snapme if you can: privacy threats of other peoples‘ geo ......slide 3 requirements of a photo...

SnapMe if You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It Benjamin Henne, Christian Szongott and Matthew Smith Distributed Computing & Security Group Leibniz Universität Hannover, Germany [henne|szongott|smith]@dcsec.uni-hannover.de

6th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec‘13)

Motivation

Henne et al.: SnapMe If You Can: Privacy Threats of Other Peoples‘ Geo-Tagged Media and What We Can Do About It

2010 ~ 2 billion photos 2011 ~ 6 billion photos 2012 > 9 billion photos complex privacy settings

other sharing services‘ use also rises

but uploaded media also depicts others than the uploader and may raise concerns to them!

People upload photos that may

raise concerns to themselves,

GPS, WiFi

HQ photos w/metadata

Requirements of a photo causing harm to a person

1.  Associate photo to person §  Non-technical: person is recognizable on photo

§  Technical: photo is linked to a SNS profile or image metadata contains link

(name, unique identifier)

2.  Photo contains objectionable content §  Non-technical: image shows embarrassing actions or setting

§  Technical: image metadata contains objectionable entries like time, location, personal references


John McAfee in hiding

Marc Zuckerberg

Origin of Privacy Threats

§  Home-grown issues stem from photo uploaded by user themselves §  Users create direct link between photos and their person by uploading §  Examples

§  Upload to a public album §  Share on Timeline with wrong permissions

§  Access Control may be effective countermeasure

!  Foreign-grown issues §  A friend or a foreigner uploads a photo of a person §  Someone or something has to create a link to a person first

§  Rising use of metadata partially will do this §  No effective countermeasures

§  Ex post legal actions may only limit damage, but not prevent it


Out of S

cope

Awareness about relevant media

§  Awareness about media is key issue to prevent from foreign-grown harm

§  How to become aware of relevant photos? – 3 cases

1.  Photos linked to profiles at any social network

§  Initially met with great outcry of privacy concerns at Facebook §  Simplifies access to photos of a person

§  But, if person is tagged, she usually is notified about that photo §  She may take action, request removal or visibility restriction, etc. !  Linking like on Facebook also has positive values


Awareness about relevant media (2)

§  How to become aware of relevant photos? – 3 cases

2.  Photos with personal tags but without profile link or notification

§  E.g. metadata contains names of photographer / depicted people

§  No automated notification §  Photo might be found by special search engines

§  Used by depicted concerned people as well as offenders

§  Only way to combat such photos is pro-active search

3.  No technical link in picture

§  Someone knowing concerned person must stumble across photo §  No countermeasures


Users’ perception

§  Do users’ perceive foreign-grown issues as a threat? §  How aware feel users concerning relevant photos on the Web?

§  Excerpt from online survey on photo sharing, awareness, …1

§  Invited 1,418 members of university-related mailing list §  414 valid and complete answers (from computer to social sciences) §  53.9 % male, 46.1 % female §  Average age 23±4 years §  91.8 % privacy pragmatists,

6.0 % fundamentalists, 2.2 % unconcerned [Westin’s Privacy Segmentation]

1 complete survey published in Henne and Smith: Awareness about photos on the Web and how privacy-privacy-tradeoffs could help, 2013 Workshop on Usable Security associated with Financial Cryptography and Data Security Conference, Okinawa, Japan, 01.04.2013.


User survey: Origin of Privacy Threats

Estimate a possible privacy violation of photos shares by … on the 7-point scale from very low to very high.

§  Although less likely, participants consider privacy threats by

strangers’ photos to be worse §  47 % rated violation by strangers higher than by friends or foafs


count [%]

strangersfriends of friends

friends

50 0 50

Itemsvery low very high

m=3.64, sd=1.85 m=4.69, sd=1.66 m=5.23, sd=1.95

1 2 3 4 5 6 7

User survey: Awareness

How well do you feel informed about all photos of yourself on the Web?(7-point scale from completely sufficient to completely insufficient)

§  People do not feel sufficiently informed

§  nice / decent photos 22 % completely sufficient (1); 25 % insufficient (5-7)

§  bad / objectionable photos 11 % completely sufficient (1); 39 % insufficient (5-7)


m=3.2, sd=1.85 m=4.0, sd=1.66

1 2 3 4 5 6 7

count [%]

bad / unwantednice / decent

60 40 20 0 20 40

Itemscompletely sufficient completely insufficient

User survey: Becoming aware

§  How do people become aware today?

75 % via automatic notifications (94 % were Facebook users) 52 % by chance 39 % in conversations 30 % in friends’ messages 18 % by actively looking 4.6 % in messages of non-friends 3.4 % not at all


§  Would they like to use a service that helps them to find relevant photos, which entails the need to screen potential photos? (hypothetical)

53.1 % clear yes 48.1 % were interested 3.6 % costs overbalance benefits 1.5 % called on uploaders’ moral obligation or did not believe that any photos of them

were online

Don‘t forget about metadata

1.  Associate photo to person §  Non-technical: person is recognizable on photo

§  Technical: image metadata contains link (name, unique identifier)

2.  Photo contains objectionable content

§  Non-technical: image shows embarrassing actions or setting §  Technical: image metadata contains objectionable entries like

time, location, personal references

§  Metadata increasingly is automatically added and users may not be aware of embedded metadata. §  User survey: 61 % knew concept of metadata and

29 % of those did not know what is stored in files


John McAfee in hiding

Awareness about metadata missing at skilled people A college published a photo I took including all metadata ... ... not publishing a bad photo this time, but my name + unique camera id


Service/Metadata Privacy Analysis – Summary

Flickr, Facebook, Picasa Web, Google+, SkyDrive, iCloud Photo Stream, Instagram

§  Bewildering number of different handling of metadata by services §  Remove all metadata

§  Simplest solution to privacy (for user and especially provider) §  But, rejects valuable data to keep mass of photos under control, either

for ordering/search by providers/user, or copyright issues §  Keep all metadata

§  May raise privacy issues to unaware users §  Partial removal

§  Inconsequent: Remove GPS coordinates, but keep postal address?

§  Privacy sometimes is opt-in, sometimes opt-out §  Users have to consciously understand what really is shared and stored


Analysis of Photos on the Web (Flickr)


GPS Location City People Artist Description Tags Headline

0 %

20 %

40 %

60 %

80 %

100 %

20,000 random photos (left bar) vs. 3,000 mobile user random photos (right bar)M

eta

data

in r

andom

Flic

kr P

hoto

s

Flickr!stored EXIF Data

Original in!file Metadata

User!added Metadata

20k random photos; one photo per user 68 % were Pro users w/ original files containing metadata 23 % denied access to metadata in DB 19 % with GPS data 16 % with GPS data, people on photo, no person tag

3k mobile random photos; one photo per user 46.8 % were Pro users 2 % denied metadata access 34 % with GPS data 28 % with GPS data, people on photo, no person tag

§  Mobile users rarely denied md access – different behavior in mobile scenarios? §  Little use of textual location data, but this is changing (geocoder APIs) §  Little metadata other than GPS location in mobile photos, but this will change

§  textual locations, names & regions, unique camera ids, …

data from end 2011

Analysis of Photos on the Web (Flickr Pro users)

GPS Location City People Artist Description Tags Headline

0 %

10 %

20 %

30 %

40 %

50 %

5,761 random photos (left bar) vs. 1,050 mobile user random photos (right bar)

Me

tad

ata

in r

an

do

m F

lickr

Ori

gin

al P

ho

tos

Original in!file Metadata


§  Pro users’ photos are “as originally uploaded” §  Reflect what photos and metadata people upload to the Web

GPS data uploaded within files

20k any: 3 % with GPS data only – extrapolated for all users: < 4.5 % 3k mobile: 32 % with GPS data – extrapolated for all users: 68 %

§  Mobile devices become dominant

type of camera (mostly iPhone 4 here) §  10 % of original mobile photos

contained at least GPS data and depicted people §  Some of these might harm

privacy of those people

Summary

§  Photos uploaded by other people pose a serious threat to privacy §  Users need to become more aware about shared photos of themselves

§  Metadata plays an integral role for linking photos to people §  Metadata may include privacy-relevant information

§  Location is most prominent example

However

§  We propose leveraging location data for privacy enhancement §  Use locating tracking capabilities of modern devices

§  Use location tags in uploaded media

§  Goal: make users aware especially of spontaneous photos that were imprudently uploaded, which were taken in their vicinity


media sharing portal w/ watchdog

R

R

[lat,lon], face recognition, ...

1

2

3R

SnapMe Photo Watchdog – Basic idea


§  Users define private areas on the map and if a photo is taken in such an area the corresponding user is notified and may screen it.

1.   Registered black user takes a photo and uploads it to the service

2.  Service locates photo in private area of green (2) and red (1) person and sends notifications (1) gets a false positive

(2) gets correct notification and may react

the blue one (3) is not a service user and hence is not notified about any photo

(1) uploadphoto

[lat, lon]

(2)alert/infophoto hasbeen shot

in your area

(2)alert/infophoto hasbeen shot

in your area

(3)maybereact

How SnapMe finds photos taken by others

1.   Co-Location: a photo and a private area on the map match §  Static private areas are defined by static coordinates and radius

§  home, work place, … §  Using a location-based service via smartphone app, users can update

their current position to maintain their dynamic private area

2.   Face Detection is used to filter out photos without any faces in it

3.  Optional Face Recognition (enabled by users) lowers the number of false positive notification §  Many people already share profile pictures with SNSs


SnapMe Technical Requirements and Privacy

§  Uploaded photos must have a geo-reference §  Location must only be available to SnapMe and may be dropped

before publication of a photo §  Location may be stored by publication service like SNS as well (optional)

§  Face recognition training data must be shared with SnapMe §  Use profile pictures that are already online?

§  Dynamic locations and photo locations must be cached §  Photo check wait for latest location updates to strive for best matches

§  Less than 1 hour should allow finding spontaneous imprudent photos §  Flickr mobile dataset: 47% were uploaded within first hour


t

SnapMe Tradeoffs

Service §  Service parameters

§  Cache duration of photos & LBS-based locations §  The less data is cached, the less photos will be found – 1 hour?

§  Private area size & Location update interval §  Proof-of-concept simulation of geometric setup and parameters:

update interval of 15 minutes and dynamic radius of 20 meters è people were notified about approx. half of all depictions

§  Service integration §  Deep integration vs. app §  Just as notification service: all photos are published §  vs. Checks delay publication: some photos may be kept off from public

§  But disrupts habitual workflow


SnapMe Tradeoffs

User

1.  Users have to trust SnapMe privacy service

2.  Users trade some private data (location, profile photos) with SnapMe service for getting notified about questionable photos §  They agree to a privacy-privacy-tradeoff:

They trade less private data to the trusted service to prevent others from becoming to know private and maybe objectionable photos User study @ Henne and Smith: Awareness about photos on the Web and how privacy-privacy-tradeoffs could help, 2013 Workshop on Usable Security associated with Financial Cryptography and Data Security Conference, Okinawa, Japan, 01.04.2013.

Ø Not all, but a notable percentage of users would agree to such a tradeoff Ø Those people could benefit from SnapMe service


SnapMe Restrictions and Location Privacy

§  Static areas’ size must be restricted due to service load and number of false positive notification

§  Obfuscation of dynamic locations breaks service functionality §  Additional fake locations bug co-locations checks and do not not scale

§  Higher load for service provider §  Service would have to support multiple simultaneous locations

if making any location interpolation, or interpolation breaks §  Simple fake paths may be detected if not masking source IP, etc.

§  Enabling LBS client only if needed allows deducing private locations

Ø  Mix may be a solution for users not really trusting the privacy service §  Send real locations at private places and fake locations otherwise


Conclusion

§  SnapMe service helps users becoming aware of spontaneous uploads §  Does not cover all uploads – works on best-effort base §  However, it increases privacy – addresses foreign-grown issues

§  Users have to trust SnapMe service – as for any privacy service

§  Users have to agree to privacy-privacy-tradeoff §  Interesting research idea: We cannot preserve privacy up to 100%,

so why not using the 20 % that are less private to a person to preserve the other 80 % that are strictly private

§  By example: better let your SNS knowing where you were, than private photos becoming public

§  Simulation proved basic idea in general


Future Work

§  Real world implementation and evaluation of SnapMe service §  Work in progress


Users set up static private locations in Web UI

Android client sends single or periodical location updates and allows uploading image to service

Future Work

§  Real world implementation and evaluation of SnapMe service §  Work in progress

§  Further evaluation of the topics awareness and privacy-p-tradeoffs §  Currently: Get and compare user estimation and real number of

§  photos shared by friends (visible to apps) §  location tags §  person tags §  comments

Facebook App: Photo Privacy Statistics https://www.facebook.com/appcenter/fbpps_app


a us

er w

ith a

bout

650

frie

nds

User survey: What users might trade

§  What information would you disclose to a photo-sharing service to find photos of yourself that you otherwise would not be able to find? (strongly agree è strongly disagree)

B. Henne & M. Smith: Awareness about photos on the Web and how privacy-privacy-tradeoffs could help

count [%]

LBS-based current location

pre-defined static locations

friends list

special profile photos

existing profile photos

50 0 50

itemsstrongly agree neutral strongly disagree

Information Agree Agree/Not mind

profile picture 67.5 % 82.6 %

guidelined photos 35 % 51.7 %

friends list 30.9 % 50.5 %

private locations 39.6 % 61.8 %

LBS-based location 19.1 % 31.2 %

User survey: Three assumed Tradeoffs

(1 = strongly agree è 7 = strongly disagree)

§  “I am less upset if someone finds out where I have been than if that person gets to see private photos of myself.” §  mean 3.0 (sd=1.7); 66.2 % agreed, 15.7 % neutral

§  “I am less upset if my SNS knows where I have been than if my friends and strangers gets to see unwanted photos of myself.” §  mean 3.3 ( sd=1.8); 60.4 % agreed, 16.2 % neutral

§  “If there is a privacy service that notifies me about unwanted photos in which I am depicted but needs to know where I have been, I would use it. I would tell it where I have been to get to see possible photos of myself.” §  mean 3.7 (sd=1.8); 53.2 % agreed, 16.1 % neutral

B. Henne & M. Smith: Awareness about photos on the Web and how privacy-privacy-tradeoffs could help

snapme if you can: privacy threats of other peoples‘ geo ......slide 3 requirements of a photo...

Documents