You know those geotagged tweets and Instagram posts you’re publishing from your mobile phone? It turns out anyone can access them to find out where you are and where you’ve been. You know, just in case they want to stalk you, rob you or otherwise annoy you.
In order to highlight what’s possible, a group of researchers from the International Computer Science Institute has released a new tool called “Ready or Not” that lets you enter any Twitter or Instagram username and see every place that user has been and what they’ve tweeted while there. It also includes a chart that shows how frequently users are at certain locations at certain times of day. The thought of this information getting into the hands of the wrong person — or, if you’re just into having some semblance of a private life, the thought that it exists — is a pretty troubling proposition.
The Ready or Not tool, ICSI researcher Gerald Friedland acknowledged, certainly engages in a bit of fear-mongering; but that’s the point. Friedland and his partners on a National Science Foundation-funded project called Teaching Privacy want to alert people to the dangers they might not realize exist. “Most people,” he said, “do not know that if you tweet something this location data is actually publicly available.”
Presently, though, geotagging is only turned on if you allow it for most services, and the data is only accessible (albeit without any authorization process) via a service’s API. That means anyone wanting to gain access to someone’s location data would have to be able to build an application that’s able to ingest that API data and display it. However, that’s hardly rocket science.
And, Friedland said, it’s not as if criminals haven’t used social media to find targets before. He pointed to a 2011 survey of convicted burglars from U.K. security firm Friedland (with which he is not affiliated), in which 78 percent said they believe thieves are using social media to target properties where no one is home. Fifty-four percent of the burglars called placing one’s status and whereabouts on social media a big mistake. Only 52 percent cited hiding spare keys next to the door as a big mistake.
Prior to that survey — which really coincided with the rise in popularity of Twitter and Foursquare — most of the work in what Friedland and his peers deemed “cybercasing” was largely academic, he said. They had proven in research papers it was possible to identify the locations of anonymous Craigslist listings by analyzing geotags on photos, and to identify YouTube users who were on vacation far from home. They even proved they could match voices across videos on Flickr using speech recognition technology.
But when it came to light that criminals really were using social media to find victims, “What happened then was the reality caught up,” Friedland said. “… This is not just a privacy bad feeling.”
Now, as a complement to its work on the Teaching Privacy website, the team is still conducting research. A recent study of theirs showed how it’s possible to track down the holder of an anonymous account on one service (Yelp, for example) by cross-referencing their reviews with posts, timestamps and location data on other services. It’s not 100 percent accurate, Friedland admitted, but they were able to get a lot of hits. (We’ve looked at the myth on anonymity before, too, highlighting numerous studies that have shown it’s possible to de-anonymize most user data fairly easily.)
Teaching Privacy targets high schoolers, Friedland explained, because they’re active social media users and perhaps a generation raised to be smart about online privacy will lead to smarter web usage over time. But we all need help. Friedland surveyed the attendees at a recent engineering conference in France and was surprised to see how few were actually aware that their photos and tweets might be geotagged.
“If Ph.Ds in computer science don’t know that,” he said, “the average person is going to have big trouble.”