People were up in arms this week about the privacy implications of news that the iPhone gathers location information and stores it in a file on the user’s computer. But experts say that smart-phone owners are unknowingly taking a much bigger risk with information about where they go all day. During a presentation at the computer security conference Source Boston, Ben Jackson of Mayhemic Labs and Larry Pesce, a senior security consultant with NWN, described the way photos taken by many phones are routinely encoded with latitude and longitude tags. When users post those photos online through services such as TwitPic, they often expose much more personal data than they realize.
“It is definitely true that folks don’t [understand] the risk,” says Jackson.
For example, by looking at the location metadata stored with pictures posted through one man’s anonymous Twitter account, the researchers were able to pinpoint his likely home address. From there, by cross-referencing this location with city records, they found his name. Using that information, the researchers went on to find his place of work, his wife’s name, and information about his children.
A few smart phones, such as the BlackBerry, leave the geotagging feature turned off by default. In many devices, however, photos are tagged with this information unless users to go in and disable the feature themselves.
To make people aware of the dangers of this data, Jackson and Pesce launched a site called I Can Stalk U, which searches Twitter for posts that reveal location information and creates a map pinpointing the places where pictures were taken. “We wanted to inform people of what they’re really posting,” Jackson says.
The researchers have struggled to find an effective way to spread this message. Twitter has twice shut them down (though they were able to get themselves reinstated), and many users react with alarm when they see what I Can Stalk U is doing. Jackson and Pesce say they hope they’re educating people, and the site includes information about turning off location features, as well as links to organizations that work to protect user privacy, such as the Electronic Frontier Foundation.
So many pictures with location data get posted every day that when the researchers tried to analyze every picture posted to TwitPic, they couldn’t keep up. Now their site downloads an average of 15 gigabytes of photos per day, scans more than 35,000 tweets, and analyzes more than 20,000 pictures.
Johannes Ullrich, chief research officer for the SANS Institute, an organization that operates an Internet security service called the Internet Storm Center, confirms that location information is commonly posted with photos online. Aside from the sort of stalking that Jackson and Pesce describe, he says, the practice can also increase risk of theft. Sites that allow users to post items for sale often include photographs, which thieves could use to locate the items.
At a security conference last year, Gerald Friedland and Robin Sommer, researchers at the International Computer Science Institute in Berkeley, California, released a study on “cybercasing“—using online geotagged information to mount real-world attacks. “We found that people really did put the geotags in unintentionally,” says Friedland. For example, he says, they found cases where people had clearly made an effort to keep an account anonymous, only to give away key location information. The problem is especially troubling because today’s Web services offer powerful application programming interfaces that could enable an interested party to rapidly correlate information from multiple services.
Friedland notes that geotags are not all bad—the information can be useful for personalization and other services. However, he says, “there is a responsibility in terms of making it clear what information is being released. People should have a choice.”
“Services should [remove] this information,” Ullrich says. He adds that this is not technically difficult and stands to benefit the sites themselves: stripping photographs of their metadata prevents attackers from using this information to launch exploits on a site’s server. Some sites, such as Facebook, already do it.
Regardless of what sites decide to do, users need to pay attention to their devices’ capabilities, says Alex Levinson, chief technology officer and lead engineer for Katana Forensics, a company that makes an application that can analyze the data stored on iPhones, iPads, and other devices running Apple’s mobile operating system. Levinson has studied the location information stored on these devices and is currently researching how they share that information when users post on a public site. “If you buy a piece of technology, read about it,” he says. “It comes with a manual, and you can understand what the device is doing about location information and how it’s being used. If you don’t like what you find out, return the device.”