How People Broadcast Their Locations Without Meaning To

Smart phones include geotagging features that many people aren’t aware of.

People were up in arms this week about the privacy implications of news that the iPhone gathers location information and stores it in a file on the user’s computer. But experts say that smart-phone owners are unknowingly taking a much bigger risk with information about where they go all day. During a presentation at the computer security conference Source Boston, Ben Jackson of Mayhemic Labs and Larry Pesce, a senior security consultant with NWN, described the way photos taken by many phones are routinely encoded with latitude and longitude tags. When users post those photos online through services such as TwitPic, they often expose much more personal data than they realize.

Too revealing: Security researchers created the website “I Can Stalk U,” above, to demonstrate that people often reveal their location when uploading photos taken on smart phones to social networking websites.

“It is definitely true that folks don’t [understand] the risk,” says Jackson.

For example, by looking at the location metadata stored with pictures posted through one man’s anonymous Twitter account, the researchers were able to pinpoint his likely home address. From there, by cross-referencing this location with city records, they found his name. Using that information, the researchers went on to find his place of work, his wife’s name, and information about his children.

A few smart phones, such as the BlackBerry, leave the geotagging feature turned off by default. In many devices, however, photos are tagged with this information unless users go in and disable the feature themselves.

To make people aware of the dangers of this data, Jackson and Pesce launched a site called I Can Stalk U, which searches Twitter for posts that reveal location information and creates a map pinpointing the places where pictures were taken. “We wanted to inform people of what they’re really posting,” Jackson says.

The researchers have struggled to find an effective way to spread this message. Twitter has twice shut them down (though they were able to get themselves reinstated), and many users react with alarm when they see what I Can Stalk U is doing. Jackson and Pesce say they hope they’re educating people, and the site includes information about turning off location features, as well as links to organizations that work to protect user privacy, such as the Electronic Frontier Foundation.

So many pictures with location data get posted every day that when the researchers tried to analyze every picture posted to TwitPic, they couldn’t keep up. Now their site downloads an average of 15 gigabytes of photos per day, scans more than 35,000 tweets, and analyzes more than 20,000 pictures.

Johannes Ullrich, chief research officer for the SANS Institute, an organization that operates an Internet security service called the Internet Storm Center, confirms that location information is commonly posted with photos online. Aside from the sort of stalking that Jackson and Pesce describe, he says, the practice can also increase risk of theft. Sites that allow users to post items for sale often include photographs, which thieves could use to locate the items.

At a security conference last year, Gerald Friedland and Robin Sommer, researchers at the International Computer Science Institute in Berkeley, California, released a study on “cybercasing”—using online geotagged information to mount real-world attacks. “We found that people really did put the geotags in unintentionally,” says Friedland. For example, he says, they found cases where people had clearly made an effort to keep an account anonymous, only to give away key location information. The problem is especially troubling because today’s Web services offer powerful application programming interfaces that could enable an interested party to rapidly correlate information from multiple services.

Friedland notes that geotags are not all bad—the information can be useful for personalization and other services. However, he says, “there is a responsibility in terms of making it clear what information is being released. People should have a choice.”

“Services should [remove] this information,” Ullrich says. He adds that this is not technically difficult and stands to benefit the sites themselves: stripping photographs of their metadata prevents attackers from using this information to launch exploits on a site’s server. Some sites, such as Facebook, already do it.

Regardless of what sites decide to do, users need to pay attention to their devices’ capabilities, says Alex Levinson, chief technology officer and lead engineer for Katana Forensics, a company that makes an application that can analyze the data stored on iPhones, iPads, and other devices running Apple’s mobile operating system. Levinson has studied the location information stored on these devices and is currently researching how they share that information when users post on a public site. “If you buy a piece of technology, read about it,” he says. “It comes with a manual, and you can understand what the device is doing about location information and how it’s being used. If you don’t like what you find out, return the device.” 
