Even people who avoid online services can find their lives affected by them. For example, one morning you might wake up to find your usually quiet local street has become a busy highway. You can blame satellite navigation services for that.
Satnav services optimize routes for their users by considering traffic jams, accidents, and roadwork. Such apps get data from municipal services and also from user reporting.
Perhaps the best known service of this kind is Waze. Acquired by Google in 2013, Waze may serve as a perfect example of how online services can impinge on real life. While making users’ life easier, they can also create safety and privacy problems.
For example, in making the route from A to B faster for its users, Waze has brought intense road traffic to previously quiet streets. The app reroutes cars, trucks, and even tourist buses to quiet streets and alleys to minimize users’ traffic delays.
Humans fight back
In Maryland, one neighborhood is trying to subvert Waze by using its own methods. Attempting to make their quiet alleys and streets less appealing to Waze, locals submit fake road accident reports to the service. Waze discards single road accident reports if the data says the real speed on this segment of the road hasn’t decreased, so to overcome that obstacle, resistance groups combine efforts with their neighbors and submit identical fake notifications, thus fooling the app.
Waze redirects cars from clogged highways to local streets. So neighbors are reporting fake accidents to stop it. http://t.co/azf6TawN1T
— Alex Goldmark (@alexgoldmark) November 14, 2014
Do such tactics work? There are no figures to say one way or the other. Wired suggests more robust measures to ease neighborhood traffic, such as installing speed bumps, replacing simple intersections with roundabouts, narrowing lanes, and more. These methods work, but you can’t deploy them based solely on a goodwill agreement with neighbors.
It is not just local residents who are enraged. The police are as well — by a feature alerting drivers to police ambushes. Back in 2014, Los Angeles Chief of Police Charlie Beck went as far as writing a letter to Google CEO Larry Page after two police officers were shot in New York by a person who had used Waze to track their location.
Another outraged letter to Page came from the head of the New York Police Union, Edward Mullins, who demanded Google remove the police-tracking feature from the app, threatening legal action. Google did not acquiesce: the feature is still there.
The face-off between the police and Waze made other players look closely at the app. Civil rights organizations such as the Electronic Frontier Foundation sided with the service, citing the police’s extensive use of face- and license-plate-recognition technologies and other tools that encroach on people’s right to privacy. The EFF pointed out that law enforcement was asking for privacy that it denies citizens.
The dark side of facial recognition? https://t.co/7I6B8MAZuW pic.twitter.com/j2O7QkmlF0
— Kaspersky Lab (@kaspersky) August 22, 2016
Another use of Waze is to bypass police checkpoints. To counteract that use, Miami police reportedly submitted fake police locations to Waze to obscure their actual whereabouts. A spokesperson for the department denied the claim, so, at least officially, the practice is not supported.
The nature of Waze has also led to public perception that the service is responsible for some types of incidents. In 2015, for example — although there have been others — the service directed an elderly couple in Brazil to a dangerous neighborhood. They were looking for Quintino Bocaiúva Avenue, in São Francisco; Waze took them to Quintino Bocaiúva Street, in Caramujo. They were caught in a hail of gunfire and one was shot dead.
To help users stay safe during the 2016 Olympics in Rio, Waze started to show notifications whenever a person entered a criminal neighborhood. (That data came from anonymous criminal activity reports from local citizens.)
Waze’s incipient ride-sharing feature may provoke a surge in public criticism as well. Take Uber, which Waze intends to compete with. The media coverage of all Uber incidents (from ordinary road accidents to kidnapping) highlights that when something goes wrong, the driver is blamed.
Renting a car abroad: survival guide – http://t.co/cpWBwubEbx pic.twitter.com/Pm8QCie0Zp
— Kaspersky Lab (@kaspersky) May 30, 2015
A resource called WhoIsDrivingYou.org lists all incidents related to Uber and its rival Lyft. It is owned by Taxicab, Limousine & Paratransit Association, an organization representing traditional transportation services in the US.
In contrast with Uber’s approach, Waze’s administrators do not plan to check their drivers for “trustworthiness.” The selection will be based purely on user ratings.
And finally, we come to our constant concerns: leaks, threats, and vulnerabilities. What is special about Waze, and how could cybercriminals take advantage of it? We’re not talking about server-level hacks — those are pretty much the same for everyone. But how about “ghost” cars in the crowd-sourced navigation tool? Researchers from the Technion – Israel Institute of Technology ran such an experiment back in 2014.
The scientists first created bots, which gained Waze’s trust by seeming to drive around the area, and then started to simulate traffic jams, which the system marked as legitimate. The apparent traffic jams caused the service to plan detours to avoid those areas.
Now, the potential evolution: Hackers use nonexistent traffic jams to cause cars to avoid certain routes, thus provoking a total traffic standstill.
Last spring, researchers at the University of California, Santa Barbara and the University of Tsinghua, in Beijing, offered another method of compromising Waze. The service plots users’ avatars with names and other user profile attributes against the map. By automating requests to show nearby users to Waze’s server, the researchers could track their movements.
#ICYMI How to stop #iOS location tracking https://t.co/xaJZkP8udi #mobile #privacy pic.twitter.com/vaMnK52KAd
— Kaspersky Lab (@kaspersky) August 20, 2016
Waze’s administration was quick to deny such privacy threats. Users can enable invisible mode and hide their whereabouts from other drivers, they pointed out. However, the developers nevertheless enhanced their privacy efforts by taking users’ names out of the freely available data pool (although their friends’ names remained visible on the map).
After this update, however, the researchers were still able to reproduce the experiment — using not names but instead the date on which a profile was created as their baseline for tracking. This date is precise to the second and makes a corresponding user identifiable. Later, the developers fixed the issue.
As a result of the new ride-sharing feature Waze is testing, rumors once again are surfacing that Google is secretly developing a fully automated taxi service that will use Waze data to pick optimal routes. At present, you can override the driver’s or app’s route suggestions, but with driverless taxis, that might no longer be the case. We hope that before rolling out driverless cabs (if that is indeed the plan), Google will be able to fix the flaws in Waze to ensure a smooth and safe user experience.