
Researcher: Photos from your gadget can leak your location

At Next HOPE hacker conference, researcher shows how he scanned photo links posted to Twitter and extracted exact latitude and longitude coordinates embedded in the photos.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Ben Jackson speaking at the Next HOPE hacker conference in New York on Friday. Declan McCullagh/CNET

NEW YORK--Be warned: If you take a snapshot with your iPhone or other camera-enabled gadget, it may divulge more information about you than your photographic abilities.

At the Next HOPE hacker conference here on Friday, a security researcher demonstrated how he scanned over 2.5 million photo links posted to Twitter and extracted exact latitude and longitude coordinates embedded in over 65,000 photos -- typically without the user's knowledge.

"It's a privacy fail," says Ben Jackson of Mayhemic Labs, who plans to release the software and data collection this evening.

It works this way: the most recent generation or two of cell phones can geotag photographs by injecting the location coordinates into the EXIF metadata of images taken with the camera. This is precise enough to allow individual homes to be located, and sometimes even the general area inside a home, and is different from the geotag-this-message feature that Twitter and similar services offer.

To let Twitter users know that they may be inadvertently telling the world about their daily perambulations, Mayhemic Labs created ICanStalkU.com, an in-your-face approach to raising awareness about inadvertent location-sharing. A Perl script samples a subset of image links from Twitter, including Twitpic, Yfrog, and Sexypeek, and examines the EXIF metadata to see if latitude and longitude coordinates are embedded.

If they are, the coordinates are converted to a street address if possible (or a city name if not) and posted on ICanStalkU.com. About 3 percent of images posted to Twitter are geotagged through EXIF, Jackson says.

"It's completely random," he says. "We freak people out."

Jackson said one geotagged photograph from an anonymous Twitter account showed a man engaging, while naked, by himself in certain behavior that cannot be described adequately in a family publication. Mayhemic Labs was able to identify the street address of the house and identify the names of the man and woman who lived there.

The iPhone and other phones offer the ability to disable geotagging of photos (on the iPhone, visit the Location Services settings menu), but not everyone has that privacy setting activated.
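
To see what a photo would reveal before posting it, the following added example (not Mayhemic Labs' Perl script and not code from this article) reads a JPEG's EXIF block with the Python standard library and returns any embedded GPS coordinates as decimal degrees. The function names and the sample image, which is built in code with made-up coordinates, are assumptions of the example, and it expects well-formed EXIF.

```python
import struct

def find_exif(jpeg):
    """Return the TIFF block inside the JPEG's APP1/Exif segment, or None."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\0\0":
            return body[6:]
        pos += 2 + size  # skip to the next segment marker
    return None

def read_ifd(tiff, offset, bo):
    """Map tag -> raw 4-byte value/offset field for one TIFF directory."""
    (count,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    starts = (offset + 2 + 12 * i for i in range(count))
    return {struct.unpack(bo + "H", tiff[s:s + 2])[0]: tiff[s + 8:s + 12] for s in starts}

def embedded_location(jpeg):
    """Return (lat, lon) in decimal degrees if the photo is geotagged, else None."""
    tiff = find_exif(jpeg)
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2]) if tiff else None  # byte order
    if bo is None:
        return None
    u32 = lambda raw: struct.unpack(bo + "I", raw)[0]
    ifd0 = read_ifd(tiff, u32(tiff[4:8]), bo)
    if 0x8825 not in ifd0:  # 0x8825 = pointer to the GPS directory
        return None
    gps = read_ifd(tiff, u32(ifd0[0x8825]), bo)
    if not gps.keys() >= {1, 2, 3, 4}:  # lat ref, lat, lon ref, lon
        return None
    def degrees(ref_tag, val_tag):
        d = struct.unpack_from(bo + "6I", tiff, u32(gps[val_tag]))  # deg, min, sec rationals
        value = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
        return -value if gps[ref_tag][:1] in (b"S", b"W") else value
    return round(degrees(1, 2), 6), round(degrees(3, 4), 6)

def build_sample(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test image: JPEG markers around an Exif block with GPS tags."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    u32 = lambda n: struct.pack("<I", n)
    tiff = b"II*\0" + u32(8) + struct.pack("<H", 1) + ent(0x8825, 4, 1, u32(26)) + u32(0)
    tiff += struct.pack("<H", 4) + ent(1, 2, 2, lat_ref) + ent(2, 5, 3, u32(80))
    tiff += ent(3, 2, 2, lon_ref) + ent(4, 5, 3, u32(104)) + u32(0)
    tiff += b"".join(struct.pack("<II", n, 1) for n in lat_dms + lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

SAMPLE = build_sample((40, 45, 0), b"N", (73, 59, 24), b"W")  # constructed values
```

Pass the bytes of your own file, for example `embedded_location(open(path, "rb").read())`; a result of `None` means no GPS directory was found in the EXIF data.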