Outsmarting Waze, Together

Outsmarting Waze, Together

Waze is the world's largest community-based traffic and navigation app but creating a personal account can kill your privacy. The Waze app provides turn-by-turn navigation and crowdsourced information collected from other Waze users in the area. Users can submit road hazards including stopped vehicles, construction, pot holes, and police activity which is then shared with other users who approach the tagged location.

The service is a wonderful idea and is definitely useful. I use it almost daily in my travels. However, if you create an account, things can get hairy and sticky pretty quickly. For starters, if you use the same username you use elsewhere, people can see when you're nearby. As with all location-based services, this provides an opportunity for someone who might be targeting you to gather more information. Waze has taken some precautions to protect your privacy such as adding a time delay to sharing another Wazer's location so as to prevent using real-time location for stalking purposes. However, it still leaves a few gaps that could bite any privacy aficianado in the ass.

For starters, we'll consider the most feasible threat - access to your data by a third party. This can be accomplished illegally by hackers if they discover a security flaw in the service or app, or through legal process such as a court order if a judge decides information in your account could be useful to a case.

Waze, by design, gathers information from users - both those who create an account and those who use it "anonymously." Those who create an account, however, have their information linked to their accounts like any other service. If your account information is leaked, either through legal process or a data breach, you can bet at least some of your location history will still be connected to your account. If you, like most people, use the same username everywhere, it will be fairly easy to connect this location data to your actual identity. An adversary could easily generate a heat map to see how often and when you visit a given location and could determine if that location might be your home, workplace, or other particular place of interest to you. As always, this information could be used for nefarious purposes.

Did you connect your contacts or Facebook account to your Waze account? Waze allows you to connect with your friends so you can see each other on the map and share routes and ETA with one another. That's cool but it also means more information available to an adversary. Perhaps you've fallen for the classic Facebook scam where a fraudster creates a profile identical to that of someone you know and adds you as a friend. What if you share your location with them through Waze?

Ok so you aren't the target of a legal battle, you take reasonable precautions to ensure your identity would still be safe by using a unique username, and you're diligent enough to know that your Facebook friends are truly legit. There's still one more way that Waze can kick you where it hurts. Waze is designed to delay your information from being displayed to other Wazers. However, their terms of use and their privacy policy allow them to share information with law enforcement as they see fit. It is entirely possible that Waze could share real-time location and speed information of Wazers with law enforcement agencies to assist in everything from speed traps to DUI checkpoints to spying on the location of persons of interest regardless of whether or not a crime has been committed. Remember, warrant-less surveillance is at an unprecedented high and shows no signs of stopping any time soon. There is nothing stopping Waze from partaking in such surveillance activities.

While I have yet to find solid evidence of this possibility, just remember that Waze IS owned by Google and Google has a horrible track record when it comes to spying on users. If you've ever created an account with Waze, I'd say your privacy, as far as they're concerned, is gone. Even if you nuke your account and use the app anonymously, you can still potentially be identified if your home, work, and other usual locations are the same as they where when you were a registered user. This is where meta data can become dangerous.

At the end of the day, if you have a smartphone that's tied to your identity in any way, you've already given up some degree of privacy as the carrier can always be targeted for your location information. However, apps like Waze can further reduce your privacy by recording and storing your exact GPS coordinates and linking them to other information they have on you. As always, you must decide what is right for you and if the privacy loss is worth the convenience of having an account. For most people, it would see using Waze anonymously would suffice for navigational purposes and I highly recommend retaining that anonymity.