The photo depicts a family of six standing in front of a Christmas tree, each holding popular electronic devices, including iPads and cellphones.
Posted on the personal blog page of a Florida woman, the snapshot apparently was meant as a lighthearted glimpse into the blogger’s life that she wished to share with family and friends.
Computer security expert Jonathan Weber of Marathon Studios Inc. saw it as something much different: an invitation for trouble.
With a few clicks of a computer mouse, Weber was able to copy invisible information embedded in the photo into a readily available Internet application, allowing him to pinpoint the location of the home where the shot was taken. Another click and the Google Maps service provided him directions to the woman’s door in Florida.
The experiment, conducted in an office at East Stroudsburg University where the 21-year-old Weber is a student, served as a startling example of how easily someone with even moderate knowledge about computers can obtain information that was never meant to be public.
Getting in harm’s way
Weber, a junior majoring in computer security, had no nefarious intentions in mind. His demonstration, conducted at the request of a reporter, was meant to reveal the dangers people can create for themselves when they fail to employ security measures to protect their online posts.
Internet security has become a major concern in the past decade as more people have become victims of identity theft. In 2011, 11.6 million people in the United States were victims of identity fraud, a 13 percent increase from 2011, according to the Javelin Strategy & Research group.
The increased popularity of Facebook, Twitter and other popular online social media networks has provided a treasure trove of personal information that can be used by thieves, Weber said.
In the Florida blogger’s case, Weber took advantage of little known fact: Photos taken with cellphones and most digital cameras include something known as meta data, or exif data, embedded in the photo.
Weber simply clicked on the photo posted on the woman’s webpage, then pasted the Internet address (url) associated with it into an Internet application that allowed him to pull up a host of information about the picture.
He knows it was taken on Dec. 5, 2012 by an iPhone 4s and that the flash did not go off. He also knows the exact longitude and latitude of the camera when the shot was taken. That longitude and latitude, when punched into Google Maps, allowed him to use the street view feature to pull up the exact address and photo of the woman’s home.
“It’s very important people know what kind of information is out there and that the stuff they are doing drops digital footprints they don’t know about,” Weber said. “That information can be used in ways people don’t want.”
Fortunately, Weber said, Facebook and Twitter, the nation’s most popular online networks, automatically remove exif data from photos when they are posted. But there are numerous other sites that leave the data intact, including Google+, the photo sharing sites Flickr and Photobucket and Tumblr, a microblogging service popular with teenagers, Weber said.
Phone and digital camera users can alter the settings on their cameras so that they don’t include the meta data, Weber said. Exact instructions for each type phone vary, but typically it’s done through the “settings” menu on the camera.
Privacy concerns with photos are only a small part of the security issues the public faces in the online world, Weber said. More troublesome are the blatant security lapses with email accounts and postings on social networking sites that can allow thieves to gather information to steal your identity, he said.
One of the most common mistakes people make is allowing too much information about themselves to be publicly available on Facebook — the hugely popular social networking site allows people to post pictures, videos and comments about themselves and others.
The Javelin group’s study found 68 percent of people with public profiles shared their birthday information, with 45 percent of them providing the exact date and year — information that’s key to a person wanting to steal your identity.
Facebook contains several different privacy settings that permit a person to restrict who can see their information and posts. The most open setting is public, which means everything posted on the page is open to anyone in the world with a Facebook account to see.
A more restrictive mode allows only those the page owner deems to be “friends” to see posts and information. That privacy setting might not be quite as private as people think, depending on how it’s set up, Weber said.
Users assume limiting their posts so that only their friends can see them prevents strangers from from viewing their information, Weber said. What many don’t understand is that if their settings allow mutual friends, or friends of their friends, to see their postings, they’re opening themselves up to be seen by potentially thousands of people.
Consider: If you have 500 Facebook friends, and each of your friends has an average of 300 friends …
“That’s hundreds of thousands of people who can see everything you post,” Weber said. “Friends of a friend in Facebook gets really big really fast.”
Another thing people don’t fully comprehend is the impact of other people’s postings that involve them.
You knew it wasn’t a good idea to post that picture of you passed out at the company party on your Facebook account. But that doesn’t mean one of your friends or co-workers won’t post it and “tag” you in it. If you don’t have your security settings set to limit who can see things that “tag,” it will be posted on your Facebook page and your friend’s page.
“You can control what you do, but you gotta remember, you cannot control what other people post about you,” he said. “It’s not just you you have to worry about. It’s the people you’re interacting with.”
And then there are the photos and posts you make to other people’s Facebook pages. People don’t realize those are not private to that person alone and are subject to whatever privacy settings that person has. If their account is public, everyone can see it.
“When you post to another person’s Facebook page, it’s public by default. There is no way to make it private,” Weber said.
‘It won’t happen to me’
Why should you care about any of this?
Most people don’t, and that’s a concern, Weber said.
Part of the reason people don’t take this seriously might be tied to the belief “it won’t happen to me.”
Identity theft is a growing problem, but the reality is most people will never be victimized. In a 2010 report, the U.S. Department of Justice found 7 percent of households in the United States had someone who had been a victim of identity theft.
And while it’s possible a thief will use Facebook to find out when someone’s away, most burglars are not that sophisticated, Weber acknowledged.
What people need to understand, he said, is there are other ramifications for allowing too much personal information about yourself to become public.
For one, employers are increasingly using Google, Facebook and other Internet search tools to check out people they’re looking to hire. If you don’t take steps to control the public information that’s available about you on line, the consequences can be troubling.
Take the case of a Monroe County teenager, for example.
The teen’s mother agreed to be a test case for Weber to see how much information he could obtain about the mother and her family.
The woman, whose name is being withheld to protect her family’s privacy, was actually pretty good at protecting her online identity, Weber said. She employed high security settings on her Facebook account and did not provide any personal information that was publicly available. She also kept her friends’ list private, meaning others could not see it.
Her family and friends were not quite as diligent, however.
Weber was able to gather information about the woman’s daughter because she had made a post to her mother’s Facebook page. That allowed him to learn the daughter’s username for her Facebook account, which he then accessed. Information he gained there led him to accounts she had on Twitter and Photobucket.
Weber was able to view hundreds of photos she had posted, including numerous shots of her engaging in underage drinking that mom had not known about.
Worse yet for the teen, some of those images made it outside the Facebook world and are available simply by doing a Google search of her name.
“You Google her name in quotes and the first thing that comes up is her waving two vodka bottles,” Weber said.
“In three years she’s going to get out of a college and need a job. Every employer at least Googles the person they’re hiring.
The first thing they’re going to get is a picture of her underage, waiving a bottle of vodka.”