I will be talking about some of our location-based service research next week at Mashup events, and one of the areas I want to talk about is abuse of LBS. One of the issues I see is that people who drink the LBS Kool-Aid assume that all participants will have good intentions at all times, i.e. these systems are woefully inadequately protected, and this is a major risk, as history shows that when money appears, human motives shift from benign and altruistic to power, greed and fear (to quote Machiavelli).
However, instead of me being boring and banging on about it, excerpts from this brilliant essay on how to pervert Foursquare should both amuse you and make the point. Jim Bumgardner first used the Foursquare API to create lots of new locations to make himself Mayor of:
At some point last week, I devolved into a 12 year old hacker, and I spent many spare hours (and my computer’s spare cycles) abusing the system with a set of scripts operating fake accounts. Not only did I add new venues like the North Pole, but I started persistently checking into coveted landmarks, like the Statue of Liberty.
What can I say? It was fun, and foursquare’s incentives (badges and mayorships) spurred me on. Incentives invite abuse, even from mild-mannered folks like me.
Then he started to use the API and a bit of hacking to bump off other people:
I created five “Java Monkeys” which grabbed about 120 different Starbucks in different regions (east, west, midwest, south, intl). I identified and targeted hotly contested Starbucks by searching Twitter for recent oustings. My script automatically visited those ones, to the consternation of the new mayors.
And then he started creating fake personae:
I created a fake Martha Stewart who checks into dollar stores and pawnshops when not visiting Martha Stewart Omnimedia and the set of her TV Show.
I created a fake Simon Cowell who visits massage parlors and gets lunch at Hotdog on a Stick when not visiting the Kodak theater.
I think you can start to see the potential for the damage that can be done, and he also covers how he started to use algorithms to monitor Foursquare activity to pick up behaviour patterns (he used it to get badges for creating swarms, though you can imagine less benign uses). My favourite abuse was when he started to re-categorise landlocked areas as boats:
Finally, I started giving people free sailboats. I found that if you checked into a venue tagged “boat,” you automatically get the awesome “I’m on a boat” badge; and unlike the other badges, it only requires a single check-in. So I started identifying high-traffic places via the above Twitter search, and then adding the tag “boat”. Suddenly, visitors to metropolitan airports and various sports arenas got free sailboats for Valentine’s Day.
Though it's interesting what people value:
The “Java Monkeys” got the biggest reactions. Foursquare users get far more irate when they lose mayorship of a Starbucks, as compared to a Statue of Liberty or Mount Rushmore. People are much more attached to the small places they visit over and over, and have some personal investment in. The smaller the venue, the bigger the value.
Now, think of all that wonderfully funny creativity being used to subvert a service that is using real user data and making transactions. As you can see, just a few of these sorts of raids would lead to a Google Buzz level of bad buzz.
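To make the "inadequately protected" point concrete from the service's side, here is a sketch of the kind of check that would have caught accounts like the "Java Monkeys": flag any account whose consecutive check-ins imply a travel speed no person could manage. This is an example added here, not code from Foursquare or from the essay; the record layout, the 900 km/h ceiling, the account names and the sample check-ins are all constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0          # assumed ceiling, roughly airliner cruising speed
EARTH_RADIUS_KM = 6371.0

@dataclass(frozen=True)
class CheckIn:           # hypothetical record layout, not a real API schema
    user: str
    venue: str
    lat: float
    lon: float
    ts: int              # Unix seconds

def haversine_km(a, b):
    """Great-circle distance between two check-ins in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def impossible_hops(checkins, max_kmh=MAX_KMH, min_km=1.0):
    """Return (user, from_venue, to_venue, implied_kmh) for each hop above max_kmh."""
    flagged, last = [], {}
    for c in sorted(checkins, key=lambda c: (c.user, c.ts)):
        prev, last[c.user] = last.get(c.user), c
        if prev is None:
            continue
        km = haversine_km(prev, c)
        if km < min_km:                           # ignore GPS jitter and adjacent venues
            continue
        hours = max(c.ts - prev.ts, 1) / 3600.0   # guard against a zero time delta
        if km / hours > max_kmh:
            flagged.append((c.user, prev.venue, c.venue, round(km / hours)))
    return flagged

def suspect_accounts(checkins, min_hops=2):
    """Accounts with at least min_hops impossible hops; one alone may be a GPS glitch."""
    counts = {}
    for user, *_ in impossible_hops(checkins):
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= min_hops)

# Constructed sample: one scripted account hopping regions, one ordinary user.
SAMPLE = [
    CheckIn("monkey1", "Starbucks (Seattle)", 47.6062, -122.3321, 0),
    CheckIn("monkey1", "Starbucks (Miami)", 25.7617, -80.1918, 600),
    CheckIn("monkey1", "Starbucks (London)", 51.5074, -0.1278, 1200),
    CheckIn("alice", "Starbucks (Seattle)", 47.6062, -122.3321, 0),
    CheckIn("alice", "Cafe (Portland)", 45.5152, -122.6784, 4 * 3600),
]
```

A speed check only catches the cross-region scripting; the fake venues and the "boat" re-tagging described above need separate controls on who may create or re-categorise a venue.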