Dumb Risk of the Day

Geotagged images of children:

Joanne Kuzma of the University of Worcester, England, has analyzed photos that clearly show children’s faces on the photo sharing site Flickr. She found that a significant proportion of those analyzed were geotagged and a large number of those were associated with 50 of the more expensive residential zip codes in the USA.

The location information could possibly be used to locate a child’s home or other location based on information publicly available on Flickr,” explains Kuzma. “Publishing geolocation data raises concerns about privacy and security of children when such personalized information is available to internet users who may have dubious reasons for accessing this data.”

It’s children, though, so it’s going to be hard to have a rational risk discussion about this topic.

Tags: , , , ,

Posted on February 15, 2012 at 1:11 PM46 Comments

Comments

Steve Wildstrom February 15, 2012 1:33 PM

So without geotagging, potential kidnappers (or whatever) wouldn’t have known that rich kids tend to live in high-income neighborhoods?

Will February 15, 2012 1:38 PM

On a tangent, but flickr and other sites that upload photos should strip off geotags and pretty much all headers except perhaps orientation.

Paul February 15, 2012 1:46 PM

I have to say that the risk of a criminal searching picture websites, collating information to find those geotagged from their geographical area, and going after those specific kids is almost nonexistant. The threat of that same criminal grabbing a kid at random from the street is much higher, but still almost nonexistent. The thread of the kid being abused by the person taking the picture is the highest of all.

“For the children” is frequently used and destroys all hope of rational discussion.

PrometheeFeu February 15, 2012 1:55 PM

Flickr and similar sites are actually small potatoes compared to the real threat: real life. Using nothing but their eyes and legs, criminals can walk in a neighborhood and see children in high resolution images walking or playing in the street and get their location to within a centimeter.

Julius Strassberg February 15, 2012 1:56 PM

Seems however if you were involved in a really bad custody case you may not want this information on web. Especially if there was someone that hurt the child. Like all risk the devil is in the details.

It is like business that protect their client list or freak when on factor likely your competitor knows it already. Any specific business process or system that gives you competitive edge is far more valuable…

vinita February 15, 2012 2:16 PM

Flickr does not force you to geotag images. Don’t post your kids’ pics on public websites if you’re THAT worried about their safety.

jacob February 15, 2012 2:19 PM

Well, how could the government use this to make us safe? They are on it, I’m sure…..

You have to be smarter than the equipment you operate..Yep, I do dumb stuff too, too often.

The scary part is that technology is outstripping knowledge. Not just what you can do, but what you can do in the future. Remove metadata and someone will figure out how to locate you by geographical features, etc. Oh, wait they already try to do that to target “assets” in afghanistan.

Someone target a really cute kid, I guess it’s possible. odd/unlikely. I would think celebrities would be more at risk. Kim Kardasian (sp?) posts a twitter with geographical location and if you are fast enough you can catch her in that towel. Not sure if really possible. Social media has up sides and possible down sides..We all have to weigh the security..or we should.

AlanS February 15, 2012 2:22 PM

Leaking location data is associated with more general security issues. Dave Marcus gave an entertaining talk a couple of years ago titled “Using Social Networks To Profile, Find and 0wn Your Victims” that looks at how social networking data posted from mobile devices with on board GPS can be used for various purposes. I think the video can still be found online.

mcb February 15, 2012 2:56 PM

Honey, When you get to Timmy’s have his mother take your picture and post it to Flickr so we know you got there safe.

Clive Robinson February 15, 2012 3:03 PM

@ vinita,

Don,t post your kids’ pics on public websites if you’re THAT worried about their safety

I can think of a whole load of other potentialy more important reasons not to post personal pictures online than the fear of geo-tagged images might bring abductors to your door.

First of all what gives anybody the right to put anothers PII online without their informed consent?

I’m aware of many organisations assuming “presumed consent” from employeees and others and their children so that they can use the persons image in what is effectivly advertising.

Another aspect is where “consent” is effectivly blackmailed out of people for them or their children is in the workplace and education and such like. Where the mantra is “Because we have a website where we put up images of events if you do not consent there is no participation” with the often heavy handed hint that a persons grade or career will be adversely effected.

People should not be blackmailed into giving away a right in an open ended way where they subsequently have no right of redress.

Look at it another way, if you have children playing in a municipal park water feature and somebody just walks up and starts taking photos what are your feelings and why?

What about if your children are just walking down the street?

How about if it’s you not your children and you are a little the worse for ware etc?

Mike Bentley February 15, 2012 3:18 PM

The service should recognize that a child (yours?) has been geotagged and tell you. Or it should give user option of telling people that there is a geotag on a kid’s image. It gives you a way to 1) recognize what that means, 2) change things if you wanna.

mcb February 15, 2012 3:24 PM

@ julius strassberg

“Seems however if you were involved in a really bad custody case you may not want this information on web. Like all risk the devil is in the details.”

Like this one time, Mia Farrow was pregnant in New York and all these weird people were hanging around and being all weird about her baby which was like freaking her out and then… Oh wait, that was way before Flickr.

Or this other time, Gregory Peck was like the Ambassador to England or something but his wife had a baby that was like really weird and gave people bad luck and stabbed this dude with a weather vane and stuff and the baby’s name was Damien, and then this priest give Peck this knife… No, that was before online photo sharing too.

Or there was this guy, the one who played Neo in the Matrix. His little sister was like in hell permanently but he could only visit. Then this other guy, the one who played the scary guy in Fargo, was like the devil, didn’t want to let the Neo dude’s sister go… No wait, nobody used cell phone cameras in that one either.

Sorry, Julius I’m not getting many hits on movie plot threats that involve custody battles and the devil in the details.

Henning Makholm February 15, 2012 3:35 PM

Perhaps the intended audience for this research is potential child molesters themselves? If we can somehow convince them that they need to choose as their victim a specific child on a random internet photo, and then spend lots of time sleuthing out that particular child’s whereabouts, their overall molesting efficiency (measured in successful molestations per hour of labor put into it) will be dramatically reduced compared to just grabbing a random kid off the street, creating a net gain in security.

Of course, fewer victims per pedophile will also make the pedophiles harder to catch, so if one’s objective is to maximize criminals convicted rather than to minimize crimes committed, this may not be a fruitful strategy.

vinita February 15, 2012 3:38 PM

@Clive: I mentioned safety because that’s what the original article talks about:

“Publishing geolocation data raises concerns about privacy and security of children when such personalized information is available to internet users who may have dubious reasons for accessing this data.”

To address some of your points:

I can think of a whole load of other potentialy more important reasons not to post personal pictures online than the fear of geo-tagged images might bring abductors to your door.

I’m curious – what reasons, more important than safety, did you have in mind?

First of all what gives anybody the right to put another’s PII online without their informed consent?

Laws (at least in the US) are pretty clear about the expectation of privacy in a public place. From http://en.wikipedia.org/wiki/Photography_and_the_law
It is generally legal to photograph or videotape anything and anyone on any public property, with some exceptions made for certain portions of military installations that have national security sensitivity.
However, as a parent you can always tell the photographer to not take pictures of your kids. I have done that and it has worked for me.

with the often heavy handed hint that a persons grade or career will be adversely effected.

Wow! I’ve never heard of someone’s education or career being jeopardized because they refused to have their picture taken.
Most places I’ve worked at or studied – if I ask them to not include my picture, they just won’t.

How about if it’s you not your children and you are a little the worse for ware etc?
As I said above if I’m not comfortable with someone taking pics of me or my kids, I just tell them to stop. It has worked every time.

Clive Robinson February 15, 2012 3:54 PM

@ Bruce,

It’s children, though, so it’s going to be hard to have a rational risk discussion about this topic.

Without wishing to derail this thread have you seen articles about the proposer (Vic Toews) of a new very intrusive Canadian online act who said,

We are proposing measures to bring our laws into the 21st century and to provide the police with the lawful tools that they need

But when challenged on this by the MP for Lac-Saint-Louis (Que) Toews replied,

He can either stand with us or with the child pornographers.

http://www.nationalpost.com/m/wp/news/blog.html?b=news.nationalpost.com/2012/02/14/bill-c-30-protecting-children-from-internet-predators-act

kingsnake February 15, 2012 4:39 PM

Most of the abuse of children comes from people they already know and associate with, not Bond villains. (And those that don’t know the kids, rely on low tech lollipops and panel vans …)

Tim February 15, 2012 5:43 PM

I would probably use this data to determine where to sell ice cream. When rich kids rebel, they tend to do ironic things, so you could sell Choco Taco’s at 400%. That’s my kind of margin.

mb February 15, 2012 6:03 PM

Geotagging says where the picture was taken, not where you live. If I post vaction pictures, and never go back again, it’s effectively impossible to find me from that information. If I take pictures near where I live, I still haven’t given my address. Nor have I provided when I’ll return to that place again. Could be weeks, months or years. I’m somewhere in a sea of thousands of people.

Varjohaltia February 15, 2012 6:52 PM

When I used Flickr I rather liked that they would use the caption, title, keywords, ranking and geotagging automatically so I didn’t have to do any of that. I’m more knowledgeable about this than the average consumer, so I made sure that only pictures I wanted geotagged were geotagged prior to uploading, and if I made a mistake I promptly removed the geotag after uploading.
Flickr, moreso than many other sites, also allows you some control in geotag privacy, so you can tag your images but restrict to whom that information is available.
Fundamentally it gets back to the issue of the average consumer not being aware of the technological repercussions. I’d say the geotag point, such as the camera app on a smart phone, should have a pop-up where the user chooses whether to tag or not, with an explanation on what it’s about. I certainly don’t want very useful (to me) functionality crippled because a casual user doesn’t understand it.

Matt February 15, 2012 8:56 PM

Simple solution: I have disabled photo and video geotagging on my Android phone.

I have a Canon compact digital camera and a Flip video camera that, in terms of image and audio quality, will run circles around my Motorola Droid Bionic. So when I go on a vacation, I keep the Droid on my belt and use real cameras. No geotagging, no instant posting, and no risk. 🙂

Clive Robinson February 15, 2012 9:05 PM

@ vinita,

First off safety is a problematic word because it means many different things to many different people and cultures (for instance the French language has one word to cover both of the English words safety and security).

As far as I’m concerned the risk of a child being abducted or in other ways physicaly harmed due to a geo-tag a photo on the Internet is very low (I’m not aware of any indicative cases so far).

However I am aware of children adolescents and young adults coming to a lot of harm both physicaly and mentally due to their “friends and peers” posting pictures and movie clips of them to the Internet. Many of these were not photographed or recorded in public places or at what would be considered public events, and where those present would have had significant expectations of privacy.

But what of events recorded in public places, some people argue fairly convincingly that the vogue of “Happy Slapping” is largely driven by the Internet and access to easy multi-media sharing via mobile phones with Internet connections.

There have been reports via the news of “steaming Gangs” recording their attacks on commuters on South West trains on local lines that run through Wimbledon and Clapham Junction. Likewise there have been reports in the press of cases of gang rape being recorded and posted one of which apparently happened in South East London in Crystal Palace, and another in the Croydon area close to the areas that were recently devastated in the riots.

We also know that various “indiscretions” by University students that have been photographed and posted to social media by other students has resulted in the indiscretions becoming public and their studies being terminated by University authorities.

Then there are the various forms of cyber-bullying that occurr with such frequency some consider it now as almost a normal part of growing up. But the fact is a number of youngsters have been driven to the point of suicide by such bullying. And as it occures outside of school premises etc it is very very difficult to deal with even when the authorities can be persuaded to get involved and not ignore the problem. I know this from recent experiance of helping a friend get her child out of a school where they were being bullied not just online but physicaly and had been rendered unconcious on more than one occasion.

However behind all of this we are now finding out that there are various private organisations trawling the Internet to compile dossiers on people. Information from these Internet searches can and do criticaly effect the targets employment and future life prospects and thus that of their whole families.

A recent employment tribunal case in the UK showed that major building contractors were using a shadowy private firm who had compiled dosiers on many people in the building industry that was used to show if they were sympathetic to unions or took a pro stance on site health and safety (the avoidance of which is the major cause of work related deaths and injuries in the UK, and significant increases in profits for the companies doing the avoidance).

We also know that similar organisations used the Internet to build up dosiers and find out details on peaceful protestors that had been used as parts of evidence supplied by the companies (the protestors where protesting about) to get restraining orders against the protestors. Worse it turns out a lot of the basic information to run the searches (such as names, addresses/postcodes, vehicle registrations, photographs and employer details) had been provided to the companies by the UK Police and Security Services.

So yes depending on what you regard as safety and what you regard as security there are currently worse things happening daily than the currently unknown safety asspect of geo-tagging.

Hopefully geo-tagging will remain like thousands of others as just a potential threat, rather than those that have become quantified security threats.

Steven Hoober February 15, 2012 11:11 PM

On a tangent, but flickr and other sites that upload photos should strip off geotags and pretty much all headers except perhaps orientation.

Why?! I know it does this, it’s actually very, very clear it does this, and it’s easy to disable. If you don’t want to use the service, don’t. Personally, that sort of information is why I use it.

And I am not some crazy information-should-be free guy with no kids. In fact, we foster. I cannot post photos, names and lots of other stuff about foster kids, AT ALL.

We even do police protective custody. Sheriff shows up at 2 am with kids, who may even be from crazy shotgun-wielding dad who is not in custody. It’s still struck-by-meteor rare to me, but if you want to be worried, these are more realistic threats than most of you have.

And… I post photos. Of the back of their heads, etc. I anonymize their names. I leave in geotagging, and tag events and places. I leave in DTC. Because I cannot IMAGINE a way that this would be used for evil. And I think about how systems can be compromised, through stupidity or malice, so I thought about it pretty hard.

I assume the Simpsons pulled the Helen Lovejoy “think of the children” gag as no one got the ironic use.

Adam February 16, 2012 2:57 AM

I would have thought it prudent for social media sites to scrub images of geotags and other meta info unless a user explicitly asks to enable it.

How hard is that? A checkbox and some script that filters images as they’re uploaded to the service or as they’re viewed by users.

If for no other reason than to protect their members from exposing data they may not be aware they’re exposing.

AC2 February 16, 2012 4:18 AM

Strip all EXIF data before sharing online.

Share via a site that allows you to restrict access via a secret link (that can be disabled after say a week) or specific signed-on users. Specifically preventing the photo from appearing on Google Images and for GOD’s SAKE don’t upload on Facebook.

Don’t tag names on the photo.

Don’t post images larger than a certain resolution.

Last option share photos only by emailing as attachments.

Now if only I could get my extended family to start following this…

hwk February 16, 2012 4:23 AM

the problem is, that some / many people don’t think about that in their private life, even if they should be aware of privacy issues.
It’s easy to say, “people should know this and if they don’t care, it’s their fault”, but the problem is, that kids are not under control of their parants 24/7. they take pictures themselves, parents of friends or teachers take pictures (and who knows if they care). And this tech features (like geo tagging) are so handy and nice to have.
I don’t know how to solve this as long as people don’t care or don’t know about the risks.

Muffin February 16, 2012 4:29 AM

So, what’s the threat that she’s imagining? That criminals will learn that rich people have kids?

No shit.

Peter Austin February 16, 2012 5:33 AM

That research paper, thanks to the Google cache:
http://webcache.googleusercontent.com/search?q=cache:0CrDDvpTgSIJ:www.alphagalileo.org/AssetViewer.aspx%3FAssetId%3D61043%26CultureCode%3Den+joanne+m+kuzma&cd=7&hl=en&ct=clnk&gl=uk

Suggested threats include:
* “A stalker could easily use Google
maps to fix the geolocation coordinates to the exact physical location of the person’s home.”
* “a family immediately posts pictures of them on vacation in a foreign country, and a burglar determines that this family may be gone for an extended period.”
* “People reading the location and know that a person in a picture is visiting a doctor’s office, shopping at a specific store, interviewing for a new job or engaging in a gun rally. The geolocation can be used to infer regular habits and routines or deviations from these
routines”

D0R February 16, 2012 7:12 AM

I like to think that, 50 years from now, everybody will remember the ages when people were scared by the Big Evil Internet.

Adrian February 16, 2012 8:12 AM

On behalf of those of us in England that went to a “REAL” university, please accept my apology for this half baked “research”.

Back in the 1990’s some fools in the Government decided that there was too much youth unemployment. Rather than solve the problem of not enough jobs, or people with the wrong qualifications, they decided that it would be a “Good Thing” (TM Tony Blair) if at least 50% of the school leavers went to University.

Now the problem was different- not enough Universities. So they create some. Well, actually they created a lot. Oh, look, Worcester – why not create a university. So they did – in 2005. Fill it with students and pretty soon you have graduates. The graduates still can’t get jobs because they fail to learn anything.

(As an aside, my University, Durham, established by Henry VIII) does not teach you a subject at all. It teaches you how to learn and then tells you that every so often you will be tested on how much you have learnt. You get a hint about what the final exam will contain, but it is only a hint. Lectures are totally optional).

Now you have a lot of unemployed (and unemployable) graduates, so you offer post graduate research courses. The result is half baked research like this.

The current thinking is that it is too expensive to run universities in the UK, so people have to pay to attend. You can expect that the researcher who did this, would if she started today, expect to pay 9000 GBP per year to be this good. But she doesn’t have to pay a penny back provided she stays in academia, and as a post graduate that means publishing. It doesn’t have to be good, it only has to be published.

Its no longer “published and be damned”, but “published and avoid repaying your student loan”.

Worcester is the origin of Worcestershire sauce – it is such a pity it did not rest on its laurels. Unfortunately you can expect much more of this. I dread the day they decide that they can do Cryptography…

Gweihir February 16, 2012 8:17 AM

Gasp we have to hide the children from the bad people! Maybe, I don’t know, build bunkers or houses with walls and guards, put them in there and don’t let them out!

Hmm. Come to think of it, why not imprison all the children permanently instead of the possible perpetrators? They are known to be children, after all and are targets. And the prison industry is already set up and efficient. I think this makes perfect sense.

Seriously, some people have lost all connection to reality.

Tony Bradley February 16, 2012 9:21 AM

It isn’t that potential kidnappers don’t already know where the affluent neighborhoods are, and couldn’t just go target random children there. It’s the fact that sharing relevant information through geotagging and social networking sites does the homework and makes such a crime easier.

It is one thing to just target a random kid in a wealthy neighborhood. But, if I know the child’s name, and possibly the name or names of the child’s parents, it makes it significantly easier to convince the child to come along willingly.

Mel February 16, 2012 9:50 AM

“Well, how could the government use this to make us safe? They are on it, I’m sure…..”

Easy if you watch TV. When the photo shows up on the kidnappers’ web page, you can tell where it was taken. It’s easier if geotagging is madatory.

The Canadian federal bill to allow warantless access to all ISP records is now titled “Protecting Children from Internet Predators Act”, but I guess this is not truly news. “DOG BITES MAN”, as it were.

Dawg the Pontiac Hunter February 16, 2012 10:08 AM

As a retired repo guy, I can tell you for a fact that geotagged photos of your children WILL help me find YOU. Along with their well-meaning elementary schools and newspapers publishing your childrens’ names on online “honor roll” lists (so I can wait near the school to tail you to work in the morning or to your home in the afternoon). Many school districts cheerfully publish their bus route pickup and dropoff points, too. We’ve got 8 billion other little tricks that involve you (or someone else) stupidly plastering your info everywhere, and it isn’t hard for me to imagine pervos and other criminals availing themselves of that information.

“People love social networking” = “deer never look up”. Gotta love those tree stands. POW!

Mark February 16, 2012 11:21 AM

@Adrian

The same is hapenning for almost a decade in Brazil since the highly populist government adopted a policy of universal college degrees, even paying the costs (paying, not loaning money) for some students. A lot of low quality private colleges opened to grab the new demand, some of them worse then some good American high-schools.

anonymouse February 16, 2012 11:58 AM

This isn’t even particularly interesting. The app’s been done, had its day of infamy, and been shut off with some old screenshots.

http://pleaserobme.com/

GeoTagged photos going to a real time social network have…all the implications of a geotagged photo going to realtime social network. GPS coordinates, time and date stamps, finding out if friends/neighbors are also there… whatever.

It’s been done. Certain not so nice websites relish exposing the homes of girls that take naughty pictures in their bathroom mirrors. Others datamine timestamps. I’m sure a skilled intelligence agency with an accurate camera clock, and a good outdoor picture with shadows could probably guess a lot about location even beyond geotags.

Then there’s facebook with their automagic facial recognition. Think about what that does in conjunction with tagging and search.

Technology isn’t the problem. Crazy people abusing tools are. Same as it’s always been.

John David Galt February 17, 2012 5:19 PM

I don’t believe there has been a single kidnapping for ransom in the US since 1978. And what stopped it wasn’t anything sold to the public as “for the children” — it is the fact that all countries on earth, even those that still won’t cooperate with US tax authorities such as the Cayman Islands, will now cooperate and provide real-time tracing of money movements connected with violent crimes. Thus, there is no longer any way for the kidnapper to collect his ransom without the cops being there to pick him up, even if he transfers the funds around the world ten times and has ten couriers rush it across towns along the way.

The same achievement also stopped airplane hijacking for ransom, though of course it hasn’t affected suicidal attackers (or kidnappers who intend to murder their victims).

For those who feel the remaining risk of kidnap-and-murder is high enough to be worth spending more effort to prevent, perhaps we should start installing RFID chips in our kids as we already do in our pets. While it’s unlikely this will cause the police to find Junior fast enough to prevent his death, it may very well mean they find him before the murderer can get rid of the body, thus ensuring the bad guy gets caught.

tOM Trottier February 24, 2012 11:34 PM

Almost all child abuse comes from relatives (parents are tops) or friends of the family. Kids are far too “protected” these days from strangers, and we have a more hostile society as a result.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.