Johannes Ullrich, chief research officer for the SANS Institute, an organization that operates an Internet security service called the Internet Storm Center, confirms that location information is commonly posted with photos online. Aside from the sort of stalking that Jackson and Pesce describe, he says, the practice can also increase risk of theft. Sites that allow users to post items for sale often include photographs, which thieves could use to locate the items.
At a security conference last year, Gerald Friedland and Robin Sommer, researchers at the International Computer Science Institute in Berkeley, California, released a study on “cybercasing“—using online geotagged information to mount real-world attacks. “We found that people really did put the geotags in unintentionally,” says Friedland. For example, he says, they found cases where people had clearly made an effort to keep an account anonymous, only to give away key location information. The problem is especially troubling because today’s Web services offer powerful application programming interfaces that could enable an interested party to rapidly correlate information from multiple services.
Friedland notes that geotags are not all bad—the information can be useful for personalization and other services. However, he says, “there is a responsibility in terms of making it clear what information is being released. People should have a choice.”
“Services should [remove] this information,” Ullrich says. He adds that this is not technically difficult and stands to benefit the sites themselves: stripping photographs of their metadata prevents attackers from using this information to launch exploits on a site’s server. Some sites, such as Facebook, already do it.
Regardless of what sites decide to do, users need to pay attention to their devices’ capabilities, says Alex Levinson, chief technology officer and lead engineer for Katana Forensics, a company that makes an application that can analyze the data stored on iPhones, iPads, and other devices running Apple’s mobile operating system. Levinson has studied the location information stored on these devices and is currently researching how they share that information when users post on a public site. “If you buy a piece of technology, read about it,” he says. “It comes with a manual, and you can understand what the device is doing about location information and how it’s being used. If you don’t like what you find out, return the device.”