to access sensitive user geolocation data.
The good news is that modern web browsers (PC and mobile) provide fine-grained security controls to monitor and block unauthorized access by third-party scripts.
In particular, a new and upcoming feature within browsers called feature-policy allows website owners to specify which domains can access sensitive user information and resources. For example, feature-policy allows a website to block a third-party script from accessing the user’s microphone or camera.
Feature-policy also provides websites with the ability to control access to user geolocation data. Using the feature-policy geolocation directive, a website can control which domains can access location information, including cross-domain iFrames.
For example, with the following policy, the website will only allow its own domain to access the location information. Any other domains trying to access the geolocation information will return an error.
Feature-Policy: geolocation 'self'
If the website wants to allow a second domain, let’s call it trusted-domain.com, to access the location information, it can do so using the following policy:
Feature-Policy: geolocation 'self' https://trusted-domain.com
With new privacy laws in place, website owners should prioritize restricting access to sensitive user data so that their websites don’t become conduits for data breaches or privacy violations. Browser-native controls like Content Security Policy (CSP), Subresource Integrity (SRI) and Feature-Policy are freely available for websites to enforce the right security and privacy policies.