• United States



I Can Stalk U: Geotagged Pics Worth More Than 1,000 Words

Aug 24, 20105 mins
Data and Information SecurityEnterprise ApplicationsMicrosoft

When Twitter users post a picture, I Can Stalk U site tweets the exact geotagged location. The new site exposes the danger of sharing photos online.

Have stalkers found paradise at the “I Can Stalk U” site which reveals exact geotagged locations when people tweet their photos?

Imagine taking a break from your busy life and heading out for a little surfing excursion. When you reach the beach, you discover it’s deserted except for you and your friend. Thrilled to find it so private, you snap a shot with your smartphone and post it on Twitpic. After all, a picture is worth a thousand words, certainly more than 140 characters that Twitter allows. You then tweet this message with a link to your photo, “Secluded Kinard beach. No one here except us 2 surfers.”

It’s like a solitary slice of heaven, at least until you find out what was scraped and posted on I Can Stalk U. Instead of what you actually tweeted, by scraping geotagging information, posts what your tweet really says. The Kincaid Beach photo and tweet turns into this: I am currently nearby,-10.2072805556.

To raise awareness of geotagging and other hidden metadata added to smartphone pictures, security researchers created the I Can Stalk U website. The site explains that people who post pictures on Twitter “are allowing their movements to be recorded and analyzed by anyone: from a government to a nosy neighbor.” If a cyberstalker wanted to, he or she could analyze your life after analyzing your photos. A stalker could discover where you live, how you commute, where and with whom you go to lunch, and even “why you and your attractive co-worker really like to visit a certain nice restaurant on a regular basis.”

I blurred the usernames on the below screenshot, but does not.

The people who created I Can Stalk U are trying to raise awareness about inadvertent information sharing. They are not actually stalkers; just as you may not actually be a person who intended to over-share. The site explains how to disable geotagging in most cell phones.

I asked two of the I Can Stalk U creators, Ben Jackson of Mayhemic Labs and Larry Pesce of NWN Corporation: How well has your work at I Can Stalk U been received?Larry Pesce replied, “It took a little while to take off, but once it did, it has been overwhelmingly good.  Of course when we tweet the folks with their location, the reaction is mixed. Some are saying the, yes they knew that they just told their location. Some are saying ‘Wow, that’s creepy, stop bothering me’ or ‘I had no idea, thanks for helping.’ I think at this time most fall into the first and last category.”Ben Jackson added, “When we started @-ing people on Twitter, I’d say the following types were:

(60%) People who didn’t know but read up and figured it out: (e.g. ‘Wow! Thanks!’)

(30%) People who didn’t know and did not read up (e.g. ‘WHO ARE YOU?!?! HOW DO YOU KNOW THAT?!?!’)

(10%) People who knew, but didn’t care. (e.g. I know about that).”

When I asked them if they had received any kind of reverse stalking-type threats, Pesce explained, “Not so much reverse stalking, but folks have definitely tried to figure out who we are. The domain is registered in Ben’s name, with publicly available addresses. I think folks think that they are clever when they discover that and tell Ben that he had a privacy fail. Ben full well knew that the information was public, or was available through other means such as public property records.”

Pesce remarked, “The intent of the project is not to be creepy, but to let people know that the information that they may be inadvertently sharing could be used in a manner that is harmful. We want folks to be able to make an informed decision with their own information.”

It’s not only the I Can Stalk U site which reveals hidden metadata. The Firefox add-ons FxIF (Firefox exIF) and Exif Viewer (Exchangeable Image File) display data in local and remote JPEG images with a simple right-click. That’s not nearly as dramatic, or scary, as a public tweet with your GPS coordinates. I Can Stalk U is doing a great job of raising awareness of the potential dangers exposed when sharing photos online.

You may be very wise about protecting your privacy, but what if a friend takes a picture at your house and posts it? Did that same friend remember to strip out the geotagging data? Although there are plenty of people who have no privacy issue about their location being made public, there are even more people who simply have no clue that their pictures reveal personal location information and tell much more than 1,000 words.

Like this? Check out these other posts:

  • All of today’s Microsoft news and blogs
  • Privacy Wars: How to Hide While Google is Watching You
  • EFF Warns of Untrustworthy SSL, Undetectable Surveillance
  • Big Brother’s Creepy Little Brother Snoops as Productivity Tool
  • Verizon’s 2010 DBIR: Rise in Misuse, Malware and Social Engineering
  • The Next Big Privacy Concern: RFID “Spychips”
  • Certified Lies: Big Brother In Your Browser
  • Google CEO Schmidt: No Anonymity Is The Future Of Web
  • Research: Unusual, Unpopular Passwords Are Simple and Most Secure

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.