snapme if you can: privacy threats of other peoples‘ geo ......slide 3 requirements of a photo...
TRANSCRIPT
SnapMe if You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It Benjamin Henne, Christian Szongott and Matthew Smith Distributed Computing & Security Group Leibniz Universität Hannover, Germany [henne|szongott|smith]@dcsec.uni-hannover.de
6th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec‘13)
Slide 2
Motivation
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
2010 ~ 2 billion photos 2011 ~ 6 billion photos 2012 > 9 billion photos complex privacy settings
other sharing services‘ use also rises
but uploaded media also depicts others than the uploader and may raise concerns to them!
People upload photos that may
raise concerns to themselves,
GPS, WiFi
HQ photos w/metadata
Slide 3
Requirements of a photo causing harm to a person
1. Associate photo to person § Non-technical: person is recognizable on photo
§ Technical: photo is linked to a SNS profile or image metadata contains link
(name, unique identifier)
2. Photo contains objectionable content § Non-technical: image shows embarrassing actions or setting
§ Technical: image metadata contains objectionable entries like time, location, personal references
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
John McAfee in hiding
Marc Zuckerberg
Slide 4
Origin of Privacy Threats
§ Home-grown issues stem from photo uploaded by user themselves § Users create direct link between photos and their person by uploading § Examples
§ Upload to a public album § Share on Timeline with wrong permissions
§ Access Control may be effective countermeasure
! Foreign-grown issues § A friend or a foreigner uploads a photo of a person § Someone or something has to create a link to a person first
§ Rising use of metadata partially will do this § No effective countermeasures
§ Ex post legal actions may only limit damage, but not prevent it
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Out of S
cope
Slide 5
Awareness about relevant media
§ Awareness about media is key issue to prevent from foreign-grown harm
§ How to become aware of relevant photos? – 3 cases
1. Photos linked to profiles at any social network
§ Initially met with great outcry of privacy concerns at Facebook § Simplifies access to photos of a person
§ But, if person is tagged, she usually is notified about that photo § She may take action, request removal or visibility restriction, etc. ! Linking like on Facebook also has positive values
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 6
Awareness about relevant media (2)
§ How to become aware of relevant photos? – 3 cases
2. Photos with personal tags but without profile link or notification
§ E.g. metadata contains names of photographer / depicted people
§ No automated notification § Photo might be found by special search engines
§ Used by depicted concerned people as well as offenders
§ Only way to combat such photos is pro-active search
3. No technical link in picture
§ Someone knowing concerned person must stumble across photo § No countermeasures
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 7
Users’ perception
§ Do users’ perceive foreign-grown issues as a threat? § How aware feel users concerning relevant photos on the Web?
§ Excerpt from online survey on photo sharing, awareness, …1
§ Invited 1,418 members of university-related mailing list § 414 valid and complete answers (from computer to social sciences) § 53.9 % male, 46.1 % female § Average age 23±4 years § 91.8 % privacy pragmatists,
6.0 % fundamentalists, 2.2 % unconcerned [Westin’s Privacy Segmentation]
1 complete survey published in Henne and Smith: Awareness about photos on the Web and how privacy-privacy-tradeoffs could help, 2013 Workshop on Usable Security associated with Financial Cryptography and Data Security Conference, Okinawa, Japan, 01.04.2013.
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 8
User survey: Origin of Privacy Threats
Estimate a possible privacy violation of photos shares by … on the 7-point scale from very low to very high.
§ Although less likely, participants consider privacy threats by
strangers’ photos to be worse § 47 % rated violation by strangers higher than by friends or foafs
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
count [%]
strangersfriends of friends
friends
50 0 50
Itemsvery low very high
m=3.64, sd=1.85 m=4.69, sd=1.66 m=5.23, sd=1.95
1 2 3 4 5 6 7
Slide 9
User survey: Awareness
How well do you feel informed about all photos of yourself on the Web?(7-point scale from completely sufficient to completely insufficient)
§ People do not feel sufficiently informed
§ nice / decent photos 22 % completely sufficient (1); 25 % insufficient (5-7)
§ bad / objectionable photos 11 % completely sufficient (1); 39 % insufficient (5-7)
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
m=3.2, sd=1.85 m=4.0, sd=1.66
1 2 3 4 5 6 7
count [%]
bad / unwantednice / decent
60 40 20 0 20 40
Itemscompletely sufficient completely insufficient
Slide 10
User survey: Becoming aware
§ How do people become aware today?
75 % via automatic notifications (94 % were Facebook users) 52 % by chance 39 % in conversations 30 % in friends’ messages 18 % by actively looking 4.6 % in messages of non-friends 3.4 % not at all
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
§ Would they like to use a service that helps them to find relevant photos, which entails the need to screen potential photos? (hypothetical)
53.1 % clear yes 48.1 % were interested 3.6 % costs overbalance benefits 1.5 % called on uploaders’ moral obligation or did not believe that any photos of them
were online
Slide 11
Don‘t forget about metadata
1. Associate photo to person § Non-technical: person is recognizable on photo
§ Technical: image metadata contains link (name, unique identifier)
2. Photo contains objectionable content
§ Non-technical: image shows embarrassing actions or setting § Technical: image metadata contains objectionable entries like
time, location, personal references
§ Metadata increasingly is automatically added and users may not be aware of embedded metadata. § User survey: 61 % knew concept of metadata and
29 % of those did not know what is stored in files
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
John McAfee in hiding
Slide 12
Awareness about metadata missing at skilled people A college published a photo I took including all metadata ... ... not publishing a bad photo this time, but my name + unique camera id
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 13
Service/Metadata Privacy Analysis – Summary
Flickr, Facebook, Picasa Web, Google+, SkyDrive, iCloud Photo Stream, Instagram
§ Bewildering number of different handling of metadata by services § Remove all metadata
§ Simplest solution to privacy (for user and especially provider) § But, rejects valuable data to keep mass of photos under control, either
for ordering/search by providers/user, or copyright issues § Keep all metadata
§ May raise privacy issues to unaware users § Partial removal
§ Inconsequent: Remove GPS coordinates, but keep postal address?
§ Privacy sometimes is opt-in, sometimes opt-out § Users have to consciously understand what really is shared and stored
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 14
Analysis of Photos on the Web (Flickr)
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
GPS Location City People Artist Description Tags Headline
0 %
20 %
40 %
60 %
80 %
100 %
20,000 random photos (left bar) vs. 3,000 mobile user random photos (right bar)M
eta
data
in r
andom
Flic
kr P
hoto
s
Flickr!stored EXIF Data
Original in!file Metadata
User!added Metadata
20k random photos; one photo per user 68 % were Pro users w/ original files containing metadata 23 % denied access to metadata in DB 19 % with GPS data 16 % with GPS data, people on photo, no person tag
3k mobile random photos; one photo per user 46.8 % were Pro users 2 % denied metadata access 34 % with GPS data 28 % with GPS data, people on photo, no person tag
§ Mobile users rarely denied md access – different behavior in mobile scenarios? § Little use of textual location data, but this is changing (geocoder APIs) § Little metadata other than GPS location in mobile photos, but this will change
§ textual locations, names & regions, unique camera ids, …
data from end 2011
Slide 15
Analysis of Photos on the Web (Flickr Pro users)
GPS Location City People Artist Description Tags Headline
0 %
10 %
20 %
30 %
40 %
50 %
5,761 random photos (left bar) vs. 1,050 mobile user random photos (right bar)
Me
tad
ata
in r
an
do
m F
lickr
Ori
gin
al P
ho
tos
Original in!file Metadata
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
§ Pro users’ photos are “as originally uploaded” § Reflect what photos and metadata people upload to the Web
GPS data uploaded within files
20k any: 3 % with GPS data only – extrapolated for all users: < 4.5 % 3k mobile: 32 % with GPS data – extrapolated for all users: 68 %
§ Mobile devices become dominant
type of camera (mostly iPhone 4 here) § 10 % of original mobile photos
contained at least GPS data and depicted people § Some of these might harm
privacy of those people
Slide 16
Summary
§ Photos uploaded by other people pose a serious threat to privacy § Users need to become more aware about shared photos of themselves
§ Metadata plays an integral role for linking photos to people § Metadata may include privacy-relevant information
§ Location is most prominent example
However
§ We propose leveraging location data for privacy enhancement § Use locating tracking capabilities of modern devices
§ Use location tags in uploaded media
§ Goal: make users aware especially of spontaneous photos that were imprudently uploaded, which were taken in their vicinity
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 17
media sharing portal w/ watchdog
R
R
[lat,lon], face recognition, ...
1
2
3R
SnapMe Photo Watchdog – Basic idea
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
§ Users define private areas on the map and if a photo is taken in such an area the corresponding user is notified and may screen it.
1. Registered black user takes a photo and uploads it to the service
2. Service locates photo in private area of green (2) and red (1) person and sends notifications (1) gets a false positive
(2) gets correct notification and may react
the blue one (3) is not a service user and hence is not notified about any photo
(1) uploadphoto
[lat, lon]
(2)alert/infophoto hasbeen shot
in your area
(2)alert/infophoto hasbeen shot
in your area
(3)maybereact
Slide 18
How SnapMe finds photos taken by others
1. Co-Location: a photo and a private area on the map match § Static private areas are defined by static coordinates and radius
§ home, work place, … § Using a location-based service via smartphone app, users can update
their current position to maintain their dynamic private area
2. Face Detection is used to filter out photos without any faces in it
3. Optional Face Recognition (enabled by users) lowers the number of false positive notification § Many people already share profile pictures with SNSs
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 19
SnapMe Technical Requirements and Privacy
§ Uploaded photos must have a geo-reference § Location must only be available to SnapMe and may be dropped
before publication of a photo § Location may be stored by publication service like SNS as well (optional)
§ Face recognition training data must be shared with SnapMe § Use profile pictures that are already online?
§ Dynamic locations and photo locations must be cached § Photo check wait for latest location updates to strive for best matches
§ Less than 1 hour should allow finding spontaneous imprudent photos § Flickr mobile dataset: 47% were uploaded within first hour
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
t
Slide 20
SnapMe Tradeoffs
Service § Service parameters
§ Cache duration of photos & LBS-based locations § The less data is cached, the less photos will be found – 1 hour?
§ Private area size & Location update interval § Proof-of-concept simulation of geometric setup and parameters:
update interval of 15 minutes and dynamic radius of 20 meters è people were notified about approx. half of all depictions
§ Service integration § Deep integration vs. app § Just as notification service: all photos are published § vs. Checks delay publication: some photos may be kept off from public
§ But disrupts habitual workflow
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 21
SnapMe Tradeoffs
User
1. Users have to trust SnapMe privacy service
2. Users trade some private data (location, profile photos) with SnapMe service for getting notified about questionable photos § They agree to a privacy-privacy-tradeoff:
They trade less private data to the trusted service to prevent others from becoming to know private and maybe objectionable photos User study @ Henne and Smith: Awareness about photos on the Web and how privacy-privacy-tradeoffs could help, 2013 Workshop on Usable Security associated with Financial Cryptography and Data Security Conference, Okinawa, Japan, 01.04.2013.
Ø Not all, but a notable percentage of users would agree to such a tradeoff Ø Those people could benefit from SnapMe service
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 22
SnapMe Restrictions and Location Privacy
§ Static areas’ size must be restricted due to service load and number of false positive notification
§ Obfuscation of dynamic locations breaks service functionality § Additional fake locations bug co-locations checks and do not not scale
§ Higher load for service provider § Service would have to support multiple simultaneous locations
if making any location interpolation, or interpolation breaks § Simple fake paths may be detected if not masking source IP, etc.
§ Enabling LBS client only if needed allows deducing private locations
Ø Mix may be a solution for users not really trusting the privacy service § Send real locations at private places and fake locations otherwise
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 23
Conclusion
§ SnapMe service helps users becoming aware of spontaneous uploads § Does not cover all uploads – works on best-effort base § However, it increases privacy – addresses foreign-grown issues
§ Users have to trust SnapMe service – as for any privacy service
§ Users have to agree to privacy-privacy-tradeoff § Interesting research idea: We cannot preserve privacy up to 100%,
so why not using the 20 % that are less private to a person to preserve the other 80 % that are strictly private
§ By example: better let your SNS knowing where you were, than private photos becoming public
§ Simulation proved basic idea in general
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Slide 24
Future Work
§ Real world implementation and evaluation of SnapMe service § Work in progress
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
Users set up static private locations in Web UI
Android client sends single or periodical location updates and allows uploading image to service
Slide 25
Future Work
§ Real world implementation and evaluation of SnapMe service § Work in progress
§ Further evaluation of the topics awareness and privacy-p-tradeoffs § Currently: Get and compare user estimation and real number of
§ photos shared by friends (visible to apps) § location tags § person tags § comments
Facebook App: Photo Privacy Statistics https://www.facebook.com/appcenter/fbpps_app
Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It
a us
er w
ith a
bout
650
frie
nds
Slide 26
User survey: What users might trade
§ What information would you disclose to a photo-sharing service to find photos of yourself that you otherwise would not be able to find? (strongly agree è strongly disagree)
B. Henne & M. Smith: Awareness about photos on the Web and how privacy-privacy-tradeoffs could help
count [%]
LBS-based current location
pre-defined static locations
friends list
special profile photos
existing profile photos
50 0 50
itemsstrongly agree neutral strongly disagree
Information Agree Agree/Not mind
profile picture 67.5 % 82.6 %
guidelined photos 35 % 51.7 %
friends list 30.9 % 50.5 %
private locations 39.6 % 61.8 %
LBS-based location 19.1 % 31.2 %
Slide 27
User survey: Three assumed Tradeoffs
(1 = strongly agree è 7 = strongly disagree)
§ “I am less upset if someone finds out where I have been than if that person gets to see private photos of myself.” § mean 3.0 (sd=1.7); 66.2 % agreed, 15.7 % neutral
§ “I am less upset if my SNS knows where I have been than if my friends and strangers gets to see unwanted photos of myself.” § mean 3.3 ( sd=1.8); 60.4 % agreed, 16.2 % neutral
§ “If there is a privacy service that notifies me about unwanted photos in which I am depicted but needs to know where I have been, I would use it. I would tell it where I have been to get to see possible photos of myself.” § mean 3.7 (sd=1.8); 53.2 % agreed, 16.1 % neutral
B. Henne & M. Smith: Awareness about photos on the Web and how privacy-privacy-tradeoffs could help