Locational Privacy and Wholesale Surveillance via Photo Services


Presentation Transcript


  1. Locational Privacy and Wholesale Surveillance via Photo Services Ben Jackson, Mayhemic Labs The Next HOPE July 18th, 2010

  2. Agenda • Locational Privacy • Geo-tags • Privacy Fail • Tools and Data • Solutions

  3. Locational privacy

  4. Locational Privacy “Locational privacy (also known as "location privacy") is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use.” • Electronic Frontier Foundation, http://www.eff.org/wp/locational-privacy

  5. PleaseRobMe.com • Used location based services such as FourSquare to show that sharing your location may have unintended consequences • When you’re at work, the bar, club, gym, laundromat, pie factory, or wherever… • …you’re not at home.

  6. But it goes beyond robbing people… • I want to steal something from your corporate network… • Thanks to your sharing habits I know • Where you live… • That you’re telecommuting today… • That you “check into” a Starbucks every day around 10AM… • Boy, let’s hope you logged out of your VPN before you left!

  7. Or how about… • What if I want something stored on your laptop? • Thanks to your sharing habits I know • That you “check into” a Panera Saturday afternoons • That your code repository for your personal project gets updated before your “check in” at your home • What happens if I sit at that Panera and poison their WiFi connection? • Or if I just take your laptop when you go for a refill?

  8. A few other scenarios… • Why do you and your attractive co-worker both go to dinner at the same fancy restaurant every Tuesday after work? • Doesn’t your spouse have Yoga that night? • Why are you in a coffee shop nowhere near your house every Friday night? • Isn’t that close to a local AA meeting?

  9. But Wait! There’s More! • Stalking • OK, someone might not be stalking you, but what about your friends? • Can I establish a pattern of their behavior from information you post? • Surveillance • People love routines, why did you break yours?

  10. Geo-tags

  11. Threats to your Locational Privacy (From the EFF) • Monthly transit swipe-cards • Electronic tolling devices • Traffic Cameras • Mobile Telephones • Electronic swipe cards for doors • Services telling you when your friends are nearby

  12. However, they did miss one…

  13. GeoTags • Small bits of EXIF (Exchangeable image file format) data that encode the latitude, longitude, altitude, and relative direction of where the photo was taken • A lot of phones have this turned on by default • Why? Someone thought it was a good idea, I guess • Already a bad idea if you’re taking photos for later publication, but what happens when you’re instantly publishing them?

  14. The Tweet that started it all

  15. Uh oh…

  16. Small Scale Test: Successful!

  17. Google Street View anyone?

  18. Moving Day?

  19. Nice house Adam!

  20. One good turn deserves another • Johannes Ullrich of the SANS Institute followed this up with some more research on the Internet Storm Center blog • Analyzed 15291 images from TwitPic • Over 10000 had EXIF tags • 5297 had camera information • 389 had GPS tags • About 2.5% of the total sample • This may have been an incorrect calculation

  21. Cybercasing? • “Cybercasing the Joint: On the Privacy Implications of Geo-Tagging” • Gerald Friedland and Robin Sommer, International Computer Science Institute, Berkeley, California • TR-10-005 released May 3, 2010 “While users typically realize that sharing locations has some implications for their privacy, we provide evidence that many are unaware of the full scope of the threat they face when doing so, and often do not even realize when they publish such information.”

  22. Public awareness

  23. Well, this is silly… • Let’s try to inform people of what information they’re really posting

  24. Initial outreach efforts • Thought it would be a great idea to use Twitter • Hell, that’s where everyone is posting these damn things! • There are enough things that reply to you when you post messages containing words and phrases • Ponies… • Zombies… • Birthdays… • “Oh Snap!” • Among many, many, many, many, many, others…

  25. So we set up our own bot…

  26. Initial results were promising!

  27. And then… Within two hours of going live…

  28. Back to the drawing board I guess…

  29. ICanStalkU.com

  30. Eventually, Twitter relented • After pleading our case and having Twitter review our suspension, they relented • Way to go Twitter! • For a while we just posted statistics of the amount of photos analyzed • Then we decided to resume replying to people at a rate of one per hour

  31. How it works • Perl script searches Twitter for URLs • Twitpic • YFrog • MobyPicture • SexyPeek • Once picture URLs are discovered, they are fed to a Google App

  32. How it works… (cont) • Google App downloads the photo and reads the EXIF data • If GPS tags are found: • reverse geocoded • posted to the website • if it’s time to post some stats, we drop the docs on the last user stalked • If GPS tags aren’t found, we are sad

  33. How it works… (cont) • Website users can then view the photo, a map of the location, and the original tweet • Website users can also tell the person that they know where they are
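The EXIF step from slides 13 and 31-32, as an added Python example that is not from the talk or the ICanStalkU code (which is a Perl script feeding a Google App): it walks the JPEG segments to the APP1 Exif block, follows the GPS IFD pointer, and converts the degree/minute/second rationals to decimal degrees, which is the same check a user can run on a photo before posting it. `build_geotagged_jpeg` is a constructed sample, not a real photo, and the tag numbers are the standard Exif GPS tags.

```python
import struct

GPS_IFD, LAT_REF, LAT, LON_REF, LON = 0x8825, 1, 2, 3, 4   # Exif GPS-pointer tag and GPS IFD tags

def _exif_tiff(jpeg):
    """Walk JPEG segments; return the TIFF payload of the APP1 Exif segment, or None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body[6:]
        pos += 2 + length
    return None

def _ifd(tiff, off, e):  # entries of the IFD at off as {tag: raw 4-byte value/offset field}
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    return {struct.unpack(e + "H", tiff[off + 2 + 12 * i:off + 4 + 12 * i])[0]:
            tiff[off + 10 + 12 * i:off + 14 + 12 * i] for i in range(n)}

def _dms(tiff, raw, e):  # three RATIONALs (deg, min, sec) at the offset in raw -> decimal degrees
    o = struct.unpack(e + "I", raw)[0]; v = struct.unpack(e + "6I", tiff[o:o + 24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG carries a GPS geotag, else None."""
    if (tiff := _exif_tiff(jpeg)) is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"        # TIFF byte order: II little-endian, MM big-endian
    ifd0 = _ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    gps = _ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD])[0], e) if GPS_IFD in ifd0 else {}
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat, lon = _dms(tiff, gps[LAT], e), _dms(tiff, gps[LON], e)
    return (-lat if gps[LAT_REF][:1] == b"S" else lat, -lon if gps[LON_REF][:1] == b"W" else lon)

def build_geotagged_jpeg(lat, lon):
    """Constructed sample, not a real photo: JPEG header + Exif APP1 holding only a GPS IFD."""
    def rat3(v):  # degrees -> three big-endian RATIONALs: deg/1, min/1, (sec*1000)/1000
        v = abs(v); d = int(v); m = int((v - d) * 60); s = round(((v - d) * 60 - m) * 60000)
        return struct.pack(">6I", d, 1, m, 1, s, 1000)
    # Layout: IFD0 at 8 (18 bytes), GPS IFD at 26 (54 bytes), lat rationals at 80, lon at 104
    ifd0 = struct.pack(">HHHIII", 1, GPS_IFD, 4, 1, 26, 0)
    gps = (struct.pack(">H", 4)
           + struct.pack(">HHI", LAT_REF, 2, 2) + (b"S" if lat < 0 else b"N") + b"\0\0\0"
           + struct.pack(">HHII", LAT, 5, 3, 80)
           + struct.pack(">HHI", LON_REF, 2, 2) + (b"W" if lon < 0 else b"E") + b"\0\0\0"
           + struct.pack(">HHII", LON, 5, 3, 104) + struct.pack(">I", 0))
    app1 = b"Exif\0\0" + b"MM\0\x2a" + struct.pack(">I", 8) + ifd0 + gps + rat3(lat) + rat3(lon)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `extract_gps(open("photo.jpg", "rb").read())` on a real file; a non-None result means the photo would publish your position.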

  34. Some stats • Trawler averages around 15GB of downloads per day • 35000 Tweets scanned • 20000 Pictures reaped • And we’re only doing a small portion of pictures uploaded to Twitpic • Initially tried to brute force URLs, could average about 5-10 downloads/sec, and we couldn’t keep up

  35. Privacy fail

  36. A nice day out with the kidlet…

  37. Whoops…

  38. Even celebrities are not immune

  39. Al Yank0wn3dvic

  40. The unfortunate story of Mr. X…

  41. Sadly… For Mr X…

  42. I love public records, don’t you?

  43. Y HALLO THAR!

  44. Speed Bump • No Facebook for that name • No Twitter for that name • Google Searches came up empty • What’s next?

  45. Pipl!!!

  46. On to Spokeo…

  47. Brian, who the #@$^ is Brian?

  48. Back to Facebook!

  49. Jackpot! • From Facebook we were able to find: • His Birthday • His marriage status • Did not, however, list a spouse • His friends • Two usernames

  50. Googling username #1 gives us • His Tumblr • His Flickr • His GPSed.com account • GPSed.com account, what’s that you ask?
