Gowalla location spoofing
Gowalla is an application that claims to be “the easiest way to share places you go with friends”. The application runs on iPhone and Android devices, and uses your GPS location to create “Spots”, and allows you to Check In at a Spot. You can tie your Gowalla account to your Twitter account, or your Facebook account, so that updates are automagically posted to these services. When Adam pointed out the research he had done with decloaking a user’s private checkins, I noticed that part of the information posted was the GPS lat and long. This got me wondering if I could go ahead and post a false lat and long to check in from someplace other than where I was currently sitting (which is usually my couch). Some discussion ensued, and shortly Adam sent me a couple of scripts he had hacked up that would allow me to create a Spot, then check in from that Spot. All I need to provide is GPS coordinates, and associated trivia like a comment, a name for the spot, etc.
So I took a trip to Mt. Everest. One of my followers on Twitter (Hi Adam!) retweeted my checkin, and within a very short time (definitely less than 30 minutes, but I can’t be more exact than that), my account had been removed, along with my Spot for Mt. Everest. This irritated me a little bit. In my eyes it would have been appropriate to at least contact me and say “Hey, you’re bending the rules, knock it off,” but they didn’t; it was just wholesale account-slaughtering time. After reading through the Terms of Service and not finding anything that I could see that I had violated, I went ahead and created a new account, “gowalla sucks”, using the same email address and Twitter account I had used on my previous account. Then I went to Antarctica.
After confirming that the spot was created, checking in, and making sure it posted to my Twitter feed, I went about my business for a while. A short time later I came back to Gowalla, to see if they had trashed my new account, only to discover that my name was now “gowalla isyournewbestfriend”, which I think was a much more appropriate response than just removing the account, and pretty funny, to boot.
It is worth noting at this point that I don’t have an iPhone, nor an Android device. These scripts interact with the Gowalla API directly from the webpage. Which brings us to the moral of the story: much has been said about the wisdom of advertising your location to the whole wide world (check out pleaserobme.com if you haven’t yet), but little so far about advertising false locations, which could be just as problematic. The day is not far off when a criminal will try to use a Facebook status update, or a Gowalla post as an alibi, stating “I couldn’t have killed my wife, I was across town, here is proof!” (if it hasn’t happened already). Of course, the flipside actually adds a layer of obfuscation: Need to fool your stalker? Just post a bunch of bogus updates, and she’ll run herself ragged trying to track you down. Food for thought, nothing more…
Thanks to Adam, Adam, and the penguins in McMurdo Sound for their support and assistance bringing this (sort of) important issue into the light.
UPDATE: While I was typing this up they removed my spot for McMurdo Station Ice Runway. Shame on you, Gowalla! There’s nothing in your terms of service that says I have to check in from WHERE I ACTUALLY AM.
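The check-ins above went through because the coordinates came from the client and were accepted as given. As an added example (not part of the original post and not Gowalla's code), here is one server-side plausibility check a service could run over a user's check-in history; the record fields, the 1000 km/h speed limit and the sample data are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0  # assumption: a little above airliner cruising speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/long points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def flag_implausible(checkins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (spot, reason) for check-ins that are out of range or that
    could not be reached from the last plausible check-in in the time elapsed."""
    flagged, prev = [], None
    for c in sorted(checkins, key=lambda c: c["time"]):
        lat, lon = c["lat"], c["lon"]
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            flagged.append((c["spot"], "coordinates out of range"))
            continue
        if prev is not None:
            hours = (c["time"] - prev["time"]).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], lat, lon)
            # dist > speed * hours also covers hours == 0 (two places at once)
            if dist > max_speed_kmh * hours:
                flagged.append((c["spot"], f"{dist:.0f} km in {hours:.1f} h"))
                continue  # keep the last plausible check-in as the baseline
        prev = c
    return flagged

# Constructed sample history: a couch, two far-away check-ins, a nearby cafe.
T0 = datetime(2010, 3, 1, 19, 0)
SAMPLE = [
    {"spot": "Couch", "lat": 40.0, "lon": -75.0, "time": T0},
    {"spot": "Mt. Everest", "lat": 27.9881, "lon": 86.9250,
     "time": T0 + timedelta(minutes=20)},
    {"spot": "McMurdo Station Ice Runway", "lat": -77.85, "lon": 166.67,
     "time": T0 + timedelta(hours=1)},
    {"spot": "Cafe", "lat": 40.01, "lon": -75.01, "time": T0 + timedelta(hours=2)},
]

if __name__ == "__main__":
    for spot, reason in flag_implausible(SAMPLE):
        print(f"implausible: {spot} ({reason})")
```

A check like this only catches a history that contradicts itself: a single false check-in with no earlier baseline passes, so a check-in that survives it is still not proof of where someone was.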


