There has been debate recently on questions about personal privacy that can arise from “geotagging” photographs or videos — embedding GPS location data — and then publishing those photos on Web sites or social-networking services such as Twitter or Facebook. A report from researchers at the University of California at Berkeley’s International Computer Science Institute and the Lawrence Berkeley National Laboratory takes a closer look and the privacy and security problems that can come from geotagging: “Cybercasing the Joint: On the Privacy Implications of Geotagging” (pdf at ICSI or archive).
This article aims to raise awareness of a rapidly emerging privacy threat that we term cybercasing: using geo-tagged information available online to mount real-world attacks. While users typically realize that sharing locations has some implica- tions for their privacy, we provide evidence that many (i) are unaware of the full scope of the threat they face when doing so, and (ii) often do not even realize when they publish such information. The threat is elevated by recent developments that make systematic search for specific geo-located data and inference from multiple sources easier than ever before.
In this paper, we summarize the state of geo-tagging; estimate the amount of geo-information available on several major sites, including YouTube, Twitter, and Craigslist; and examine its programmatic accessibility through public APIs. We then present a set of scenarios demonstrating how easy it is to correlate geo-tagged data with corresponding publicly-available information for compromising a victim’s privacy. We were, e.g., able to find private addresses of celebrities as well as the origins of other- wise anonymized Craigslist postings. We argue that the security and privacy community needs to shape the further development of geo-location technology for better protecting users from such consequences.