Featured Research: Geo-Tagging
Photos and videos posted on Web sites such as Craigslist, Twitter, and YouTube can carry detailed information about where the images were taken. According to Speech Group researcher Gerald Friedland and Networking researcher Robin Sommer, this may leave those who post the images vulnerable to "cybercasing," the use of geo–tagged information available online to mount attacks in the real world.
While geo–tags — information about where a photo or video was taken — have been in use for years, the increasing amount of data available on the Internet, combined with easy–to–use search programs now offered by Web sites such as YouTube, make geotags an emerging threat.
It doesn't help, say the researchers, that people are unaware that this information is easy to find and that the geo–tags are extremely accurate.
Geo–tags are automatically embedded in images by higher–end digital cameras and smart phones, such as the iPhone and the Android. Friedland and Sommer cross–referenced the latitude and longitude contained in images' files with publicly available information, such as Google Maps Street View, to quickly find street addresses.
The researchers estimate that 4.3 percent of Flickr photos and 3 percent of YouTube videos are geo–tagged. This means that approximately 180 million Flickr photos and 3 million YouTube videos are tagged with longitude and latitude coordinates.
In one case study, the researchers monitored the Bay Area's For Sale section on Craigslist, where many users choose to hide their real names and email addresses. In four days, they collected over 900 images that were tagged with GPS coordinates.
To verify the accuracy of coordinates embedded in these photos, they took a picture of a bike against a garage with an iPhone 3G camera as though they were going to sell it on Craigslist. Putting the photo's location metadata into Google Maps Street View, the researchers were able to pinpoint, within one meter, the actual location of the bike.
Some Web sites allow users to search images' metadata through publicly available application programming interfaces (APIs). In one search of YouTube's API, the researchers looked for homes near downtown Berkeley by searching embedded geo–location data and including the search term "kids," since many home videos are of users' children. They then searched for videos posted by the same users that had been filmed over 1000 miles away. Within fifteen minutes and using a simple 240–line Python script, the researchers were able to find a resident of Albany, California who was vacationing in the Carribbean, along with a dozen other users who might be vulnerable to burglary given the subject matter of the videos they had posted.
The researchers warn that if technology such as text and image recognition continues to be improved, such processes could be automated.
The results were presented at the USENIX Workshop on Hot Topics in Security in August, and also featured by ABC's Good Morning America, New York Times, and New Scientist magazine.