Location Stalking Via Your Tweeted Photos

Careful what photos you tweet--and where you were when you snapped the shot. There's another site designed to warn you against the hazards of over-sharing. This time the sharing isn't active location-sharing but accidental: the metadata stored in your photos may be giving away where you live.

A while back, Please Rob Me promoted awareness about Foursquare check-ins by scanning Twitter for Foursquare tweets. The site then jokingly listed that user as available to rob, as they were likely not home. I Can Stalk U is a new cautionary site in the same vein as Please Rob Me, but it uses the EXIF location data your smartphone attaches to your uploaded images instead of Foursquare or Gowalla check-ins. The site works as you would expect: it scans popular Twitter-centric photo sharing services like Twitpic and yFrog (our Twitpic API profile), grabs the images, reads their EXIF data, and shares the location data it finds.


With geo-tagged tweets, Foursquare check-ins and now Facebook Places check-ins, it's clear that many users don't mind letting people know where they are. The issue here is that the location information in the images being analyzed may have been attached without anyone explicitly asking you whether you wanted to share your location.

It's not particularly difficult to scan an image for EXIF location data, either, so this doesn't necessarily count as some sort of elite hacker skill. And with a quick pass through the Google Maps API, you can easily make GPS coordinates into a human-readable address.

What can developers do?

For now, I've yet to hear of many people being concerned about EXIF location data, but privacy issues are always an ongoing concern when dealing with the web in general. As a developer, you may be able to help by removing the EXIF location data upon upload. If your application requires the location data, consider storing it in a secure database along with the other upload information. Otherwise, if you don't need it, try to remove it.

Also, if your application uploads images, as always, ask the user if they want to attach their location to the upload. Ask again and again until the user tells you to never ask them again.

What can users do?

As with everything you post online, always be mindful of what you're posting. Maybe it's not a big deal if people can figure out what restaurant you're at, but it may be an issue if strangers know where you live.
